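// Package secrets loads the service's SAML configuration from AWS Secrets
// Manager.
package secrets

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)

// SAMLSecrets is the JSON document stored in the Secrets Manager secret that
// carries the SAML service-provider configuration.
//
// PrivateKey is sensitive material: do not log a SAMLSecrets value with
// %v/%+v, and do not serialise it back to JSON anywhere but the secret store.
type SAMLSecrets struct {
	// Certificate is the service-provider certificate (presumably PEM; the
	// encoding is not validated here — the consumer parses it).
	Certificate string `json:"certificate"`
	// PrivateKey is the service-provider signing/decryption key that pairs
	// with Certificate. Treat as a secret.
	PrivateKey string `json:"privateKey"`
	// IDPMetadata is the identity provider's metadata document.
	IDPMetadata string `json:"idpMetadata"`
	// RootURL is the externally visible base URL of this service.
	RootURL string `json:"rootURL"`
	// AdminGroup and ViewerGroup are the group identifiers asserted by the
	// IdP that map to the two authorisation roles.
	AdminGroup  string `json:"adminGroup"`
	ViewerGroup string `json:"viewerGroup"`
}

// SecretManager reads secrets from AWS Secrets Manager.
//
// The zero value is not usable; construct one with NewSecretManager.
type SecretManager struct {
	client *secretsmanager.Client
}

// NewSecretManager builds a SecretManager on top of the default AWS
// configuration chain (environment, shared config files, instance or task
// role). It returns an error when that configuration cannot be loaded.
func NewSecretManager(ctx context.Context) (*SecretManager, error) {
	cfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		return nil, fmt.Errorf("unable to load AWS config: %w", err)
	}
	return &SecretManager{client: secretsmanager.NewFromConfig(cfg)}, nil
}

// GetSAMLConfig fetches the secret identified by secretId (a secret name or
// ARN) and decodes its JSON payload into a SAMLSecrets.
//
// Both string and binary secret values are accepted. An empty secretId, a
// response carrying neither payload, a failed API call, or a payload that is
// not valid JSON yields an error. Error values never include the secret
// contents.
func (s *SecretManager) GetSAMLConfig(ctx context.Context, secretId string) (*SAMLSecrets, error) {
	if secretId == "" {
		return nil, errors.New("unable to get secret: empty secret id")
	}
	result, err := s.client.GetSecretValue(ctx, &secretsmanager.GetSecretValueInput{
		SecretId: &secretId,
	})
	if err != nil {
		return nil, fmt.Errorf("unable to get secret: %w", err)
	}
	raw, err := secretPayload(result)
	if err != nil {
		return nil, fmt.Errorf("unable to get secret: %w", err)
	}
	secrets, err := decodeSAMLSecrets(raw)
	if err != nil {
		return nil, fmt.Errorf("unable to unmarshal secret: %w", err)
	}
	return secrets, nil
}

// secretPayload extracts the raw secret bytes from a GetSecretValue response.
//
// Secrets Manager populates either SecretString or SecretBinary, not both;
// dereferencing SecretString unconditionally (as the previous version did)
// panics on a binary secret or an unexpectedly empty response.
func secretPayload(out *secretsmanager.GetSecretValueOutput) ([]byte, error) {
	switch {
	case out == nil:
		return nil, errors.New("empty response")
	case out.SecretString != nil:
		return []byte(*out.SecretString), nil
	case len(out.SecretBinary) > 0:
		return out.SecretBinary, nil
	default:
		return nil, errors.New("secret has neither a string nor a binary value")
	}
}

// decodeSAMLSecrets unmarshals a JSON secret payload into a SAMLSecrets.
//
// It is kept separate from the AWS call so the JSON contract can be exercised
// without a Secrets Manager client. Field presence is not validated here; the
// caller decides which fields are mandatory.
func decodeSAMLSecrets(raw []byte) (*SAMLSecrets, error) {
	var secrets SAMLSecrets
	if err := json.Unmarshal(raw, &secrets); err != nil {
		return nil, err
	}
	return &secrets, nil
}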