waltid-enterprise

#!/bin/bash

set -e

cli_name=${0##*/}
export WORKDIR=$(cd $(dirname $0) && pwd)

auth_token=""

init() {
    echo "Walt.id Enterprise Stack Quickstarter v$(cat $WORKDIR/VERSION)"
    info "Checking dependencies... TODO"
    # jq
    # curl
}

log() {
  script_name=${0##*/}
  timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
  echo "== $script_name $timestamp $1"
}

info() {
    log "[INFO] $1"
}

error() {
    log "[ERROR] $1"
}

docker_hub_login(){
    password=$(cat .docker-token | grep -v "#" | grep -v -e '^[[:space:]]*$')
    info "Autheticating to Docker Hub. Please use the password provided..."
    docker login -u waltid -p $password
    echo
}

pull_docker_image() {
    info "Pulling Enterprise Stack v0.1.0"
    docker pull waltid/waltid-enterprise-api:0.1.0
    echo
}

start_container() {
    info "Starting up Enterprise Stack v0.1.0"
    docker compose up
}

run() { 
    docker_hub_login
    pull_docker_image
    start_container
}

get_superadmin_auth_token() {
    if [ -f .auth_token ]; then
        info "Super admin already logged in." 
    else
        info "Logging super admin in..."
        superadmin_login
    fi
    
    AUTH_TOKEN=$(cat .auth_token)

    eval $1=$AUTH_TOKEN
}

clean_all() {
    info "Cleaning up..."
    recreate_collections
    rm -f .user_id
    rm -f .auth_token
    rm -f .user_auth_token
    rm -f .did
}

check_last_command_failure() {
    if [[ $result < 0 ]]; then
        echo "
        
        !!!!!!!!!!!
        !! ERROR !!
        !!!!!!!!!!!

        Oops. I'm sorry. Something went wrong. Contact the WaltId guys to help you with it. Bye.
        "

        return -1
    fi 

    result=0
}

pause() {
    read -n1 -s
}

get_user_auth_token() {
    if [ -f .user_auth_token ]; then
        info "User already logged in." 
    else
        info "Logging user in..."
        user_admin_login
    fi
    
    USER_AUTH_TOKEN=$(cat .user_auth_token)
    info "Auth token: $USER_AUTH_TOKEN"

    eval $1=$USER_AUTH_TOKEN
}

wizard_pre_message() {
    cat <<EOF
    $1
EOF
    pause
    result=0
}

wizard_pos_message() {
    check_last_command_failure
    cat <<EOF
    $1
EOF
}

wizard_welcome() {
    echo "Welcome to the Quickstart Wizard of the WaltId Enterprise Stack! We will now guide you through each step to get you onboarded on our platform."
}

wizard_disclaimer_disagree() {
    echo "        

    We understand. No worries. Friendship continues.

    Let us give you 2 options:

    1. Try each command by yourself and deal with eventual issues; or
    2. Save the data you don't want to lose and come back again to this wizard ;-)

    Tchüss!

    "
}

wizard_disclaimer_agreed() {
    echo "

    Cool. Thanks for understanding.

    "

}
wizard_disclaimer() {
    echo "
    In order to make you experience as smooth as possible, we need to recreate the whole database, just to make sure there's no data there that could cause any confusion and get in the way of the main purpose of this script: learning how to use the product.

    Which means: all the data in your local WaltId Enterprise Stack instance will be lost.

    "
    read -p "Are you ok with that? (y/N) " -n1 AGREED

    shopt -s nocasematch
    if [[ "$AGREED" != "y" ]]; then
        wizard_disclaimer_disagree
        return -1
    fi
        
    wizard_disclaimer_agreed

}

wizard_pre_suerpadmin_create_account() {

    wizard_pre_message "
    The first thing we need to do is the creation of the so called Super Admin user. It's something like the 'root' in your OS.

    Press any key to run the command below...

        $cli_name superadmin-create-account

    "
    pause
}

wizard_pos_suerpadmin_create_account() {
    wizard_pos_message "
    Nice! The Super Admin user has just been created with the email and password specified in the ./config/superadmin-registration.conf file.

