package iam

import (
	"context"

	"google.golang.org/api/googleapi"
	"google.golang.org/api/iam/v1"
)

// NewServiceAccount returns a new iam serviceaccount.
func NewServiceAccount(displayName, description string) *iam.ServiceAccount {
	return &iam.ServiceAccount{
		DisplayName: displayName,
		Description: description,
	}
}

// NewServiceAccountRequest returns a new createserviceaccount request.
func NewServiceAccountRequest(accountID string, serviceAccount *iam.ServiceAccount) *iam.CreateServiceAccountRequest {
	return &iam.CreateServiceAccountRequest{
		AccountId:      accountID,
		ServiceAccount: serviceAccount,
	}
}

// CreateServiceAccount projectID in the form of projects/ID.
func (i *IAMService) CreateServiceAccount(ctx context.Context, projectID string, serviceAccount *iam.CreateServiceAccountRequest) (*iam.ServiceAccount, error) {
	return i.Projects.ServiceAccounts.Create(projectID, serviceAccount).Context(ctx).Do()
}

// name: The resource name of the service account in the following
//
//	format: `projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}`
func (i *IAMService) DeleteServiceAccount(ctx context.Context, name string) error {
	_, err := i.Projects.ServiceAccounts.Delete(name).Context(ctx).Do()
	return err
}

// GetServiceAccount gets a service account with the specified name.
// where name is in the form projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}
func (i *IAMService) GetServiceAccount(ctx context.Context, name string) (*iam.ServiceAccount, error) {
	return i.Projects.ServiceAccounts.Get(name).Context(ctx).Do()
}

// NewServiceAccountKeyRequest creates a new iam service account key request.
func NewServiceAccountKeyRequest() *iam.CreateServiceAccountKeyRequest {
	return &iam.CreateServiceAccountKeyRequest{}
}

// CreateServiceAccountKey calls the iam endpoint and returns a sa key object.
func (i *IAMService) CreateServiceAccountKey(ctx context.Context, name string, saKeyRequest *iam.CreateServiceAccountKeyRequest, opts ...googleapi.CallOption) (*iam.ServiceAccountKey, error) {
	return i.Projects.ServiceAccounts.Keys.Create(name, saKeyRequest).Context(ctx).Do(opts...)
}

// DeleteExcessServiceAccountKeys deletes keys for a Service account if it's reached the limit of keys created for the
// service account. Will only be used when bootstrap is called repeatedly.
func (i *IAMService) DeleteExcessServiceAccountKeys(ctx context.Context, name string, opts ...googleapi.CallOption) error {
	accs, err := i.Projects.ServiceAccounts.Keys.List(name).Context(ctx).Do(opts...)
	if err != nil {
		return err
	}
	if len(accs.Keys) < 10 {
		return nil
	}
	for _, acc := range accs.Keys {
		if acc.KeyType == "SYSTEM_MANAGED" {
			continue
		}
		_, err = i.Projects.ServiceAccounts.Keys.Delete(acc.Name).Context(ctx).Do(opts...)
		if err != nil {
			return err
		}
	}
	return nil
}

// GetServiceAccountIamPolicy calls the iam endpoint to fetch the iam policy of a service account.
func (i *IAMService) GetServiceAccountIamPolicy(ctx context.Context, resource string) (*iam.Policy, error) {
	return i.Projects.ServiceAccounts.GetIamPolicy(resource).Context(ctx).Do()
}

// SetServiceAccountIamPolicy calls the iam endpoint to set the iam policy of a service account.
func (i *IAMService) SetServiceAccountIamPolicy(ctx context.Context, resource string, policyRequest *iam.SetIamPolicyRequest) (*iam.Policy, error) {
	return i.Projects.ServiceAccounts.SetIamPolicy(resource, policyRequest).Context(ctx).Do()
}