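package bootstrap

import (
	"fmt"
	"log/slog"
	"os"
	"strings"

	"baron-sso-backend/internal/domain"
)

// SeedAdminIdentity creates the initial admin identity in the configured IDP.
//
// The admin credentials are read from the process environment:
//   - ADMIN_EMAIL: required; surrounding whitespace is trimmed.
//   - ADMIN_PASSWORD: required; passed to the IDP verbatim (not trimmed, since
//     leading/trailing whitespace may be part of the secret).
//   - ADMIN_NAME: optional; defaults to "System Admin".
//
// The seed is a best-effort, idempotent bootstrap step. It returns nil when no
// IDP is configured, when a required variable is unset, or when the IDP reports
// that the user already exists. Any other IDP error is returned, wrapped with
// the admin email for context. This function never logs the password.
//
// NOTE(review): the secret is sourced from the environment; confirm the
// deployment does not persist it in image layers, shell history or log output.
func SeedAdminIdentity(idp domain.IdentityProvider) error {
	if idp == nil {
		return nil
	}

	adminEmail := strings.TrimSpace(os.Getenv("ADMIN_EMAIL"))
	adminPassword := os.Getenv("ADMIN_PASSWORD")
	if adminEmail == "" || adminPassword == "" {
		slog.Warn("[Bootstrap] ADMIN_EMAIL or ADMIN_PASSWORD not set. Skipping admin identity seed.")
		return nil
	}

	adminName := strings.TrimSpace(os.Getenv("ADMIN_NAME"))
	if adminName == "" {
		adminName = "System Admin"
	}

	user := &domain.BrokerUser{
		Email:       adminEmail,
		Name:        adminName,
		PhoneNumber: "",
		Attributes: map[string]any{
			"department":      "Admin",
			"affiliationType": "internal",
			"companyCode":     "",
			"grade":           "admin",
		},
	}

	if _, err := idp.CreateUser(user, adminPassword); err != nil {
		// Idempotency is detected by matching the IDP's error text because no
		// typed "already exists" error is in scope here. NOTE(review): a sentinel
		// error from the domain package checked with errors.Is would be more
		// robust than this substring match, which is case-sensitive and depends
		// on the IDP's wording.
		if strings.Contains(err.Error(), "already exists") {
			slog.Info("[Bootstrap] Admin identity already exists in IDP", "email", adminEmail)
			return nil
		}
		return fmt.Errorf("seeding admin identity %q: %w", adminEmail, err)
	}

	slog.Info("[Bootstrap] Admin identity created in IDP", "email", adminEmail, "idp", idp.Name())
	return nil
}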