    The Super Admin user can do anything in the platform. As the name suggests, he is the admin of the whole instance. He can manage all the resources in any tenant in any organization. So, please, never share this user's credential with anyone not related to the instance administration.
    "
}

wizard_pre_superadmin_login() {
    wizard_pre_message "
    Now, it's time to log him in.

    Press any key to run the command below to get access to super powers...

        $cli_name superadmin-login
    "
}

wizard_pos_superadmin_login() {
    wizard_pos_message "
    The Super Admin is now logged in.

    Every command from now on will be executed with the Super Admin account. Take care.
    "
}

wizard_pre_init_db() {
    wizard_pre_message "
    The next step is the database initialization. Since we've just recreated everything from scratch, it's not strictly necessary, but I'll show you how does it work anyway.

    Press any key to run the command below...

        $cli_name init-db

    "
}

wizard_pos_init_db() {
    wizard_pos_message "
    The database has been initialized according to the information provided in the config/database.conf file.
    "
}

wizard_pre_create_organization() {
    wizard_pre_message "
    It's now time to create the root organization. If you allow me, I will call it "waltid". Once you learn how to do it, you should use your company's name instead.
    
    You can find more about organizations in the docs (https://docs.walt.id/enterprise-stack/concepts#the-organization)

    Press any key to run the command below and create the "waltid" root organization...

       $cli_name create-organization
    "
}

wizard_pos_create_organization() {
    wizard_pos_message "
    Awesome. The "waltid" root organization has been created.

    This is how you database structure looks like so far.

        ┌────────────┐   
        │            │   
        │   waltid   │   
        │            │   
        └────────────┘   
                            
    "
}

wizard_pre_list_organizations() {
	wizard_pre_message "
    At any time, you can list all the organizations in... #TODO
    
    Press any key to run the command bellow to list all the organizations... #TODO

        $(basename "$0") list-organizations
	"
}

wizard_pos_list_organizations() {
	wizard_pos_message "
	"
}

wizard_pre_create_user_account() {
	wizard_pre_message "
    You are probably aware that it's not a good idea to use a super powered user for daily tasks, right?  And, you know... big power leads to big responsibilities. We'd better create a less powered user.

    We will now use the Super Admin account to create a new user account. 

    Press any key to run the command below to create a not-so-super user...

       $cli_name create-user-account
	"
}

wizard_pos_create_user_account() {
	wizard_pos_message "
    The user "max.mustermann@example.org" was successfuly created with password "password123456".

    We will use it from now on.
	"
}

wizard_pre_list_accounts() {
	wizard_pre_message "
    Press any key to run the command below to list all users registered in your instance.

        $cli_name list-accounts
	"
}

wizard_pos_list_accounts1() {
	wizard_pos_message "
    Notice that there are two user accounts: Superadmin and Max.

    And, before we move forward, let's take a closer look to the "role" property of each account. What does it mean?

    Each property in the "roles" object represents the set of roles assingned to that user in a specific organization.

    Take Max as our first example. He doesn't have any specifc role. Which means he doesn't have any privilege on any resource (we will talk more about it later).

    On the other hand, look at the Superadmin account. It has the role "admin" in the "waltid" organization. And, why does it have such privilege? Just because it's the account who created that organization.

    Every time an organization is created, an "admin" role is automatically generated and assigned to its creator.
	"
}

wizard_pos_list_accounts2() {
    wizard_pos_message "
    Now notice that Max also has the role "waltid.admin".
    "
}


wizard_pre_list_resources() {
	wizard_pre_message "

	"
}

wizard_pos_list_resources() {
	wizard_pos_message "

	"
}


wizard_pre_list_keys() {
	wizard_pre_message "

	"
}

wizard_pos_list_keys() {
	wizard_pos_message "

	"
}

wizard_pre_add_admin_role() {
	wizard_pre_message "
    What if we now assign the same "waltid.admin" role to Max? Does he deserve it?

     Press any key to run the command below and give Max some powers on the "waltid" organization.

       $cli_name add-admin-role
	"
}

wizard_pos_add_admin_role() {
	wizard_pos_message "
    Congratz, Max. You are now a VIP at "waltid". Oh, ok, no so VIP as the Super Admin. But you understand, right? ;-)
	"
}


wizard_pre_user_admin_login() {
	wizard_pre_message "
    Let's switch to Max's account and stop using the Super Admin account.

