"""
Helpers for re-encrypting all sensitive DB fields during key rotation.
"""
from app.core.security import decrypt_field, encrypt_field


def reencrypt(data: bytes, old_key_hex: str, new_key_hex: str) -> bytes:
    """Re-encrypt a bytea field from old key to new key."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    import os

    old_key = bytes.fromhex(old_key_hex)
    new_key = bytes.fromhex(new_key_hex)

    # Decrypt with old key
    iv = data[:12]
    ciphertext_with_tag = data[12:]
    aesgcm_old = AESGCM(old_key)
    plaintext = aesgcm_old.decrypt(iv, ciphertext_with_tag, None)

    # Encrypt with new key
    new_iv = os.urandom(12)
    aesgcm_new = AESGCM(new_key)
    return new_iv + aesgcm_new.encrypt(new_iv, plaintext, None)