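package bannerctl

import (
	"context"
	"fmt"
	"time"

	kms "cloud.google.com/go/kms/apiv1"
	"github.com/golang-jwt/jwt"

	"edge-infra.dev/pkg/edge/edgeencrypt"
)

// CreateDecryptionInfra provisions the KMS-backed signing material used for
// decryption tokens: it ensures the key ring exists, creates the decryption
// JWT signing key (stored via Secret Manager), and finally mints the bearer
// token signed with version 1 of that key.
//
// Parameters:
//   - ctx: carries cancellation/deadline for every provisioning call.
//   - kmsClient: the Cloud KMS client used to create the key ring and key.
//   - _sm: the JWT signing method handed to createBearerToken.
//   - sm: factory for a Secret Manager client scoped to kmsKey.ProjectID.
//   - kmsKey: describes the project, ring and key naming used throughout.
//   - timeout: forwarded to createKmsKey; its exact semantics live there.
//
// Returns the first error encountered, wrapped with the step that failed so
// callers can `errors.Is`/`errors.As` through it.
func CreateDecryptionInfra(ctx context.Context, kmsClient *kms.KeyManagementClient, _sm jwt.SigningMethod, sm secretManager, kmsKey edgeencrypt.KmsKey, timeout time.Duration) error {
	// use foreman as ring for decryption signing key
	if err := createKeyRing(ctx, kmsClient, kmsKey, kmsKey.ProjectID); err != nil {
		// Wrapped (rather than returned bare) so this step is attributable in
		// the error chain like every other step in this function.
		return fmt.Errorf("failed to create key ring: %w", err)
	}

	secretClient, err := sm.NewWithOptions(ctx, kmsKey.ProjectID)
	if err != nil {
		return fmt.Errorf("failed to create secret manager client: %w", err)
	}
	// NOTE(review): whether secretClient needs closing is not visible here;
	// confirm against the secretManager interface and add a deferred Close if it does.

	err = createKmsKey(
		ctx,
		kmsClient,
		secretClient,
		kmsKey,
		kmsKey.ProjectID,
		edgeencrypt.DecryptionJWTSecret,
		nil, // presumably "no labels/extra options"; verify against createKmsKey
		edgeencrypt.DefaultSigningCryptoKeyPurpose,
		edgeencrypt.DefaultSigningCryptoKeyAlgorithm,
		edgeencrypt.DecryptionJWTSecretManager,
		timeout,
	)
	if err != nil {
		return fmt.Errorf("failed to create decryption jwt secret: %w", err)
	}

	// Version "1" (and the matching integer 1 below) assume the key created
	// above is the first version of DecryptionJWTSecret — TODO confirm that
	// createKmsKey never produces a later version on re-runs.
	key := kmsKey.KeyPath(kmsKey.ProjectID, edgeencrypt.DecryptionJWTSecret, "1")
	return createBearerToken(
		ctx,
		secretClient,
		_sm,
		key,
		edgeencrypt.DecryptionJWTSecret,
		edgeencrypt.DecryptionJWTSecret,
		edgeencrypt.DecryptionTokenSecretManager,
		edgeencrypt.Decryption,
		1,
		nil,
	)
}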