    Press any key to log Max in.

        $cli_name user-admin-login
	"
}

wizard_pos_user_admin_login() {
	wizard_pos_message "
    Max is in charge now. He logged in successfuly.
	"
}


wizard_pre_create_tenant() {
	wizard_pre_message "

	"
}

wizard_pos_create_tenant() {
	wizard_pos_message "
    The root organization is like the '/' directory of a file system. 

    The WaltId Enterprise Stack
	"
}


wizard_pre_create_kms_service() {
	wizard_pre_message "

	"
}

wizard_pos_create_kms_service() {
	wizard_pos_message "

	"
}


wizard_pre_generate_did_key() {
	wizard_pre_message "

	"
}

wizard_pos_generate_did_key() {
	wizard_pos_message "

	"
}


wizard_pre_generate_status_key() {
	wizard_pre_message "

	"
}

wizard_pos_generate_status_key() {
	wizard_pos_message "

	"
}


wizard_pre_create_did_service() {
	wizard_pre_message "

	"
}

wizard_pos_create_did_service() {
	wizard_pos_message "

	"
}


wizard_pre_create_did() {
	wizard_pre_message "

	"
}

wizard_pos_create_did() {
	wizard_pos_message "

	"
}


wizard_pre_create_credential_status_service() {
	wizard_pre_message "

	"
}

wizard_pos_create_credential_status_service() {
	wizard_pos_message "

	"
}


wizard_pre_create_issuer_service() {
	wizard_pre_message "

	"
}

wizard_pos_create_issuer_service() {
	wizard_pos_message "

	"
}


wizard_pre_create_verifier_service() {
	wizard_pre_message "

	"
}

wizard_pos_create_verifier_service() {
	wizard_pos_message "

	"
}


wizard_pre_issue_jwt_vc() {
	wizard_pre_message "

	"
}

wizard_pos_issue_jwt_vc() {
	wizard_pos_message "

	"
}

wizard() {
    wizard_welcome
    wizard_disclaimer
    clean_all

    wizard_pre_suerpadmin_create_account
    superadmin_create_account
    wizard_pos_suerpadmin_create_account

    wizard_pre_superadmin_login
    superadmin_login
    wizard_pos_superadmin_login

    wizard_pre_init_db
    init_db
    wizard_pos_init_db

    wizard_pre_create_organization
    create_organization
    wizard_pos_create_organization

    wizard_pre_list_organizations
    list_organizations
    wizard_pos_list_organizations

    wizard_pre_create_user_account
    create_user_account
    wizard_pos_create_user_account

    wizard_pre_list_accounts
    list_accounts
    wizard_pos_list_accounts1

    wizard_pre_add_admin_role
    add_admin_role_to_user
    wizard_pos_add_admin_role

    wizard_pre_list_accounts
    list_accounts
    wizard_pos_list_accounts2

    wizard_pre_user_admin_login
    user_admin_login
    wizard_pos_user_admin_login

    wizard_pre_create_tenant
    create_tenant
    wizard_pos_create_tenant

    wizard_pre_list_resources
    list_resources
    wizard_pos_list_resources

    wizard_pre_create_kms_service
    create_kms_service
    wizard_pos_create_kms_service

    wizard_pre_list_resources
    list_resources
    wizard_pos_list_resources

    wizard_pre_generate_did_key
    generate_did_key
    wizard_pos_generate_did_key

    wizard_pre_generate_status_key
    generate_status_key
    wizard_pos_generate_status_key

    wizard_pre_create_did_service
    create_did_service
    wizard_pos_create_did_service

    wizard_pre_list_resources
    list_resources
    wizard_pos_list_resources

    wizard_pre_create_did
    create_did
    wizard_pos_create_did

    # wizard_pre_create_credential_status_service
    # create_credential_status_service
    # wizard_pos_create_credential_status_service

    wizard_pre_create_issuer_service
    create_issuer_service
    wizard_pos_create_issuer_service

    wizard_pre_list_resources
    list_resources
    wizard_pos_list_resources

    wizard_pre_create_verifier_service
    create_verifier_service
    wizard_pos_create_verifier_service

