#!/usr/bin/env ruby

require 'logger'
require 'json'
require 'net/http'
require 'net/https'
require 'stringio'
require 'yaml'
require 'singleton'

# Logging
LOG = Logger.new($stderr)
LOG.formatter = proc { |severity, datetime, progname, msg| "#{severity}: #{msg}\n" }

class Settings
  include Singleton

  def initialize
    @settings = {}
  end

  def load!
    settings_path = ENV['FOREMAN_COCKPIT_SETTINGS'] || '/etc/foreman-cockpit/settings.yml'
    @settings = YAML.safe_load(File.read(settings_path), [Symbol])
    LOG.level = Logger.const_get(@settings.fetch(:log_level, 'INFO'))
    LOG.info("Running foreman-cockpit-session with settings from #{settings_path}:\n#{@settings.inspect}")
  end

  def [](key)
    @settings[key]
  end
end

class CockpitError < StandardError
  attr_reader :additional

  def initialize(message, additional = nil)
    @additional = additional
    super message
  end
end

class AuthenticationError < CockpitError; end
class AccessDeniedError < CockpitError; end

class Cockpit
  class << self
    def encode_message(payload)
      data = JSON.dump(payload).bytes.pack("c*")
      "#{data.length + 1}\n\n#{data}"
    end

    def send_control(io, msg)
      LOG.debug("Sending control message #{msg}")
      io.write(encode_message(msg))
      io.flush
    end

    def read_control(io, fatal: false)
      size = io.readline.chomp.to_i
      raise ArgumentError, 'Invalid frame: invalid size' if size.zero?

      data = io.read(size)
      LOG.debug("Received control message #{data.lstrip}")
      raise ArgumentError, 'Invalid frame: too short' if data.nil? || data.length < size

      JSON.parse(data)
    rescue JSON::ParserError, ArgumentError => e
      raise e if fatal
    end
  end
end

class Utils
  class << self
    def safe_log(format_string, data = nil)
      if data.is_a? Hash
        data = data.dup
        data.each_key do |key|
          data[key] = '*******' if key.to_s =~ /password|passphrase/
        end
      end
      format_string % [data]
    end
  end
end

class ProxyBuffer
  attr_reader :src_io, :dst_io, :buffer

  def initialize(src_io, dst_io)
    @src_io = src_io
    @dst_io = dst_io
    @buffer = ''
  end

  def close
    @src_io.close unless @src_io.closed?
    @dst_io.close unless @dst_io.closed?
  end

  def read_available!
    data = ''
    loop { data += @src_io.read_nonblock(4096) }
  rescue IO::WaitReadable
  rescue IO::WaitWritable
    # This might happen with SSL during a renegotiation.  Block a
    # bit to get it over with.
    IO.select(nil, [@src_io])
    retry
  rescue EOFError
    @src_io.close unless @src_io.closed?
  ensure
    @buffer += with_data_callback(data)
  end

  def with_data_callback(data)
    if @data_callback
      @data_callback.call(data)
    else
      data
    end
  end

  def write_available!
    count = @dst_io.write_nonblock(@buffer)
    @buffer = @buffer[count..]
  rescue IO::WaitWritable
    0
  rescue IO::WaitReadable
    # This might happen with SSL during a renegotiation.  Block a
    # bit to get it over with.
    IO.select([@dst_io])
    retry
  end

  def flush_pending_writes!
    write_available! until @buffer.empty?
  end

  def pending_writes?
    !(@buffer.empty? || @dst_io.closed?)
  end

  def readable?
    !@src_io.closed?
  end

  def enqueue(data)
    @buffer += data
  end

  def on_data(&block)
    @data_callback = block
  end
end

class Relay
  attr_reader :proxy

  def self.start(proxy, params)
    new(proxy, params).run
  end

  def run
    initialize_proxy_connection!
    proxy_loop
  end

  def initialize(proxy, params)
    @proxy = proxy
    @params = params
    @inject_authorization = @params['ssh_user'] != 'root' && @params['effective_user_password']
  end

  def proxy_loop
    proxy1 = ProxyBuffer.new($stdin, @sock)
    proxy2 = ProxyBuffer.new(@sock, $stdout)
    proxy2.on_data do |data|
      if @inject_authorization
        sio = StringIO.new(data)
        begin
          message = Cockpit.read_control(sio)
        rescue StandardError
          # We're looking for one specific message, but the expectation that one
          # invocation of this callback processes one message doesn't really
          # hold. The message we're looking for is sent quite early in the
          # communication, if at all, so the chance that it will be aligned with
          # the beginning of the buffer is quite high. If we somehow fail to
          # process the contents of the buffer, we should just carry on.
          #
          # With the authorization injection check in place, this is more of a
          # precaution so that unexpectedly big message won't bring the entire
          # thing down.
        end
        if message.is_a?(Hash) && message['command'] == 'authorize'
          response = {
            'command' => 'authorize',
            'cookie' => message['cookie'],
            'response' => @params['effective_user_password'],
          }
          proxy1.enqueue(Cockpit.encode_message(response))
          @inject_authorization = false
          data = sio.read # Return whatever was left unread after read_control
        end
      end
      data
    end

    proxies = [proxy1, proxy2]

    loop do
      writers = proxies.select(&:pending_writes?)
      readers = proxies.select(&:readable?)

