#!/bin/bash

set -eu

file_env() {
   local var="$1"
   local fileVar="${var}_FILE"
   local def="${2:-}"

   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
      exit 1
   fi
   local val="$def"
   if [ "${!var:-}" ]; then
      val="${!var}"
   elif [ "${!fileVar:-}" ]; then
      val="$(< "${!fileVar}")"
   fi
   export "$var"="$val"
   unset "$fileVar"
}

file_env "PASSWORD"

{{ if eq (env "OIDC_ENABLED") "1" }}
echo 'auth-openid=1' >> /etc/rstudio/rserver.conf
echo 'auth-openid-issuer={{ env "OIDC_ISSUER_URL"}}' >> /etc/rstudio/rserver.conf
echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.conf
{{ end }}

{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
apt install -y libpam-script
mkdir -p /opt/pam-exec-oauth2/
wget https://github.com/WASHNote/pam-exec-oauth2/releases/download/v0.0.1/pam-exec-oauth2 -O /opt/pam-exec-oauth2/pam-exec-oauth2
chmod +x /opt/pam-exec-oauth2/pam-exec-oauth2
echo 'auth requisite pam_exec.so log=/tmp/pam_exec.log expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2 --verbose' > /etc/pam.d/common-auth
echo 'auth requisite pam_script.so' >> /etc/pam.d/common-auth
{{ end }}

exec "$@"