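use aes_gcm_siv::{
    AeadCore, Aes256GcmSiv, KeyInit,
    aead::{Aead, OsRng, generic_array::GenericArray},
};
use base64::{Engine, prelude::BASE64_STANDARD};

use crate::DbPool;

use super::write_new_root_key;

/// Generates a fresh root key, wraps it under a freshly generated user key and
/// hands the wrapped key plus its nonce to `write_new_root_key`.
///
/// Both keys and the nonce come from `OsRng`. Only the ciphertext and the nonce
/// are passed to `write_new_root_key`; the user key is returned to the caller
/// (standard base64) and is not passed anywhere else by this function, so the
/// return value is the only way to recover the root key later via [`unseal`].
///
/// The meaning of the `"simple"` tag is defined by `write_new_root_key`, which
/// is not visible here.
///
/// # Panics
///
/// Panics if the AEAD encryption fails.
pub async fn init_simple(pool: &DbPool) -> String {
    let root_key = Aes256GcmSiv::generate_key(&mut OsRng);
    let nonce: GenericArray<u8, <Aes256GcmSiv as AeadCore>::NonceSize> =
        Aes256GcmSiv::generate_nonce(&mut OsRng); // 96 bits; unique per message

    let user_key = Aes256GcmSiv::generate_key(&mut OsRng);
    let cipher = Aes256GcmSiv::new(&user_key);

    // Encrypt straight from the generated key rather than from a heap copy, so
    // one fewer plaintext copy of the root key exists in memory.
    // NOTE(review): neither `root_key` nor `user_key` is wiped when dropped
    // here; consider zeroizing key material if the project adopts a crate for it.
    let protected_rk = cipher
        .encrypt(&nonce, root_key.as_slice())
        .expect("AES-256-GCM-SIV encryption of the root key failed");

    write_new_root_key(pool, protected_rk, "simple", Some(nonce.as_slice())).await;

    BASE64_STANDARD.encode(user_key)
}

/// Decrypts a wrapped root key with the base64-encoded user key and the nonce
/// that was stored next to it.
///
/// `key` is the value returned by [`init_simple`]; `nonce` must be the 12-byte
/// nonce used at encryption time. Returns the plaintext root key bytes.
///
/// # Panics
///
/// Panics if `key` is not valid standard base64, if it does not decode to a
/// 32-byte AES-256 key, if `nonce` is not 12 bytes long, or if authentication
/// of `protected_rk` fails (wrong key, wrong nonce or modified ciphertext).
///
/// NOTE(review): every one of these conditions can be caused by operator input,
/// so a `Result` return would be preferable; the signature is kept as-is here
/// because callers outside this file depend on it.
pub async fn unseal(protected_rk: &Vec<u8>, key: String, nonce: &[u8]) -> Vec<u8> {
    // The underlying errors are dropped on purpose: a base64 decode error can
    // name an offending byte and its offset, which would put part of the
    // supplied key into the panic output and therefore into logs.
    let key = BASE64_STANDARD
        .decode(key)
        .unwrap_or_else(|_| panic!("unseal key is not valid base64"));
    let cipher = Aes256GcmSiv::new_from_slice(&key)
        .unwrap_or_else(|_| panic!("unseal key must decode to exactly 32 bytes"));

    // Checked in release builds too, with a message that names the cause.
    assert_eq!(nonce.len(), 12, "nonce must be exactly 12 bytes");
    let nonce = GenericArray::from_slice(nonce);

    // NOTE(review): the decoded key and the returned root key are ordinary
    // `Vec<u8>` buffers and are not wiped on drop.
    cipher
        .decrypt(nonce, protected_rk.as_slice())
        .unwrap_or_else(|_| {
            panic!("root key authentication failed: wrong unseal key or corrupted data")
        })
}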