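/*
 * Copyright © 2020 Atomist, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

import * as iam from "../iam";

/** Arguments for [[ownerRoleBinding]]. */
export interface OwnerRoleBindingArgs {
    /**
     * Owner user accounts.  Each entry is a Google account email
     * address, optionally written in GCP IAM member form
     * (`user:alice@example.com`); the `user:` prefix is stripped before
     * the entry is used as the Kubernetes `User` subject name.
     */
    owners: string[];
    /** Kubernetes provider */
    provider: k8s.Provider;
    /**
     * Options to use when creating the resources. The Kubernetes
     * provider will be automatically set as the provider.
     */
    options?: pulumi.CustomResourceOptions;
}

/**
 * Convert an owner entry to the Kubernetes `User` subject name it will
 * be bound as.
 *
 * Strips an optional `user:` IAM prefix, as the binding always did, and
 * rejects entries that would otherwise be bound as a user that can never
 * authenticate: an empty string, or a member of another IAM type
 * (`group:`, `serviceAccount:`, `domain:`, ...).  A `kind: User` subject
 * never matches those, so the original code silently produced a
 * cluster-admin binding that granted the intended owner nothing; failing
 * here makes the misconfiguration visible at deploy time.
 *
 * @param owner raw entry from [[OwnerRoleBindingArgs.owners]]
 * @returns the subject name
 * @throws Error if the entry cannot be a Kubernetes user name
 */
export function ownerSubjectName(owner: string): string {
    const name = owner.replace(/^user:/, "");
    if (name.length === 0) {
        throw new Error("Owner entry must not be empty");
    }
    // Anything still carrying a `type:` prefix is not a user account.
    if (/^[A-Za-z]+:/.test(name)) {
        throw new Error(
            `Owner entry "${owner}" is not a user account; only users ` +
            `(optionally prefixed with "user:") can be bound as Kubernetes users`,
        );
    }
    return name;
}

/**
 * Bind the built-in `cluster-admin` ClusterRole to every owner.
 *
 * This is the broadest grant Kubernetes offers: each subject listed here
 * can do anything in the cluster, including creating further RBAC
 * bindings for others.  Keep the owner list short and review changes to
 * it.  Subjects are `kind: User`; on GKE a Google account is identified
 * by its email address, which is why an IAM `user:` prefix is stripped.
 *
 * @param args owners, provider and optional resource options
 * @returns the created ClusterRoleBinding
 * @throws Error if an owner entry cannot be a Kubernetes user name
 *   (see [[ownerSubjectName]])
 */
export function ownerRoleBinding(
    args: OwnerRoleBindingArgs,
): k8s.rbac.v1.ClusterRoleBinding {
    // Caller-supplied options may set anything except the provider.
    const k8sOpts: pulumi.CustomResourceOptions = {
        ...args.options,
        provider: args.provider,
    };
    const subjects = args.owners.map(owner => ({
        apiGroup: "rbac.authorization.k8s.io",
        kind: "User",
        name: ownerSubjectName(owner),
    }));
    return new k8s.rbac.v1.ClusterRoleBinding(
        "atomist-admin-cluster-role-binding",
        {
            apiVersion: "rbac.authorization.k8s.io/v1",
            kind: "ClusterRoleBinding",
            roleRef: {
                apiGroup: "rbac.authorization.k8s.io",
                kind: "ClusterRole",
                name: "cluster-admin",
            },
            subjects,
        },
        k8sOpts,
    );
}

/** Arguments for [[createAndAssignDeveloperRole]]. */
export interface CreateAndAssignDeveloperRoleArgs {
    /** GCP project in which the custom role is created and granted */
    gcpProject: string;
    /** Accounts to grant the developer role to */
    userAccounts: iam.UserAccount[];
}

/** Resources created by [[createAndAssignDeveloperRole]]. */
export interface DeveloperRoleResources {
    /** The project-level custom role */
    role: gcp.projects.IAMCustomRole;
    /** One IAM binding per user account, in input order */
    members: gcp.projects.IAMMember[];
}

/**
 * Create a project-level custom IAM role holding only the `container.*`
 * permissions needed to discover a GKE cluster and fetch credentials for
 * it, and grant that role to each user account.
 *
 * Security note: GKE maps `container.*` permissions onto Kubernetes API
 * access, so every permission added to this list widens what these
 * developers can do inside every cluster in the project.  Extend it
 * with care; in-cluster authorization is meant to come from Kubernetes
 * RBAC (compare [[ownerRoleBinding]]).
 *
 * The custom role is pinned to `gcpProject` so it lives in the same
 * project the member bindings are made in.  Previously it fell back to
 * the provider's default project, which could differ from `gcpProject`
 * and leave the bindings referring to a role in another project.
 *
 * @param args project and user accounts
 * @returns the custom role and the per-user bindings, so callers can
 *   depend on them
 */
export function createAndAssignDeveloperRole({
    gcpProject,
    userAccounts,
}: CreateAndAssignDeveloperRoleArgs): DeveloperRoleResources {
    const role = new gcp.projects.IAMCustomRole("atm-k8s-developer-role", {
        project: gcpProject,
        roleId: "atmK8sDeveloperRole",
        title: "Atomist k8s developer role",
        description:
            "Custom role granting the minimum permissions required for developers to connect to k8s clusters",
        permissions: [
            "container.apiServices.get",
            "container.apiServices.list",
            "container.clusters.connect",
            "container.clusters.get",
            "container.clusters.getCredentials",
            "container.clusters.list",
        ],
    });
    const members = userAccounts.map(user =>
        new gcp.projects.IAMMember(
            `atm-k8s-developer-role-${user.accountId}-iam-member`,
            {
                project: gcpProject,
                role: role.id,
                member: user.member,
            },
        ),
    );
    return { role, members };
}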