    wizard_pre_list_resources
    list_resources
    wizard_pos_list_resources

    wizard_pre_issue_jwt_vc
    issue_jwt_vc
    wizard_pos_issue_jwt_vc

}


superadmin_create_account() {
    superadmin_token=$(cat config/superadmin-registration.conf | sed -n '2 p' | cut -d \" -f 2)

    info "Registering token \"${superadmin_token}\" provided in the superadmin-registration.conf file"
    response=$(curl -X 'POST' \
        'http://localhost:3000/v1/superadmin/create-by-token' \
        -H 'accept: */*' \
        -H 'Content-Type: application/json' \
        -d "${superadmin_token}" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Super admin account could not be created."
        error "$response"
        result=-1
    else 
        info "Super admin account successfully created."
    fi
}

superadmin_login() {

    superadmin_email=$(cat config/superadmin-registration.conf | grep identifier | cut -d \" -f 2)
    superadmin_password=$(cat config/superadmin-registration.conf | grep password | cut -d \" -f 2)

    info "Logging in super admin with credentials provided in the superadmin-registration.conf file"
    response=$(curl -X 'POST' \
        'http://localhost:3000/auth/account/emailpass' \
        -H 'accept: application/json' \
        -H 'Content-Type: application/json' \
        -d "{
            \"email\": \"${superadmin_email}\",
            \"password\": \"${superadmin_password}\"
        }" 2> /dev/null)
    if [[ $response == *"exception"* ]]; then
        error "Super admin could not be logged in."
        error "$response"
        result=-1
    else
        info "Super admin logged in successfully."
        info "$response"

        AUTH_TOKEN=$(echo $response | jq .token | tr -d '"')
        echo $AUTH_TOKEN > .auth_token
    fi
}

init_db() {

    get_superadmin_auth_token AUTH_TOKEN

    info "Initializing the database based on the config/database.conf file"
    response=$(curl -X 'POST' \
        'http://localhost:3000/v1/admin/initial-setup' \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -d '' 2> /dev/null)

    if [[ $response == *"Unauthorized"* ]]; then
        error "Database could not be initialized. Access denied."
        error "$response"
        result=-1
    else
        info "Database successfully initialized."
    fi
}

recreate_collections() {

    # get_superadmin_auth_token AUTH_TOKEN

    response=$(curl -X 'POST' \
        'http://localhost:3000/v1/dev/database-recreate' \
        -H 'accept: */*' \
        -d '' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Database could not be recreated."
        error "$response"
    else
        info "Database successfully recreated."
    fi
}

create_organization() {

    get_superadmin_auth_token AUTH_TOKEN

    response=$(curl -X 'POST' \
        'http://localhost:3000/v1/organization/create' \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{
            "_id": "waltid",
            "profile": {
                "name": "walt.id GmbH"
            },
            "billing": {
                "billingCountry": "AT",
                "billingAddress": "Liechtensteinstraße 111/115, 1090 Vienna",
                "vatNr": "ATU75569617"
            }
        }' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Organization could not be created."
        error "$response"
    else
        info "Organization successfully created."
    fi

}

create_user_account() {

    get_superadmin_auth_token AUTH_TOKEN

    rm -f .user_id

    response=$(curl -X 'POST' \
        'http://localhost:3000/v1/admin/account/register' \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{
        "profile": {
            "name": "Max Mustermann",
            "email": "max.mustermann@example.org",
            "addressCountry": "AT",
            "address": "Liechtensteinstraße 111/115, 1090 Vienna"
        },
        "preferences": {
            "timeZone": "UTC",
            "languagePreference": "EN"
        },
        "initialAuth": {
            "type": "email",
            "identifier": {
            "type": "email",
            "email": "max.mustermann@example.org"
            },
            "data": {
            "type": "email",
            "password": "password123456"
            }
        }
        }' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "User account could not be created."
        error "$response"

        # TODO Offer to select an existing user to be used
    else

        # TODO Handle user already exists

        info "User account successfully created."

        regex="\"_id\":\"([0-9a-z-]+)\","
        if [[ "$response" =~ $regex ]]; then
            user_id=${BASH_REMATCH[1]}
            info "User ID: $user_id"

            echo $user_id > .user_id
            info "User ID saved at .user_id"
        else
            error "User ID not found in the HTTP response."
        fi
    fi

