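# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import subprocess

import gnupg

# Config key names whose values sops must encrypt. They are joined into an
# unanchored alternation for ``--encrypted-regex``, so each entry matches any
# key name that contains it as a substring (which only ever encrypts more,
# never less).
ENCRYPTED_KEYS = [
    "accessToken",
    "apiUrl",
    "caCert",
    "cert",
    "htpasswd",
    "key",
    "password",
    "secret",
]


def _matches_identifier(key, pgp_identifier):
    """Return True if ``pgp_identifier`` is a substring of the key's fingerprint, keyid or any uid.

    Arguments:
        key {dict} -- One entry as returned by ``gnupg.GPG().list_keys()``
            (uses the ``fingerprint``, ``keyid`` and ``uids`` fields)
        pgp_identifier {string} -- The user-supplied identifier to look for

    Returns:
        bool -- Whether the key matches. The comparison is a case-sensitive
            substring test.
    """
    return (
        pgp_identifier in key["fingerprint"]
        or pgp_identifier in key["keyid"]
        or any(pgp_identifier in uid for uid in key["uids"])
    )


def encrypt(pgp_identifier, config_path):
    """Encrypt the config file in place using sops and a PGP key.

    Arguments:
        pgp_identifier {string} -- A unique identifier of the PGP key to be
            used. This can be the fingerprint, keyid or part of the uid
            (e.g. the email address). It is matched as a case-sensitive
            substring against the keys in the local keyring.
        config_path {string} -- The path to the config file to be encrypted

    Raises:
        ValueError: Error, if no (unique) PGP key could be found
        subprocess.CalledProcessError: if ``sops`` exits with a non-zero
            status (the file is then left as sops left it)
    """
    gpg = gnupg.GPG()
    selected_keys = [
        k for k in gpg.list_keys() if _matches_identifier(k, pgp_identifier)
    ]
    if not selected_keys:
        raise ValueError("PGP key not found.")
    # A partial identifier may match several keys; refuse rather than
    # silently encrypting to the first one.
    if len(selected_keys) > 1:
        raise ValueError("Identifier of PGP not unique.")

    # Pass the full fingerprint of the resolved key, not the user-supplied
    # identifier, so sops encrypts to exactly the key selected above.
    command = [
        "sops",
        "--encrypt",
        "--in-place",
        "--encrypted-regex",
        f"({'|'.join(ENCRYPTED_KEYS)})",
        "--pgp",
        selected_keys[0]["fingerprint"],
        config_path,
    ]
    # Argument list, no shell: config_path is never shell-interpreted.
    subprocess.check_output(command)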