#!/usr/bin/env python3
# -*- coding: utf-8; py-indent-offset: 4 -*-
#
# Author:  Linuxfabrik GmbH, Zurich, Switzerland
# Contact: info (at) linuxfabrik (dot) ch
#          https://www.linuxfabrik.ch/
# License: The Unlicense, see LICENSE file.

# https://github.com/Linuxfabrik/monitoring-plugins/blob/main/CONTRIBUTING.md

"""See the check's README for more details."""

import argparse
import sys

import lib.args
import lib.base
import lib.human
import lib.keycloak
from lib.globals import STATE_OK, STATE_UNKNOWN

__author__ = 'Linuxfabrik GmbH, Zurich/Switzerland'
__version__ = '2025100601'

DESCRIPTION = """Reports statistics from a Keycloak server via its HTTP API, including realm count,
client count, user count, and active sessions. Tested with Keycloak 18 and later."""

DEFAULT_CLIENT_ID = 'admin-cli'
DEFAULT_INSECURE = False
DEFAULT_NO_PROXY = False
# Keycloak's install-time default password, not a real secret.
DEFAULT_PASSWORD = 'admin'  # nosec B105
DEFAULT_REALM = 'master'
DEFAULT_TIMEOUT = 8
DEFAULT_URL = 'http://127.0.0.1:8080'
DEFAULT_USERNAME = 'admin'


def parse_args():
    """Parse command line arguments using argparse."""
    parser = argparse.ArgumentParser(description=DESCRIPTION)

    parser.add_argument(
        '-V',
        '--version',
        action='version',
        version=f'%(prog)s: v{__version__} by {__author__}',
    )

    parser.add_argument(
        '--client-id',
        help='Keycloak API Client-ID. Default: %(default)s',
        dest='CLIENT_ID',
        default=DEFAULT_CLIENT_ID,
    )

    parser.add_argument(
        '--insecure',
        help=lib.args.help('--insecure'),
        dest='INSECURE',
        action='store_true',
        default=DEFAULT_INSECURE,
    )

    parser.add_argument(
        '--no-proxy',
        help=lib.args.help('--no-proxy'),
        dest='NO_PROXY',
        action='store_true',
        default=DEFAULT_NO_PROXY,
    )

    parser.add_argument(
        '-p',
        '--password',
        help='Keycloak API password. Default: %(default)s',
        dest='PASSWORD',
        default=DEFAULT_PASSWORD,
    )

    parser.add_argument(
        '--realm',
        help='Keycloak API realm. Default: %(default)s',
        dest='REALM',
        default=DEFAULT_REALM,
    )

    parser.add_argument(
        '--timeout',
        help=lib.args.help('--timeout') + ' Default: %(default)s (seconds)',
        dest='TIMEOUT',
        type=int,
        default=DEFAULT_TIMEOUT,
    )

    parser.add_argument(
        '--url',
        help='Keycloak API URL. Default: %(default)s',
        dest='URL',
        default=DEFAULT_URL,
    )

    parser.add_argument(
        '--username',
        help='Keycloak API username. Default: %(default)s',
        dest='USERNAME',
        default=DEFAULT_USERNAME,
    )

    args, _ = parser.parse_known_args()
    return args


def main():
    """The main function. This is where the magic happens."""

    # parse the command line
    try:
        args = parse_args()
    except SystemExit:
        sys.exit(STATE_UNKNOWN)

    # init some vars
    msg = ''
    state = STATE_OK
    perfdata = ''

    # fetch data
    # Discover the OIDC endpoints for the realm (no authentication needed),
    # obtain an admin access token and call the Admin REST API (fetch the realm's details).
    oidc_config = lib.base.coe(lib.keycloak.discover_oidc_endpoints(args))
    admin_token = lib.base.coe(lib.keycloak.obtain_admin_token(args, oidc_config))
    server_info = lib.base.coe(
        lib.keycloak.get_data(args, admin_token, '/admin/serverinfo')
    )

    # build the message
    uptime = server_info.get('systemInfo').get('uptimeMillis') / 1000
    msg += f'Up {lib.human.seconds2human(uptime)}, '
    msg += f'running under user `{server_info.get("systemInfo").get("userName")}`; '

    msg += f'Java v{server_info.get("systemInfo").get("javaVersion")}, '
    msg += f'{server_info.get("systemInfo").get("javaVm")}, '
    msg += f'{server_info.get("systemInfo").get("javaHome")}\n'

    if server_info.get('features'):
        # available in newer keycloak versions
        enabled_features, disabled_features = [], []
        for feature in server_info.get('features', []):
            if feature.get('enabled'):
                enabled_features.append(
                    f'{feature.get("name")} ({feature.get("type").lower()})'
                )
            else:
                disabled_features.append(
                    f'{feature.get("name")} ({feature.get("type").lower()})'
                )
        enabled_features.sort()
        enabled_features = '\n* '.join(enabled_features)
        msg += '\nEnabled Features: '
        msg += f'\n* {enabled_features}\n' if enabled_features else 'None\n'
    else:
        disabled_features = server_info.get('profileInfo').get('disabledFeatures')
    disabled_features.sort()
    disabled_features = '\n* '.join(disabled_features) + '\n'
    msg += '\nDisabled Features: '
    msg += f'\n* {disabled_features}\n' if disabled_features else 'None\n'

    perfdata += lib.base.get_perfdata(
        'uptime',
        uptime,
        uom='s',
        warn=None,
        crit=None,
        _min=0,
        _max=None,
    )

    # over and out
    lib.base.oao(msg, state, perfdata)


if __name__ == '__main__':
    try:
        main()
    except Exception:
        lib.base.cu()
