package orchestrator

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// IssueRunToken returns (plaintext, hashHex). The plaintext is passed
// to the host via the iPXE kernel cmdline; the hash is persisted in the
// runs table for later constant-time comparison.
func IssueRunToken() (string, string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", "", fmt.Errorf("random: %w", err)
	}
	plain := hex.EncodeToString(b)
	sum := sha256.Sum256([]byte(plain))
	return plain, hex.EncodeToString(sum[:]), nil
}

func HashRunToken(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}