package main

import (
	"bytes"
	"context"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"flag"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"os/exec"
	"os/signal"
	"strings"

	"io/ioutil"

	"github.com/shurcooL/github_flavored_markdown/gfmstyle"
	//blackfriday "gopkg.in/russross/blackfriday.v2"
)

const DEBUG = false

const DOMAIN_NAME = "threefortiethofonehamster.com"

const HTML_HEADER = `<!doctype html5>
<html>
<head>
  <meta charset=utf-8>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>%s | %s</title>
	<link href=/gfm/gfm.css media=all rel=stylesheet type=text/css></link>
	<link href=/main.css media=all rel=stylesheet type=text/css></link>
</head>
<body>
<nav>
<div class="nav-wrapper">
	<div class="nav-item"><a href="/">Home</a></div>
	<div class="nav-item"><a href="/builds.md">Projects</a></div>
	<div class="nav-item"><a href="https://git.threefortiethofonehamster.com/">Code</a></div>
	<div class="nav-item"><a href="/resume/resume-KelvinLy-hardware.pdf">Resume</a></div>
</div>
</nav>
<article class="markdown-body entry-content" style="padding:2em;">
`

const HTML_FOOTER = `
</article>
<footer>
<div class="footer-wrapper">
by Kelvin Ly, source available <a href="https://github.com/cactorium/threefortiethofonehamster.com">here</a>
</div>
</footer>
</body>
</html>`

func serveMarkdown(w http.ResponseWriter, r *http.Request, paths ...string) {
	bs := make([][]byte, 0, len(paths))
	for _, path := range paths {
		if b, err := ioutil.ReadFile(path); err != nil {
			w.WriteHeader(404)
			w.Write([]byte(fmt.Sprintf("file %s not found", path)))
			return
		} else {
			bs = append(bs, b)
		}
	}
	w.Header().Add("Content-Type", "text/html; charset=utf-8")
	title := ""
	if s := bytes.Index(bs[0], []byte("# ")); s != -1 {
		t := bs[0][s+2:]
		if e := bytes.Index(t, []byte("\n")); e != -1 {
			t = t[:e]
			title = string(t)
		}
	}
	w.Write([]byte(fmt.Sprintf(HTML_HEADER, string(title), r.Host)))
	for i, b := range bs {
		pathDir := paths[i][len("static/"):]
		lastSlash := strings.LastIndex(pathDir, "/")
		if lastSlash != -1 {
			pathDir = pathDir[:lastSlash]
		}
		// Markdown uses the path to generate the correct paths for resized images
		html := Markdown(b, pathDir)
		w.Write(html)
	}
	w.Write([]byte(HTML_FOOTER))
}

func rootHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method == "GET" {
		if r.URL.Path == "/" {
			serveMarkdown(w, r, "static/intro.md")
		} else if strings.HasSuffix(r.URL.Path, ".md") {
			if strings.Contains(r.URL.Path, "..") {
				w.WriteHeader(403)
				w.Write([]byte("\"..\" forbidden in URL"))
				return
			}
			filepath := "static" + r.URL.Path
			serveMarkdown(w, r, filepath)
		} else {
			http.ServeFile(w, r, "static"+r.URL.Path)
		}
	} else {
		w.Write([]byte("unimplemented!"))
	}
}

var (
	serverShutdown chan struct{} = make(chan struct{})
)

func main() {
	flag.Parse()

	var redirect http.Server
	var srv http.Server

	go startRedirectServer(&redirect)
	go startServer(&srv)

	shutdown := make(chan os.Signal, 1)
	signal.Notify(shutdown, os.Interrupt)

	<-shutdown
	log.Println("shutting down server...")
	if err := srv.Shutdown(context.Background()); err != nil {
		log.Printf("server shutdown error: %v\n", err)
	}
	if err := redirect.Shutdown(context.Background()); err != nil {
		log.Printf("redirect shutdown error: %v\n", err)
	}

	log.Println("server terminated")
}

type auth struct {
	username, password []byte
}

func readAuth() []auth {
	ret := make([]auth, 0)
	b, err := os.ReadFile("auth_secret")
	if err != nil {
		log.Printf("[ERR] auth keys not found, authentication will not work!")
		return ret
	}
	lines := bytes.Split(b, []byte("\n"))
	for _, l := range lines {
		parts := bytes.Split(l, []byte(","))
		if len(parts) == 2 {
			user := sha256.Sum256(parts[0])
			password := sha256.Sum256(parts[1])
			ret = append(ret, auth{user[:], password[:]})
		}
	}

	return ret
}

func readWebhookKey() []byte {
	b, err := os.ReadFile("webhook_secret")
	if err != nil {
		log.Printf("[ERR] webhook key not found, webhook updates will not work!")
		return nil
	}
	/*
		ret := make([]byte, hex.DecodedLen(len(b)))
		// skip the ending 0x0a
		rl, err2 := hex.Decode(ret, b[:len(b)-1])
		if err2 != nil {
			log.Printf("[ERR] unable to decode webhook key! %v %s", b, err2)
			return nil
		}
	*/

	return b[:len(b)-1]
}

func startServer(srv *http.Server) {
	log.Print("installing handlers")

	webhookKey := readWebhookKey()

