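#!/bin/bash
# Initialize the system administrator policy in the yunioncloud database.
#
# Steps (each idempotent as a whole: the script exits early if the policy
# already exists):
#   1. create the 'system-admin-allow-all' policy (allow */*/* at system scope)
#   2. bind it to the admin role within the system project
#   3. enable web-console access for the 'sysadmin' user
#
# Configuration is read from the environment, optionally pre-loaded from
# ./.env.local or ../.env.local:
#   DB_HOST      database host      (default: localhost)
#   DB_PORT      database port      (default: 3306)
#   DB_USER      database user      (default: root)
#   DB_PASSWORD  database password  (left out of the client config when empty)
#
# Exit status: 0 when the policy exists or was created; non-zero if mysql or
# the temporary-file setup fails.

set -euo pipefail

# Load database configuration. The paths are relative to the caller's
# working directory (unchanged from the original behaviour). Sourcing runs
# the file as shell code, so .env.local must only be writable by trusted users.
if [ -f "../.env.local" ]; then
  # shellcheck source=/dev/null
  source ../.env.local
elif [ -f ".env.local" ]; then
  # shellcheck source=/dev/null
  source .env.local
fi

DB_HOST=${DB_HOST:-localhost}
DB_PORT=${DB_PORT:-3306}
DB_USER=${DB_USER:-root}
DB_PASSWORD=${DB_PASSWORD:-}
readonly DB_NAME="yunioncloud"

# Hand the credentials to mysql through a mode-0600 option file rather than
# `-p$DB_PASSWORD` on the command line: argv is readable by every local user
# via `ps` / /proc/<pid>/cmdline, so the old form leaked the DB password.
MYSQL_CNF=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -f -- "$MYSQL_CNF"; }
trap cleanup EXIT
chmod 600 -- "$MYSQL_CNF"

{
  printf '[client]\n'
  printf 'host=%s\n' "$DB_HOST"
  printf 'port=%s\n' "$DB_PORT"
  printf 'user=%s\n' "$DB_USER"
  # Option-file values are double-quoted with backslash escapes so a password
  # containing '#', quotes or backslashes is passed through intact. An empty
  # password is omitted entirely so mysql neither prompts nor sends "".
  if [ -n "$DB_PASSWORD" ]; then
    escaped=${DB_PASSWORD//\\/\\\\}
    escaped=${escaped//\"/\\\"}
    printf 'password="%s"\n' "$escaped"
  fi
} > "$MYSQL_CNF"

#######################################
# Run the mysql client against DB_NAME using the option file above.
# --defaults-extra-file must be the first argument mysql sees.
# Arguments: extra mysql options/flags (e.g. -sN -e "...")
# Outputs:   whatever mysql writes to stdout
# Returns:   mysql's exit status
#######################################
db() {
  mysql --defaults-extra-file="$MYSQL_CNF" "$DB_NAME" "$@"
}

echo "=== 初始化系统管理员策略 ==="

# Idempotency guard: skip creation when the policy is already present.
POLICY_COUNT=$(db -sN -e "SELECT COUNT(*) FROM policy WHERE name='system-admin-allow-all';")

if [ "${POLICY_COUNT:-0}" -gt 0 ]; then
  echo "✓ 系统管理员策略已存在"
  exit 0
fi

echo "创建系统管理员策略..."

# Create and bind the policy. The quoted heredoc delimiter keeps the SQL
# free of shell expansion. The admin role and system project ids below are
# hard-coded; confirm they match the target deployment before running.
db << 'EOF'
-- 生成策略ID
SET @policy_id = REPLACE(UUID(), '-', '');
SET @admin_role_id = 'f86e3d4191ae4a6283fc9a9d6b65fe6f';
SET @system_project_id = 'cb66410213744b9a857376e529797a18';

-- 插入策略
INSERT INTO policy (
  id, name, type, description, enabled, scope, is_public, public_scope,
  domain_id, is_system, `blob`, created_at, updated_at, update_version, deleted
) VALUES (
  @policy_id, 'system-admin-allow-all', 'system-admin-allow-all',
  'System administrator policy - allows all operations', 1, 'system', 1, 'system',
  'default', 1, '{"policy":{"*":{"*":{"*":"allow"}}}}', NOW(), NOW(), 0, 0
);

-- 绑定策略到admin角色和system项目
INSERT INTO rolepolicy_tbl (
  role_id, project_id, policy_id, auth, created_at, updated_at, update_version, deleted
) VALUES (
  @admin_role_id, @system_project_id, @policy_id, 1, NOW(), NOW(), 0, 0
);

-- 启用sysadmin用户的web控制台访问
UPDATE user SET allow_web_console = 1 WHERE name = 'sysadmin';

SELECT 'Policy created and bound successfully' as status;
EOF

echo "✓ 系统管理员策略创建成功"
echo ""
echo "策略详情:"
echo "  - 名称: system-admin-allow-all"
echo "  - 范围: system"
echo "  - 权限: 允许所有操作 (*/*/*)"
echo "  - 绑定: admin角色 + system项目"
echo "  - Web访问: 已启用"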