# SAML provider for one application instance in authentik, plus a
# cert-manager Certificate covering that application's SAML host names.
#
# Module inputs (declared elsewhere): instance, component, labels, namespace,
# dns_names, issuer, acs_path, binding, audience, saml_issuer, group_mapping.

locals {
  # "<instance>" when no component is given, otherwise "<instance>-<component>".
  app_slug = var.component == "" ? var.instance : "${var.instance}-${var.component}"

  # Caller-supplied labels with the component label forced on top.
  saml_labels = merge(var.labels, { "app.kubernetes.io/component" = "authentik-saml" })

  # Built-in property mappings requested from authentik. The stock "groups"
  # mapping is only included when no custom group expression is supplied;
  # with a custom expression the "mapping" resource below takes its place.
  # Entry order matches the original lists.
  saml_managed_mappings = concat(
    ["goauthentik.io/providers/saml/email"],
    var.group_mapping == null ? ["goauthentik.io/providers/saml/groups"] : [],
    [
      "goauthentik.io/providers/saml/name",
      "goauthentik.io/providers/saml/upn",
      "goauthentik.io/providers/saml/uid",
      "goauthentik.io/providers/saml/username",
      "goauthentik.io/providers/saml/ms-windowsaccountname",
    ],
  )
}

# Authorization flow with implicit consent: users get no consent prompt before
# their attributes are released to this service provider. Suitable for
# first-party applications; reconsider for third-party SPs.
data "authentik_flow" "default-authorization-flow" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "default-authentication-flow" {
  slug = "default-authentication-flow"
}

data "authentik_property_mapping_saml" "saml_maps" {
  managed_list = local.saml_managed_mappings
}

# Custom group claim, created only when var.group_mapping is set. The
# expression is evaluated by authentik at login time, so var.group_mapping is
# effectively code executing inside the identity provider: review changes to
# it like any other privileged configuration.
resource "authentik_property_mapping_saml" "mapping" {
  count = var.group_mapping == null ? 0 : 1

  friendly_name = "groups"
  name          = "${local.app_slug} Group mapping"
  saml_name     = "http://schemas.xmlsoap.org/claims/Group"
  expression    = var.group_mapping
}

# The NameID sent to the SP comes from the built-in username mapping.
data "authentik_property_mapping_saml" "saml_name" {
  managed = "goauthentik.io/providers/saml/username"
}

# Key pair used to sign assertions for this provider: authentik's self-signed
# default, looked up by display name. NOTE(review): presumably this pair is
# shared by every provider in the instance that references it, so the SP must
# pin exactly this certificate and a rotation in authentik re-keys all of
# them together — confirm against the authentik deployment.
data "authentik_certificate_key_pair" "generated" {
  name = "authentik Self-signed Certificate"
}

# cert-manager Certificate for the application's SAML host names. The TLS
# secret it produces ("<app_slug>-saml") is not referenced by the authentik
# provider in this file (assertions are signed with the key pair above);
# presumably it is consumed on the service-provider side.
resource "kubectl_manifest" "saml_certificate" {
  yaml_body = <<-EOF
    apiVersion: "cert-manager.io/v1"
    kind: "Certificate"
    metadata:
      name: "${local.app_slug}-saml"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.saml_labels)}
    spec:
      secretName: "${local.app_slug}-saml"
      dnsNames: ${jsonencode(var.dns_names)}
      issuerRef:
        name: "${var.issuer}"
        kind: "ClusterIssuer"
        group: "cert-manager.io"
  EOF
}

resource "authentik_provider_saml" "prj" {
  name = "${local.app_slug}-saml"

  authentication_flow = data.authentik_flow.default-authentication-flow.id
  authorization_flow  = data.authentik_flow.default-authorization-flow.id

  # Built from the first DNS name only; var.dns_names must be non-empty.
  # var.acs_path is appended verbatim after a single "/", so a leading slash
  # in acs_path produces "//" in the ACS URL.
  acs_url = "https://${var.dns_names[0]}/${var.acs_path}"

  # Built-in mappings plus the custom group mapping when it exists; the splat
  # is an empty list when count is 0, so concat() leaves the ids untouched.
  property_mappings = concat(
    data.authentik_property_mapping_saml.saml_maps.ids,
    authentik_property_mapping_saml.mapping[*].id,
  )
  name_id_mapping = data.authentik_property_mapping_saml.saml_name.id
  signing_kp      = data.authentik_certificate_key_pair.generated.id

  # Passed through unchanged from module variables.
  sp_binding = var.binding
  audience   = var.audience
  issuer     = var.saml_issuer
}