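#!/usr/bin/env bash
#
# Assume an AWS role with MFA, using long-lived access keys pulled from a
# Bitwarden item, and run a command with only the *temporary* session
# credentials exported into its environment.
#
# Usage: script MFA_TOKEN [command [args...]]
#   MFA_TOKEN   current code from the MFA device registered as MFA_IDENTIFIER
#   command     optional; defaults to listing the bucket at the bottom
#
# Required environment:
#   BW_AWS_ACCOUNT_SECRET_ID  Bitwarden item id; fields[0].value is the access
#                             key id, fields[1].value the secret key (positional
#                             layout inherited from the original — confirm it
#                             matches the item before relying on it)
#   S3_ROLE                   ARN of the role to assume
#   SESSION_TYPE              role session name passed to STS
#   MFA_IDENTIFIER            serial number / ARN of the MFA device
# `bw` must already be unlocked (e.g. BW_SESSION set); a locked vault now
# aborts the script instead of exporting empty credentials.
set -euo pipefail

MFA_TOKEN=${1-}
# Everything after the token is the command to run under the session.
shift || true
COMMAND=("$@")

# Original compared the literal string "MFA_TOKEN", so the check never fired.
if [[ -z "$MFA_TOKEN" ]]; then
  echo "Error: Run with MFA token!" >&2
  exit 1
fi
if [[ -z "${BW_AWS_ACCOUNT_SECRET_ID-}" ]]; then
  echo "env var BW_AWS_ACCOUNT_SECRET_ID must be set!" >&2
  exit 1
fi
# These are used as aws arguments below; fail early rather than with an
# opaque STS error.
: "${S3_ROLE:?env var S3_ROLE must be set!}"
: "${SESSION_TYPE:?env var SESSION_TYPE must be set!}"
: "${MFA_IDENTIFIER:?env var MFA_IDENTIFIER must be set!}"

# Assignment is split from the substitution so a failing `bw` aborts here
# (set -e does not see failures inside `VAR=$(...)` under `export`).
AWS_SECRETS=$(bw get item "$BW_AWS_ACCOUNT_SECRET_ID") || {
  echo "bw get item failed (vault locked or bad item id?)" >&2
  exit 1
}
# `jq -er` prints the raw string and exits non-zero on null/missing, so an
# unexpected item layout is caught before any AWS call is made.
AWS_ACCESS_KEY_ID=$(jq -er '.fields[0].value' <<<"$AWS_SECRETS") || {
  echo "Bitwarden item has no .fields[0].value (access key id)" >&2
  exit 1
}
AWS_SECRET_ACCESS_KEY=$(jq -er '.fields[1].value' <<<"$AWS_SECRETS") || {
  echo "Bitwarden item has no .fields[1].value (secret access key)" >&2
  exit 1
}
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
unset AWS_SECRETS

# NOTE(security): the token code is visible to other local users in `ps`
# for the duration of this call; the AWS CLI offers no stdin form for
# --token-code, so keep the window short and do not enable `set -x` here.
SESSION_OUTPUT=$(aws sts assume-role \
  --role-arn "$S3_ROLE" \
  --role-session-name "$SESSION_TYPE" \
  --serial-number "$MFA_IDENTIFIER" \
  --token-code "$MFA_TOKEN") || {
  echo "aws sts assume-role failed" >&2
  exit 1
}

# Replace the long-lived keys with the temporary session credentials so the
# child process never sees the Bitwarden-held secret.
AWS_SESSION_TOKEN=$(jq -er '.Credentials.SessionToken' <<<"$SESSION_OUTPUT")
AWS_ACCESS_KEY_ID=$(jq -er '.Credentials.AccessKeyId' <<<"$SESSION_OUTPUT")
AWS_SECRET_ACCESS_KEY=$(jq -er '.Credentials.SecretAccessKey' <<<"$SESSION_OUTPUT")
export AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
unset SESSION_OUTPUT

if (( ${#COMMAND[@]} == 0 )); then
  aws s3 ls s3://witch-lab-3
elif command -v "${COMMAND[0]}" >/dev/null 2>&1; then
  # exec so the command's exit status is the script's and the shell holding
  # the credentials does not linger.
  exec "${COMMAND[@]}"
else
  # The original silently fell back to the bucket listing on a typo'd command.
  echo "command not found: ${COMMAND[0]}" >&2
  exit 127
fi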