#!/bin/sh
export TEXTDOMAINDIR='/usr/share/locale'
export TEXTDOMAIN='podsec-k8s-rbac'

cmdname=$(basename $0)
. podsec-k8s-rbac-functions

if [ $# -lt 4 -o $# -gt 5 ]
then
  echo -ne "$(gettext 'Format':)\n$cmdname $(gettext 'username') role|clusterrole|role=clusterrole $(gettext 'role') $(gettext 'role_bundle_name') [namespace]" >&2
  exit 1
fi

user=$1
bindedRoleType=$2
roleName=$3
bindName=$4
namespace=
if [ $# -eq 5 ]
then
  namespace="-n $5"
fi

isSystem=
if [ ${user:0:7} = 'system:' ]
then
  user=${user:7}
  isSystem=1
fi

if [ -z "$isSystem" -a ! -d /home/$user  ]
then
  echo -ne "$(gettext 'User') $user $(gettext 'does not exist')" >&2
  exit 1
fi

case $bindedRoleType in
  role|clusterrole) roleType=$bindedRoleType;
    break;;
  role=clusterrole)
    roleType="role"
    bindedRoleType='clusterrole'
    break;;
  *)
    echo "$(gettext 'Invalid cluster role type') $bindedRoleType" >&2
    echo -ne "$(gettext 'Format':)\n$cmdname $(gettext 'username') role|clusterrole|role=clusterrole $(gettext 'role') $(gettext 'role_bundle_name') [namespace]" >&2
    exit 1
esac

if [ -n "$namespace" -a "$roleType" == 'clusterrole' ]
then
  echo "$(gettext 'namespace is not applicable to cluster role')" >&2
  exit 1
fi

if [ -z "$namespace" -a  "$roleType" == 'role' ]
then
   echo "$(gettext 'When binding a regular role, you must specify a namespace')"  >&2
  exit 1
fi

if ! kubectl $namespace get ${bindedRoleType} $roleName >/dev/null 2>&1
then
  if [ "$roleType" == 'clusterrole' ]
  then
    roleTxt="$(gettext 'Cluster role')"
  else
    roleTxt="$(gettext 'Role')"
  fi
  echo "$roleTxt '$roleName' $(gettext 'absent')" >&2
  exit 1
fi

TMPFILE="/tmp/$cmdname.$$"
# Сформировать шаблон манифеста создания rolebinging
kubectl $namespace create ${roleType}binding $bindName --$bindedRoleType=$roleName --user=$user --dry-run=client -o json > $TMPFILE
# Выделить subjects из шаблона
templateSubject=$(jq '.subjects[]' $TMPFILE)
# rolebinging уже существует?
if currentBR="$(kubectl $namespace get ${roleType}binding $bindName -o json 2>/dev/null)"
then
  # Добавить templateSubject к существующему rolebinging
  subjects=$(echo $currentBR | jq ".subjects | unique | .[length]=$templateSubject | unique")
  echo $currentBR | jq ".subjects=$subjects" | kubectl $namespace apply -f -
else
  # Применить rolebinging из шаблона
  kubectl $namespace apply -f $TMPFILE
fi
rm -f $TMPFILE

