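#!/bin/bash
# Offboard a marketer: remove per-project IAM bindings + remove from deny-policy group.
#
# Usage:
#   ./remove-marketer.sh <marketer-email> <project-id> [project-id ...]
#
# Example:
#   ./remove-marketer.sh amber@aimclear.com tonies-dynamic-landing client-amsoil-dealer-pages
#
# What this does per project:
#   - Removes bigquery.jobUser at project level
#   - Removes mcp.toolUser at project level
#   - Removes bigquery.dataViewer at project level (if present)
#   - Warns about any OTHER project-level role the marketer still holds (left in place —
#     review those deliberately, they are outside this script's remit)
#   - Scans all datasets in the project and removes EVERY dataset-level role held by the
#     marketer (dataViewer, dataEditor, dataOwner, ...), not just dataViewer
#   - Removes the marketer from marketers@aimclear.com (deny policy group)
#
# Exit status: 0 only if every listing and removal step succeeded. Any step that could not
# be verified or performed is reported as a warning and the script exits non-zero, so an
# incomplete offboarding is never reported as a clean "Done".
#
# Prerequisites:
#   - Run on a machine with an account that has:
#       roles/iam.securityAdmin on each target project
#       Google Workspace Admin access (for group membership)

set -euo pipefail

readonly DENY_GROUP="marketers@aimclear.com"
# Project-level roles this script is responsible for removing.
readonly PROJECT_ROLES=(roles/bigquery.jobUser roles/mcp.toolUser roles/bigquery.dataViewer)

# Count of steps that failed or could not be verified; used as the final exit status.
FAILURES=0

usage() {
  printf 'Usage: %s <marketer-email> <project-id> [project-id ...]\n' "$0" >&2
  exit 1
}

# Report a failed/unverifiable step on stderr and remember it for the exit status.
# Must be called from the main shell (not inside a $(...) subshell) for the counter
# to take effect.
warn() {
  printf '  ⚠ %s\n' "$*" >&2
  FAILURES=$((FAILURES + 1))
}

#######################################
# Print the roles bound directly to user:$MARKETER at project level, one per line.
# The member comparison is done in bash (case-insensitive, exact) rather than by
# interpolating the email into a gcloud --filter expression.
# Arguments: $1 - project id
# Returns:   non-zero if the IAM policy could not be read
#######################################
project_roles_for_member() {
  local project=$1 role member
  gcloud projects get-iam-policy "$project" \
      --flatten="bindings[].members" \
      --format="value(bindings.role,bindings.members)" </dev/null \
    | while IFS=$'\t' read -r role member; do
        # 'if' (not '&&') so a non-matching last line does not make the pipeline fail.
        if [[ "${member,,}" == "user:${MARKETER,,}" ]]; then
          printf '%s\n' "$role"
        fi
      done
}

#######################################
# Print the dataset ids of a project, one per line.
# --max_results raises bq's default page size so large projects are not silently
# truncated; an empty bq response (no datasets) is treated as an empty list.
# Arguments: $1 - project id
# Returns:   non-zero if the listing failed (e.g. no permission)
#######################################
list_datasets() {
  local project=$1
  bq ls --project_id="$project" --max_results=100000 --format=prettyjson </dev/null \
    | python3 -c '
import sys, json
raw = sys.stdin.read().strip()
for r in (json.loads(raw) if raw else []):
    print(r["datasetReference"]["datasetId"])
'
}

#######################################
# Print every role bound to user:$MARKETER in a dataset IAM policy, one per line.
# The email is passed to python as an argument, never spliced into the source.
# Arguments: $1 - dataset reference in PROJECT:DATASET form
# Returns:   non-zero if the policy could not be read
#######################################
dataset_roles_for_member() {
  local dataset_ref=$1
  bq get-iam-policy "$dataset_ref" --format=prettyjson </dev/null \
    | python3 -c '
import sys, json
member = "user:" + sys.argv[1].lower()
policy = json.load(sys.stdin)
for b in policy.get("bindings", []):
    if member in (m.lower() for m in b.get("members", [])):
        print(b["role"])
' "$MARKETER"
}

MARKETER="${1:-}"
shift || true
PROJECTS=("$@")

if [[ -z "$MARKETER" || ${#PROJECTS[@]} -eq 0 ]]; then
  usage
fi
# Light sanity check: the value is used verbatim as an IAM member id.
if [[ "$MARKETER" != ?*@?*.?* || "$MARKETER" == *[[:space:]]* ]]; then
  printf 'error: "%s" does not look like an email address\n' "$MARKETER" >&2
  usage
fi

echo "=== Offboarding $MARKETER ==="
echo ""

# ── Remove IAM bindings per project ───────────────────────────────────────────
for PROJECT in "${PROJECTS[@]}"; do
  echo "Project: $PROJECT"

  # Project-level roles: read the policy once, then act on each managed role.
  if held_roles=$(project_roles_for_member "$PROJECT"); then
    for ROLE in "${PROJECT_ROLES[@]}"; do
      if grep -Fxq -- "$ROLE" <<< "$held_roles"; then
        if gcloud projects remove-iam-policy-binding "$PROJECT" \
             --member="user:$MARKETER" --role="$ROLE" --quiet </dev/null; then
          echo "  ✓ Removed $ROLE at project level"
        else
          warn "failed to remove $ROLE at project level"
        fi
      else
        echo "  — $ROLE not present at project level (skipping)"
      fi
    done
    # Surface any other project-level role so it is not forgotten; not removed here.
    while IFS= read -r ROLE; do
      [[ -n "$ROLE" ]] || continue
      case " ${PROJECT_ROLES[*]} " in
        *" $ROLE "*) ;;
        *) warn "still holds $ROLE at project level — not removed by this script, review manually" ;;
      esac
    done <<< "$held_roles"
  else
    warn "could not read the IAM policy of $PROJECT — project-level roles NOT removed"
  fi

  # Dataset-level bindings — scan all datasets in the project
  echo "  Scanning datasets for dataset-level bindings..."
  if ! DATASETS=$(list_datasets "$PROJECT"); then
    warn "could not list datasets in $PROJECT (insufficient permission?) — dataset-level bindings NOT checked"
  elif [[ -z "$DATASETS" ]]; then
    echo "  — No datasets in project"
  else
    FOUND_DATASET_BINDING=false
    while IFS= read -r DATASET; do
      [[ -n "$DATASET" ]] || continue
      if ! ds_roles=$(dataset_roles_for_member "${PROJECT}:${DATASET}"); then
        warn "could not read IAM policy of dataset $DATASET — its bindings were NOT checked"
        continue
      fi
      while IFS= read -r ROLE; do
        [[ -n "$ROLE" ]] || continue
        # </dev/null keeps bq from consuming the here-string feeding this loop.
        if bq remove-iam-policy-binding \
             --member="user:$MARKETER" \
             --role="$ROLE" \
             "${PROJECT}:${DATASET}" </dev/null; then
          echo "  ✓ Removed ${ROLE#roles/} from dataset: $DATASET"
          FOUND_DATASET_BINDING=true
        else
          warn "failed to remove $ROLE from dataset $DATASET"
        fi
      done <<< "$ds_roles"
    done <<< "$DATASETS"

    if [[ "$FOUND_DATASET_BINDING" == "false" ]]; then
      echo "  — No dataset-level bindings found"
    fi
  fi

  echo ""
done

# ── Remove from deny-policy group ─────────────────────────────────────────────
echo "Removing from $DENY_GROUP..."
# stderr is left visible so "not a member" can be told apart from a permission error.
if gcloud identity groups memberships delete \
     --group-email="$DENY_GROUP" \
     --member-email="$MARKETER" \
     --quiet </dev/null; then
  echo "✓ Removed from group"
else
  warn "Group removal failed or not a member — check Workspace Admin manually"
fi

echo ""
if (( FAILURES > 0 )); then
  echo "=== Done with $FAILURES warning(s) — offboarding of $MARKETER may be INCOMPLETE ==="
  echo "Review the warnings above before closing the offboarding ticket."
  exit 1
fi
echo "=== Done ==="
echo "$MARKETER has been offboarded from: ${PROJECTS[*]}"
echo ""
echo "Verify: ask the marketer to re-run a BigQuery query — it should return 403."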