class AzureBlob::SharedKeySigner

def authorization_header(uri:, verb:, headers: {})
  canonicalized_headers = CanonicalizedHeaders.new(headers)
  canonicalized_resource = CanonicalizedResource.new(uri, account_name)
  to_sign = [
    verb,
    *sanitize_headers(headers).fetch_values(
      :"Content-Encoding",
      :"Content-Language",
      :"Content-Length",
      :"Content-MD5",
      :"Content-Type",
      :"Date",
      :"If-Modified-Since",
      :"If-Match",
      :"If-None-Match",
      :"If-Unmodified-Since",
      :"Range"
    ) { nil },
    canonicalized_headers,
    canonicalized_resource,
  ].join("\n")
  "SharedKey #{account_name}:#{sign(to_sign)}"
end

def initialize(account_name:, access_key:)
  @account_name = account_name
  @access_key = Base64.decode64(access_key)
end

def sanitize_headers(headers)
  headers = headers.dup
  headers[:"Content-Length"] = nil if headers[:"Content-Length"].to_i == 0
  headers
end

def sas_token(uri, options = {})
  to_sign = [
    options[:permissions],
    options[:start],
    options[:expiry],
    CanonicalizedResource.new(uri, account_name, url_safe: false, service_name: :blob),
    options[:identifier],
    options[:ip],
    options[:protocol],
    SAS::Version,
    SAS::Resources::Blob,
    nil,
    nil,
    nil,
    options[:content_disposition],
    nil,
    nil,
    options[:content_type],
  ].join("\n")
  query = {
    SAS::Fields::Permissions => options[:permissions],
    SAS::Fields::Version => SAS::Version,
    SAS::Fields::Expiry => options[:expiry],
    SAS::Fields::Resource => SAS::Resources::Blob,
    SAS::Fields::Disposition => options[:content_disposition],
    SAS::Fields::Type => options[:content_type],
    SAS::Fields::Signature => sign(to_sign),
  }.reject { |_, value| value.nil? }
  URI.encode_www_form(**query)
end

def sign(body)
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", access_key, body))
end