#!/usr/bin/env python3
"""utility that generates Ed25519 key and a JWT for testing

the public key is stored in jwt_key.pem (in PEM format) and jwt_key.base64 (raw
base64 format) and the JWT is printed to stdout
"""
import base64
import datetime
import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

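# Generate the signing key pair. The private half is held in memory only for
# the lifetime of this run (it is never written to disk); only the public half
# is persisted below.
privkey = Ed25519PrivateKey.generate()
pubkey = privkey.public_key()

# Public key as a PEM-encoded SubjectPublicKeyInfo structure.
pubkey_pem = pubkey.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo,
)

# Public key as raw bytes, URL-safe base64 ("-"/"_" alphabet) with the "="
# padding stripped. urlsafe_b64encode is b64encode(..., altchars=b"-_").
pubkey_base64 = base64.urlsafe_b64encode(
    pubkey.public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw,
    )
).rstrip(b"=")

# Private key as unencrypted PKCS#8 PEM; this is what is handed to jwt.encode
# as the EdDSA signing key. It is deliberately not written anywhere.
privkey_pem = privkey.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption(),
)

# Both tokens expire TOKEN_LIFETIME after generation. "exp" is encoded as an
# integer number of seconds since the epoch (JWT NumericDate).
TOKEN_LIFETIME = datetime.timedelta(days=3)
exp = datetime.datetime.now(datetime.timezone.utc) + TOKEN_LIFETIME
claims = {
    "exp": int(exp.timestamp()),
}
# Full-access token: carries only the expiry claim.
token = jwt.encode(claims, privkey_pem, "EdDSA")

# Read-only token: same claims plus "a": "ro". The first token has already
# been serialized, so mutating `claims` here affects only the second one.
claims["a"] = "ro"
ro_token = jwt.encode(claims, privkey_pem, "EdDSA")

# Use context managers so both files are flushed and closed deterministically
# rather than whenever the unreferenced handles happen to be collected.
with open("jwt_key.pem", "wb") as pem_file:
    pem_file.write(pubkey_pem)
with open("jwt_key.base64", "wb") as b64_file:
    b64_file.write(pubkey_base64)
print(f"Full access: {token}")
print(f"Read-only:   {ro_token}")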