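#!/bin/bash
# Registers the three Entra ID (Azure AD) app registrations the Portal needs —
# API access, Portal access and Portal client — creates a service principal for
# each, wires the Portal client up to the Portal access scope, and finally
# prints the identifiers an operator has to record.
#
# Usage:  <script> <portal_domain> [suffix]
#   portal_domain  host the Portal is served from; used to build the redirect
#                  and logout URIs of the Portal client registration
#   suffix         optional string appended to every display name and
#                  identifier URI (lets several environments coexist)
#
# Requires: az (logged in to the target tenant), jq, uuidgen.
set -euo pipefail

# Microsoft Graph's well-known application id and the id of its delegated
# User.Read scope; every registration below requests that single permission.
readonly GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
readonly GRAPH_USER_READ_SCOPE_ID="e1fe6dd8-ba31-4d61-89e7-88639da4683d"

# Scratch directory for the JSON payloads handed to az via @file. Global so
# the EXIT trap can still see it after main() returns.
WORKDIR=""

#######################################
# Print a message to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory. Installed as an EXIT trap so the payload
# files never linger after a failure (previously the rm lines were skipped
# whenever an az call failed under set -e).
# Globals: WORKDIR (read)
#######################################
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Write a required-resource-access document that asks for Graph User.Read.
# Globals:   GRAPH_APP_ID, GRAPH_USER_READ_SCOPE_ID (read)
# Arguments: $1 - path of the file to write
#######################################
write_graph_user_read_resource() {
  local out=$1
  cat > "$out" <<EOF
[{
    "resourceAppId": "${GRAPH_APP_ID}",
    "resourceAccess": [
        {
            "id": "${GRAPH_USER_READ_SCOPE_ID}",
            "type": "Scope"
        }
    ]
}]
EOF
}

#######################################
# Write the Admin/User app-role definitions shared by the API access and
# Portal access registrations. Literal content, so the delimiter is quoted.
# Arguments: $1 - path of the file to write
#######################################
write_app_roles() {
  local out=$1
  cat > "$out" <<'EOF'
[{
    "allowedMemberTypes": [
        "Application",
        "User"
    ],
    "description": "Admins can manage anything on the Halo",
    "displayName": "Admin",
    "isEnabled": "true",
    "value": "Admin"
},
{
    "allowedMemberTypes": [
        "Application",
        "User"
    ],
    "description": "Users can read policies and rebuild files",
    "displayName": "User",
    "isEnabled": "true",
    "value": "User"
}]
EOF
}

#######################################
# Write the "api" block (one delegated scope, PortalUserScope) that is set on
# the Portal access registration.
# Arguments: $1 - path of the file to write
#            $2 - id (GUID) to give the new scope
#######################################
write_oauth2_permissions() {
  local out=$1 scope_id=$2
  cat > "$out" <<EOF
{
    "acceptMappedClaims": null,
    "knownClientApplications": [],
    "oauth2PermissionScopes": [
        {
            "adminConsentDescription": "Allow the application to access example on behalf of the signed-in user.",
            "adminConsentDisplayName": "PortalUserScope",
            "id": "${scope_id}",
            "isEnabled": true,
            "type": "User",
            "userConsentDescription": null,
            "userConsentDisplayName": null,
            "value": "PortalUserScope"
        }
    ]
}
EOF
}

#######################################
# Write the required-resource-access document for the Portal client: Graph
# User.Read plus the PortalUserScope exposed by the Portal access app.
# Globals:   GRAPH_APP_ID, GRAPH_USER_READ_SCOPE_ID (read)
# Arguments: $1 - path of the file to write
#            $2 - appId of the Portal access registration
#            $3 - id of the PortalUserScope scope on that registration
#######################################
write_portal_client_resource() {
  local out=$1 portal_app_id=$2 scope_id=$3
  cat > "$out" <<EOF
[{
    "resourceAppId": "${GRAPH_APP_ID}",
    "resourceAccess": [
        {
            "id": "${GRAPH_USER_READ_SCOPE_ID}",
            "type": "Scope"
        }
    ]
},
{
    "resourceAppId": "${portal_app_id}",
    "resourceAccess": [
        {
            "id": "${scope_id}",
            "type": "Scope"
        }
    ]
}
]
EOF
}

#######################################
# Entry point: create the three registrations in dependency order and print
# the values to record.
# Globals:   WORKDIR (written)
# Arguments: $1 - portal domain, $2 - optional suffix
#######################################
main() {
  if (( $# < 1 )); then
    die "Please pass the domain name to use for the Portal and an optional suffix"
  fi
  local portal_domain=$1
  local suffix=${2:-}

  # The domain is spliced into redirect/logout URIs and a Graph PATCH body;
  # whitespace, quotes or backslashes can only mean a mistyped argument.
  local bad_chars='[[:space:]"\\]'
  if [[ -z "$portal_domain" || "$portal_domain" =~ $bad_chars ]]; then
    die "portal domain must be a host name without whitespace or quotes: '${portal_domain}'"
  fi

  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  local tenant_id
  tenant_id=$(az account show --query tenantId -o tsv)

  # --- API Access app registration -------------------------------------------
  write_graph_user_read_resource "${WORKDIR}/api-access-required-resource.json"
  write_app_roles "${WORKDIR}/api-access-app-roles.json"
  local api_access_response
  api_access_response=$(az ad app create \
    --display-name "ar-halo-api-access${suffix}" \
    --identifier-uris "api://${tenant_id}/cdrplatform-api-access${suffix}" \
    --required-resource-accesses "@${WORKDIR}/api-access-required-resource.json" \
    --app-roles "@${WORKDIR}/api-access-app-roles.json" \
    --sign-in-audience AzureADMyOrg)
  echo "created api access app registration"
  # .id is the registration's object id (not the appId); az ad sp create
  # accepts either form for --id.
  local api_access_object_id
  api_access_object_id=$(jq -r '.id' <<<"$api_access_response")
  az ad sp create --id "$api_access_object_id" -o none
  echo "created API access Service Principal"

  # --- Portal Access app registration ----------------------------------------
  write_graph_user_read_resource "${WORKDIR}/portal-access-required-resource.json"
  write_app_roles "${WORKDIR}/portal-access-app-roles.json"
  # One GUID serves as the id of the scope the Portal access app exposes and
  # as the id the Portal client requests below; the two must match.
  local scope_id
  scope_id=$(uuidgen)
  write_oauth2_permissions "${WORKDIR}/oauth2-permissions.json" "$scope_id"

  local portal_access_response
  portal_access_response=$(az ad app create \
    --display-name "ar-halo-portal-access${suffix}" \
    --identifier-uris "api://${tenant_id}/cdrplatform-portal-access${suffix}" \
    --required-resource-accesses "@${WORKDIR}/portal-access-required-resource.json" \
    --app-roles "@${WORKDIR}/portal-access-app-roles.json" \
    --sign-in-audience AzureADMyOrg)
  echo "created portal access app registration"
  local portal_app_id portal_id
  portal_app_id=$(jq -r '.appId' <<<"$portal_access_response")
  portal_id=$(jq -r '.id' <<<"$portal_access_response")
  echo "portal_access_id is $portal_id"

  az ad app update --id "$portal_app_id" --set "api=@${WORKDIR}/oauth2-permissions.json"
  # NOTE: an earlier revision prepared (but never sent) a Graph PATCH setting
  # accessTokenAcceptedVersion=1 on this registration; it is not applied here.
  az ad sp create --id "$portal_id" -o none
  echo "created portal access Service Principal"
  # Same form as the identifier URI actually registered above (tenant-scoped).
  echo "api_access_uri is api://${tenant_id}/cdrplatform-api-access${suffix}"

  # --- Portal Client app registration ----------------------------------------
  write_portal_client_resource "${WORKDIR}/portal-client-required-resource.json" \
    "$portal_app_id" "$scope_id"
  local portal_client_response
  portal_client_response=$(az ad app create \
    --display-name "ar-halo-portal-client${suffix}" \
    --identifier-uris "api://${tenant_id}/cdrplatform-portal-client${suffix}" \
    --required-resource-accesses "@${WORKDIR}/portal-client-required-resource.json" \
    --web-redirect-uris "https://${portal_domain}/authentication/login-callback" \
    --enable-access-token-issuance true \
    --sign-in-audience AzureADMyOrg)
  echo "created portal app reg"
  local portal_client_app_id portal_client_id
  portal_client_app_id=$(jq -r '.appId' <<<"$portal_client_response")
  portal_client_id=$(jq -r '.id' <<<"$portal_client_response")

  # Build the PATCH body with jq so the domain is JSON-encoded rather than
  # interpolated into a hand-written string.
  local body
  body=$(jq -cn --arg domain "$portal_domain" '{
    web: {logoutUrl: ("https://" + $domain + "/authentication/logout")},
    spa: {redirectUris: [("https://" + $domain + "/authentication/login-callback")]}
  }')
  az rest --method PATCH \
    --uri "https://graph.microsoft.com/v1.0/applications/${portal_client_id}" \
    --headers 'Content-Type=application/json' \
    --body "$body"
  echo "patched portal"
  az ad sp create --id "$portal_client_id" -o none
  echo "created portal Service Principal"

  echo "Please make a note of below values:"
  echo "portal_client_id is ${portal_client_app_id}"
  echo "tenant_id is ${tenant_id}"
  echo "portal client uri is api://${tenant_id}/cdrplatform-portal-client${suffix}"
  echo "portal access uri is api://${tenant_id}/cdrplatform-portal-access${suffix}"
  echo "api access uri is api://${tenant_id}/cdrplatform-api-access${suffix}"
}

main "$@"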
