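#!/bin/sh
# Vault bootstrap: export KV v2 secrets as environment variables.
#
# Reads the shared path (VAULT_SHARED_PATH) and then the project path
# (VAULT_PROJECT_PATH) from the KV v2 mount VAULT_KV_MOUNT (default "secret")
# and exports every key/value pair into the current shell's environment, so the
# file is meant to be sourced (or followed by `exec` of the real entrypoint).
#
# Environment:
#   VAULT_ENABLED       "true"/"1" = required, "false"/"0" = skip entirely,
#                       anything else (default "auto") = run only when
#                       VAULT_ADDR and VAULT_TOKEN are both set.
#   VAULT_ADDR          Vault base URL. Should be https://; the token is sent
#                       as a request header on every call.
#   VAULT_TOKEN         Vault token used for the KV reads.
#   VAULT_KV_MOUNT      KV v2 mount name (default "secret").
#   VAULT_SHARED_PATH   KV path read first; may be empty.
#   VAULT_PROJECT_PATH  KV path read second; its keys override shared ones.
#
# Exit status: 0 when disabled, skipped or all paths loaded; 1 on a missing
# tool, missing required configuration, or a failed/unparseable Vault read.
set -eu

# Write a diagnostic line to stderr (stdout is kept clean for the caller).
log() {
  printf '%s\n' "$*" >&2
}

VAULT_ENABLED="${VAULT_ENABLED:-auto}"

case "$VAULT_ENABLED" in
  false|0) exit 0 ;;
esac

if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
  case "$VAULT_ENABLED" in
    true|1)
      log "Vault bootstrap is required but VAULT_ADDR or VAULT_TOKEN is missing."
      exit 1
      ;;
  esac
  # "auto" with nothing configured: silently do nothing.
  exit 0
fi

if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
  log "Vault bootstrap requires curl and jq."
  exit 1
fi

# The token rides in a header on every request; over plain http it is readable
# by anything on the network path. Warn rather than fail so local dev servers
# still work.
case "$VAULT_ADDR" in
  https://*) ;;
  *) log "Warning: VAULT_ADDR is not https; the Vault token will be sent in clear text." ;;
esac

VAULT_KV_MOUNT="${VAULT_KV_MOUNT:-secret}"

# load_secret_path PATH SOURCE_NAME
#   Reads the KV v2 secret at VAULT_KV_MOUNT/data/PATH and exports each key as
#   an environment variable. An empty PATH is a no-op. Returns 1 (after logging)
#   when the HTTP request fails or the response is not the expected JSON shape.
#   Keys must be valid shell identifiers ([A-Za-z_][A-Za-z0-9_]*); anything else
#   is skipped with a log line instead of being handed to `export`, which would
#   either abort the script under `set -e` or, for a key such as "X=Y", quietly
#   set a different variable than the one named.
#   NOTE(review): whoever can write to the KV path can set arbitrary variables
#   in the calling process (PATH, LD_PRELOAD, ...). That is inherent to the
#   design; only point this at paths whose writers are trusted as much as the
#   account running this script.
load_secret_path() {
  path="$1"
  source_name="$2"
  if [ -z "$path" ]; then
    return 0
  fi

  url="${VAULT_ADDR%/}/v1/${VAULT_KV_MOUNT}/data/${path}"

  # The token header is fed to curl on stdin (-H @-, curl >= 7.55) so it never
  # appears in curl's argv, where `ps` or process auditing would expose it.
  # printf is a shell builtin here, so the token is not exec'd as an argument.
  response="$(printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" \
    | curl -fsS -H @- "$url")" || {
    log "Failed to load Vault path ${VAULT_KV_MOUNT}/${path}."
    return 1
  }

  # One base64-encoded {"key":..,"value":..} object per line, so values that
  # contain whitespace or newlines survive the line-oriented loop below.
  encoded_items="$(printf '%s' "$response" \
    | jq -r '.data.data // {} | to_entries[]? | @base64')" || {
    log "Failed to parse Vault response for ${VAULT_KV_MOUNT}/${path}."
    return 1
  }
  if [ -z "$encoded_items" ]; then
    return 0
  fi

  # A here-document (not a pipe) keeps the loop in this shell so that `export`
  # takes effect for the caller.
  while IFS= read -r encoded_item; do
    [ -n "$encoded_item" ] || continue
    item="$(printf '%s' "$encoded_item" | base64 -d)"
    key="$(printf '%s' "$item" | jq -r '.key')"
    case "$key" in
      ''|*[!A-Za-z0-9_]*|[0-9]*)
        log "Skipping Vault key '${key}' from ${VAULT_KV_MOUNT}/${path}: not a valid variable name."
        continue
        ;;
    esac
    # tostring keeps non-string JSON values (numbers, booleans, objects) as
    # their JSON text; $(...) strips trailing newlines from the value.
    value="$(printf '%s' "$item" | jq -r '.value | tostring')"
    export "$key=$value"
  done <<EOF
$encoded_items
EOF

  log "Loaded Vault ${source_name} secrets from ${VAULT_KV_MOUNT}/${path}."
}

load_secret_path "${VAULT_SHARED_PATH:-}" "shared"
load_secret_path "${VAULT_PROJECT_PATH:-}" "project"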