#!/usr/bin/env tsx

import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";

const main = async () => {
  const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
  const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
  const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
  const realm = process.env.KEYCLOAK_REALM;
  const scopeName = process.env.SCOPE_NAME;
  const audience = process.env.KEYCLOAK_AUDIENCE;

  invariant(KEYCLOAK_HOST, "KEYCLOAK_HOST environment variable is required");
  invariant(KEYCLOAK_ADMIN_USER, "KEYCLOAK_ADMIN_USER environment variable is required");
  invariant(KEYCLOAK_ADMIN_PASSWORD, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
  invariant(realm, "KEYCLOAK_REALM environment variable is required");
  invariant(scopeName, "SCOPE_NAME environment variable is required");
  invariant(audience, "KEYCLOAK_AUDIENCE environment variable is required");

  const kcAdminClient = new KcAdminClient({
    baseUrl: `https://${KEYCLOAK_HOST}`,
    realmName: "master",
  });

  try {
    await kcAdminClient.auth({
      username: KEYCLOAK_ADMIN_USER,
      password: KEYCLOAK_ADMIN_PASSWORD,
      grantType: "password",
      clientId: "admin-cli",
    });

    console.log("Authentication successful.");

    kcAdminClient.setConfig({
      realmName: realm,
    });

    const clientScopes = await kcAdminClient.clientScopes.find();
    const scope = clientScopes.find((s) => s.name === scopeName);
    if (!scope) {
      throw new Error(`Client scope '${scopeName}' not found`);
    }

    invariant(scope.id, "Client scope ID is not set");

    const mapperName = `aud-mapper-${audience}`;
    const existingMappers = await kcAdminClient.clientScopes.listProtocolMappers({ id: scope.id });

    if (existingMappers.some((mapper) => mapper.name === mapperName)) {
      console.warn(`Audience mapper '${mapperName}' already exists in scope '${scopeName}'.`);
      return;
    }

    const audienceMapper = {
      name: mapperName,
      protocol: "openid-connect",
      protocolMapper: "oidc-audience-mapper",
      config: {
        "included.client.audience": audience,
        "id.token.claim": "false",
        "access.token.claim": "true",
      },
    };

    await kcAdminClient.clientScopes.addProtocolMapper({ id: scope.id }, audienceMapper);
    console.log(`Audience mapper '${mapperName}' added to client scope '${scopeName}'.`);
  } catch (error) {
    console.error("Error adding audience mapper to scope:", error);
    process.exit(1);
  }
};

main();