#!/usr/bin/env bash

# Copyright 2022 The KCP Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

export DEMO_DIR="$( dirname "${BASH_SOURCE[0]}" )"
source "${DEMO_DIR}"/../.setupEnv

. ${DEMOS_DIR}/demo-magic

TYPE_SPEED=30
#PROMPT_AFTER=1
DEMO_PROMPT="☸️ $ "

function pause() {
  if [[ -n "${NO_WAIT}" ]]; then
    sleep 2
  else
    if [[ -n "${1-}" ]]; then
      sleep "$1"
    else
      wait
    fi
  fi
}

function comment() {
  OLD_DEMO_PROMPT=${DEMO_PROMPT}
  DEMO_PROMPT=''; pei "# $*"
  DEMO_PROMPT=${OLD_DEMO_PROMPT}
}

export KUBECONFIG=${KUBECONFIG:-${KCP_DIR}/.kcp/admin.kubeconfig}
if ! kubectl get namespaces &>/dev/null; then
  echo "kcp server not started, run 'bin/kcp start'"
  exit 1
fi

# TODO(ncdc): remove this if/when we reenable creating the default namespace by default.
kubectl create namespace default &> /dev/null || exit

kubectl create secret generic kubeconfig --from-file=kubeconfig=${KUBECONFIG}
kubectl apply -f ${DEMO_DIR}/workspace-shard.yaml

touch myKubeConfig
export PATH=$PATH:${KCP_DIR}/bin
export KUBECONFIG=$(pwd)/myKubeConfig

kubectl kcp workspace --token user-1-token --workspace-directory-insecure-skip-tls-verify list

clear

comment "The kubectl kcp workspace plugin mainly delegates to the 'workspaces' virtual workspace"
comment "in order to create, list, delete workspaces but also to retrieve a workspace kubeconfig"
comment "that can then be added as a new context to the current kubeconfig"
echo

pe "kubectl kcp workspace --help"

pause
clear

comment "Let's use a kubeconfig that contains only one context pointing to the virtual workspace"
comment "and allowing to retrieve the workspaces owned by a user (== workspace directory)"

pe "more ${KUBECONFIG}"

pause
clear

comment "Let's create 2 workspaces for user-1"
comment "Creating a workspace also creates the required cluster role and cluster role bindings"
comment "in the underlying KCP organization workspace."
echo

pe "kubectl kcp workspace --token user-1-token create user-1-workspace-1"
pe "kubectl kcp workspace --token user-1-token create user-1-workspace-2"

echo
comment "The 2 workspaces are now part of user-1 personal workspaces and each one has a valid URL"
comment "to access it directly in KCP."
echo

pe "kubectl kcp workspace --token user-1-token list"

echo
comment "And we confirm that user-2 cannot see them."
echo

pe "kubectl kcp workspace --token user-2-token list"

echo
comment "Now let user-1 switch to his first workspace to use it."
comment "Note that it is similar, at the KCP workspace level, to:"
comment "    kubectl config use-content"
echo

pe "kubectl kcp workspace --token user-1-token use user-1-workspace-1"

echo
comment "We can confirm that the current workspace is correctly set."
comment "That means that any subsequent call to kubectl will be performed against"
comment "the current workspace with the user used when previously switching to the workspace"
comment "(with the use command)."
echo

pe "kubectl kcp workspace --token user-1-token current"

echo
comment "In other words, a new kubectl context, dedicated to this KCP workspace"
comment "has been created in the current kubeconfig, and set as the current context."
echo

pe "kubectl config current-context"

echo
comment "Now we can access the content of the current workspace with kubectl"
echo
comment "NOTE : Here and later on, the override of the user to use the admin user"
comment "is only required temporarily, until the KCP workspace Auth PR is merged."
comment "When it is done, the user-1 user will automatically have access to the"
comment "content of workspaces he owns."
echo

# TODO(ncdc): remove this if/when we reenable creating the default namespace by default.
kubectl --token admin-token create namespace default &> /dev/null || exit

pe "kubectl --token admin-token create secret generic user-1-secret-1"
pe "kubectl --token admin-token  get secrets"

echo
comment "Let's prove that user-2 cannot access the content of user-1-workspace-1"
echo

pe "kubectl --token user-2-token get secrets"

echo
comment "Yes, only user-1 should have access to the his workspaces."
echo

pe "kubectl --token user-1-token get secrets"

echo""
comment "And in the updated kubeconfig, the current workspace context effectively"
comment "uses user-1, since the use command was run by user-1"
echo

pe "more myKubeConfig"

pause
clear

echo
comment "Now let's switch to user-1 second workspace and see that the 2 workspaces"
comment "don't mix their content"
echo

pe "kubectl kcp workspace use user-1-workspace-2"

# TODO(ncdc): remove this if/when we reenable creating the default namespace by default.
kubectl --token admin-token create namespace default &> /dev/null || exit


pe "kubectl --token admin-token get secrets"
pe "kubectl --token admin-token create secret generic user-1-secret-2"
pe "kubectl --token admin-token get secrets"

echo
comment "Let's switch back to the previous workspace with '-'"
echo

pe "kubectl kcp workspace use -"

echo
comment "And find back the user-1 first workspace content"
echo

pe "kubectl --token admin-token get secrets"

pause
clear

echo
comment "Finally let's create a workspace for user-2."
comment "We can specify the workspace it should inherit CRDs from,"
comment "as well as switch directly to the new workspace with the 'use' argument"
echo

pe "kubectl kcp workspace --token user-2-token create user-2-workspace-1 --inherit-from=user --use"

# TODO(ncdc): remove this if/when we reenable creating the default namespace by default.
kubectl --token admin-token create namespace default &> /dev/null || exit


pe "kubectl --token admin-token create secret generic user-2-secret-1"
pe "kubectl --token admin-token get secrets"

echo
comment "As expected user-1 cannot see the contents of the current workspace owned by user-2"
echo

pe "kubectl --token user-1-token get secrets"

echo
comment "But more than that, user-1 cannot use a workspace owned by user-2"
comment "since for user-1 it just doesn't exist."
comment "Ability for user-2 to share his workspace will be implemented later."
echo

pe "kubectl kcp workspace --token user-1-token use user-2-workspace1"
