// GoCheese -- Python private package repository and caching proxy
// Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
//               2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, version 3 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

// Python private package repository and caching proxy
package main

import (
	"bytes"
	"context"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
	"os/signal"
	"path/filepath"
	"runtime"
	"strings"
	"syscall"
	"time"

	"golang.org/x/net/netutil"
)

const (
	Version   = "4.2.0"
	UserAgent = "GoCheese/" + Version
)

var (
	Root       string
	Bind       = flag.String("bind", DefaultBind, "")
	MaxClients = flag.Int("maxclients", DefaultMaxClients, "")
	DoUCSPI    = flag.Bool("ucspi", false, "")

	TLSCert = flag.String("tls-cert", "", "")
	TLSKey  = flag.String("tls-key", "", "")

	NoRefreshURLPath = flag.String("norefresh", DefaultNoRefreshURLPath, "")
	RefreshURLPath   = flag.String("refresh", DefaultRefreshURLPath, "")
	JSONURLPath      = flag.String("json", DefaultJSONURLPath, "")

	PyPIURL      = flag.String("pypi", DefaultPyPIURL, "")
	JSONURL      = flag.String("pypi-json", DefaultJSONURL, "")
	PyPICertHash = flag.String("pypi-cert-hash", "", "")

	PasswdPath     = flag.String("passwd", "", "")
	PasswdListPath = flag.String("passwd-list", "", "")
	PasswdCheck    = flag.Bool("passwd-check", false, "")
	AuthRequired   = flag.Bool("auth-required", false, "")

	LogTimestamped = flag.Bool("log-timestamped", false, "")
	FSCK           = flag.Bool("fsck", false, "")
	DoVersion      = flag.Bool("version", false, "")
	DoWarranty     = flag.Bool("warranty", false, "")

	Killed bool
)

func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string) {
	log.Println(r.RemoteAddr, "get", filename)
	path := filepath.Join(Root, pkgName, filename)
	if _, err := os.Stat(path); os.IsNotExist(err) {
		if !refreshDir(w, r, pkgName, filename) {
			return
		}
	}
	http.ServeFile(w, r, path)
}

func handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Server", UserAgent)
	switch r.Method {
	case "GET":
		var path string
		var autorefresh bool
		if strings.HasPrefix(r.URL.Path, *NoRefreshURLPath) {
			path = strings.TrimPrefix(r.URL.Path, *NoRefreshURLPath)
		} else if strings.HasPrefix(r.URL.Path, *RefreshURLPath) {
			path = strings.TrimPrefix(r.URL.Path, *RefreshURLPath)
			autorefresh = true
		} else {
			http.Error(w, "unknown action", http.StatusBadRequest)
			return
		}
		parts := strings.Split(strings.TrimSuffix(path, "/"), "/")
		if len(parts) > 2 {
			http.Error(w, "invalid path", http.StatusBadRequest)
			return
		}
		if len(parts) == 1 {
			if parts[0] == "" {
				listRoot(w, r)
			} else {
				serveListDir(w, r, parts[0], autorefresh)
			}
		} else {
			servePkg(w, r, parts[0], parts[1])
		}
	case "POST":
		serveUpload(w, r)
	default:
		http.Error(w, "unknown action", http.StatusBadRequest)
	}
}

func main() {
	flag.Usage = usage
	flag.Parse()
	if *DoWarranty {
		fmt.Println(Warranty)
		return
	}
	if *DoVersion {
		fmt.Println("GoCheese", Version, "built with", runtime.Version())
		return
	}

	if *LogTimestamped {
		log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
	} else {
		log.SetFlags(log.Lshortfile)
	}
	if !*DoUCSPI {
		log.SetOutput(os.Stdout)
	}

	if len(flag.Args()) != 1 {
		usage()
		os.Exit(1)
	}
	Root = flag.Args()[0]
	if _, err := os.Stat(Root); err != nil {
		log.Fatal(err)
	}

