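package secret

import (
	"context"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials"
	"github.com/aws/aws-sdk-go-v2/service/kms"
	"github.com/aws/aws-sdk-go-v2/service/ssm"
)

// awskms is a Provider that decrypts KMS ciphertext blobs.
type awskms struct {
	options *providerOptions
	service *kms.Client
}

// AWSKeyManagementService uses AWS KMS for decrypting blobs.
//
// The keys passed in GetSecret are the encrypted blobs and will be converted with [ToBinary].
//
// Credentials: when options.clientID is set, clientID/secretID are used as a static
// AWS access key ID / secret access key (these are not OAuth credentials, despite
// the option names). Otherwise the SDK default credential chain applies (environment,
// shared config/credentials files, SSO, instance/task/pod roles, ...). Prefer the
// default chain in production: static long-lived keys are not rotated for you and,
// because no session token is passed, temporary STS credentials cannot be supplied
// through these options at all.
func AWSKeyManagementService(opts ...Option) (Provider, error) {
	options := newProviderOptions(opts...)

	var loadOpts []func(*config.LoadOptions) error
	if options.clientID != "" {
		// Static access-key credentials. The empty third argument is the
		// session token, so only long-lived (non-STS) keys work here.
		loadOpts = append(loadOpts, config.WithCredentialsProvider(
			credentials.NewStaticCredentialsProvider(options.clientID, options.secretID, ""),
		))
	}
	if options.region != "" {
		// WithRegion already populates cfg.Region; the original assigned it a
		// second time after loading, which was redundant.
		loadOpts = append(loadOpts, config.WithRegion(options.region))
	}

	// Named cfg rather than config so the imported package is not shadowed.
	cfg, err := config.LoadDefaultConfig(context.Background(), loadOpts...)
	if err != nil {
		return nil, err
	}

	return awskms{
		options: options,
		service: kms.NewFromConfig(cfg),
	}, nil
}

// GetSecret decrypts the ciphertext blob encoded in key and returns the plaintext.
//
// Only CiphertextBlob is sent: no KeyId and no EncryptionContext are set.
// NOTE(review): KMS requires the Decrypt EncryptionContext to match the one used
// at Encrypt time, so blobs that were encrypted with a context presumably cannot
// be decrypted through this provider — confirm that is intended. Errors from KMS
// (access denied, invalid ciphertext, ...) are returned unchanged, and the returned
// plaintext is the caller's responsibility to handle and discard carefully.
func (p awskms) GetSecret(key string) ([]byte, error) {
	input := &kms.DecryptInput{CiphertextBlob: ToBinary(key)}
	output, err := p.service.Decrypt(context.Background(), input)
	if err != nil {
		return nil, err
	}
	return output.Plaintext, nil
}

// awsps is a Provider backed by AWS Systems Manager Parameter Store.
type awsps struct {
	service *ssm.Client
}

// AWSParameterStorage uses AWS Systems Manager Parameter Store for obtaining secrets.
//
// options are passed straight to config.LoadDefaultConfig, so credentials and
// region come from the SDK default chain unless the caller overrides them.
func AWSParameterStorage(options ...func(*config.LoadOptions) error) (Provider, error) {
	cfg, err := config.LoadDefaultConfig(context.TODO(), options...)
	if err != nil {
		return nil, err
	}
	return awsps{service: ssm.NewFromConfig(cfg)}, nil
}

// GetSecret fetches the parameter named key. WithDecryption is always true so
// SecureString values come back in plaintext; the calling identity therefore
// presumably needs kms:Decrypt on the parameter's key in addition to
// ssm:GetParameter.
//
// Returns NotFound when the response carries no parameter or no value. Errors from
// SSM are returned unchanged. NOTE(review): a parameter that does not exist is
// reported by SSM as an API error rather than as NotFound here — verify callers
// handle both cases.
func (p awsps) GetSecret(key string) ([]byte, error) {
	withDecryption := true
	input := &ssm.GetParameterInput{
		Name:           &key,
		WithDecryption: &withDecryption,
	}
	output, err := p.service.GetParameter(context.TODO(), input)
	if err != nil {
		return nil, err
	}
	// Guard Value as well as Parameter: the original dereferenced Value
	// unconditionally, which panics if the SDK ever returns a nil pointer.
	if output.Parameter == nil || output.Parameter.Value == nil {
		return nil, NotFound{Key: key}
	}
	return []byte(*output.Parameter.Value), nil
}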