#!/bin/bash


# Parse input arguments
while [[ $# -gt 0 ]]; do
    case "$1" in
        --vault-id)
            VAULT_ID="$2"
            shift 2
            ;;
        *)
            echo "Usage: $0 --vault-id <vault id>" >&2
            exit 1
            ;;
    esac
done

# Validate vault ID
if [[ -z "$VAULT_ID" ]]; then
    echo "Error: Missing required --vault-id argument" >&2
    exit 1
fi

# Skip silently for the default vault ID (no named vault to look up)
if [[ "$VAULT_ID" == "default" ]]; then
    exit 0
fi

ITEM_NAME="${VAULT_ID} vault key"
FIELD_NAME="password"

# Skip silently if 1Password is not available or not authenticated
if ! command -v op &>/dev/null; then
    exit 0
fi
if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" && -z "$OP_CONNECT_HOST" && ! -S "${HOME}/.1password/agent.sock" ]]; then
    exit 0
fi

# Fetch the vault password from 1Password
VAULT_PASSWORD=$(op item get "$ITEM_NAME" --fields "$FIELD_NAME" --format=json  --vault LabSecrets 2>/dev/null | jq -r '.value')

# Output the password or report error
if [[ -n "$VAULT_PASSWORD" && "$VAULT_PASSWORD" != "null" ]]; then
    echo "$VAULT_PASSWORD"
else
    echo "Error: Could not retrieve vault password for vault ID '$VAULT_ID' (item: '$ITEM_NAME')" >&2
    exit 1
fi