#!/usr/bin/env bash

set -euo pipefail

profile=$1
option=${2:-ff}

container_name() {
  if ! aws configure get "profile.$profile.ff_container"; then
    echo "Unknown profile"
    exit 1
  fi
}

urlencode() {
  # urlencode <string>
  local length="${#1}"
  for (( i = 0; i < length; i++ )); do
    local c="${1:i:1}"
    case $c in
      [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
      *) printf '%%%02X' "'$c" ;;
    esac
  done
}

get-credentials() {
  if command -v aws-keyring > /dev/null; then
    aws-keyring --profile "$profile" --duration=12h
  else
    get-aws-login --profile "$profile" --duration 43200 --output credential_process
  fi
}

container=$(container_name)
credentials=$(get-credentials | jq -c \
  '{
    sessionId: .AccessKeyId,
    sessionKey: .SecretAccessKey,
    sessionToken: .SessionToken
  }'
)

response=$(curl -sfS "https://signin.aws.amazon.com/federation?Action=getSigninToken&SessionDuration=28800&Session=$(urlencode "$credentials")")

url="https://signin.aws.amazon.com/federation?Action=login&Issuer=aws-web-login&Destination=$(urlencode "https://console.aws.amazon.com")&SigninToken=$(jq -r .SigninToken <<<"$response")"

if [ "$option" = "ff" ]; then
  firefox "ext+container:name=$(urlencode "$container")&url=$(urlencode "$url")"
else
  echo "$url"
fi