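package secret

import (
	"context"
	"fmt"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
)

// azureKeyVaultProvider is a secret provider backed by one Azure Key Vault.
type azureKeyVaultProvider struct {
	options  *providerOptions  // provider settings; this file only reads options.timeout
	vaultURL string            // "https://<name>.vault.azure.net", built in AzureKeyVault
	client   *azsecrets.Client // SDK client bound to vaultURL
}

// AzureKeyVault returns a Provider that reads secrets from the Key Vault
// called name.
//
// The vault name becomes the host label of the URL that authenticated requests
// are sent to, so it is checked before the URL is built: an empty name or one
// holding anything other than ASCII letters, digits and hyphens is rejected.
// The service's stricter naming rules (length, hyphen placement) are left for
// the service to enforce.
//
// Credentials come from azidentity.NewDefaultAzureCredential with default
// options, i.e. whatever identity the process environment supplies. Errors
// from the SDK constructors are returned unchanged.
//
// NOTE(review): tenant is accepted but not used anywhere in this function, so
// the tenant the credential authenticates against is decided by the
// environment rather than by the caller. Confirm whether it should be passed
// on through the credential options.
func AzureKeyVault(tenant, name string, opts ...Option) (Provider, error) {
	if err := checkVaultName(name); err != nil {
		return nil, err
	}

	p := &azureKeyVaultProvider{
		options:  newProviderOptions(opts...),
		vaultURL: fmt.Sprintf("https://%s.vault.azure.net", name),
	}

	creds, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		return nil, err
	}

	if p.client, err = azsecrets.NewClient(p.vaultURL, creds, nil); err != nil {
		return nil, err
	}
	return p, nil
}

// checkVaultName reports an error when name is empty or contains a byte that
// is not an ASCII letter, digit or hyphen. Separators such as '/', '@', ':'
// or '.' would otherwise change which host the formatted vault URL points at.
func checkVaultName(name string) error {
	if name == "" {
		return fmt.Errorf("key vault name is empty")
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-':
			// allowed in a vault name
		default:
			return fmt.Errorf("key vault name %q may only contain letters, digits and hyphens", name)
		}
	}
	return nil
}

// GetSecret fetches the secret stored under key and returns its value as
// bytes. The version argument passed to the SDK is empty, which requests the
// current version of the secret.
//
// When the provider's timeout option is positive the request is bounded by it;
// otherwise the call runs on context.Background() with no deadline of its own.
// An SDK error is returned unchanged. A response that carries no value yields
// an error instead of a nil-pointer panic.
//
// The returned slice is a copy of a string owned by the SDK response, so
// zeroing the slice after use does not remove the secret from process memory.
func (p *azureKeyVaultProvider) GetSecret(key string) (value []byte, err error) {
	ctx := context.Background()
	if p.options.timeout > 0 {
		var cancel context.CancelFunc
		ctx, cancel = context.WithTimeout(ctx, p.options.timeout)
		defer cancel()
	}

	resp, err := p.client.GetSecret(ctx, key, "", nil)
	if err != nil {
		return nil, err
	}

	// Value is a *string in the SDK model; guard it rather than dereference blindly.
	if resp.Value == nil {
		return nil, fmt.Errorf("secret %q in %s has no value", key, p.vaultURL)
	}
	return []byte(*resp.Value), nil
}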