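#!/usr/bin/env bash
#
# Ansible vault-password client script: prints the password for the vault id
# given via --vault-id to stdout (for use as `--vault-id <label>@<this-script>`).
#
# Lookup order:
#   1. vault-passwords.gpg next to this script, GPG-encrypted, one
#      "<vault-id> <password>" pair per line (whitespace separated; only the
#      second field is taken, so the password itself must not contain
#      whitespace)
#   2. the login keyring, via `secret-tool lookup ansible-vault-id <vault-id>`
#
# The password leaves this script only on stdout; it is never put in argv,
# so it does not show up in `ps` output.
set -euo pipefail

# NOTE(review): the usage text and the option-parsing loop were lost in the
# copy this file was restored from (only --vault-id is certain, from the
# "--vault-id is required" error below); both are reconstructed minimally.
usage() {
  cat <<EOF >&2
Usage: ${0##*/} --vault-id <id>
EOF
  exit 1
}

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

VAULT_ID=""
while [[ $# -gt 0 ]]; do
  case "$1" in
    --vault-id)
      # `shift 2` with a single remaining argument would fail under set -e
      # with an unhelpful message; check first.
      [[ $# -ge 2 ]] || die "Error: --vault-id requires an argument"
      VAULT_ID="$2"
      shift 2
      ;;
    --vault-id=*)
      VAULT_ID="${1#--vault-id=}"
      shift
      ;;
    *)
      # printf rather than echo: "$1" is caller-controlled and echo would
      # interpret a leading -n/-e.
      printf 'Error: unknown option %s\n' "$1" >&2
      usage
      ;;
  esac
done

if [[ -z "$VAULT_ID" ]]; then
  echo "Error: --vault-id is required" >&2
  usage
fi

# Resolve repo root (script location)
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$SCRIPT_DIR"   # already canonical; a second `cd && pwd` added nothing
VAULT_PASSWORDS_GPG="$REPO_ROOT/vault-passwords.gpg"

# 1. Prefer GPG-encrypted vault-passwords file if present
if [[ -f "$VAULT_PASSWORDS_GPG" ]]; then
  # First match wins. awk's `exit` is deliberately not used: closing the pipe
  # early can hand gpg a SIGPIPE/EPIPE, and with `set -o pipefail` that would
  # fail the whole lookup even though a password was found. Without it, a
  # non-zero status here means gpg itself failed (missing key, pinentry
  # cancelled, corrupt file), which is reported instead of silently exiting.
  if ! PASSWORD="$(
    gpg --quiet --decrypt "$VAULT_PASSWORDS_GPG" \
      | awk -v id="$VAULT_ID" '!found && $1 == id { print $2; found = 1 }'
  )"; then
    die "Error: failed to decrypt $VAULT_PASSWORDS_GPG"
  fi
  if [[ -n "$PASSWORD" ]]; then
    printf '%s\n' "$PASSWORD"
    exit 0
  fi
  printf "Error: Vault ID '%s' not found in vault-passwords.gpg\n" "$VAULT_ID" >&2
  exit 1
fi

# 2. Fallback to secret-tool
PASSWORD=""
if command -v secret-tool >/dev/null 2>&1; then
  # A miss exits non-zero with empty output; that is the expected case, so
  # only the output is inspected.
  PASSWORD="$(secret-tool lookup ansible-vault-id "$VAULT_ID" || true)"
else
  echo "Warning: secret-tool is not installed; skipping keyring lookup" >&2
fi
if [[ -n "$PASSWORD" ]]; then
  printf '%s\n' "$PASSWORD"
  exit 0
fi
printf "Error: No password found for vault ID '%s'\n" "$VAULT_ID" >&2
exit 1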