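locals {
  # Short application name: "<component>-<instance>", or just the instance when
  # both variables hold the same string.
  app_name   = var.component == var.instance ? var.instance : format("%s-%s", var.component, var.instance)
  main-group = format("app-%s", local.app_name)

  # Distinct group names in reverse alphabetical order.  This order fixes the
  # count.index of every group / binding below, so changing it re-addresses
  # those resources in state.
  sorted-group-names = reverse(distinct(sort([for grp in var.user-groups : grp.name])))

  # One element per distinct name: the first var.user-groups entry carrying it.
  # Taking [0] instead of flattening every match keeps a name that appears twice
  # in var.user-groups from producing two authentik_group resources (and two
  # data lookups) with the same name.
  sorted-groups = [
    for name in local.sorted-group-names :
    [for grp in var.user-groups : grp if grp.name == name][0]
  ]
}

# Pre-existing admin group that is granted access to both applications.
data "authentik_group" "vynil-admin" {
  name = "vynil-ldap-admins"
}

# One group per entry of var.user-groups.  Each group is tagged with the
# attribute "<app_name>: true", which is what the expression policy below keys on.
resource "authentik_group" "groups" {
  count      = length(local.sorted-groups)
  name       = local.sorted-groups[count.index].name
  attributes = jsonencode({ "${local.app_name}" = true })
}

# Re-read of the groups just created (not referenced in this file; kept for
# callers that may use it).  depends_on forces the lookup after creation.
data "authentik_group" "readed_groups" {
  depends_on = [authentik_group.groups]
  count      = length(local.sorted-groups)
  name       = local.sorted-groups[count.index].name
}

# LDAP-facing application.  "blank://blank" keeps it out of the user library;
# it is only reachable through the LDAP provider (defined elsewhere).
resource "authentik_application" "dolibarr_application_ldap" {
  name              = "${var.component}-${var.instance}-ldap"
  slug              = "${var.component}-${var.instance}-ldap"
  protocol_provider = authentik_provider_ldap.dolibarr_provider_ldap.id
  meta_launch_url   = "blank://blank"
}

# Passes when the user's merged group attributes contain "<app_name>" set to a
# truthy value.  The key is emitted with jsonencode() so that a component or
# instance name containing a quote or backslash yields a valid Python string
# literal instead of breaking (or escaping) the expression.
resource "authentik_policy_expression" "policy" {
  name       = local.main-group
  expression = <<-EOF
    attr = request.user.group_attributes()
    return attr.get(${jsonencode(local.app_name)}, False)
  EOF
}

# Access to the LDAP application.  policy_engine_mode is not set on the
# application here; NOTE(review): with authentik's default ANY mode each of the
# three bindings below grants access on its own — confirm that is intended.
resource "authentik_policy_binding" "dolibarr_ldap_access_users" {
  target = authentik_application.dolibarr_application_ldap.uuid
  policy = authentik_policy_expression.policy.id
  order  = 0
}

resource "authentik_policy_binding" "dolibarr_ldap_access_ldap" {
  target = authentik_application.dolibarr_application_ldap.uuid
  group  = authentik_group.dolibarr_ldapsearch.id # defined outside this file
  order  = 1
}

resource "authentik_policy_binding" "dolibarr_ldap_access_vynil" {
  target = authentik_application.dolibarr_application_ldap.uuid
  group  = data.authentik_group.vynil-admin.id
  order  = 2
}

# SAML-facing application shown in the user library under var.app_group.
resource "authentik_application" "dolibarr_application_saml" {
  name              = var.instance
  slug              = "${var.component}-${var.instance}"
  group             = var.app_group
  protocol_provider = authentik_provider_saml.dolibarr.id
  meta_launch_url   = format("https://%s.%s", var.sub_domain, var.domain_name)
  meta_icon         = format("https://%s.%s/%s", var.sub_domain, var.domain_name, "theme/dolibarr_256x256_color.png")
}

# One group binding per managed group, ordered like local.sorted-groups.
resource "authentik_policy_binding" "dolibarr_saml_access_users" {
  count  = length(local.sorted-groups)
  target = authentik_application.dolibarr_application_saml.uuid
  group  = authentik_group.groups[count.index].id
  order  = count.index
}

# Admin group binding placed after all group bindings (index length() is
# intentionally left unused; orders only need to be unique, not contiguous).
resource "authentik_policy_binding" "dolibarr_saml_access_vynil" {
  target = authentik_application.dolibarr_application_saml.uuid
  group  = data.authentik_group.vynil-admin.id
  order  = length(local.sorted-groups) + 1
}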