#!/bin/bash
set -e

# Load environment variables
source infra/environments/production/.env

# Vault Configuration
VAULT_ADDR="http://127.0.0.1:8200"
KEYS_FILE="infra/environments/production/.vault-keys"

if [ ! -f "$KEYS_FILE" ]; then
    echo "Error: Keys file not found at $KEYS_FILE. Run init-vault.sh first."
    exit 1
fi

VAULT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)
CONTAINER_NAME="apa-vault"

echo "Configuring Vault..."

# Helper function to run vault commands inside docker
vault_cmd() {
    docker exec -i -e VAULT_ADDR=$VAULT_ADDR -e VAULT_TOKEN=$VAULT_TOKEN $CONTAINER_NAME vault "$@"
}

# Enable OIDC auth method
echo "Enabling OIDC auth method..."
if ! vault_cmd auth list | grep -q "oidc/"; then
    vault_cmd auth enable oidc
else
    echo "OIDC auth method already enabled."
fi

# Configure OIDC
echo "Configuring OIDC..."
vault_cmd write auth/oidc/config \
    oidc_discovery_url="https://auth.${DOMAIN}/application/o/vault-prod/" \
    oidc_client_id="vault-prod" \
    oidc_client_secret="${AUTHENTIK_VAULT_CLIENT_SECRET}" \
    default_role="reader"

# Create Policies
echo "Creating policies..."

# Admin Policy
vault_cmd policy write admin - <<EOF
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF

# Reader Policy
vault_cmd policy write reader - <<EOF
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF

# Create Roles
echo "Creating roles..."

# Admin Role
vault_cmd write auth/oidc/role/admin \
    bound_audiences="vault-prod" \
    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
    user_claim="email" \
    policies="admin" \
    role_type="oidc" \
    groups_claim="groups" \
    oidc_scopes="openid,email,profile,groups"

# Reader Role
vault_cmd write auth/oidc/role/reader \
    bound_audiences="vault-prod" \
    allowed_redirect_uris="https://vault.${DOMAIN}/ui/vault/auth/oidc/oidc/callback" \
    allowed_redirect_uris="https://vault.${DOMAIN}/oidc/callback" \
    user_claim="email" \
    policies="reader" \
    role_type="oidc" \
    groups_claim="groups" \
    oidc_scopes="openid,email,profile,groups"

echo "Vault configuration complete!"