#! /usr/bin/env perl

use strict;
use Hydra::Schema;
use Hydra::Helper::Nix;
use Hydra::Model::DB;
use Getopt::Long qw(:config gnu_getopt);
use Digest::SHA1 qw(sha1_hex);

sub showHelp {
    print <<EOF;
Usage: $0 NAME
  [--rename-from NAME]
  [--type hydra|google]
  [--full-name FULLNAME]
  [--email-address EMAIL-ADDRESS]
  [--password PASSWORD]
  [--password-hash SHA1-HASH]
  [--wipe-roles]
  [--role ROLE]...

Create a new Hydra user account, or update or an existing one.  The
--role flag can be given multiple times.  If the account already
exists, roles are added to the existing roles unless --wipe-roles is
specified.  If --rename-from is given, the specified account is
renamed.

Example:
  \$ hydra-create-user alice --password foobar --role admin
EOF
    exit 0;
}

my ($renameFrom, $type, $fullName, $emailAddress, $password, $passwordHash);
my $wipeRoles = 0;
my @roles;

GetOptions("rename-from=s" => \$renameFrom,
           "type=s" => \$type,
           "full-name=s" => \$fullName,
           "email-address=s" => \$emailAddress,
           "password=s" => \$password,
           "password-hash=s" => \$passwordHash,
           "wipe-roles" => \$wipeRoles,
           "role=s" => \@roles,
           "help" => sub { showHelp() }
    ) or exit 1;

die "$0: one user name required\n" if scalar @ARGV != 1;
my $userName = $ARGV[0];

die "$0: type must be `hydra' or `google'\n"
    if defined $type && $type ne "hydra" && $type ne "google";

my $db = Hydra::Model::DB->new();

$db->txn_do(sub {
    my $user = $db->resultset('Users')->find({ username => $renameFrom // $userName });
    if ($renameFrom) {
        die "$0: user `$renameFrom' does not exist\n" unless $user;
        $user->update({ username => $userName });
    } elsif ($user) {
        print STDERR "updating existing user `$userName'\n";
    } else {
        print STDERR "creating new user `$userName'\n";
        $user = $db->resultset('Users')->create(
            { username => $userName, type => "hydra", emailaddress => "", password => "!" });
    }

    die "$0: Google user names must be email addresses\n"
        if $user->type eq "google" && $userName !~ /\@/;

    $user->update({ type => $type }) if defined $type;

    $user->update({ fullname => $fullName eq "" ? undef : $fullName }) if defined $fullName;

    if ($user->type eq "google") {
        die "$0: Google accounts do not have an explicitly set email address.\n"
            if defined $emailAddress;
        die "$0: Google accounts do not have a password.\n"
            if defined $password;
        die "$0: Google accounts do not have a password.\n"
            if defined $passwordHash;
        $user->update({ emailaddress => $userName, password => "!" });
    } else {
        $user->update({ emailaddress => $emailAddress }) if defined $emailAddress;
        if (defined $password && !(defined $passwordHash)) {
            $passwordHash = sha1_hex($password);
        }
        $user->update({ password => $passwordHash }) if defined $passwordHash;
    }

    $user->userroles->delete if $wipeRoles;
    $user->userroles->update_or_create({ role => $_ }) foreach @roles;
});
