package cmd

import (
	"fmt"
	"os"

	"github.com/spf13/cobra"
)

func newCredentialCmd() *cobra.Command {
	var (
		server     string
		noKerberos bool
		noCache    bool
		debugFlag  bool
	)

	cmd := &cobra.Command{
		Use:   "credential",
		Short: "kubectl exec credential plugin — serve a cached ExecCredential to kubectl",
		Long: `Acts as a kubectl exec credential plugin. Returns a cached ExecCredential
JSON to kubectl. On a cache miss, silently attempts Kerberos SPNEGO; if that
also fails, exits with an error directing the user to run 'ward login'.

Run 'ward login' once to authenticate and populate the cache. After that,
kubectl works silently until the credential expires.

Debug output goes to stderr (kubectl surfaces this to the terminal):

  WARD_DEBUG=1 kubectl get nodes`,
		RunE: func(cmd *cobra.Command, args []string) error {
			if server == "" {
				return fmt.Errorf("--server is required")
			}

			server = normalizeServer(server)

			logf := func(format string, a ...any) {
				if debugFlag {
					fmt.Fprintf(os.Stderr, "[ward] "+format+"\n", a...)
				}
			}

			if !noCache {
				if ec, ok := credReadCache(server, logf); ok {
					return credPrint(ec)
				}
			}

			ec, err := credFetch(server, noKerberos, logf)
			if err != nil {
				return err
			}

			if !noCache {
				credWriteCache(server, ec, logf)
			}
			return credPrint(ec)
		},
	}

	cmd.Flags().StringVar(&server, "server", "", "ward server URL (required)")
	cmd.Flags().BoolVar(&noKerberos, "no-kerberos", false, "skip Kerberos SPNEGO")
	cmd.Flags().BoolVar(&noCache, "no-cache", false, "bypass local cache; always fetch a fresh credential")
	cmd.Flags().BoolVar(&debugFlag, "debug", os.Getenv("WARD_DEBUG") != "", "verbose debug output to stderr (also: $WARD_DEBUG=1)")

	return cmd
}