#!/bin/bash
set -euo pipefail

# Test script for Keycloak authentication and JWT claims verification
# This script validates the realm configuration after import

KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
REALM="workclub"
CLIENT_ID="workclub-app"

# Color output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

echo "=== Keycloak Authentication Test ==="
echo "Keycloak URL: $KEYCLOAK_URL"
echo "Realm: $REALM"
echo ""

# Wait for Keycloak to be ready
echo "Waiting for Keycloak to be ready..."
max_attempts=60
attempt=0
while ! curl -sf "$KEYCLOAK_URL/health/ready" > /dev/null; do
    attempt=$((attempt + 1))
    if [ $attempt -ge $max_attempts ]; then
        echo -e "${RED}✗ Keycloak failed to become ready after $max_attempts attempts${NC}"
        exit 1
    fi
    echo -n "."
    sleep 2
done
echo -e "\n${GREEN}✓ Keycloak is ready${NC}\n"

# Test users with expected club memberships
declare -A USERS=(
    ["admin@test.com"]='{"club-1-uuid":"admin","club-2-uuid":"member"}'
    ["manager@test.com"]='{"club-1-uuid":"manager"}'
    ["member1@test.com"]='{"club-1-uuid":"member","club-2-uuid":"member"}'
    ["member2@test.com"]='{"club-1-uuid":"member"}'
    ["viewer@test.com"]='{"club-1-uuid":"viewer"}'
)

PASSWORD="testpass123"
EVIDENCE_DIR=".sisyphus/evidence"
mkdir -p "$EVIDENCE_DIR"

RESULTS_FILE="$EVIDENCE_DIR/task-3-user-auth.txt"
JWT_FILE="$EVIDENCE_DIR/task-3-jwt-claims.txt"

# Clear previous results
> "$RESULTS_FILE"
> "$JWT_FILE"

echo "Testing authentication for all users..." | tee -a "$RESULTS_FILE"
echo "=======================================" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"

success_count=0
failure_count=0

for user in "${!USERS[@]}"; do
    expected_clubs="${USERS[$user]}"
    
    echo "Testing: $user" | tee -a "$RESULTS_FILE"
    echo "Expected clubs: $expected_clubs" | tee -a "$RESULTS_FILE"
    
    # Request token using direct grant (password grant)
    response=$(curl -s -X POST "$KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password" \
        -d "client_id=$CLIENT_ID" \
        -d "username=$user" \
        -d "password=$PASSWORD" \
        2>&1)
    
    # Check if token was obtained
    if echo "$response" | jq -e '.access_token' > /dev/null 2>&1; then
        access_token=$(echo "$response" | jq -r '.access_token')
        
        # Decode JWT (extract payload, base64 decode)
        payload=$(echo "$access_token" | cut -d. -f2)
        # Add padding if needed for base64
        padding=$((4 - ${#payload} % 4))
        if [ $padding -ne 4 ]; then
            payload="${payload}$(printf '=%.0s' $(seq 1 $padding))"
        fi
        
        decoded=$(echo "$payload" | base64 -d 2>/dev/null | jq '.')
        
        # Extract clubs claim
        clubs_claim=$(echo "$decoded" | jq -c '.clubs // empty')
        
        if [ -z "$clubs_claim" ]; then
            echo -e "  ${RED}✗ FAILED: No 'clubs' claim found in JWT${NC}" | tee -a "$RESULTS_FILE"
            failure_count=$((failure_count + 1))
        elif [ "$clubs_claim" == "$expected_clubs" ]; then
            echo -e "  ${GREEN}✓ SUCCESS: Clubs claim matches expected value${NC}" | tee -a "$RESULTS_FILE"
            success_count=$((success_count + 1))
            
            # Save decoded JWT for first successful user (admin)
            if [ "$user" == "admin@test.com" ]; then
                echo "=== Decoded JWT for admin@test.com ===" > "$JWT_FILE"
                echo "$decoded" | jq '.' >> "$JWT_FILE"
                echo "" >> "$JWT_FILE"
                echo "=== Clubs Claim ===" >> "$JWT_FILE"
                echo "$clubs_claim" | jq '.' >> "$JWT_FILE"
            fi
        else
            echo -e "  ${YELLOW}✗ FAILED: Clubs claim mismatch${NC}" | tee -a "$RESULTS_FILE"
            echo "    Expected: $expected_clubs" | tee -a "$RESULTS_FILE"
            echo "    Got: $clubs_claim" | tee -a "$RESULTS_FILE"
            failure_count=$((failure_count + 1))
        fi
        
        echo "  Claim type: $(echo "$clubs_claim" | jq -r 'type')" | tee -a "$RESULTS_FILE"
    else
        echo -e "  ${RED}✗ FAILED: Could not obtain access token${NC}" | tee -a "$RESULTS_FILE"
        echo "  Error: $(echo "$response" | jq -r '.error_description // .error // "Unknown error"')" | tee -a "$RESULTS_FILE"
        failure_count=$((failure_count + 1))
    fi
    
    echo "" | tee -a "$RESULTS_FILE"
done

echo "=======================================" | tee -a "$RESULTS_FILE"
echo "Summary: $success_count passed, $failure_count failed" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"

if [ $failure_count -eq 0 ]; then
    echo -e "${GREEN}✓ All authentication tests passed!${NC}" | tee -a "$RESULTS_FILE"
    echo "Evidence saved to:" | tee -a "$RESULTS_FILE"
    echo "  - $RESULTS_FILE" | tee -a "$RESULTS_FILE"
    echo "  - $JWT_FILE" | tee -a "$RESULTS_FILE"
    exit 0
else
    echo -e "${RED}✗ Some tests failed${NC}" | tee -a "$RESULTS_FILE"
    exit 1
fi