#!/usr/bin/env bash
#
# group-list.sh — List Authentik groups
#
# Usage: group-list.sh [-f format] [-s search] [-a instance]
#
# Options:
#   -f format     Output format: table (default), json
#   -s search     Search by group name
#   -a instance   Authentik instance name (e.g. usc, mosaic)
#   -h            Show this help
set -euo pipefail

MOSAIC_HOME="${MOSAIC_HOME:-$HOME/.config/mosaic}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$MOSAIC_HOME/tools/_lib/credentials.sh"

FORMAT="table"
SEARCH=""
AK_INSTANCE=""

while getopts "f:s:a:h" opt; do
  case $opt in
    f) FORMAT="$OPTARG" ;;
    s) SEARCH="$OPTARG" ;;
    a) AK_INSTANCE="$OPTARG" ;;
    h) head -13 "$0" | grep "^#" | sed 's/^# \?//'; exit 0 ;;
    *) echo "Usage: $0 [-f format] [-s search] [-a instance]" >&2; exit 1 ;;
  esac
done

if [[ -n "$AK_INSTANCE" ]]; then
  load_credentials "authentik-${AK_INSTANCE}"
else
  load_credentials authentik
fi

TOKEN=$("$SCRIPT_DIR/auth-token.sh" -q ${AK_INSTANCE:+-a "$AK_INSTANCE"})

PARAMS="ordering=name"
[[ -n "$SEARCH" ]] && PARAMS="${PARAMS}&search=${SEARCH}"

response=$(curl -sk -w "\n%{http_code}" \
  -H "Authorization: Bearer $TOKEN" \
  "${AUTHENTIK_URL}/api/v3/core/groups/?${PARAMS}")

http_code=$(echo "$response" | tail -n1)
body=$(echo "$response" | sed '$d')

if [[ "$http_code" != "200" ]]; then
  echo "Error: Failed to list groups (HTTP $http_code)" >&2
  exit 1
fi

if [[ "$FORMAT" == "json" ]]; then
  echo "$body" | jq '.results'
  exit 0
fi

echo "NAME                          PK                                    MEMBERS  SUPERUSER"
echo "----------------------------  ------------------------------------  -------  ---------"
echo "$body" | jq -r '.results[] | [
  .name,
  .pk,
  (.users | length | tostring),
  (if .is_superuser then "yes" else "no" end)
] | @tsv' | while IFS=$'\t' read -r name pk members superuser; do
  printf "%-28s  %-36s  %-7s  %s\n" "${name:0:28}" "$pk" "$members" "$superuser"
done