	if *FSCK {
		if !goodIntegrity() {
			os.Exit(1)
		}
		return
	}

	if *PasswdCheck {
		if passwdReader(os.Stdin) {
			os.Exit(0)
		} else {
			os.Exit(1)
		}
	}

	if *PasswdPath != "" {
		go func() {
			for {
				fd, err := os.OpenFile(
					*PasswdPath,
					os.O_RDONLY,
					os.FileMode(0666),
				)
				if err != nil {
					log.Fatal(err)
				}
				passwdReader(fd)
				fd.Close()
			}
		}()
	}
	if *PasswdListPath != "" {
		go func() {
			for {
				fd, err := os.OpenFile(
					*PasswdListPath,
					os.O_WRONLY|os.O_APPEND,
					os.FileMode(0666),
				)
				if err != nil {
					log.Fatal(err)
				}
				passwdLister(fd)
				fd.Close()
			}
		}()
	}

	if (*TLSCert != "" && *TLSKey == "") || (*TLSCert == "" && *TLSKey != "") {
		log.Fatal("Both -tls-cert and -tls-key are required")
	}

	UmaskCur = syscall.Umask(0)
	syscall.Umask(UmaskCur)

	var err error
	PyPIURLParsed, err = url.Parse(*PyPIURL)
	if err != nil {
		log.Fatal(err)
	}
	tlsConfig := tls.Config{
		ClientSessionCache: tls.NewLRUClientSessionCache(16),
		NextProtos:         []string{"h2", "http/1.1"},
	}
	PyPIHTTPTransport = http.Transport{
		ForceAttemptHTTP2: true,
		TLSClientConfig:   &tlsConfig,
	}
	if *PyPICertHash != "" {
		ourDgst, err := hex.DecodeString(*PyPICertHash)
		if err != nil {
			log.Fatal(err)
		}
		tlsConfig.VerifyConnection = func(s tls.ConnectionState) error {
			spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo
			theirDgst := sha256.Sum256(spki)
			if !bytes.Equal(ourDgst, theirDgst[:]) {
				return errors.New("certificate's SPKI digest mismatch")
			}
			return nil
		}
	}

	server := &http.Server{
		ReadTimeout:  time.Minute,
		WriteTimeout: time.Minute,
	}
	http.HandleFunc("/", checkAuth(serveHRRoot))
	http.HandleFunc("/hr/", checkAuth(serveHRPkg))
	http.HandleFunc(*JSONURLPath, checkAuth(serveJSON))
	http.HandleFunc(*NoRefreshURLPath, checkAuth(handler))
	http.HandleFunc(*RefreshURLPath, checkAuth(handler))

	if *DoUCSPI {
		server.SetKeepAlivesEnabled(false)
		ln := &UCSPI{}
		server.ConnState = connStater
		err := server.Serve(ln)
		if _, ok := err.(UCSPIAlreadyAccepted); !ok {
			log.Fatal(err)
		}
		UCSPIJob.Wait()
		return
	}

	ln, err := net.Listen("tcp", *Bind)
	if err != nil {
		log.Fatal(err)
	}
	ln = netutil.LimitListener(ln, *MaxClients)

	needsShutdown := make(chan os.Signal, 1)
	exitErr := make(chan error)
	signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT)
	go func(s *http.Server) {
		<-needsShutdown
		Killed = true
		log.Println("shutting down")
		ctx, cancel := context.WithTimeout(context.TODO(), time.Minute)
		exitErr <- s.Shutdown(ctx)
		cancel()
	}(server)

	log.Println(
		UserAgent, "ready:",
		"root:", Root,
		"bind:", *Bind,
		"pypi:", *PyPIURL,
		"json:", *JSONURL,
	)
	if *TLSCert == "" {
		err = server.Serve(ln)
	} else {
		err = server.ServeTLS(ln, *TLSCert, *TLSKey)
	}
	if err != http.ErrServerClosed {
		log.Fatal(err)
	}
	if err := <-exitErr; err != nil {
		log.Fatal(err)
	}
}