#  Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#  SPDX-License-Identifier: Apache-2.0

"""Console script for aws-msk-iam-sasl-signer-python."""
import sys

import click

from aws_msk_iam_sasl_signer.MSKAuthTokenProvider import (
    generate_auth_token, generate_auth_token_from_profile,
    generate_auth_token_from_role_arn)


def validate_options(ctx):
    region = ctx.params.get("region")
    aws_profile = ctx.params.get("aws_profile")
    role_arn = ctx.params.get("role_arn")

    if region is None:
        raise click.UsageError("--region must be provided.")

    if aws_profile and role_arn:
        raise click.UsageError(
            "Only one of --aws-profile and --role-arn should be provided."
        )


@click.command()
@click.option("--region", default=None, help="AWS region")
@click.option("--aws-profile", default=None, help="Name of the AWS profile")
@click.option("--role-arn", default=None, help="ARN of the role to assume")
@click.option("--sts-session-name", default=None, help="STS Session name")
@click.pass_context
def execute(ctx, region, aws_profile, role_arn, sts_session_name):
    ctx.ensure_object(dict)
    ctx.obj["region"] = region
    ctx.obj["aws_profile"] = aws_profile
    ctx.obj["role_arn"] = role_arn
    ctx.obj["sts_session_name"] = sts_session_name

    validate_options(ctx)

    if aws_profile:
        response = generate_auth_token_from_profile(region, aws_profile)
    elif role_arn:
        response = generate_auth_token_from_role_arn(region, role_arn,
                                                     sts_session_name)
    else:
        response = generate_auth_token(region)

    click.echo(response)


if __name__ == "__main__":
    try:
        sys.exit(execute(obj={}))
    except click.UsageError as e:
        click.echo(e, err=True)
        sys.exit(1)