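#!/usr/bin/env bash
#
# Bootstrap a local Keycloak instance for development:
#   1. wait until the server answers,
#   2. obtain an admin token (admin-cli / password grant),
#   3. create the realm (tolerated if it already exists) and set token lifetimes,
#   4. create one confidential client and two users carrying "personal token"
#      attributes,
#   5. print the created credentials and sample token requests.
#
# All secrets below are throw-away development defaults. The script prints the
# credentials it creates, so do not run it where stdout is captured
# (CI logs, shared terminal recordings).
#
# Requires: bash 4+, curl, jq, GNU date (for `date -d` / `--iso-8601`).
# Overridable from the environment: KC_HOST, KC_PUBLIC_HOST, KC_ADMIN_USER,
# KC_ADMIN_PASSWORD, KC_WAIT_ATTEMPTS.
set -euo pipefail

# --- Configuration --------------------------------------------------------
# URL this script uses to reach Keycloak.
KC_HOST="${KC_HOST:-http://localhost:8080}"
# URL printed in the sample token requests (what applications use; may differ
# from KC_HOST when the server sits behind a local hostname).
KC_PUBLIC_HOST="${KC_PUBLIC_HOST:-http://auth.local:8080}"
KC_ADMIN_USER="${KC_ADMIN_USER:-admin}"
KC_ADMIN_PASSWORD="${KC_ADMIN_PASSWORD:-admin}"
# Readiness polling: attempts × 2 s sleep.
KC_WAIT_ATTEMPTS="${KC_WAIT_ATTEMPTS:-60}"

REALM="master"
CLIENT_ID="soa"
CLIENT_SECRET="mysecret"
USERNAME="alexis"
PASSWORD="password"
USERNAME2="fabio"
PASSWORD2="password"
PERSONAL_TOKEN="personaltoken"
PERSONAL_TOKEN2="personaltoken2"
readonly KC_HOST KC_PUBLIC_HOST KC_ADMIN_USER KC_ADMIN_PASSWORD KC_WAIT_ATTEMPTS
readonly REALM CLIENT_ID CLIENT_SECRET USERNAME PASSWORD USERNAME2 PASSWORD2
readonly PERSONAL_TOKEN PERSONAL_TOKEN2

#######################################
# Print a message on stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

#######################################
# Poll $KC_HOST until curl can fetch it, with an upper bound on attempts.
# Any HTTP answer counts as "ready"; only connection failures are retried.
# Globals:   KC_HOST, KC_WAIT_ATTEMPTS (read)
# Returns:   0 once the server answers; 1 after KC_WAIT_ATTEMPTS failures
#######################################
wait_for_keycloak() {
  local attempt
  echo "⏳ Attente de Keycloak..."
  for (( attempt = 1; attempt <= KC_WAIT_ATTEMPTS; attempt++ )); do
    if curl -s -o /dev/null "$KC_HOST"; then
      echo "✅ Keycloak est prêt."
      return 0
    fi
    sleep 2
  done
  printf 'Keycloak did not answer at %s after %s attempts\n' \
    "$KC_HOST" "$KC_WAIT_ATTEMPTS" >&2
  return 1
}

#######################################
# Obtain an admin access token from the master realm via the admin-cli client.
# Globals:   KC_HOST, KC_ADMIN_USER, KC_ADMIN_PASSWORD (read)
# Outputs:   the access token on stdout
# Returns:   0 on success; 1 if the request failed or no token came back
#######################################
get_admin_token() {
  local token
  # The password is fed through stdin and URL-encoded by curl so it is neither
  # visible in `ps` nor in a `set -x` trace; the other fields are not secret.
  token=$(printf '%s' "$KC_ADMIN_PASSWORD" | curl -sS -X POST \
      "$KC_HOST/realms/master/protocol/openid-connect/token" \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode "username=$KC_ADMIN_USER" \
      --data-urlencode 'password@-' \
      -d 'grant_type=password' \
      -d 'client_id=admin-cli' | jq -r '.access_token // empty') || return 1
  # Without this check a failed login would silently turn into "Bearer null".
  if [[ -z "$token" ]]; then
    printf 'cannot obtain an admin token from %s (check KC_ADMIN_USER/KC_ADMIN_PASSWORD)\n' \
      "$KC_HOST" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

#######################################
# Expiry date for the personal tokens: one year from now, ISO-8601 with seconds.
# Outputs:   the date on stdout (GNU date syntax)
#######################################
generate_expiry_date() {
  date -d "+1 year" --iso-8601=seconds
}

#######################################
# Send a JSON body to the admin REST API and validate the HTTP status.
# Arguments: $1 - HTTP method (POST or PUT)
#            $2 - path under $KC_HOST, e.g. /admin/realms
#            $3 - JSON body
#            $4 - admin bearer token
# Outputs:   a notice on stderr when the resource already exists (HTTP 409),
#            which lets the script be re-run against an existing setup
# Returns:   0 on 2xx or 409; 1 on any other status or a transport error
#######################################
kc_admin_call() {
  local method=$1 path=$2 body=$3 token=$4
  local status
  status=$(printf '%s' "$body" | curl -sS -o /dev/null -w '%{http_code}' \
      -X "$method" "$KC_HOST$path" \
      -H "Authorization: Bearer $token" \
      -H 'Content-Type: application/json' \
      --data-binary @-) || return 1
  case "$status" in
    2??)
      return 0
      ;;
    409)
      printf '⚠️  %s %s: already exists, keeping the current definition\n' \
        "$method" "$path" >&2
      return 0
      ;;
    *)
      printf '%s %s failed with HTTP %s\n' "$method" "$path" "$status" >&2
      return 1
      ;;
  esac
}

#######################################
# Build the JSON representation of a user. Values are passed to jq as
# arguments, so quotes or braces in them cannot break the document.
# Arguments: $1 - username          $2 - password
#            $3 - personal token    $4 - token creation date
#            $5 - token expiry date $6 - department
#            $7 - access level      $8 - email (optional)
#            $9 - first name (optional)  $10 - last name (optional)
# Outputs:   the JSON document on stdout
#######################################
make_user_json() {
  jq -n \
    --arg username "$1" --arg password "$2" --arg token "$3" \
    --arg created "$4" --arg expires "$5" \
    --arg department "$6" --arg access_level "$7" \
    --arg email "${8:-}" --arg first_name "${9:-}" --arg last_name "${10:-}" \
    '{
      username: $username,
      enabled: true,
      emailVerified: true,
      attributes: {
        api_token: [$token],
        token_created: [$created],
        token_expires: [$expires],
        created_by: ["setup_script"],
        department: [$department],
        access_level: [$access_level]
      },
      credentials: [{type: "password", value: $password, temporary: false}]
    }
    | if $email != "" then
        . + {email: $email, firstName: $first_name, lastName: $last_name}
      else . end'
}

#######################################
# Create the realm, token lifetimes, the client and both users, then print a
# summary of what was created.
# Globals:   KC_HOST, REALM, CLIENT_ID, CLIENT_SECRET, USERNAME*, PASSWORD*,
#            PERSONAL_TOKEN* (read)
# Outputs:   progress and the created credentials on stdout
# Returns:   exits 1 on the first failed API call
#######################################
setup_keycloak() {
  local token current_date expiry_date body
  token=$(get_admin_token) || exit 1
  current_date=$(date --iso-8601=seconds)
  expiry_date=$(generate_expiry_date)

  echo "🛠️ Création du realm $REALM..."
  body=$(jq -n --arg realm "$REALM" '{realm: $realm, enabled: true}')
  kc_admin_call POST /admin/realms "$body" "$token" || exit 1

  echo "🛠️ Configuration des durées de vie des tokens..."
  # Lifetimes in seconds.
  body=$(cat <<'EOF'
{
  "accessTokenLifespan": 3600,
  "refreshTokenMaxReuse": 0,
  "ssoSessionIdleTimeout": 7200,
  "ssoSessionMaxLifespan": 36000,
  "offlineSessionIdleTimeout": 2592000
}
EOF
  )
  kc_admin_call PUT "/admin/realms/$REALM" "$body" "$token" || exit 1

  echo "🛠️ Création du client $CLIENT_ID..."
  # redirectUris "*" accepts any redirect target. That is tolerable for a
  # throw-away local realm only; anywhere else list the real application URLs.
  body=$(jq -n --arg id "$CLIENT_ID" --arg secret "$CLIENT_SECRET" '{
    clientId: $id,
    enabled: true,
    publicClient: false,
    secret: $secret,
    redirectUris: ["*"],
    standardFlowEnabled: true,
    directAccessGrantsEnabled: true,
    serviceAccountsEnabled: true,
    authorizationServicesEnabled: false
  }')
  kc_admin_call POST "/admin/realms/$REALM/clients" "$body" "$token" || exit 1

  echo "👤 Création de l'utilisateur $USERNAME avec token personnel..."
  body=$(make_user_json "$USERNAME" "$PASSWORD" "$PERSONAL_TOKEN" \
    "$current_date" "$expiry_date" "IT" "developer")
  kc_admin_call POST "/admin/realms/$REALM/users" "$body" "$token" || exit 1

  echo "👤 Création du deuxième utilisateur $USERNAME2..."
  body=$(make_user_json "$USERNAME2" "$PASSWORD2" "$PERSONAL_TOKEN2" \
    "$current_date" "$expiry_date" "Artist" "user" \
    "fabio@example.com" "Fabio" "Artist")
  kc_admin_call POST "/admin/realms/$REALM/users" "$body" "$token" || exit 1

  echo "✅ Configuration terminée !"
  echo ""
  # Intentionally prints the dev credentials; they end up in any captured log.
  echo "👥 Utilisateurs créés:"
  echo "🔐 Utilisateur 1: $USERNAME / $PASSWORD"
  echo "🔐 Utilisateur 2: $USERNAME2 / $PASSWORD2"
  echo ""
  echo "🪪 Client secret: $CLIENT_SECRET"
  echo "🎫 Personal Access Token 1: $PERSONAL_TOKEN"
  echo "🎫 Personal Access Token 2: $PERSONAL_TOKEN2"
  echo "📅 Tokens créés le: $current_date"
  echo "⏰ Tokens expirent le: $expiry_date"
  echo ""
  echo "⏱️ Token Settings:"
  echo " • Access Token Lifespan: 3600 seconds (1 hour)"
  echo " • Direct Access Grants: ENABLED"
  echo " • SSO Session Timeout: 7200 seconds (2 hours)"
}

#######################################
# Print a sample password-grant request for one user.
# Arguments: $1 - label shown above the command
#            $2 - username
#            $3 - password
# Globals:   KC_PUBLIC_HOST, REALM, CLIENT_ID, CLIENT_SECRET (read)
#######################################
print_token_request() {
  local label=$1 user=$2 pass=$3
  echo "Token pour $label:"
  echo "curl -X POST $KC_PUBLIC_HOST/realms/$REALM/protocol/openid-connect/token \\"
  echo " -H \"Content-Type: application/x-www-form-urlencoded\" \\"
  echo " -d \"grant_type=password&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET&username=$user&password=$pass\""
  echo ""
}

#######################################
# Print sample token requests for both users. The realm, client id and secret
# come from the same variables used to create them, so the samples cannot
# drift from the actual configuration.
#######################################
test_personal_token() {
  echo ""
  echo "🧪 Test des tokens:"
  echo ""
  print_token_request "Alexis" "$USERNAME" "$PASSWORD"
  print_token_request "Fabio" "$USERNAME2" "$PASSWORD2"
}

#######################################
# Entry point: check tool availability, then run the setup.
#######################################
main() {
  local tool
  for tool in curl jq date; do
    command -v "$tool" >/dev/null 2>&1 || die "missing required tool: $tool"
  done
  [[ "$KC_WAIT_ATTEMPTS" =~ ^[0-9]+$ ]] \
    || die "KC_WAIT_ATTEMPTS must be a non-negative integer"
  wait_for_keycloak || die "giving up"
  setup_keycloak
  test_personal_token
}

main "$@"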