package main

import (
	"bufio"
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"log"
	"net/http"
	"os"
	"strings"
)

type jsonInput struct {
	Action string          `json:"action"`
	Params jsonInputParams `json:"params"`
}

type jsonInputParams struct {
	Id      int    `json:"id"`
	Session string `json:"session"`
}

type HttpServer struct {
	Port          string
	ovpn          *OpenVpnMgt
	key           string
	cert          string
	minProfile    string
	neededProfile string
	certPool      *x509.CertPool
}

func parseJsonQuery(r *http.Request) (*jsonInput, error) {
	var in jsonInput
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		return nil, err
	}
	if err = json.Unmarshal(body, &in); err !=
		nil {
		return nil, err
	}
	return &in, nil
}

func (h *HttpServer) handler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-type", "application/javascript")
	fmt.Fprintf(w, "\n")
}

func (h *HttpServer) versionHandler(w http.ResponseWriter, r *http.Request) {
	err, message := h.ovpn.Version()
	if err != nil {
		fmt.Fprintf(w, "Error : %s", err)
	}

	jsonStr, err := json.Marshal(message)
	if err != nil {
		fmt.Fprintf(w, "Error : %s", err)
	}
	fmt.Fprintf(w, "%s", jsonStr)
}

func (h *HttpServer) helpHandler(w http.ResponseWriter, r *http.Request) {
	err, message := h.ovpn.Help()
	if err != nil {
		fmt.Fprintf(w, "Error : %s", err)
	}
	jsonStr, err := json.Marshal(message)
	if err != nil {
		fmt.Fprintf(w, "Error : %s", err)
	}
	fmt.Fprintf(w, "%s", jsonStr)
}

func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
	var sslUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageAny}

	w.Header().Set("Content-type", "application/json")

	// deactivate if there is no https auth
	if h.key == "" || h.cert == "" || h.certPool == nil {
		http.Error(w, "No security, deactivated", 403)
		return
	}

	// add CORS headers
	w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
	w.Header().Set("Access-Control-Allow-Methods", "POST")
	w.Header().Set("Access-Control-Allow-Credentials", "true")
	w.Header().Set("Access-Control-Allow-Headers", "content-type, accept, origin, user-agent, Accept-Encoding")

	// stop here if the method is OPTIONS, to allow CORS to work
	if r.Method == "OPTIONS" {
		return
	}

	// stop here if the method is OPTIONS, to allow CORS to work
	if r.Method != "POST" {
		http.Error(w, "post only", 405)
		return
	}

	// ssl auth
	if len(r.TLS.PeerCertificates) == 0 {
		log.Println(len(r.TLS.PeerCertificates))
		http.Error(w, "Need certificate", 403)
		return
	}
	opts := x509.VerifyOptions{Roots: h.certPool, KeyUsages: sslUsage}
	if _, err := r.TLS.PeerCertificates[0].Verify(opts); err != nil {
		http.Error(w, "Bad certificate", 403)
		return
	}

	webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
	profile, _, _ := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
	if profile != h.neededProfile {
		http.Error(w, fmt.Sprintf("You need the %s profile", h.neededProfile), 403)
		return
	}
	log.Printf("%s is connected via the web interfaces\n", webuser)

	req, err := parseJsonQuery(r)
	if err != nil {
		log.Println(err)
		http.Error(w, "Invalid request", 500)
		return
	}

	switch req.Action {
	case "stats":
		jsonStr, err := json.Marshal(h.ovpn.Stats())
		if err != nil {
			http.Error(w, fmt.Sprintf("%s", err), 500)
		}
		fmt.Fprintf(w, "%s", jsonStr)

	case "kill":
		if err := h.ovpn.Kill(req.Params.Session, req.Params.Id, webuser); err != nil {
			http.Error(w, fmt.Sprintf("%s", err), 500)
		}
		fmt.Fprintf(w, "{}")
	default:
		http.Error(w, "Invalid request", 500)
	}
	return
}

func NewHTTPServer(port, key, cert, ca, minProfile, neededProfile string, s *OpenVpnMgt) {
	h := &HttpServer{
		Port:          port,
		ovpn:          s,
		key:           key,
		cert:          cert,
		minProfile:    minProfile,
		neededProfile: neededProfile,
	}

	http.HandleFunc("/help", h.helpHandler)
	http.HandleFunc("/ajax", h.ajaxHandler)
	http.HandleFunc("/version", h.versionHandler)
	http.HandleFunc("/", h.handler)

	switch {
	case key == "" || cert == "":
		log.Fatal(http.ListenAndServe(port, nil))
	case ca != "":
		h.certPool = x509.NewCertPool()
		fi, err := os.Open(ca)
		if err != nil {
			log.Fatal(err)
		}
		defer fi.Close()
		buf := new(bytes.Buffer)
		reader := bufio.NewReader(fi)
		io.Copy(buf, reader)
		if ok := h.certPool.AppendCertsFromPEM(buf.Bytes()); !ok {
			log.Fatal("Failed to append PEM.")
		}
		server := &http.Server{
			Addr: port,
			TLSConfig: &tls.Config{
				ClientAuth: tls.RequireAndVerifyClientCert,
				ClientCAs:  h.certPool,
			},
		}
		log.Fatal(server.ListenAndServeTLS(cert, key))
	default:
		log.Fatal(http.ListenAndServeTLS(port, cert, key, nil))
	}
}