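using System;
using System.Security.Cryptography;

namespace EonaCat.SecretVault.Helpers
{
    /// <summary>
    /// Wraps and unwraps per-tenant keys under a root key using the <see cref="Aes"/>
    /// default mode (CBC with PKCS7 padding).
    /// The wrapped payload has the form <c>"&lt;base64 IV&gt;.&lt;base64 ciphertext&gt;"</c>.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the payload carries no integrity tag. A modified or mis-keyed
    /// payload is not detected as such by <see cref="DecryptTenantKey"/>; it either
    /// fails on padding with a <see cref="CryptographicException"/> or yields a wrong
    /// key. An authenticated (AEAD) mode would be the stronger choice for new payloads.
    /// </remarks>
    public static class TenantKeyProtector
    {
        // Separator between the IV and ciphertext parts of the payload.
        private const char PartSeparator = '.';

        // Number of dot-separated parts a well-formed payload has.
        private const int PartCount = 2;

        /// <summary>
        /// Encrypts a base64-encoded tenant key under the base64-encoded root key.
        /// </summary>
        /// <param name="base64Key">
        /// Tenant key, base64 encoded. The whole decoded key is encrypted, whatever its
        /// length (the previous implementation hard-coded 32 bytes, which truncated
        /// longer keys and rejected shorter ones).
        /// </param>
        /// <param name="rootKeyBase64">Root key, base64 encoded; must decode to a valid AES key size.</param>
        /// <returns>The random IV and the ciphertext, each base64 encoded, joined by <c>'.'</c>.</returns>
        /// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
        /// <exception cref="ArgumentException"><paramref name="base64Key"/> decodes to zero bytes.</exception>
        /// <exception cref="FormatException">Either argument is not valid base64.</exception>
        /// <exception cref="CryptographicException">The root key is not a valid AES key size.</exception>
        public static string EncryptTenantKey(string base64Key, string rootKeyBase64)
        {
            if (base64Key is null)
            {
                throw new ArgumentNullException(nameof(base64Key));
            }

            var plaintext = Convert.FromBase64String(base64Key);
            if (plaintext.Length == 0)
            {
                throw new ArgumentException("Tenant key must not be empty.", nameof(base64Key));
            }

            using var aes = CreateAes(rootKeyBase64);
            // Fresh random IV per wrap; it travels with the ciphertext in the payload.
            aes.GenerateIV();

            // ICryptoTransform is IDisposable; dispose it rather than leaking it.
            using var encryptor = aes.CreateEncryptor();
            // Encrypt the entire decoded key, not a fixed 32 bytes.
            var ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);

            return $"{Convert.ToBase64String(aes.IV)}{PartSeparator}{Convert.ToBase64String(ciphertext)}";
        }

        /// <summary>
        /// Decrypts a payload produced by <see cref="EncryptTenantKey"/> and returns the
        /// tenant key base64 encoded.
        /// </summary>
        /// <param name="encryptedPayload">Payload of the form <c>"&lt;base64 IV&gt;.&lt;base64 ciphertext&gt;"</c>.</param>
        /// <param name="rootKeyBase64">Root key, base64 encoded; must decode to a valid AES key size.</param>
        /// <returns>The decrypted tenant key, base64 encoded.</returns>
        /// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
        /// <exception cref="FormatException">
        /// The payload does not have exactly two dot-separated parts, or a part is not valid base64.
        /// </exception>
        /// <exception cref="CryptographicException">
        /// The root key or IV has an invalid size, or the ciphertext does not decrypt to valid padding
        /// (wrong key or altered payload).
        /// </exception>
        public static string DecryptTenantKey(string encryptedPayload, string rootKeyBase64)
        {
            if (encryptedPayload is null)
            {
                throw new ArgumentNullException(nameof(encryptedPayload));
            }

            var parts = encryptedPayload.Split(PartSeparator);
            // Validate the shape before indexing; a bare indexer would surface a
            // misleading IndexOutOfRangeException on malformed input.
            if (parts.Length != PartCount)
            {
                throw new FormatException("Encrypted payload must have the form '<iv>.<ciphertext>'.");
            }

            var iv = Convert.FromBase64String(parts[0]);
            var ciphertext = Convert.FromBase64String(parts[1]);

            using var aes = CreateAes(rootKeyBase64);
            aes.IV = iv;

            using var decryptor = aes.CreateDecryptor();
            var plaintext = decryptor.TransformFinalBlock(ciphertext, 0, ciphertext.Length);

            return Convert.ToBase64String(plaintext);
        }

        // Creates an AES instance keyed with the decoded root key. The caller owns
        // disposal; on any failure while keying, the instance is disposed before rethrow.
        private static Aes CreateAes(string rootKeyBase64)
        {
            if (rootKeyBase64 is null)
            {
                throw new ArgumentNullException(nameof(rootKeyBase64));
            }

            var aes = Aes.Create();
            try
            {
                // The Key setter rejects sizes that are not valid for AES.
                aes.Key = Convert.FromBase64String(rootKeyBase64);
            }
            catch
            {
                aes.Dispose();
                throw;
            }

            return aes;
        }
    }
}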