}

get_user_id() {

    if [ -f .user_id ]; then
        USER_ID=$(cat .user_id)
        info "User ID found: $USER_ID"
    else
        error "No user id found. Please run '$0 create-user-account' first. "
        exit -1
    fi

    eval $1=$USER_ID
}

add_admin_role_to_user() {

    # TODO Parameterise USER and ORG 

    get_superadmin_auth_token AUTH_TOKEN
    get_user_id USER_ID

    ROLE="waltid.admin"
    ORGANIZATION="waltid"

    info "Adding role '$ROLE' to user '$USER_ID' from organization '$ORGANIZATION'..."
    response=$(curl -X 'POST' \
        "http://localhost:3000/v1/admin/account/$USER_ID/roles/add/$ORGANIZATION/$ROLE" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -d '' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Role could not be added."
        error "$response"
    else
        # TODO If response = {}, role hasn't been added either
        
        info "Role successfully added."
        info $response
    fi
}

user_admin_login() {
    
    # get_superadmin_auth_token AUTH_TOKEN

    USER="max.mustermann@example.org"
    PASS="password123456"

    response=$(curl -X 'POST' \
        'http://waltid.enterprise.localhost:3000/auth/account/emailpass' \
        -H 'accept: application/json' \
        -H 'Content-Type: application/json' \
        -d "{
            \"email\": \"$USER\",
            \"password\": \"$PASS\"
        }" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "User $USER could not be logged in."
        error "$response"
    else
        
        regex="\"token\":\"([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\""
        if [[ "$response" =~ $regex ]]; then
            AUTH_TOKEN=${BASH_REMATCH[1]}
            # info "User ID: $user_id"

            rm -f .user_auth_token 
            echo $AUTH_TOKEN > .user_auth_token
            info "User $USER successfully logged in with token $AUTH_TOKEN"
        else
            error "Auth token not found in the HTTP response."
        fi
    fi
}
         
create_tenant() {
    
    get_user_auth_token AUTH_TOKEN

    TENANT_ID="waltid.tenant1"

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$TENANT_ID/resource-api/tenants/create" \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{
            "name":"My first Tenant with Tamino"
        }' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Tenant $TENANT_ID could not be created."
        error "$response"
    else
        info "Tenant $TENANT_ID successfully created."
    fi
}

create_service() {
    
    get_user_auth_token AUTH_TOKEN

    SERVICE_TYPE=$1
    SERVICE_NAME=$2

    SERVICE_ID="waltid.tenant1.$SERVICE_NAME"

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$SERVICE_ID/resource-api/services/create" \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d "{
            \"type\": \"$SERVICE_TYPE\"
        }" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "$SERVICE_ID could not be created."
        error "$response"
    else
        info "$SERVICE_ID successfully created."
        echo "$response" | jq
    fi
}

create_kms_service() {
    create_service "kms" "kms1"
}

generate_key() {
    
    get_user_auth_token AUTH_TOKEN

    PURPOSE=$1
    KEY_FILE=$2

    KMS_ID="waltid.tenant1.kms1"

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$KMS_ID/kms-service-api/keys/generate" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{
            "backend": "jwk",
            "keyType": "Ed25519"
        }' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "$PURPOSE key could not be generate from $KMS_ID."
        error "$response"
    else
        info "$PURPOSE key successfully generated."
        echo "$response" | jq
        echo "$response"

        DID_KEY=$(echo $response | jq "._id" | cut -d\" -f2)
        echo $DID_KEY > $KEY_FILE

        info "Key saved in the $KEY_FILE file"
    fi
}

generate_did_key() {
    generate_key "DID" ".did_key"
}

generate_status_key() {
    generate_key "Credential Status" ".status_key"
}

create_did_service() {
   create_service "did" "did1"
}

create_did() {

    get_user_auth_token AUTH_TOKEN

    DID_SERVICE_ID="waltid.tenant1.did1"
    
    if [[ ! -f .did_key ]]; then
        info "DID key doesn't exist. Let's create one..."
        generate_did_key
    fi

    KEY_ID=$(cat .did_key)

