#!/bin/bash

# This script sets the environment properly so that a user can use the OpenStack CLI

#    Copyright (C) 2017, ETH Zuerich, Switzerland
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, version 3 of the License.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
#    AUTHORS Pablo Fernandez & Massimo Benini
#    DATE    July 11th, 2017 (Updated: March 2021)

[[ "${BASH_SOURCE[0]}" == "${0}" ]] && \
  echo "USAGE INFO: you need source this script (source $0 or . $0)." && \
  echo "  You can also pass a parameter that serves a project name filter (for scoped tokens)" && exit

echo " * Creating environment for openstack CLI:"
read -p 'Username: ' uservar
read -sp 'Password: ' passvar
echo ""

# Prepare filter parameter
if [ "$1" == "" ]; then
  PRJ_FILTER="."
else
  PRJ_FILTER=" $1$"
fi

# Prepare environment
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_USERNAME=$uservar
export OS_PASSWORD=$passvar
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=https://pollux.cscs.ch:13000/v3
export OS_IDENTITY_PROVIDER=cscskc
export OS_PROTOCOL=openid
export OS_INTERFACE=public
export OS_CLIENT_ID=pollux-prod
export OS_CLIENT_SECRET="82c7a379-f5ee-48c7-8a6b-7ee15557e28e" #set to anything if keycloak client is public
export OS_DISCOVERY_ENDPOINT=https://auth.cscs.ch/auth/realms/cscs/.well-known/openid-configuration

# Getting the unscoped token:
echo "[openstack --os-auth-type v3oidcpassword token issue]"
UNSCOPED_TOKEN="$(openstack --os-auth-type v3oidcpassword token issue --format value --column id)"

# Remove the password from the environment, for security
if [ $? -ne 0 ]; then
    echo " * Failed to get unscoped token, exit"
    unset OS_PASSWORD
    return
fi

echo " * Got an unscoped token, preparing environment..."
export OS_AUTH_TYPE=token
export OS_TOKEN=$UNSCOPED_TOKEN
unset OS_PASSWORD

# Getting the user ID with python directly (no other way, plus serves as an example!!)
echo -n " * Logged in user ID $OS_USERNAME: "
python <<EOF
from keystoneauth1.identity import v3
from keystoneauth1 import session
auth = v3.Token(auth_url="$OS_AUTH_URL", token="$OS_TOKEN")
sess = session.Session(auth=auth)
print(sess.get_user_id())
EOF
# OTHER EXAMPLES WITH PYTHON BINDINGS:
### To list user's projects:
# from keystoneclient.v3 import client
# ks = client.Client(session=sess, interface='public')
# projects = ks.projects.list(user=sess.get_user_id())
# print [t.name for t in projects]
# print projects[0]
### To list project's Swift containers (needs an scoped token):
# import swiftclient.client as swiftclient
# auth2 = v3.Token(auth_url="$OS_AUTH_URL", token="$OS_TOKEN", project_id=projects[0].id)
# sess2 = session.Session(auth=auth2)
# conn2 = swiftclient.Connection(session=sess2)
# resp_headers, containers = conn2.get_account()
# print [container['name'] for container in containers]
### Alternatively (probably worse):
### You could also get the token with: scoped_token = sess2.get_token()  # Get the scoped token
### Then get the right URL with: swift_url = auth2.get_endpoint(sess2, service_type='object-store', interface='public')
### And get the connection with both: conn = swiftclient.Connection(preauthurl=swift_url, preauthtoken=scoped_token)

# Getting the project name
echo "[openstack project list]"
PROJECTS="$(openstack project list --format value | grep "${PRJ_FILTER}")"
echo $PROJECTS

if [ $(echo "$PROJECTS" | wc -c) -lt 5 ]; then
  echo " * WARNING: You don't belong to a project, having a scoped token is not possible"
  return

elif [ $(echo -n "$PROJECTS" | grep -c '^') -eq 1 ]; then
  # Just one project, accepting it...
  PROJECT_ID="$(echo $PROJECTS | awk '{print $1}')"
  PROJECT_NAME="$(echo $PROJECTS | awk '{print $2}')"
  echo " * Selected project $PROJECT_NAME: $PROJECT_ID"
else
  # More than one project, we need a menu
  SAVEIFS=$IFS; IFS=$'\n' read -a lines -d '' <<< "$PROJECTS"
  declare -a lines; IFS=$SAVEIFS
  PS3="Please choose an option: "
  select option in "${lines[@]}"; do
    if [ 1 -le "$REPLY" ] && [ "$REPLY" -le ${#lines[@]} ]; then
      PROJECT_ID="$(echo $option | awk '{print $1}')"
      PROJECT_NAME="$(echo $option | awk '{print $2}')"
      echo " * Selected project $PROJECT_NAME: $PROJECT_ID"
      break;
    fi
  done
fi


# Getting the scoped token:
echo "[openstack --os-project-id $PROJECT_ID token issue]"
SCOPED_TOKEN="$(openstack --os-project-id $PROJECT_ID token issue --format value --column id)"

if [ $? -ne 0 ]; then
    echo " * WARNING: Failed to get scoped token, but unscoped commands should work fine"
    return
fi

export OS_TOKEN=$SCOPED_TOKEN
export OS_PROJECT_ID=$PROJECT_ID

echo " * Setting custom 'swift' alias"
alias swift='swift --os-auth-token $OS_TOKEN --os-storage-url https://object.cscs.ch/v1/AUTH_$OS_PROJECT_ID'

echo " * Setting custom 'cinder' alias"
alias cinder='cinder --os-token $OS_TOKEN --os-url https://pollux.cscs.ch:13776/v3/$OS_PROJECT_ID --os-auth-type=token_endpoint'


echo " * Environment ready for openstack CLI with scoped project: $PROJECT_NAME"