"""
Flare – Fernet şifreleme yardımcıları
- encrypt(): düz string → "enc:<blob>"
- decrypt(): enc:<blob> → düz string (veya enc: yoksa aynen döner)
Anahtar: FLARE_TOKEN_KEY (32-bayt, base64, URL-safe)

CLI Kullanımı:
  python encryption_utils.py enc "şifrelenecek metin" [--key KEY]
  python encryption_utils.py dec "enc:..." [--key KEY]
"""

import os
import sys
import argparse
from typing import Optional
from cryptography.fernet import Fernet, InvalidToken

try:
    from .logger import log_error, log_warning
except ImportError:
    # Fallback to simple print
    def log_error(msg, error=None):
        print(f"ERROR: {msg}", file=sys.stderr)
        if error:
            print(f"Details: {error}", file=sys.stderr)
    
    def log_warning(msg):
        print(f"WARNING: {msg}", file=sys.stderr)

_ENV_KEY = "FLARE_TOKEN_KEY"

def _get_key() -> Fernet:
    """Get encryption key with better error messages"""
    # Direkt environment variable kullan
    key = os.getenv(_ENV_KEY)
    
    # .env dosyasından yüklemeyi dene
    if not key:
        try:
            from dotenv import load_dotenv
            load_dotenv()
            key = os.getenv(_ENV_KEY)
        except ImportError:
            pass
    
    if not key:
        error_msg = (
            f"{_ENV_KEY} ortam değişkeni tanımlanmadı. "
            f"Lütfen 32-byte base64 key oluşturun: python generate_key.py"
        )
        log_error(error_msg)
        raise RuntimeError(error_msg)
    
    # Key formatını kontrol et
    try:
        return Fernet(key.encode())
    except Exception as e:
        error_msg = (
            f"{_ENV_KEY} geçersiz format. "
            f"32-byte base64 URL-safe key olmalı. "
            f"Yeni key için: python generate_key.py"
        )
        log_error(error_msg, error=str(e))
        raise RuntimeError(error_msg)

def encrypt(plain: str, key: Optional[str] = None) -> str:
    """düz string → enc:..."""
    if not plain:
        log_warning("Empty string passed to encrypt")
        return ""
    
    try:
        if key:
            f = Fernet(key.encode())
        else:
            f = _get_key()
        
        encrypted = f.encrypt(plain.encode()).decode()
        return "enc:" + encrypted
    except Exception as e:
        log_error("Encryption failed", error=str(e))
        raise

def decrypt(value: Optional[str], key: Optional[str] = None) -> Optional[str]:
    """enc:... ise çözer, değilse aynen döndürür"""
    if value is None or not isinstance(value, str):
        return value
    
    if not value.startswith("enc:"):
        return value
    
    token = value.split("enc:", 1)[1]
    
    try:
        if key:
            f = Fernet(key.encode())
        else:
            f = _get_key()
        
        decrypted = f.decrypt(token.encode()).decode()
        return decrypted
    except InvalidToken:
        error_msg = (
            "Şifre çözme başarısız. Muhtemel sebepler:\n"
            "1. FLARE_TOKEN_KEY değişti\n"
            "2. Şifreli veri bozuldu\n"
            "3. Farklı bir key ile şifrelendi"
        )
        log_error(error_msg)
        raise RuntimeError(error_msg)
    except Exception as e:
        log_error("Decryption error", error=str(e))
        raise

def generate_key() -> str:
    """Generate a new Fernet encryption key"""
    return Fernet.generate_key().decode()

def main():
    """CLI entry point"""
    parser = argparse.ArgumentParser(
        description="Fernet encryption/decryption utility",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  # Generate a new key
  python encryption_utils.py keygen
  
  # Save generated key to .env file
  python encryption_utils.py keygen >> .env
  # Then edit .env to add: FLARE_TOKEN_KEY=<generated-key>
  
  # Encrypt with environment key
  python encryption_utils.py enc "secret message"
  
  # Encrypt with custom key
  python encryption_utils.py enc "secret message" --key "your-32-byte-base64-key"
  
  # Decrypt
  python encryption_utils.py dec "enc:gAAAAABh..."
  
  # Decrypt with custom key
  python encryption_utils.py dec "enc:gAAAAABh..." --key "your-32-byte-base64-key"
        """
    )
    
    parser.add_argument(
        "command",
        choices=["enc", "dec", "keygen"],
        help="Command to execute: 'enc' for encrypt, 'dec' for decrypt, 'keygen' to generate new key"
    )
    
    parser.add_argument(
        "text",
        nargs="?",
        help="Text to encrypt or decrypt (not needed for keygen)"
    )
    
    parser.add_argument(
        "--key",
        help="Optional Fernet key (32-byte base64). If not provided, uses FLARE_TOKEN_KEY env var"
    )
    
    args = parser.parse_args()
    
    try:
        if args.command == "keygen":
            key = generate_key()
            print(key)
        elif args.command == "enc":
            if not args.text:
                parser.error("Text is required for encryption")
            result = encrypt(args.text, args.key)
            print(result)
        else:  # dec
            if not args.text:
                parser.error("Text is required for decryption")
            result = decrypt(args.text, args.key)
            print(result)
    except Exception as e:
        print(f"Error: {e}", file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    main()