# typed: false
# frozen_string_literal: true

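# Resolves a secret that is specific to this plug and to the current environment.
#
# In production/staging the value is read from the plug's own 1Password vault
# (`op://Plug-<plug_name>/<RAILS_ENV, capitalized>/<label>`). Everywhere else the
# process environment is consulted and `default` is the fallback.
#
# @param label [String, Symbol] secret name; doubles as the ENV key outside production/staging
# @param default [String, Pathname, Object] local fallback; a Pathname is read
#   from disk and its contents are returned instead of the path
# @return [String, Object] the resolved value
# @raise [RuntimeError] when the 1Password read fails (raised by op_read)
def fetch_plug_env_secret(label:, default:)
  if productionish?
    # NOTE(review): ENV["RAILS_ENV"] is nil when the variable is not exported,
    # and `.capitalize` would then raise NoMethodError -- confirm it is always
    # set on production/staging hosts.
    op_read("op://Plug-#{plug_name}/#{ENV["RAILS_ENV"].capitalize}/#{label}")
  else
    # Block form: the fallback (including any fixture file behind a Pathname)
    # is only evaluated when the variable is absent, so a missing fixture no
    # longer breaks a lookup that the environment already satisfies.
    ENV.fetch(label.to_s) { default.is_a?(Pathname) ? default.read : default }
  end
end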

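# Resolves a secret shared by all infrastructure.
#
# In production/staging the value is read from the `Infra` vault's
# `Global Secrets` item; everywhere else the process environment is consulted
# and `default` is the fallback.
#
# @param label [String, Symbol] secret name; doubles as the ENV key outside production/staging
# @param default [String, Pathname, Object] local fallback; a Pathname is read
#   from disk and its contents are returned instead of the path
# @return [String, Object] the resolved value
# @raise [RuntimeError] when the 1Password read fails (raised by op_read)
def fetch_infra_secret(label:, default:)
  if productionish?
    op_read("op://Infra/Global Secrets/#{label}")
  else
    # `to_s` matches fetch_plug_env_secret: ENV.fetch rejects Symbol keys.
    # Block form: the fallback (and any file behind a Pathname) is only
    # evaluated when the variable is absent.
    ENV.fetch(label.to_s) { default.is_a?(Pathname) ? default.read : default }
  end
end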

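# Resolves a secret from a pre-fetched secrets document.
#
# In production/staging the value is looked up in `document_secrets`; everywhere
# else the process environment is consulted and `default` is the fallback.
#
# @param document_secrets [#[]] container indexed by label (unused outside production/staging)
# @param label [String, Symbol] secret name; doubles as the ENV key outside production/staging
# @param default [String, Pathname, Object] local fallback; a Pathname is read
#   from disk and its contents are returned instead of the path
# @return [String, Object, nil] the resolved value; nil when the document has no such label
def fetch_document_secret(document_secrets, label:, default:)
  if productionish?
    # NOTE(review): the caller visible in this file passes the raw String that
    # op_get_secrets returns. String#[] with a String argument yields the
    # matching substring (the label itself) or nil, never a field value --
    # confirm the document is parsed into a Hash before it reaches this lookup.
    # A missing label also resolves to nil here instead of failing the boot.
    document_secrets[label]
  else
    # `to_s` matches fetch_plug_env_secret: ENV.fetch rejects Symbol keys.
    # Block form: the fallback (and any file behind a Pathname) is only
    # evaluated when the variable is absent.
    ENV.fetch(label.to_s) { default.is_a?(Pathname) ? default.read : default }
  end
end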

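# Reads one secret reference with the 1Password CLI (`op read`).
#
# @param label [String] secret reference handed to `op read`; callers in this
#   file pass `op://<vault>/<item>/<field>` strings
# @return [String] the command's standard output with the trailing newline removed
# @raise [RuntimeError] when the command exits unsuccessfully
def op_read(label)
  require "shellwords" # idempotent; this file has no top-level require block

  # The reference is assembled from interpolated pieces (plug name, RAILS_ENV,
  # label). Inside plain double quotes the shell would still expand `$`,
  # backticks and an embedded quote, so the whole reference is escaped as a
  # single shell word instead.
  %x(#{include_sudo?}op read #{Shellwords.escape(label)}).chomp.tap do
    raise "Failed to fetch `#{label}` from 1Password" unless $CHILD_STATUS.success?
  end
end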

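# Fetches every item in `vault` that carries `tag` in a single CLI pipeline
# (`op item list ... | op item get - --reveal`).
#
# Technically this returns every secret, including ones unique to the
# platform, but those are not used yet; it feels better to let the plugs
# manage those on their own.
#
# The returned text contains revealed secret values, so it should never be
# logged or echoed.
#
# @param vault [String] 1Password vault name
# @param tag [String] item tag to filter on
# @return [String] raw JSON text printed by `op item get` (not parsed here)
# @raise [RuntimeError] when the pipeline exits unsuccessfully
def op_get_secrets(vault:, tag:)
  require "shellwords" # idempotent; this file has no top-level require block

  # Both values are interpolated into a shell command line, so each is escaped
  # as a single shell word. Shellwords.escape turns nil into an empty quoted
  # argument rather than letting the next flag slide into its place.
  quoted_vault = Shellwords.escape(vault)
  quoted_tag = Shellwords.escape(tag)

  %x(#{include_sudo?}op item list --vault #{quoted_vault} --tags #{quoted_tag} --format json | #{include_sudo?}op item get - --reveal --format=json).tap do
    # A shell pipeline reports the exit status of its last stage only, so a
    # failing `op item list` is noticed here only if `op item get` fails too.
    raise "Failed to fetch value `#{vault}` for `#{tag}` from 1Password" unless $CHILD_STATUS.success?
  end
end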

# Boot-time guard: stops with an error unless the 1Password CLI answers a
# version probe.
#
# @return [nil] when the CLI is available
# @raise [RuntimeError] when cli_installed? reports false
def check_dependencies!
  return if cli_installed?

  raise "1Password CLI is not installed"
end

# Probes for the 1Password CLI by running `op --version` (with the sudo prefix
# where include_sudo? supplies one) and discarding its error output.
#
# @return [Boolean] true when the probe command exits successfully
def cli_installed?
  version_probe = "#{include_sudo?}op --version 2> /dev/null"
  %x(#{version_probe}) # output is irrelevant; only the exit status is inspected
  $CHILD_STATUS.success?
end

# Command prefix for 1Password CLI invocations. Despite the predicate-style
# name it returns a String that callers interpolate directly in front of `op`,
# so the trailing space is significant.
#
# `-E` asks sudo to keep the caller's environment (presumably so credentials
# held in environment variables reach `op` -- confirm against the host's
# sudoers policy).
#
# @return [String] "sudo -E " in production/staging, otherwise ""
def include_sudo?
  return "sudo -E " if productionish?

  ""
end

# True for the environments that read real secrets from 1Password:
# production and staging.
#
# @return [Boolean]
def productionish?
  current_env = Rails.env
  current_env.production? || current_env.staging?
end

# Whether user-facing API errors should be printed.
#
# Always on in development and staging. In every other environment
# (production included) it follows the DEBUG variable: the raw value is
# returned, and since any String is truthy in Ruby, `DEBUG=false` or `DEBUG=0`
# also enables printing.
#
# @return [true, String, false] true, the DEBUG value, or false when DEBUG is unset
def print_user_api_errors?
  return true if Rails.env.development? || Rails.env.staging?

  ENV.fetch("DEBUG", false)
end

# Lower-cased plug name, used when building hostnames.
#
# @return [String]
def plug_shortname
  full_name = plug_name
  full_name.downcase
end

# Plug name: the application's module name with its first four characters
# (the length of "Plug") cut off. The prefix is not verified, so any module
# name loses its first four characters.
#
# @return [String, nil] the remainder of the module name
def plug_name
  prefix_length = "Plug".length
  plug_module[prefix_length..]
end

# Name of the module that encloses the Rails application class.
#
# @return [String]
def plug_module
  application_class = Rails.application.class
  application_class.module_parent.name
end

# Public host name of this plug for the current environment.
#
# Development derives the name from the local machine's `hostname` output
# (a fixed command with no interpolated input) and points at an ngrok tunnel.
#
# @return [String, nil] host name without protocol; nil for any other environment
def plug_url
  return "#{plug_shortname}.plugs.yetto.app" if Rails.env.production?
  return "#{plug_shortname}.plugs.yetto.dev" if Rails.env.staging?
  return "#{%x(hostname).chomp.downcase}-plug-#{plug_shortname}.ngrok.io" if Rails.env.development?
  return "#{plug_shortname}.plugs.yetto.test" if Rails.env.test?

  nil
end

# Environment-specific hosts plus the secrets every plug needs. Everything here
# is resolved once, while the module body is evaluated at load time.
module Hephaestus
  # Mail domain per environment; nil for an environment not listed here.
  YETTO_EMAIL_DOMAIN =
    case
    when Rails.env.production? then "yetto.email"
    when Rails.env.staging? then "yetto.dev"
    when Rails.env.development? then "yetto-dev.email"
    when Rails.env.test? then "yetto.test"
    end

  # Plain HTTP is used in development only.
  PROTOCOL =
    if Rails.env.development?
      "http://"
    else
      "https://"
    end

  # Host of the Yetto web app per environment; nil for an environment not listed here.
  YETTO_URL =
    case
    when Rails.env.production? then "web.yetto.app"
    when Rails.env.staging? then "web.yetto.dev"
    when Rails.env.development? then "localhost:3000"
    when Rails.env.test? then "web.yetto.test"
    end

  # Every plug has these secrets; to reduce the number of API calls to
  # 1Password, one document holding all of them is fetched up front.
  # Outside production/staging nothing is fetched and this stays nil.
  #
  # NOTE(review): op_get_secrets returns the CLI's raw output as a String, and
  # fetch_document_secret indexes whatever it is given with `[label]`. On a
  # String that is a substring lookup, which yields the label text itself or
  # nil -- confirm the document is parsed before these constants are trusted
  # in production/staging.
  secrets_document =
    if productionish?
      check_dependencies!
      op_get_secrets(vault: "Plug-#{plug_name}", tag: ENV["RAILS_ENV"])
    end

  # The `default:` values below are only consulted outside production/staging
  # (see fetch_document_secret), where the matching ENV variable wins if set.
  SLACK_LOG_URL = fetch_document_secret(
    secrets_document,
    label: "SLACK_LOG_URL",
    default: "https://slack.com/the_log_room",
  )

  YETTO_API_URL = "#{YETTO_URL}/api"

  YETTO_REDIRECT_URL =
    if productionish?
      "#{PROTOCOL}#{YETTO_URL}"
    else
      "#{PROTOCOL}127.0.0.1:3000"
    end

  # Outside production/staging the fixture PEM file is read and its contents used.
  YETTO_PLUG_PEM = fetch_document_secret(
    secrets_document,
    label: "YETTO_PLUG_PEM",
    default: Rails.root.join("test/fixtures/files/fake_pem_file/fake.pem"),
  )

  # "super-secret" is a placeholder for local use, never a production value.
  YETTO_SIGNING_SECRET = fetch_document_secret(
    secrets_document,
    label: "YETTO_SIGNING_SECRET",
    default: "super-secret",
  )

  YETTO_PLUG_ID = fetch_document_secret(
    secrets_document,
    label: "YETTO_PLUG_ID",
    default: "plug-id",
  )
end