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$DID_SERVICE_ID/did-service-api/dids/create/key" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d "{
            \"keyId\": \"$KEY_ID\",
            \"useJwkJcsPub\": true
        }" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "did:key could not be created."
        error "$response"
    else
        echo $response > .did
        info "did:key successfully created and saved in the .did file:"
        echo "$response" | jq ".did"
    fi

}

create_issuer_service() {

    ISSUER_SERVICE_ID="waltid.tenant1.issuer1"
    KMS_SERVICE_ID="waltid.tenant1.kms1"
    KEY_ID="test.tenant1.kms1.2CP9-WVc83iO4gAtOYrJhc-gy1nl73fWXOChG1hnI44"

    get_user_auth_token AUTH_TOKEN


    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$ISSUER_SERVICE_ID/resource-api/services/create" \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d "{
            \"type\": \"issuer\",
            \"kms\": \"$KMS_SERVICE_ID\",
            \"tokenKeyId\": \"$KEY_ID\",
            \"supportedCredentialTypes\": {
                \"identity_credential_vc+sd-jwt\": {
                \"format\": \"vc+sd-jwt\",
                \"vct\": \"{vctBaseURL}/identity_credential\",
                \"cryptographic_binding_methods_supported\": [
                    \"jwk\"
                ],
                \"credential_signing_alg_values_supported\": [
                    \"ES256\"
                ],
                \"sdJwtVcTypeMetadata\": {
                    \"name\": \"Identity Credential\",
                    \"description\": \"The Identity Verifiable Credential\",
                    \"vct\": \"{vctBaseURL}/identity_credential\"
                }
                },
                \"OpenBadgeCredential_jwt_vc_json\": {
                \"format\": \"jwt_vc_json\",
                \"cryptographic_binding_methods_supported\": [
                    \"did\"
                ],
                \"credential_signing_alg_values_supported\": [
                    \"ES256\"
                ],
                \"credential_definition\": {
                    \"type\": [
                    \"VerifiableCredential\",
                    \"OpenBadgeCredential\"
                    ]
                }
                }
            }
        }" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Issuer Service $ISSUER_SERVICE_ID could not be created."
        error "$response"
    else
        info "Issuer Service $ISSUER_SERVICE_ID successfully created."
    fi
}

create_verifier_service() {
    
    VERIFIER_SERVICE_ID="waltid.tenant1.verifier1"

    get_user_auth_token AUTH_TOKEN

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$VERIFIER_SERVICE_ID/resource-api/services/create" \
        -H 'accept: */*' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d '{
            "type": "verifier",
            "baseUrl": "http://localhost:3000"
        }' 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Verifier Service $VERIFIER_SERVICE_ID could not be created."
        error "$response"
    else
        info "Verifier Service $VERIFIER_SERVICE_ID successfully created."
    fi
}

issue_jwt_vc() {

    ISSUER_SERVICE_ID="waltid.tenant1.issuer1"
    KMS_SERVICE_ID="waltid.tenant1.kms1"
    KEY_ID="test.tenant1.kms1.2CP9-WVc83iO4gAtOYrJhc-gy1nl73fWXOChG1hnI44"

