#!/usr/bin/env bash

# Create the PCA for loggin in to Entra ID
function usage() {
  echo "Usage: $0 [options]"
  echo "Options:"
  echo "  -n, --app-name <name>  Application display name (required)"
  echo "  -h, --help    Show this help message and exit"
}

function main() {
    local APP_NAME=""
    while [[ $# -gt 0 ]]; do
        case "$1" in
            -h|--help)
            usage
            echo "Options:"
            echo "  -h, --help    Show this help message and exit"
            exit 0
            ;;
            -n|--app-name)
            APP_NAME="$2"
            shift 2
            ;;
            -*)
            echo "Unknown option: $1"
            echo "Use -h or --help for usage information."
            exit 1
            ;;
            *) # Leave the rest of the arguments for the script to process
            break
            ;;
        esac
    done

    if [[ -z "$APP_NAME" ]]; then
        echo "Error: Application name is required."
        usage
        exit 1
    fi

    # Find the app by name
    APP_ID=$(az ad app list --display-name "$APP_NAME" --query "[0].appId" -o tsv)
    if [[ -n "$APP_ID" ]]; then
        echo "Error: Application '$APP_NAME' already exists."
        exit 1
    fi

    # Create the app
    APP_ID=$(az ad app create --display-name "$APP_NAME" --query "appId" -o tsv)
    if [[ -z "$APP_ID" ]]; then
        echo "Error: Failed to create application '$APP_NAME'."
        exit 1
    fi

    local M365_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
    local M365_GRAPH_SCOPE_ID="0e263e50-5827-48a4-b97c-d940288653c7"
    local AZURE_SERVICE_MGMT_APP_ID="797f4846-ba00-4fd7-ba43-dac1f8f63013"
    local AZURE_SERVICE_MGMT_SCOPE_ID="41094075-9dad-400e-a0bd-54e686782033"
    local AZURE_DEVOPS_APP_ID="499b84ac-1321-427f-aa17-267ca6975798"
    local AZURE_DEVOPS_SCOPE_ID="ee69721e-6c3a-468f-a9ec-302d16a4c599"

    local REQUIRED_RESOURCE_ACCESS_JSON
    REQUIRED_RESOURCE_ACCESS_JSON=$(cat <<EOF
[
  {
    "resourceAppId": "${M365_GRAPH_APP_ID}",
    "resourceAccess": [
      {
        "id": "${M365_GRAPH_SCOPE_ID}",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "${AZURE_DEVOPS_APP_ID}",
    "resourceAccess": [
      {
        "id": "${AZURE_DEVOPS_SCOPE_ID}",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "${AZURE_SERVICE_MGMT_APP_ID}",
    "resourceAccess": [
      {
        "id": "${AZURE_SERVICE_MGMT_SCOPE_ID}",
        "type": "Scope"
      }
    ]
  }
]
EOF
)

    local PUBLIC_CLIENT_REDIRECT_URIS_JSON
    PUBLIC_CLIENT_REDIRECT_URIS_JSON=$(cat <<EOF
[
  "http://localhost",
  "msal${APP_ID}://auth"
]
EOF
)

    # Configure app to match "Azure Node Playground Public".
    az ad app update \
      --id "$APP_ID" \
      --set signInAudience=AzureADMyOrg \
            isFallbackPublicClient=true \
            requiredResourceAccess="$REQUIRED_RESOURCE_ACCESS_JSON" \
            publicClient.redirectUris="$PUBLIC_CLIENT_REDIRECT_URIS_JSON" \
            web.implicitGrantSettings.enableAccessTokenIssuance=true \
            web.implicitGrantSettings.enableIdTokenIssuance=true \
      1>/dev/null

    # Ensure service principal exists before granting tenant-wide admin consent.
    az ad sp create --id "$APP_ID" 1>/dev/null 2>/dev/null || true

    # Grant admin consent for configured delegated permissions.
    az ad app permission admin-consent --id "$APP_ID" 1>/dev/null
    if [[ $? -ne 0 ]]; then
      echo "Error: Failed to grant admin consent for '$APP_NAME' ($APP_ID)."
      exit 1
    fi

    echo "Created application '$APP_NAME'"
    echo "appId: $APP_ID"
}

main "$@"