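{{- /*
Renders the Secrets backing one authentik Application.

  1. An optional credentials Secret (`.Values.secret.name`, default: the chart
     fullname).  It holds values the chart has to invent when they are not
     supplied in values: the PolicyBinding pk (`bindPolicyID`) and, for an OIDC
     provider, `clientID`/`clientSecret`.  Existing values are read back with
     `lookup` so a `helm upgrade` keeps the credentials stable.
  2. The blueprint Secret (`<fullname>-blueprint`) with the authentik blueprint
     that creates the provider, the Application, the group(s) and the
     PolicyBinding(s).

Variables declared at file scope so both documents see the same resolved values.
*/}}
{{- $clientID := .Values.blueprint.provider.oidc.clientID }}
{{- $clientSecret := .Values.blueprint.provider.oidc.clientSecret }}
{{- $bindPolicyID := .Values.blueprint.application.bindPolicyID }}
{{- /*
The credentials Secret is needed when
  - the provider is an enabled OIDC provider and at least one of clientID /
    clientSecret is not set in values (each missing one is generated
    independently below; requiring *both* to be missing left `client_secret: ""`
    in the blueprint when only clientID was supplied), or
  - no bindPolicyID is given and no explicit groups are configured, so the
    default "app: <slug>" binding needs a generated pk.
*/}}
{{- if or (and .Values.blueprint.provider.enabled (eq .Values.blueprint.provider.type "oidc") (or (not $clientID) (not $clientSecret))) (and (not $bindPolicyID) (eq (len .Values.blueprint.groups) 0)) }}
---
{{- $secretName := .Values.secret.name | default (include "authentik-application.fullname" .) }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  labels:
    {{- include "authentik-application.labels" . | nindent 4 }}
    {{- with .Values.secret.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
stringData:
  {{- /*
  Re-read the live Secret so previously generated values are reused instead of
  rotated on every upgrade.  `lookup` yields nothing on `helm template` /
  `--dry-run`, so fresh values are generated there.  `.data` is base64-encoded,
  hence the b64enc/b64dec round-trip.  A value set in values.yaml always wins
  over the stored one.
  */}}
  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
  {{- $secretData := (get $secretObj "data") | default dict }}
  {{- $bindPolicyIDCoded := (get $secretData "bindPolicyID") | default (uuidv4 | b64enc) }}
  {{- $bindPolicyID = $bindPolicyID | default ($bindPolicyIDCoded | b64dec) }}
  bindPolicyID: {{ $bindPolicyID | quote }}
  {{- if .Values.blueprint.provider.enabled }}
  issuerURL: {{ print .Values.blueprint.authentik.domain "/application/o/" .Values.blueprint.application.slug "/" }}
  {{- with .Values.blueprint.provider.oidc }}
  {{- /* Generated independently: a user-supplied clientID may be paired with a generated clientSecret. */}}
  {{- $clientIDCoded := (get $secretData "clientID") | default (randAlphaNum 32 | b64enc) }}
  {{- $clientID = $clientID | default ($clientIDCoded | b64dec) }}
  clientID: {{ $clientID | quote }}
  {{- $clientSecretCoded := (get $secretData "clientSecret") | default (randAlphaNum 32 | b64enc) }}
  {{- $clientSecret = $clientSecret | default ($clientSecretCoded | b64dec) }}
  clientSecret: {{ $clientSecret | quote }}
  {{- /* The remaining keys mirror the OIDC settings so a consumer of the Secret does not need the chart values. */}}
  redirectURL: {{ .redirectURL }}
  {{- with .tokenDuration }}
  tokenDuration: {{ . | quote }}
  {{- end }}
  {{- with .scopes }}
  customScopes: {{ . | join "," | quote }}
  {{- end }}
  {{- with .claimUsername }}
  claimUsername: {{ . | quote }}
  {{- end }}
  {{- with .claimGroups }}
  claimGroups: {{ . | quote }}
  {{- end }}
  {{- end }}{{/* with provider.oidc */}}
  {{- end }}{{/* if provider.enabled */}}
{{- end }}{{/* if credentials Secret needed */}}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "authentik-application.fullname" . }}-blueprint
  labels:
    {{- include "authentik-application.labels" . | nindent 4 }}
    {{- with .Values.blueprint.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
stringData:
  blueprint.yaml: |-
    version: 1
    metadata:
      name: {{ include "authentik-application.fullname" . }}
    entries:
      {{- if .Values.blueprint.provider.enabled }}
      {{- if (eq .Values.blueprint.provider.type "oidc") }}
      - model: authentik_providers_oauth2.OAuth2Provider
        id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
        identifiers:
          name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
        state: present
        attrs:
          authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
          {{- with .Values.blueprint.provider.oidc }}
          client_type: {{ .clientType | quote }}
          {{- /* $clientID / $clientSecret were resolved (values, stored Secret, or generated) above. */}}
          client_id: {{ $clientID | quote }}
          client_secret: {{ $clientSecret | quote }}
          redirect_uris: {{ .redirectURL }}
          {{- with .tokenDuration }}
          access_token_validity: {{ . | quote }}
          {{- end }}
          {{- with .signingKey }}
          signing_key: !Find [authentik_crypto.CertificateKeyPair, [name, {{ . }}]]
          {{- end }}
          {{- with .scopes }}
          property_mappings:
            {{- range . }}
            - !Find [authentik_providers_oauth2.ScopeMapping, [scope_name, {{ . }}]]
            {{- end }}
          {{- end }}
          {{- end }}{{/* with provider.oidc */}}
      {{- end }}{{/* if oidc */}}
      {{- if (eq .Values.blueprint.provider.type "proxy") }}
      - model: authentik_providers_proxy.ProxyProvider
        id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
        identifiers:
          name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
        state: present
        attrs:
          authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
          mode: "forward_single"
          {{- with .Values.blueprint.provider.proxy }}
          external_host: {{ .externalHost | quote }}
          skip_path_regex: {{ .skipPathRegex | quote }}
          cookie_domain: {{ .cookieDomain | quote }}
          {{- end }}{{/* with provider.proxy */}}
      {{- end }}{{/* if proxy */}}
      {{- end }}{{/* if provider.enabled */}}
      - model: authentik_core.Application
        id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
        identifiers:
          slug: {{ .Values.blueprint.application.slug }}
        state: present
        attrs:
          name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
          slug: {{ .Values.blueprint.application.slug }}
          {{- if .Values.blueprint.provider.enabled }}
          provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
          {{- end }}
          policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
          {{- with .Values.blueprint.application.group }}
          group: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.launchURL }}
          meta_launch_url: {{ . | quote }}
          {{- end }}
          open_in_new_tab: {{ toYaml .Values.blueprint.application.openInNewTab }}
          {{- with .Values.blueprint.application.icon }}
          icon: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.description }}
          meta_description: {{ . | quote }}
          {{- end }}
          {{- with .Values.blueprint.application.publisher }}
          meta_publisher: {{ . | quote }}
          {{- end }}
      {{- /*
      No explicit groups: create a per-application group "app: <slug>" and bind
      it to the Application.  The binding pk comes from the credentials Secret
      above so it stays stable across upgrades.
      */}}
      {{- if (eq (len .Values.blueprint.groups) 0) }}
      - model: authentik_core.group
        id: "app: {{ .Values.blueprint.application.slug }}"
        identifiers:
          name: "app: {{ .Values.blueprint.application.slug }}"
        state: "present"
        attrs:
          name: "app: {{ .Values.blueprint.application.slug }}"
      - model: authentik_policies.PolicyBinding
        id: {{ printf "%s-app-%s" (include "authentik-application.fullname" .) .Values.blueprint.application.slug | quote }}
        identifiers:
          pk: {{ $bindPolicyID | quote }}
        attrs:
          group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
          order: 10
          target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
      {{- end }}
      {{- /*
      Explicit groups: one group + one binding per entry.  Inside the range `.`
      is the group, so the release context is reached via `$`.
      NOTE(review): each entry is expected to carry its own `bindID`; an entry
      without one renders `pk: ""` — confirm values.yaml requires it.
      */}}
      {{- range $group := .Values.blueprint.groups }}
      - model: authentik_core.group
        id: {{ $group.slug | quote }}
        identifiers:
          name: {{ $group.slug | quote }}
        state: {{ $group.state | default "present" | quote }}
        attrs:
          name: {{ $group.slug | quote }}
          {{- with $group.parent }}
          parent: !Find [authentik_core.group, [name, {{ . | quote }}]]
          {{- else }}
          parent: null
          {{- end }}
      - model: authentik_policies.PolicyBinding
        id: {{ printf "%s-app-%s" (include "authentik-application.fullname" $) $group.slug | quote }}
        identifiers:
          pk: {{ $group.bindID | quote }}
        attrs:
          group: !KeyOf {{ $group.slug | quote }}
          order: 10
          target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
      {{- end }}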