// Package passmgr wraps calls to the secret-mgr binary for secret resolution.
package passmgr

import (
	"fmt"
	"os/exec"
	"strings"
)

// GetSecret calls: secret-mgr get-secret [--public] --key <key>
func GetSecret(key string, public bool) (string, error) {
	args := []string{"get-secret"}
	if public {
		args = append(args, "--public")
	}
	args = append(args, "--key", key)
	out, err := exec.Command("secret-mgr", args...).Output()
	if err != nil {
		return "", fmt.Errorf("secret-mgr get-secret --key %s failed: %w", key, err)
	}
	return strings.TrimSpace(string(out)), nil
}

// SetSecret calls: secret-mgr set [--public] --key <key> --secret <secret>
func SetSecret(key, secret string, public bool) error {
	args := []string{"set"}
	if public {
		args = append(args, "--public")
	}
	args = append(args, "--key", key, "--secret", secret)
	if err := exec.Command("secret-mgr", args...).Run(); err != nil {
		return fmt.Errorf("secret-mgr set --key %s failed: %w", key, err)
	}
	return nil
}

// GeneratePassword calls: secret-mgr generate --key <key> --username <username>
func GeneratePassword(key, username string) (string, error) {
	args := []string{"generate", "--key", key, "--username", username}
	out, err := exec.Command("secret-mgr", args...).Output()
	if err != nil {
		return "", fmt.Errorf("secret-mgr generate failed: %w", err)
	}
	return strings.TrimSpace(string(out)), nil
}

// GetToken retrieves the normal hf-token via secret-mgr.
func GetToken() (string, error) {
	return GetSecret("hf-token", false)
}

// GetAccountManagerToken retrieves the public hf-acc-mgr-token via secret-mgr.
func GetAccountManagerToken() (string, error) {
	return GetSecret("hf-acc-mgr-token", true)
}

// SetAccountManagerToken stores the acc-mgr-token as a public secret.
func SetAccountManagerToken(token string) error {
	return SetSecret("hf-acc-mgr-token", token, true)
}