package ca

import (
	"fmt"

	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/providers"
	"github.com/hashicorp/consul/agent/structs"
	"github.com/hashicorp/vault-plugin-auth-alicloud/tools"
)

func NewAliCloudAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
	params := authMethod.Params
	authClient := NewVaultAPIAuthClient(authMethod, "")
	// check for login data already in params (for backwards compability)
	legacyKeys := []string{"access_key", "secret_key", "access_token"}
	if legacyCheck(params, legacyKeys...) {
		return authClient, nil
	}

	if r, ok := params["role"].(string); !ok || r == "" {
		return nil, fmt.Errorf("role is required for AliCloud login")
	}
	if r, ok := params["region"].(string); !ok || r == "" {
		return nil, fmt.Errorf("region is required for AliCloud login")
	}
	client := NewVaultAPIAuthClient(authMethod, "")
	client.LoginDataGen = AliLoginDataGen
	return client, nil
}

func AliLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
	// validity of these params is checked above in New..
	role := authMethod.Params["role"].(string)
	region := authMethod.Params["region"].(string)
	// Credentials can be provided either explicitly via env vars,
	// or we will try to derive them from instance metadata.
	credentialChain := []providers.Provider{
		providers.NewEnvCredentialProvider(),
		providers.NewInstanceMetadataProvider(),
	}
	creds, err := providers.NewChainProvider(credentialChain).Retrieve()
	if err != nil {
		return nil, err
	}

	loginData, err := tools.GenerateLoginData(role, creds, region)
	if err != nil {
		return nil, err
	}

	return loginData, nil
}