    # REQUEST_BODY=`cat <<EOF
    #read -r -d '' REQUEST_BODY <<'EOF'
    REQUEST_BODY=$(cat <<'EOF'
{
    "issuerKeyId": "$KEY_ID",
    "credentialConfigurationId": "OpenBadgeCredential_jwt_vc_json",
    "credentialData":
    {
        "@context":
        [
            "https://www.w3.org/2018/credentials/v1",
            "https://purl.imsglobal.org/spec/ob/v3p0/context.json"
        ],
        "id": "urn:uuid:THIS WILL BE REPLACED WITH DYNAMIC DATA FUNCTION (see below)",
        "type":
        [
            "VerifiableCredential",
            "OpenBadgeCredential"
        ],
        "name": "JFF x vc-edu PlugFest 3 Interoperability",
        "issuer":
        {
            "type":
            [
                "Profile"
            ],
            "name": "Jobs for the Future (JFF)",
            "url": "https://www.jff.org/",
            "image": "https://w3c-ccg.github.io/vc-ed/plugfest-1-2022/images/JFF_LogoLockup.png"
        },
        "credentialSubject":
        {
            "type":
            [
                "AchievementSubject"
            ],
            "achievement":
            {
                "id": "urn:uuid:ac254bd5-8fad-4bb1-9d29-efd938536926",
                "type":
                [
                    "Achievement"
                ],
                "name": "JFF x vc-edu PlugFest 3 Interoperability",
                "description": "This wallet supports the use of W3C Verifiable Credentials and has demonstrated interoperability during the presentation request workflow during JFF x VC-EDU PlugFest 3.",
                "criteria":
                {
                    "type": "Criteria",
                    "narrative": "Wallet solutions providers earned this badge by demonstrating interoperability during the presentation request workflow. This includes successfully receiving a presentation request, allowing the holder to select at least two types of verifiable credentials to create a verifiable presentation, returning the presentation to the requestor, and passing verification of the presentation and the included credentials."
                },
                "image":
                {
                    "id": "https://w3c-ccg.github.io/vc-ed/plugfest-3-2023/images/JFF-VC-EDU-PLUGFEST3-badge-image.png",
                    "type": "Image"
                }
            }
        }
    },
    "mapping":
    {
        "id": "<uuid>",
        "issuer":
        {
            "id": "<issuerDid>"
        },
        "credentialSubject":
        {
            "id": "<subjectDid>"
        },
        "issuanceDate": "<timestamp>",
        "expirationDate": "<timestamp-in:365d>"
    },
    "selectiveDisclosure":
    {
        "fields":
        {
            "name":
            {
                "sd": true
            },
            "credentialSubject":
            {
                "sd": false,
                "children":
                {
                    "fields":
                    {
                        "achievement":
                        {
                            "sd": false,
                            "children":
                            {
                                "fields":
                                {
                                    "name":
                                    {
                                        "sd": true
                                    }
                                },
                                "decoyMode": "NONE",
                                "decoys": 0
                            }
                        }
                    },
                    "decoyMode": "NONE",
                    "decoys": 0
                }
            }
        },
        "decoyMode": "NONE",
        "decoys": 0
    },
    "authenticationMethod": "PRE_AUTHORIZED",
    "issuerDid": "<ISSUER_DID>",
    "expiresInSeconds": 300
}
EOF
    )

    get_user_auth_token AUTH_TOKEN

    response=$(curl -X 'POST' \
        "http://waltid.enterprise.localhost:3000/v1/$ISSUER_SERVICE_ID/issuer-service-api/credentials/issue" \
        -H 'accept: */*' \
        -H 'statusCallbackUri: https://example.com/status_callback/$id' \
        -H 'statusCallbackApiKey: 1671a86d-84e8-4d0d-a35e-efb49b728b7e' \
        -H "Authorization: Bearer $AUTH_TOKEN" \
        -H 'Content-Type: application/json' \
        -d "$REQUEST_BODY"
    2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Credential could not be issued."
        error "$response"
    else
        info "Credential successfully issued."
        echo $response
    fi
}



list_organizations() {

    # TODO Print only relevant infos

    get_superadmin_auth_token AUTH_TOKEN

    response=$(curl -X 'GET' \
        'http://localhost:3000/v1/admin/organizations?maxPageSize=100&page=0' \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Organizations could not be listed."
        error "$response"
    else
        info "Organizations list:"
        echo "$response" | jq
    fi
}

list_accounts() {

    # TODO Print only relevant infos

    get_superadmin_auth_token AUTH_TOKEN

    response=$(curl -X 'GET' \
        'http://localhost:3000/v1/admin/accounts?maxPageSize=100&page=0' \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Accounts could not be listed."
        error "$response"
    else
        info "Account list:"
        echo "$response" | jq
    fi

}

list_resources() {

    get_user_auth_token AUTH_TOKEN

    TENANT_ID="waltid.tenant1"

    response=$(curl -X 'GET' \
        "http://waltid.enterprise.localhost:3000/v1/$TENANT_ID/resource-api/resources/list" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "Resources could not be listed."
        error "$response"
    else
        info "Resource list:"
        echo "$response" | jq
    fi

    

