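#!/bin/bash
# Setup centralized user management in Keycloak.
#
# Obtains an admin access token from the master realm (password grant via the
# admin-cli client), then creates the realm described by keycloak-realm.json
# in the current working directory.
#
# Environment:
#   KEYCLOAK_URL             Keycloak base URL (default: in-cluster service over
#                            plain HTTP; credentials and the admin token are
#                            sent unencrypted unless an https:// URL is given)
#   KEYCLOAK_ADMIN           admin user name (default: admin)
#   KEYCLOAK_ADMIN_PASSWORD  admin password (default: a well-known placeholder)
#
# Requires: curl (7.55.0+ for reading headers from a file) and jq.

set -euo pipefail

NAMESPACE="identity"
KEYCLOAK_URL="${KEYCLOAK_URL:-http://keycloak.${NAMESPACE}.svc.cluster.local:8080}"
ADMIN_USER="${KEYCLOAK_ADMIN:-admin}"
DEFAULT_ADMIN_PASSWORD="change-me-in-production"
ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-$DEFAULT_ADMIN_PASSWORD}"
REALM_FILE="keycloak-realm.json"

for tool in curl jq; do
  if ! command -v "$tool" > /dev/null; then
    echo "❌ Required tool not found: $tool" >&2
    exit 1
  fi
done

echo "👥 Setting up centralized user management..."

# The fallback is kept for backward compatibility, but an admin account that
# still uses the published placeholder is effectively unprotected.
if [[ "$ADMIN_PASSWORD" == "$DEFAULT_ADMIN_PASSWORD" ]]; then
  echo "⚠️ KEYCLOAK_ADMIN_PASSWORD is unset; using the placeholder default." >&2
  echo " → Set a strong admin password before exposing this Keycloak instance" >&2
fi

# Check if Keycloak is accessible.
# NOTE(review): without --fail this only proves that something answered on the
# URL, not that Keycloak reports itself healthy; left as-is because the health
# endpoint's availability depends on how Keycloak is configured.
if ! curl -s "${KEYCLOAK_URL}/health" > /dev/null; then
  echo "⚠️ Keycloak not accessible at $KEYCLOAK_URL" >&2
  echo " → Ensure Keycloak is deployed and running" >&2
  exit 1
fi

# Fail early with a clear message instead of letting curl report a missing file.
if [[ ! -r "$REALM_FILE" ]]; then
  echo "❌ Realm definition not readable: $REALM_FILE" >&2
  exit 1
fi

# Get admin token.
# - The password is fed through a process substitution so it never appears in
#   curl's argument list (visible to other local users via ps).
# - --data-urlencode keeps characters such as '&', '+' or '%' in the user name
#   or password from corrupting the form body.
# - '// empty' maps a missing/null access_token to empty output; a transport or
#   JSON parse failure falls through to the same error branch below.
echo "🔑 Getting admin token..."
TOKEN=$(
  curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
    -d "client_id=admin-cli" \
    --data-urlencode "username=${ADMIN_USER}" \
    --data-urlencode "password@"<(printf '%s' "$ADMIN_PASSWORD") \
    -d "grant_type=password" \
    | jq -r '.access_token // empty'
) || TOKEN=""

if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
  echo "❌ Failed to get admin token" >&2
  exit 1
fi

# Create realm.
# The bearer token is passed as a header file for the same reason as the
# password. The HTTP status is appended on its own line so the outcome can be
# checked instead of reporting success unconditionally.
echo "🌍 Creating workspace realm..."
response=$(
  curl -s -X POST "${KEYCLOAK_URL}/admin/realms" \
    -H @<(printf 'Authorization: Bearer %s\n' "$TOKEN") \
    -H "Content-Type: application/json" \
    -d @"$REALM_FILE" \
    -w '\n%{http_code}'
) || {
  echo "❌ Realm creation request failed" >&2
  exit 1
}

status="${response##*$'\n'}"
body="${response%$'\n'*}"

case "$status" in
  201)
    ;;
  409)
    # Keycloak answers 409 Conflict when the realm already exists; treat a
    # re-run as a no-op rather than an error.
    echo "ℹ️ Realm already exists; leaving it unchanged"
    ;;
  *)
    echo "❌ Realm creation failed (HTTP $status)" >&2
    if [[ -n "$body" ]]; then
      printf '%s\n' "$body" >&2
    fi
    exit 1
    ;;
esac

echo "✅ User management setup complete!"
echo ""
echo "📝 Next steps:"
echo " 1. Access Keycloak admin console"
echo " 2. Review realm configuration"
echo " 3. Create additional users and roles"
echo " 4. Configure identity providers (if needed)"
echo " 5. Set up user federation (if needed)"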