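from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = """
    name: onepassword
    author: Menno
    version_added: "1.0"
    short_description: fetch secrets from 1Password
    description:
        - Uses the 1Password CLI to fetch secrets from 1Password
    options:
      item:
        description: the item to fetch
        required: true
      field:
        description: the field to fetch from the item
        required: false
        default: password
      vault:
        description: the vault to fetch from
        required: false
"""

# NOTE(review): the example below prints the fetched secret through `debug`.
# Tasks that consume this lookup for real should set `no_log: true` so the
# value does not end up in task output or logs.
EXAMPLES = """
- name: fetch password for an item
  debug:
    msg: "{{ lookup('onepassword', 'storage-box', field='password') }}"
"""

RETURN = """
  _raw:
    description: field data requested
"""

import subprocess

from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.utils.display import Display

display = Display()


class LookupModule(LookupBase):
    """Lookup plugin that returns one field of a 1Password item via the ``op`` CLI."""

    def run(self, terms, variables=None, **kwargs):
        """Fetch a single field of a single 1Password item.

        Args:
            terms: Lookup terms; exactly one is accepted, the item to fetch.
            variables: Ansible variables for the current context (unused here).
            **kwargs: ``field`` (defaults to ``'password'``) and an optional
                ``vault`` to restrict the search to.

        Returns:
            A one-element list holding the command's stdout with surrounding
            whitespace stripped.

        Raises:
            AnsibleError: If the number of terms is not one, the item is not a
                usable item reference, the ``op`` executable cannot be
                started, or ``op`` exits with a non-zero status.
        """
        if len(terms) != 1:
            raise AnsibleError("onepassword lookup expects exactly one argument")

        item = terms[0]
        field = kwargs.get('field', 'password')
        vault = kwargs.get('vault', '')

        # `item` is handed to `op` as a positional argument. A value starting
        # with "-" would be parsed by the CLI as an option instead of an item
        # name, so templated or variable-supplied input could alter the
        # command. Reject it, along with empty and non-string values.
        if not isinstance(item, str) or not item or item.startswith('-'):
            raise AnsibleError(
                "onepassword lookup expects a non-empty item name that does "
                "not start with '-'"
            )

        # Argument-vector form (no shell), so none of the values are subject
        # to shell interpretation.
        cmd = ['op', 'item', 'get', item, '--field', field]
        if vault:
            cmd += ['--vault', vault]

        # Only the argument vector is logged; the command's output (the
        # secret) is never passed to display.
        display.vvv(f"Executing command: {' '.join(cmd)}")

        try:
            result = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
                check=True
            )
        except subprocess.CalledProcessError as e:
            raise AnsibleError(f"Error fetching from 1Password: {e.stderr}") from e
        except OSError as e:
            # Raised when `op` is missing from PATH or is not executable;
            # surface it as a lookup error rather than a raw traceback.
            raise AnsibleError(
                f"Unable to execute the 1Password CLI ('op'): {e}"
            ) from e

        return [result.stdout.strip()]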