	serveMux := http.NewServeMux()
	url, err := url.Parse("http://localhost:8081")
	if err != nil {
		log.Fatalf("unable to parse reverse proxy path: %v", err)
		return
	}
	serveMux.Handle("dev."+DOMAIN_NAME+"/", httputil.NewSingleHostReverseProxy(url))

	gogsUrl, err := url.Parse("http://localhost:7000")
	if err != nil {
		log.Fatalf("unable to parse reverse proxy path: %v", err)
		return
	}
	serveMux.Handle("git."+DOMAIN_NAME+"/", httputil.NewSingleHostReverseProxy(gogsUrl))

	shroomsUrl, err := url.Parse("http://localhost:8085")
	if err != nil {
		log.Fatalf("unable to parse reverse proxy path: %v", err)
		return
	}
	serveMux.Handle("shrooms."+DOMAIN_NAME+"/", httputil.NewSingleHostReverseProxy(shroomsUrl))

	octoUrl, err := url.Parse("http://localhost:9000")
	if err != nil {
		log.Fatalf("unable to parse reverse proxy path: %v", err)
		return
	}

	auths := readAuth()

	octoProxy := httputil.NewSingleHostReverseProxy(octoUrl)
	serveMux.HandleFunc("octo."+DOMAIN_NAME+"/", func(w http.ResponseWriter, r *http.Request) {
		username, password, ok := r.BasicAuth()
		if ok {
			userHash := sha256.Sum256([]byte(username))
			passwordHash := sha256.Sum256([]byte(password))
			match := false
			for _, a := range auths {
				userMatch := bytes.Compare(userHash[:], a.username)
				passwordMatch := bytes.Compare(passwordHash[:], a.password)
				if userMatch == 0 && passwordMatch == 0 {
					match = true
				}
			}

			if match {
				octoProxy.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
	})

	serveMux.HandleFunc("/", rootHandler)
	//serveMux.Handle("/certbot/", http.StripPrefix("/certbot/", http.FileServer(http.Dir("./certbot-tmp"))))
	serveMux.Handle("/gfm/", http.StripPrefix("/gfm", http.FileServer(gfmstyle.Assets)))
	serveMux.Handle("/resize/", Resize(640, http.StripPrefix("/resize", http.FileServer(http.Dir("static/")))))
	if webhookKey != nil {
		log.Print("web hook found")
		serveMux.HandleFunc("/update", func(w http.ResponseWriter, r *http.Request) {
			if r.Method != "POST" {
				w.WriteHeader(403)
				w.Write([]byte("invalid request type"))
				return
			}
			signature := r.Header.Get("X-Hub-Signature")
			if len(signature) == 0 {
				w.WriteHeader(403)
				w.Write([]byte("invalid request"))
				return
			}

			payload, e := ioutil.ReadAll(r.Body)
			if e != nil {
				w.WriteHeader(403)
				w.Write([]byte("unable to read body: " + e.Error()))
				return
			}

			mac := hmac.New(sha1.New, webhookKey)
			mac.Write(payload)
			expected := mac.Sum(nil)

			signatureDec := make([]byte, hex.DecodedLen(len(signature)))
			// skip the "sha1=" part
			sdl, e2 := hex.Decode(signatureDec, []byte(signature)[5:])
			if e2 != nil {
				w.WriteHeader(403)
				w.Write([]byte("unable to read signature"))
				return
			}

			signatureDec = signatureDec[:sdl]
			if !hmac.Equal(expected, signatureDec) {
				log.Print("webhook hmac match failed; expected %v found %v", expected, signatureDec)
				w.WriteHeader(403)
				w.Write([]byte("invalid request"))
				return
			}
			// TODO parse payload

			pullCmd := exec.Command("git", "pull", "--recurse-submodules")
			pullCmd.Dir = "./static/"
			_ = pullCmd.Run()

			updateCmd := exec.Command("git", "submodule", "update", "--remote")
			updateCmd.Dir = "./static/"
			_ = updateCmd.Run()

			w.Write([]byte("success"))
		})
	}

	srv.Addr = ":8443"
	srv.Handler = Gzip(serveMux)
	log.Print("starting server at " + srv.Addr)
	if !DEBUG {
		log.Fatal(srv.ListenAndServeTLS("/etc/letsencrypt/live/"+DOMAIN_NAME+"/fullchain.pem",
			"/etc/letsencrypt/live/"+DOMAIN_NAME+"/privkey.pem"))
	} else {
		log.Fatal(srv.ListenAndServe())
	}
	close(serverShutdown)
}

func startRedirectServer(srv *http.Server) {
	serveMux := http.NewServeMux()
	// copied from https://gist.github.com/d-schmidt/587ceec34ce1334a5e60
	url, err := url.Parse("http://localhost:8081")
	if err != nil {
		log.Fatalf("unable to parse reverse proxy path: %v", err)
		return
	}
	serveMux.Handle("dev."+DOMAIN_NAME+"/", httputil.NewSingleHostReverseProxy(url))

	serveMux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
		target := "https://" + req.Host + req.URL.Path
		if len(req.URL.RawQuery) > 0 {
			target += "?" + req.URL.RawQuery
		}
		http.Redirect(w, req, target, http.StatusTemporaryRedirect)
	})

	srv.Addr = ":8080"
	srv.Handler = serveMux
	log.Print("starting server")
	log.Fatal(srv.ListenAndServe())
	close(serverShutdown)
}