/*
GoCheese -- Python private package repository and caching proxy
Copyright (C) 2019-2021 Sergey Matveev <stargrave@stargrave.org>
              2019-2021 Elena Balakhonova <balakhonova_e@riseup.net>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"

	"go.cypherpunks.ru/recfile"
)

var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")

func serveUpload(w http.ResponseWriter, r *http.Request) {
	// Authentication
	username, password, ok := r.BasicAuth()
	if !ok {
		log.Println(r.RemoteAddr, "unauthenticated", username)
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	PasswordsM.RLock()
	auther, ok := Passwords[username]
	PasswordsM.RUnlock()
	if !ok || !auther.Auth(password) {
		log.Println(r.RemoteAddr, "unauthenticated", username)
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}

	// Form parsing
	var err error
	if err = r.ParseMultipartForm(1 << 20); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	pkgNames, exists := r.MultipartForm.Value["name"]
	if !exists || len(pkgNames) != 1 {
		http.Error(w, "single name is expected in request", http.StatusBadRequest)
		return
	}
	pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
	dirPath := filepath.Join(Root, pkgName)
	gpgSigsExpected := make(map[string]struct{})
	now := time.Now().UTC()

	var digestSHA256Expected []byte
	if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
		digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
		if err != nil {
			http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
			return
		}
	}
	var digestBLAKE2b256Expected []byte
	if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
		digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
		if err != nil {
			http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
			return
		}
	}

	// Checking is it internal package
	if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
		log.Println(r.RemoteAddr, "non-internal package", pkgName)
		http.Error(w, "unknown internal package", http.StatusUnauthorized)
		return
	}

	for _, file := range r.MultipartForm.File["content"] {
		filename := file.Filename
		gpgSigsExpected[filename+GPGSigExt] = struct{}{}
		log.Println(r.RemoteAddr, "put", filename, "by", username)
		path := filepath.Join(dirPath, filename)
		if _, err = os.Stat(path); err == nil {
			log.Println(r.RemoteAddr, filename, "already exists")
			http.Error(w, "already exists", http.StatusBadRequest)
			return
		}
		if !mkdirForPkg(w, r, pkgName) {
			return
		}
		src, err := file.Open()
		defer src.Close()
		if err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		dst, err := TempFile(dirPath)
		if err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		dstBuf := bufio.NewWriter(dst)
		hasherSHA256 := sha256.New()
		hasherBLAKE2b256 := blake2b256New()
		wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
		if _, err = io.Copy(wr, src); err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			os.Remove(dst.Name())
			dst.Close()
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if err = dstBuf.Flush(); err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			os.Remove(dst.Name())
			dst.Close()
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if !NoSync {
			if err = dst.Sync(); err != nil {
				log.Println("error", r.RemoteAddr, filename, err)
				os.Remove(dst.Name())
				dst.Close()
				http.Error(w, err.Error(), http.StatusInternalServerError)
				return
			}
		}
		dst.Close()

		digestSHA256 := hasherSHA256.Sum(nil)
		digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
		if digestSHA256Expected != nil {
			if bytes.Compare(digestSHA256Expected, digestSHA256) == 0 {
				log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
			} else {
				log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
				http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
				os.Remove(dst.Name())
				return
			}
		}
		if digestBLAKE2b256Expected != nil {
			if bytes.Compare(digestBLAKE2b256Expected, digestBLAKE2b256) == 0 {
				log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
			} else {
				log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
				http.Error(w, "bad blake2_256 checksum", http.StatusBadRequest)
				os.Remove(dst.Name())
				return
			}
		}

		if err = os.Rename(dst.Name(), path); err != nil {
			log.Println("error", r.RemoteAddr, path, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if err = DirSync(dirPath); err != nil {
			log.Println("error", r.RemoteAddr, dirPath, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
			log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
			log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
	}
	for _, file := range r.MultipartForm.File["gpg_signature"] {
		filename := file.Filename
		if _, exists := gpgSigsExpected[filename]; !exists {
			log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
			http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
			return
		}
		delete(gpgSigsExpected, filename)
		log.Println(r.RemoteAddr, "put", filename, "by", username)
		path := filepath.Join(dirPath, filename)
		if _, err = os.Stat(path); err == nil {
			log.Println(r.RemoteAddr, filename, "already exists")
			http.Error(w, "already exists", http.StatusBadRequest)
			return
		}
		src, err := file.Open()
		if err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		sig, err := ioutil.ReadAll(src)
		src.Close()
		if err != nil {
			log.Println("error", r.RemoteAddr, filename, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		if err = WriteFileSync(dirPath, path, sig, now); err != nil {
			log.Println("error", r.RemoteAddr, path, err)
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
	}

	var buf bytes.Buffer
	wr := recfile.NewWriter(&buf)
	for _, m := range [][2]string{
		{"name", MetadataFieldName},
		{"version", MetadataFieldVersion},
		{"platform", MetadataFieldPlatform},
		{"supported_platform", MetadataFieldSupportedPlatform},
		{"summary", MetadataFieldSummary},
		{"description", MetadataFieldDescription},
		{"description_content_type", MetadataFieldDescriptionContentType},
		{"keywords", MetadataFieldKeywords},
		{"home_page", MetadataFieldHomePage},
		{"author", MetadataFieldAuthor},
		{"author_email", MetadataFieldAuthorEmail},
		{"maintainer", MetadataFieldMaintainer},
		{"maintainer_email", MetadataFieldMaintainerEmail},
		{"license", MetadataFieldLicense},
		{"classifiers", MetadataFieldClassifier},
		{"requires_dist", MetadataFieldRequiresDist},
		{"requires_python", MetadataFieldRequiresPython},
		{"requires_external", MetadataFieldRequiresExternal},
		{"project_url", MetadataFieldProjectURL},
		{"provides_extra", MetadataFieldProvidesExtra},
	} {
		formField, recField := m[0], m[1]
		if vs, exists := r.MultipartForm.Value[formField]; exists {
			for _, v := range vs {
				lines := strings.Split(v, "\n")
				if len(lines) > 1 {
					_, err = wr.WriteFieldMultiline(
						metadataFieldToRecField(recField),
						lines,
					)
				} else {
					_, err = wr.WriteFields(recfile.Field{
						Name:  metadataFieldToRecField(recField),
						Value: lines[0],
					})
				}
				if err != nil {
					log.Fatalln(err)
				}
			}
		}
	}
	path := filepath.Join(dirPath, MetadataFile)
	if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
		log.Println("error", r.RemoteAddr, path, err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
}