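#!/bin/sh
# Sync loop: pull login items from the local vault listing endpoint, turn every
# item that carries a "<SCHEME>://<namespace>/<name>" URI into a Kubernetes
# Secret, server-side-apply it, then sleep and repeat forever.
#
# Environment:
#   SCHEME              URI scheme that marks an item for sync (default: k8s)
#   DRYRUN              anything other than "no" prints the Secret and the
#                       kubectl command instead of applying it (default: no)
#   OVERRIDE_OWNERSHIP  yes|true|1 adds --force-conflicts to kubectl apply
#   SYNC_INTERVAL       seconds to sleep between passes (default: 60)
#
# Exit: jq aborts a pass with status 77 when the listing is not a successful
# list or when two items map to the same destination.
set -ex

: "${SCHEME:=k8s}"
: "${DRYRUN:=no}"

# Extra kubectl flags; intentionally word-split where used (POSIX sh, no arrays).
EXTRAFLAGS=""
case "$OVERRIDE_OWNERSHIP" in
  yes|true|1) EXTRAFLAGS="$EXTRAFLAGS --force-conflicts" ;;
esac

while true; do
  echo "starting sync of $SCHEME://"
  # -f: an HTTP error body must not reach jq as if it were a listing;
  # -S: still report the curl error on stderr despite -s.
  curl -fsSL http://localhost:8087/list/object/items \
    | jq -c --arg scheme "${SCHEME}" '
      # str -> {uri: str, path: str[], scheme: str?, auth: str?, domain: str?, port: int?, query: str?, fragment: str?}
      def uriparse: . as $input
        # capture the url elements into the named groups listed above
        | capture("^((?<scheme>[^:/?#]+):)?(//(((?<auth>[^@]*)@)?(?<domain>[^/?#:]*)(:(?<port>[0-9]*))?))?(?<path>[^?#]*)?([?](?<query>[^#]*))?(#(?<fragment>.*))?")
        # remove nulls
        | del(.[] | nulls)
        # split query params into an object ("k=v&x" -> {k: "v", x: ""})
        | if .query then .query |= ((split("&") | .[] |= (split("=") | {(.[0]): (.[1] // "")})) | add) else . end
        # split path elements and drop the leading ""
        | if .path then .path |= (ltrimstr("/") | split("/")) else . end
        | .port |= tonumber?
        | .uri = $input;
      # number of array elements equal to elt
      def count(elt): [.[] | select(. == elt)] | length;
      # {value: occurrences} for every distinct array element
      def counts: . as $in | unique | map(. as $elt | {"\($elt)": $in | count($elt)}) | add;
      # array elements that occur more than once
      def repeats: counts | [to_entries[] | select(.value > 1) .key];
      # abort the whole pass (exit 77, msg on stderr) when "what" is false
      def assert(what; msg): if what then . else (msg | halt_error(77)) end;
      . | assert(.success == true; "listing objects in vault failed.")
      | assert(.data.object == "list"; "object list is not a list?")
      # one {src, dest} pair per URI of the form <scheme>://<namespace>/<name>
      | [ .data.data[] | . as $input
          | select(.login.uris | length > 0)
          | (.login.uris // [])[] |= (.uri | uriparse)
          | select(.login.uris[] | (.scheme == $scheme and (.path | length) == 2) )
          | .login.uris[]
          | {"src": $input, "dest": .}
        ]
      | unique
      # two items targeting the same Secret would silently overwrite each other
      | ([.[].dest.uri] | repeats) as $dups
      | assert($dups | length == 0; "dups found for destinations: \($dups)")
      | .[]
      | .src as $src | .dest as $dest
      # NOTE(review): annotation values are copied as-is and may be null for
      # items lacking the field, and "source-notes" carries free-text notes
      # into object metadata (not stringData) -- confirm both are intended.
      | { "namespace": .dest.path[0],
          "name": .dest.path[1],
          "annotations": {
            "app.kubernetes.io/managed-by": "warden-operator.kn8v.com",
            "warden-operator.kn8v.com/source-uid": $src.id,
            "warden-operator.kn8v.com/source-organizationId": $src.organizationId,
            "warden-operator.kn8v.com/source-revisionDate": $src.revisionDate,
            "warden-operator.kn8v.com/source-creationDate": $src.creationDate,
            "warden-operator.kn8v.com/source-name": $src.name,
            "warden-operator.kn8v.com/source-notes": $src.notes,
            "warden-operator.kn8v.com/source-passwordRevisionDate": $src.passwordRevisionDate,
            "warden-operator.kn8v.com/source-folderId": $src.folderId
          }
        } as $metadata
      | . = {}
      # custom fields become Secret keys; type 3 = linked field, linkedId 100/101
      # resolve to the login username/password respectively
      | .fields = if $src.fields == null then {} else
          [ $src.fields[]
            | if .type == 3 and .linkedId == 100 then {(.name): $src.login.username}
              else if .type == 3 and .linkedId == 101 then {(.name): $src.login.password}
              else {(.name): .value} end end
          ] | add end
      | assert(.fields.username == null and .fields.password == null; "username and password may not be present as additional fields")
      | .fields.username = $src.login.username
      | .fields.password = $src.login.password
      | del(.fields[] | nulls)
      | { "apiVersion": "v1", "kind": "Secret", "metadata": $metadata, "stringData": .fields }
    ' \
    | while read -r SEC; do
        # The rendered Secret (password included) is passed as a printf
        # argument below; with xtrace on it would be copied into stderr/logs,
        # so tracing is switched off for this (subshell) loop body.
        set +x
        printf '%s\n' "$SEC" | jq -r '"syncing \(.metadata.namespace)/\(.metadata.name)"'
        if [ "$DRYRUN" != no ]; then
          echo "DRY-RUN MODE"
          printf '%s\n' "$SEC"
          echo "| kubectl apply --server-side=true --field-manager=\"warden-operator.kn8v.com\" $EXTRAFLAGS -f -"
        else
          # shellcheck disable=SC2086 -- EXTRAFLAGS is a flag list; splitting is intended
          printf '%s\n' "$SEC" | kubectl apply --server-side=true --field-manager="warden-operator.kn8v.com" $EXTRAFLAGS -f - \
            || echo "failed to apply!" 1>&2
        fi
      done
  echo "done with sync"
  sleep "${SYNC_INTERVAL-60}"
done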