#!/bin/bash
# Onboard a marketer: add to deny-policy group + grant per-project BigQuery access.
#
# Usage:
#   ./add-marketer.sh <marketer-email> <project>[:<dataset1>,<dataset2>,...] [...]
#
# Examples:
#   # Full project access (dataViewer on all datasets):
#   ./add-marketer.sh amber@aimclear.com tonies-dynamic-landing client-amsoil-dealer-pages
#
#   # Dataset-scoped access (dataViewer on specific datasets only):
#   ./add-marketer.sh amber@aimclear.com tonies-dynamic-landing:ga4_data,search_console
#
#   # Mix: scoped on one project, full on another:
#   ./add-marketer.sh amber@aimclear.com tonies-dynamic-landing:ga4_data client-amsoil-dealer-pages
#
# Notes:
#   - bigquery.jobUser and mcp.toolUser are always granted at the project level
#     (required to run queries and use the MCP regardless of dataset scoping)
#   - bigquery.dataViewer is granted at the project level when no datasets are
#     specified, or at the individual dataset level when datasets are listed
#   - Dataset-scoped dataViewer means the marketer can only read those datasets;
#     listing other datasets in the project will return permission denied
#
# Prerequisites:
#   - An IAM Deny Policy must already exist at the folder or org level that
#     targets the marketers@aimclear.com group and denies write-capable MCP
#     permissions. This script adds the marketer to that group — if the deny
#     policy doesn't exist, the group membership has no protective effect.
#   - Run on a machine with an account that has:
#       roles/iam.securityAdmin on each target project
#       Google Workspace Admin access (for group membership)

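set -euo pipefail

# Print usage to stderr and exit non-zero. The original wrote it to stdout,
# where it could be mistaken for normal output when the script is piped.
usage() {
  echo "Usage: $0 <marketer-email> <project>[:<dataset1>,<dataset2>,...] [...]" >&2
  exit 1
}

# Positional args: <marketer-email> then one or more <project>[:<datasets>] specs.
MARKETER="${1:-}"
shift || true
PROJECT_ARGS=("$@")

if [[ -z "$MARKETER" || ${#PROJECT_ARGS[@]} -eq 0 ]]; then
  usage
fi

# Every binding below is written as "user:$MARKETER" verbatim, so a mistyped or
# non-email principal would be granted as-is; fail closed on the obvious cases.
if [[ "$MARKETER" != *@*.* || "$MARKETER" == *[[:space:]]* ]]; then
  echo "Error: '$MARKETER' does not look like an email address" >&2
  usage
fi

# Group the org-level IAM deny policy is expected to target (see header).
readonly DENY_GROUP="marketers@aimclear.com"

echo "=== Onboarding $MARKETER ==="
echo ""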

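# ── Deny policy sanity check ───────────────────────────────────────────────────
# Best-effort probe: under "set -e -o pipefail" a failing gcloud call inside a
# $(...) assignment would abort the whole script, so each lookup ends in
# "|| true" and an empty result is handled explicitly below.

# Ask the operator before continuing without deny-policy coverage; exits on "no".
confirm_or_abort() {
  local confirm
  read -r -p "Continue anyway? [y/N] " confirm
  if [[ "${confirm,,}" != "y" ]]; then
    echo "Aborted."
    exit 1
  fi
}

echo "Checking for deny policy at org level..."
ORG_ID=$(gcloud organizations list --format="value(ID)" 2>/dev/null | head -1 || true)

if [[ -z "$ORG_ID" ]]; then
  echo "⚠ Could not determine org ID — skipping deny policy check."
  echo "  Ensure a deny policy targeting $DENY_GROUP exists before proceeding."
else
  DENY_ATTACHMENT="cloudresourcemanager.googleapis.com/organizations/$ORG_ID"

  # Count from a captured variable rather than "| wc -l || echo 0": with pipefail
  # a failed gcloud made that emit "0" twice, which then broke the numeric test.
  DENY_POLICY_NAMES=$(gcloud iam deny-policies list \
    --attachment-point="$DENY_ATTACHMENT" \
    --format="value(name)" 2>/dev/null || true)
  DENY_POLICY_COUNT=$(printf '%s\n' "$DENY_POLICY_NAMES" | grep -c . || true)

  if [[ "$DENY_POLICY_COUNT" -eq 0 ]]; then
    echo ""
    echo "⚠ WARNING: No IAM deny policies found at org $ORG_ID."
    echo "  Adding $MARKETER to $DENY_GROUP will have no protective effect"
    echo "  until a deny policy targeting that group is created."
    echo "  Contact Tim E to set up the deny policy before proceeding."
    echo ""
    confirm_or_abort
  # A policy merely existing is not enough — one of them has to name the marketers
  # group as a denied principal (deny policies refer to groups as
  # principalSet://goog/group/<email>). A count alone passes on an unrelated policy.
  elif gcloud iam deny-policies list --attachment-point="$DENY_ATTACHMENT" \
      --format=json 2>/dev/null | grep -qF -- "principalSet://goog/group/$DENY_GROUP"; then
    echo "✓ Found $DENY_POLICY_COUNT deny policy/policies at org level; one targets $DENY_GROUP"
  else
    echo ""
    echo "⚠ WARNING: $DENY_POLICY_COUNT deny policy/policies found at org $ORG_ID,"
    echo "  but none of them lists $DENY_GROUP as a denied principal."
    echo "  (A policy attached at a folder rather than the org is not checked here.)"
    echo "  Verify coverage with your org admin before proceeding."
    echo ""
    confirm_or_abort
  fi
fi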

echo ""

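# ── Add to deny-policy group ───────────────────────────────────────────────────
# Group membership is what brings the marketer under the deny policy, so the
# BigQuery grants that follow are only safe once it holds. Keep stderr instead
# of discarding it: a genuine failure (no Workspace admin rights, mistyped email)
# must not be reported the same way as "already a member".
echo "Adding to $DENY_GROUP (deny policy coverage)..."
GROUP_ADD_RC=0
GROUP_ADD_ERR=$(gcloud identity groups memberships add \
  --group-email="$DENY_GROUP" \
  --member-email="$MARKETER" \
  2>&1 >/dev/null) || GROUP_ADD_RC=$?

if (( GROUP_ADD_RC == 0 )); then
  echo "✓ Added to group"
# The add failed — confirm membership directly before treating that as benign.
elif gcloud identity groups memberships list --group-email="$DENY_GROUP" \
    --format="value(preferredMemberKey.id)" 2>/dev/null | grep -qixF -- "$MARKETER"; then
  echo "✓ Already a member of $DENY_GROUP"
else
  echo "⚠ Group add failed and $MARKETER is NOT a member of $DENY_GROUP:"
  printf '    %s\n' "$GROUP_ADD_ERR"
  echo "  Without group membership the deny policy does not apply to this user."
  echo "  Fix the membership in Workspace Admin, then re-run this script."
  read -r -p "Grant BigQuery access anyway (not recommended)? [y/N] " CONFIRM
  if [[ "${CONFIRM,,}" != "y" ]]; then
    echo "Aborted."
    exit 1
  fi
fi

echo ""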

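# ── Grant access per project ───────────────────────────────────────────────────

# Split "<project>[:<ds1>,<ds2>]" into the globals PROJECT and DATASETS_STR
# (DATASETS_STR is empty when no ':' is present). Tests for the separator
# explicitly; comparing the two halves (the old approach) misread "proj:proj"
# as "no datasets" and granted project-wide dataViewer.
# Arguments: $1 - one <project>[:<datasets>] spec
parse_project_arg() {
  local arg=$1
  if [[ "$arg" == *:* ]]; then
    PROJECT="${arg%%:*}"
    DATASETS_STR="${arg#*:}"
  else
    PROJECT="$arg"
    DATASETS_STR=""
  fi
}

# Validate every spec before touching IAM so a bad argument cannot leave an
# earlier project granted and a later one not. Fail closed on anything odd:
# "proj:" would otherwise silently widen to project-level dataViewer, and an
# empty list entry ("a,,b") would be passed to bq as "proj:".
for ARG in "${PROJECT_ARGS[@]}"; do
  parse_project_arg "$ARG"
  if [[ -z "$PROJECT" ]]; then
    echo "Error: missing project in '$ARG'" >&2
    exit 1
  fi
  if [[ "$ARG" == *:* && -z "$DATASETS_STR" ]]; then
    echo "Error: '$ARG' has a ':' but no datasets — omit the ':' for full-project access" >&2
    exit 1
  fi
  if [[ -n "$DATASETS_STR" ]]; then
    IFS=',' read -ra DATASETS <<< "$DATASETS_STR"
    for DATASET in "${DATASETS[@]}"; do
      # BigQuery dataset IDs are letters, digits and underscores only.
      if [[ ! "$DATASET" =~ ^[A-Za-z0-9_]+$ ]]; then
        echo "Error: invalid dataset name '$DATASET' in '$ARG'" >&2
        exit 1
      fi
    done
  fi
done

for ARG in "${PROJECT_ARGS[@]}"; do
  parse_project_arg "$ARG"
  echo "Project: $PROJECT"

  # jobUser and mcp.toolUser always at the project level
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="user:$MARKETER" --role="roles/bigquery.jobUser" --quiet
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="user:$MARKETER" --role="roles/mcp.toolUser" --quiet
  echo "  ✓ bigquery.jobUser + mcp.toolUser granted at project level"

  if [[ -z "$DATASETS_STR" ]]; then
    # No datasets specified — grant dataViewer at the project level
    gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="user:$MARKETER" --role="roles/bigquery.dataViewer" --quiet
    echo "  ✓ bigquery.dataViewer granted at project level (all datasets)"
  else
    # Datasets specified — grant dataViewer at each dataset level only
    IFS=',' read -ra DATASETS <<< "$DATASETS_STR"
    for DATASET in "${DATASETS[@]}"; do
      bq add-iam-policy-binding \
        --member="user:$MARKETER" \
        --role="roles/bigquery.dataViewer" \
        "${PROJECT}:${DATASET}"
      echo "  ✓ bigquery.dataViewer granted on dataset: $DATASET"
    done
  fi

  echo ""
done

# ── Summary ────────────────────────────────────────────────────────────────────
# Uses the same split rule as the grant loop so the report matches what was
# actually granted.
echo "=== Done ==="
echo "$MARKETER onboarded with the following access:"
for ARG in "${PROJECT_ARGS[@]}"; do
  parse_project_arg "$ARG"
  if [[ -z "$DATASETS_STR" ]]; then
    echo "  $PROJECT — all datasets"
  else
    echo "  $PROJECT — datasets: $DATASETS_STR"
  fi
done
echo ""
echo "Next step for the marketer: run the install script for their OS"
echo "  Mac:     marketer-pipeline-setup-mac.sh"
echo "  Windows: marketer-pipeline-setup-windows.ps1"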
