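package smartconfig

import (
	"context"
	"fmt"
	"net/url"
	"strings"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
)

// AzureKeyVaultResolver retrieves secrets from Azure Key Vault.
// Usage: ${AZURESM:https://myvault.vault.azure.net:secretname}
type AzureKeyVaultResolver struct{}

// Resolve retrieves the secret value from Azure Key Vault.
//
// value must have the form "VAULT_URL:SECRET_NAME", for example
// "https://myvault.vault.azure.net:secretname". The reference is split at the
// LAST colon, because the vault URL itself contains colons (after the scheme
// and optionally before a port).
//
// It returns an error when the reference is malformed, when the vault URL is
// not an absolute https URL, when the credential or client cannot be created,
// when the lookup fails, or when the service returns a secret without a value.
// The secret value is never included in an error message.
func (r *AzureKeyVaultResolver) Resolve(value string) (string, error) {
	// Splitting at the first colon would yield "https" as the vault URL and
	// "//host:secret" as the secret name, so locate the final separator instead.
	sep := strings.LastIndex(value, ":")
	if sep < 0 {
		return "", fmt.Errorf("invalid Azure Key Vault format, expected VAULT_URL:SECRET_NAME")
	}
	vaultURL, secretName := value[:sep], value[sep+1:]
	if secretName == "" {
		return "", fmt.Errorf("invalid Azure Key Vault format, expected VAULT_URL:SECRET_NAME")
	}

	// The reference comes from configuration, and the credential created below
	// is used against whatever endpoint it names. Reject anything that is not
	// an absolute https URL before any credential or client is built; this also
	// catches a reference with no secret name, where the split lands on the
	// scheme colon.
	// NOTE(review): callers that accept references from less-trusted sources
	// may also want to restrict the host to an allow-list of known vaults.
	endpoint, err := url.Parse(vaultURL)
	if err != nil || endpoint.Scheme != "https" || endpoint.Host == "" {
		return "", fmt.Errorf("invalid Azure Key Vault URL, expected an absolute https URL")
	}

	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		return "", fmt.Errorf("failed to create Azure credential: %w", err)
	}

	client, err := azsecrets.NewClient(vaultURL, cred, nil)
	if err != nil {
		return "", fmt.Errorf("failed to create Azure Key Vault client: %w", err)
	}

	// NOTE(review): context.Background() carries no deadline, so a stalled
	// request blocks the caller; the current signature offers no way to pass
	// a context in.
	ctx := context.Background()

	// An empty version string asks for the latest version of the secret.
	resp, err := client.GetSecret(ctx, secretName, "", nil)
	if err != nil {
		return "", fmt.Errorf("failed to get secret %s: %w", secretName, err)
	}

	// Value is a pointer; guard against a response without one instead of
	// panicking on the dereference.
	if resp.Value == nil {
		return "", fmt.Errorf("secret %s has no value", secretName)
	}
	return *resp.Value, nil
}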