package vault

import (
	"context"
	"fmt"
)

// SealAccess is a wrapper around Seal that exposes accessor methods
// through Core.SealAccess() while restricting the ability to modify
// Core.seal itself.
type SealAccess struct {
	seal Seal
}

func NewSealAccess(seal Seal) *SealAccess {
	return &SealAccess{seal: seal}
}

func (s *SealAccess) StoredKeysSupported() bool {
	return s.seal.StoredKeysSupported()
}

func (s *SealAccess) BarrierType() string {
	return s.seal.BarrierType()
}

func (s *SealAccess) BarrierConfig(ctx context.Context) (*SealConfig, error) {
	return s.seal.BarrierConfig(ctx)
}

func (s *SealAccess) RecoveryKeySupported() bool {
	return s.seal.RecoveryKeySupported()
}

func (s *SealAccess) RecoveryConfig(ctx context.Context) (*SealConfig, error) {
	return s.seal.RecoveryConfig(ctx)
}

func (s *SealAccess) VerifyRecoveryKey(ctx context.Context, key []byte) error {
	return s.seal.VerifyRecoveryKey(ctx, key)
}

func (s *SealAccess) ClearCaches(ctx context.Context) {
	s.seal.SetBarrierConfig(ctx, nil)
	if s.RecoveryKeySupported() {
		s.seal.SetRecoveryConfig(ctx, nil)
	}
}

type SealAccessTestingParams struct {
	PretendToAllowStoredShares bool
	PretendToAllowRecoveryKeys bool
	PretendRecoveryKey         []byte
}

func (s *SealAccess) SetTestingParams(params *SealAccessTestingParams) error {
	d, ok := s.seal.(*defaultSeal)
	if !ok {
		return fmt.Errorf("not a defaultseal")
	}
	d.PretendToAllowRecoveryKeys = params.PretendToAllowRecoveryKeys
	d.PretendToAllowStoredShares = params.PretendToAllowStoredShares
	if params.PretendRecoveryKey != nil {
		d.PretendRecoveryKey = params.PretendRecoveryKey
	}
	return nil
}