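package vault

import (
	"context"
	"fmt"
	"time"

	vault "github.com/hashicorp/vault-client-go"
)

// requestTimeout bounds both the client's per-request timeout and the
// context deadline used for the single read performed by ReadKVv2.
const requestTimeout = 30 * time.Second

// ReadKVv2 reads the secret stored at key under the KV version 2 mount
// mountPath on the Vault server at addr, authenticating with token.
//
// It returns the secret's key/value payload. A failure to build the client,
// set the token, or perform the read is returned wrapped with context, so
// errors.Is and errors.As still reach the underlying client error. When the
// read succeeds but carries no payload, the error is an ErrNotFound holding
// "mountPath/key".
//
// Security notes for callers:
//   - token is handed to the client for use against addr; this function does
//     not validate addr, so pass an https:// address of a server you trust.
//   - Error messages produced here name the mount and key but never the token.
//   - The returned map holds secret material; do not log it.
func ReadKVv2(addr, token, mountPath, key string) (map[string]any, error) {
	ctx, cancel := context.WithTimeout(context.Background(), requestTimeout)
	defer cancel()

	client, err := vault.New(
		vault.WithAddress(addr),
		vault.WithRequestTimeout(requestTimeout),
	)
	if err != nil {
		return nil, fmt.Errorf("vault new: %w", err)
	}

	if err := client.SetToken(token); err != nil {
		return nil, fmt.Errorf("set token: %w", err)
	}

	resp, err := client.Secrets.KvV2Read(ctx, key, vault.WithMountPath(mountPath))
	if err != nil {
		// Wrapped like the other failure paths so logs show which secret path
		// failed; %w keeps the client's error available to callers.
		return nil, fmt.Errorf("vault read %s/%s: %w", mountPath, key, err)
	}

	if resp == nil || resp.Data.Data == nil {
		// A typed error lets callers tell "nothing stored here" apart from
		// transport or authentication failures with errors.As.
		return nil, ErrNotFound(mountPath + "/" + key)
	}
	return resp.Data.Data, nil
}

// ErrNotFound is returned when a read yields no secret data. Its value is the
// path that was looked up, in the form "mountPath/key".
type ErrNotFound string

// Error implements the error interface.
func (e ErrNotFound) Error() string {
	return "vault: secret not found at " + string(e)
}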