}

list_keys() {
    
    get_user_auth_token AUTH_TOKEN

    KMS_ID="waltid.tenant1.kms1"

    response=$(curl -X 'GET' \
        "http://waltid.enterprise.localhost:3000/v1/$KMS_ID/kms-service-api/keys/list" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $AUTH_TOKEN" 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "$KMS_ID keys could not be listed."
        error "$response"
    else
        info "$KMS_ID keys:"
        echo "$response" | jq
    fi
}

aa() {
    
    get_user_auth_token AUTH_TOKEN

    response=$( 2> /dev/null)

    if [[ $response == *"exception"* ]]; then
        error "XXX could not be added."
        error "$response"
    else
        info "XXX successfully added."
    fi
}

help() {
    cli_name=${0##*/}
    echo "Walt.id Enterprise Stack Quickstarter v$(cat $WORKDIR/VERSION)

Usage: 

    $cli_name [command]

Instructions:

    This is a very simple script that aims to give you 
    a first experience of using our Enterprise Stack so 
    that you can assimilate its conceptual architecture 
    in a playful and gradual way.

    We suggest that you open 2 terminals: 
    
    1. one to run the stack 
    2. and another one to run the commands against the 
       running instance

    To start running the commands, there are two options:

    1. Via wizard, which will guide you through each step.
    1. By running each command independently, according to 
       your needs or curiosity.

    Should you have any doubt, just try it out. Nothing will break ;-)
    
    And, if you feel it happened, the last command is there 
    to give you another chance :-)

    !!! Disclaimer !!!

    - This is a tool for demonstration purposes only.
    - This is not a tool to be used in production.
    - Make sure to run it on a local instance.
    - Eventually, we will recreate the whole database in order redo something we did wrong.
    - So, use it for educational purposes only, with no critical data at all.

Commands:

  tl;dr
  -------------
  run                               Run the Enterprise Stack
  wizard                            Start a step by step wizard to guide you 
                                    through all important operations

  expert mode
  -------------
  superadmin-create-account         Create the super admin account
  init-db                           Initialize the database
  superadmin-login                  Log in the super admin
  create-organization               Create (an | the root) Organization
  create-user-account               Create a new user
  add-admin-role                    Assign the 'admin' role to the user previously created
  user-admin-login                  Log in user with admin role
  create-tenant                     Create tenant in the organization created with the superadmin user
  create-kms-service                Create KMS service in the tenant
  generate-did-key                  Generate a key to be later used on DID creation
  generate-status-key               Generate a key to be later used on...
  create-did-service                Create DID service in the tenant
  create-did                        Create a did:key for the credential issuance
  create-credential-status-service  Create credential status service
  create-issuer-service             Create issuer service in the tenant
  create-verifier-service           Create verifier service in the tenant
  issue-jwt-vc                      Issue a W3C JWT credential
  list-organizations                List all organizations under the superadmin account
  list-accounts                     List all accounts under...
  list-resources                    List all account in the tenant
  recreate-db                       Delete all data and restart it from scratch
   "
  exit 1
}

case "$1" in
    run)
        run
        ;;
    wizard)
        init
        wizard
        ;;
    superadmin-create-account)
        init
        superadmin_create_account
        ;;
    superadmin-login)
        init
        superadmin_login
        ;;
    init-db)
        init
        init_db
        ;;
    create-organization)
        init
        create_organization
        ;;
    create-user-account)
        init
        create_user_account
        ;;
    add-admin-role)
        init
        add_admin_role_to_user
        ;;
    user-admin-login)
        init
        user_admin_login
        ;;
    create-tenant)
        init
        create_tenant
        ;;
    create-kms-service)
        init
        create_kms_service
        ;;
    generate-did-key)
        init
        generate_did_key
        ;;
    generate-status-key)
        init
        generate_status_key
        ;;
    create-did-service)
        init
        create_did_service
        ;;
    create-did)
        init
        create_did
        ;;
    create-credential-status-service)
        init
        create_credential_status_service
        ;;
    create-issuer-service)
        init
        create_issuer_service
        ;;
    create-verifier-service)
        init
        create_verifier_service
        ;;
    issue-jwt-vc)
        init
        issue_jwt_vc
        ;;
    list-organizations)
        init
        list_organizations
        ;;
    list-accounts)
        init
        list_accounts
        ;;
    list-resources)
        init
        list_resources
        ;;
    list-keys)
        init
        list_keys
        ;;
    recreate-db)
        init
        recreate_collections
        ;;
    *)
        help
        ;;
esac