#!/usr/bin/env python3

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import argparse
import os
import sys

import hvac
import yaml

from kolla_ansible.hashi_vault import hashicorp_vault_client


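def readpwd(passwords_file, vault_kv_path, vault_mount_point, vault_namespace,
            vault_addr, vault_role_id, vault_secret_id, vault_token,
            vault_cacert):
    """Replace the values in a passwords file with the secrets held in Vault.

    The keys of ``passwords_file`` decide which secrets are looked up: for
    every key, ``<vault_kv_path>/<key>`` is read from the KV v2 engine mounted
    at ``vault_mount_point`` and the file is rewritten in place with the
    values found there.  Secret values are written only to the passwords
    file; they are never printed.

    :param passwords_file: path of the YAML passwords file; read, then
        overwritten with the values fetched from Vault
    :param vault_kv_path: path prefix inside the KV mount under which the
        passwords are stored
    :param vault_mount_point: mount point of the KV v2 secrets engine
    :param vault_namespace: Vault namespace (enterprise only); may be ''
    :param vault_addr: address of the Vault server
    :param vault_role_id: AppRole role-id, used together with vault_secret_id
    :param vault_secret_id: AppRole secret-id, used together with vault_role_id
    :param vault_token: Vault token, the alternative to AppRole credentials
    :param vault_cacert: path to a CA certificate file, or ''; how an empty
        value is treated is up to hashicorp_vault_client
    :raises SystemExit: with status 1 when the passwords file is not a mapping
    """
    with open(passwords_file, 'r') as f:
        passwords = yaml.safe_load(f.read())

    if not isinstance(passwords, dict):
        # Diagnostics go to stderr so they never mix with anything a caller
        # might capture from stdout.
        print("ERROR: Passwords file not in expected key/value format",
              file=sys.stderr)
        sys.exit(1)

    client = hashicorp_vault_client(vault_namespace, vault_addr, vault_role_id,
                                    vault_secret_id, vault_token, vault_cacert)

    vault_kv_passwords = {}
    for password_key in passwords:
        try:
            password_data = client.secrets.kv.v2.read_secret_version(
                mount_point=vault_mount_point,
                path="{}/{}".format(vault_kv_path, password_key))
        except hvac.exceptions.InvalidPath:
            # A key present in the file but absent from Vault is not fatal:
            # record it as unset so the operator can see which ones are
            # missing.
            print("WARNING: '%s' not found in Vault" % password_key,
                  file=sys.stderr)
            vault_kv_passwords[password_key] = None
            continue

        # KV v2 wraps the stored mapping as response['data']['data'].  A
        # response without that payload is treated like a missing secret
        # instead of failing with an unhandled KeyError.
        secret = password_data.get('data', {}).get('data')
        if secret is None:
            print("WARNING: '%s' has no data in Vault" % password_key,
                  file=sys.stderr)
            vault_kv_passwords[password_key] = None
            continue

        if isinstance(secret, dict) and 'password' in secret:
            # Plain passwords are stored as {'password': value}.
            vault_kv_passwords[password_key] = secret['password']
        else:
            # Structured entries (several fields) are kept as a whole mapping.
            vault_kv_passwords[password_key] = secret

    # Serialise before opening the file for writing, so that a YAML error
    # cannot leave behind a truncated passwords file.
    rendered = yaml.safe_dump(vault_kv_passwords)
    with open(passwords_file, 'w') as f:
        f.write(rendered)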


def main():
    """Command-line entry point for the read-passwords tool.

    Parses the options below, expands ``~`` in the two file paths and hands
    everything to :func:`readpwd`, which rewrites the passwords file with the
    values currently stored in Vault.

    NOTE: --vault-secret-id and --vault-token are read only from the command
    line, so they appear in shell history and in the process listing for as
    long as the tool runs.
    """
    # (flags, add_argument keyword arguments), in the order they are shown
    # by --help.
    option_table = (
        (('-p', '--passwords'),
         {'type': str,
          'default': os.path.abspath('/etc/kolla/passwords.yml'),
          'help': 'Path to the passwords.yml file'}),
        (('-kv', '--vault-mount-point'),
         {'type': str,
          'default': 'kv',
          'help': 'Path to the KV mount point'}),
        (('-kvp', '--vault-kv-path'),
         {'type': str,
          'default': 'kolla_passwords',
          'help': 'Path to store passwords within your configured KV mount '
                  'point'}),
        (('-n', '--vault-namespace'),
         {'type': str,
          'default': '',
          'help': 'Vault namespace (enterprise only)'}),
        (('-v', '--vault-addr'),
         {'type': str,
          'required': True,
          'help': 'Address to connect to an existing Hashicorp Vault'}),
        (('-r', '--vault-role-id'),
         {'type': str,
          'default': '',
          'help': 'Role-ID to authenticate to Vault. This must be used in '
                  'conjunction with --secret-id'}),
        (('-s', '--vault-secret-id'),
         {'type': str,
          'default': '',
          'help': 'Secret-ID to authenticate to Vault. This must be used in '
                  'conjunction with --role-id'}),
        (('-t', '--vault-token'),
         {'type': str,
          'default': '',
          'help': 'Vault token to authenticate to Vault'}),
        (('-c', '--vault-cacert'),
         {'type': str,
          'default': '',
          'help': 'Path to CA certificate file'}),
    )

    parser = argparse.ArgumentParser()
    for flags, kwargs in option_table:
        parser.add_argument(*flags, **kwargs)

    opts = parser.parse_args()

    readpwd(passwords_file=os.path.expanduser(opts.passwords),
            vault_kv_path=opts.vault_kv_path,
            vault_mount_point=opts.vault_mount_point,
            vault_namespace=opts.vault_namespace,
            vault_addr=opts.vault_addr,
            vault_role_id=opts.vault_role_id,
            vault_secret_id=opts.vault_secret_id,
            vault_token=opts.vault_token,
            vault_cacert=os.path.expanduser(opts.vault_cacert))


if __name__ == "__main__":
    # Script entry point; argument handling lives in main().
    main()