"""Defines a rule that serializes a reference to a cosign key (a gcpkms:// URI, not key material) into the Bazel graph"""

load("//hack/build/rules/container/sign:cosign_key.bzl", "CosignKeyInfo")

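def _gcp_kms_key(ctx):
    """Writes the gcpkms:// URI of the configured key to a file and exposes it as a cosign key.

    The generated file holds only the KMS resource reference assembled from the
    rule attributes; no key material is read or written here.

    Args:
        ctx: The rule context. Reads the `project`, `location`, `keyring`, `key`
            and `version` attributes.

    Returns:
        A list with a DefaultInfo carrying the URI file and a CosignKeyInfo
        carrying the target name and the same file.
    """

    # `mandatory = True` only requires the attribute to be set, so "" still
    # passes. An empty segment, or one containing "/", would produce a URI
    # that names a different KMS resource (or none) than the BUILD file
    # appears to declare, so both are rejected at analysis time.
    segments = {
        "project": ctx.attr.project,
        "location": ctx.attr.location,
        "keyring": ctx.attr.keyring,
        "key": ctx.attr.key,
    }
    for attr_name, segment in segments.items():
        if not segment or "/" in segment:
            fail("gcp_kms_key: attribute '{0}' must be non-empty and must not contain '/', got '{1}'".format(
                attr_name,
                segment,
            ))

    # 0 is the attr.int default and means "no version suffix"; a negative
    # value can never name a key version.
    if ctx.attr.version < 0:
        fail("gcp_kms_key: attribute 'version' must not be negative, got {0}".format(ctx.attr.version))

    key_file = ctx.actions.declare_file("{0}.txt".format(ctx.label.name))
    key_value = "gcpkms://projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{key}".format(
        **segments
    )
    if ctx.attr.version:
        # Pin the exact key version instead of leaving resolution to the signer.
        key_value = "{key_value}/versions/{version}".format(
            key_value = key_value,
            version = ctx.attr.version,
        )

    ctx.actions.write(
        output = key_file,
        content = key_value,
    )

    return [
        DefaultInfo(
            files = depset([key_file]),
        ),
        CosignKeyInfo(
            key_name = ctx.label.name,
            key_file = key_file,
        ),
    ]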

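# Rule declaration. The output file contains only the gcpkms:// resource path
# built from the attributes below; it never contains key material.
gcp_kms_key = rule(
    doc = """
        A GCP KMS Key Rule that can be used to sign containers. Creates a file target containing a valid GCP KMS path i.e. gcpkms://projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]
        Optionally provide a version number to specify a specific version, which appends /versions/[VERSION] to the path. Otherwise the latest version is accessed.
        The file holds only this path, not key material.
    """,
    implementation = _gcp_kms_key,
    attrs = {
        "key": attr.string(
            doc = "The name of the key",
            mandatory = True,
        ),
        "keyring": attr.string(
            doc = "The name of the keyring",
            mandatory = True,
        ),
        "location": attr.string(
            doc = "The location of the keyring and key, e.g. global",
            mandatory = True,
        ),
        "project": attr.string(
            doc = "The GCP project containing the keyring and key",
            mandatory = True,
        ),
        "version": attr.int(
            doc = "The version of the key to use. 0 (the default) leaves the version out of the path. Pin a version when verifiers expect one specific public key.",
            # Same value attr.int uses implicitly; spelled out so the
            # "no version suffix" case is visible in the declaration.
            default = 0,
        ),
    },
)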