      break if readers.empty? && writers.empty?

      r, w = select(readers, writers)

      r.each(&:read_available!)
      w.each(&:flush_pending_writes!)
    end
  ensure
    proxies.each(&:close)
    @raw_sock.close
  end

  private

  def select(readers, writers)
    r_ios, w_ios, = IO.select(readers.map(&:src_io), writers.map(&:dst_io))

    [ r_ios.map { |io| readers.find { |r| r.src_io == io } },
      w_ios.map { |io| writers.find { |w| w.dst_io == io } } ]
  end

  def initialize_proxy_connection!
    url = URI(proxy)
    LOG.debug("Connecting to proxy at #{url}")
    @raw_sock = TCPSocket.open(url.hostname, url.port)
    if url.scheme == 'https'
      ssl_context = OpenSSL::SSL::SSLContext.new
      ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(Settings.instance[:ssl_certificate]))
      ssl_context.key = OpenSSL::PKey.read(File.read(Settings.instance[:ssl_private_key]))
      @sock = OpenSSL::SSL::SSLSocket.new(@raw_sock, ssl_context)
      @sock.sync_close = true
      @sock.connect
    else
      @sock = raw_sock
    end

    upgrade_connection!(url)
  end

  def upgrade_connection!(url)
    data = JSON.dump(@params)
    payload = <<~HTTP
      POST /ssh/session HTTP/1.1
      Host: #{url.host}:#{url.port}
      Connection: upgrade
      Upgrade: raw
      Content-Length: #{data.bytes.length + 2}
      Content-Type: application/json

      #{data}
    HTTP

    @sock.write(payload.gsub("\n", "\r\n"))
    @sock.flush

    buf_io = Net::BufferedIO.new(@sock)

    # This is ugly, but Net::HTTP doesn't seem to be able to parse upgrade replies properly
    headers = {}
    Net::HTTPResponse.send(:each_response_header, buf_io) { |key, value| headers[key] = value }

    status = headers['Status'].to_i
    body = buf_io.read(headers['Content-Length'].to_i)
    case status
    when 101
      return
    when 404
      raise AccessDeniedError, "The proxy #{url.hostname} does not support web console sessions"
    when (400..499)
      message = if body.include? 'cockpit-bridge: command not found'
                  "#{params['hostname']} has no web console"
                else
                  body
                end
      raise AccessDeniedError, message
    else
      raise CockpitError, "Error talking to smart proxy: #{body}"
    end
  end
end

class Session
  def initialize(host)
    @host = host
  end

  def run
    send_auth_challenge('*')
    token = read_auth_reply.match(/^Bearer (.*)$/)[1]
    params = get_host_params(token)

    LOG.debug(Utils.safe_log('SSH parameters %s', params))

    params['command'] = 'cockpit-bridge'
    case params['proxy']
    when 'not_available'
      raise AccessDeniedError, "A proxy is required to reach #{@host} but all of them are down"
    when 'not_defined'
      raise AccessDeniedError, "A proxy is required to reach #{@host} but none has been configured"
    when 'direct'
      raise AccessDeniedError, 'Web console sessions require a proxy but none has been configured'
    else
      Relay.start(params['proxy'], params)
    end
  rescue CockpitError => e
    exit_with_error(e)
  end

  def exit_with_error(exception)
    problem = case exception
              when AuthenticationError
                'authentication-failed'
              when AccessDeniedError
                'access-denied'
              else
                'error'
              end

    Cockpit.send_control($stdout, { 'command' => 'init',
      'problem' => problem,
      'message' => exception.message,
      'auth-method-results' => exception.additional})
    exit 1
  end

  def get_host_params(token)
    foreman = Settings.instance[:foreman_url] || 'https://localhost/'
    uri = URI(foreman + '/' + 'cockpit/host_ssh_params/' + @host)

    LOG.debug("Foreman request GET #{uri}")

    http = Net::HTTP.new(uri.hostname, uri.port)
    if uri.scheme == 'https'
      http.use_ssl = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      http.ca_file = Settings.instance[:ssl_ca_file]
    end

    req = Net::HTTP::Get.new(uri)
    req['Cookie'] = "_session_id=#{token}"
    res = http.request(req)

    LOG.debug do
      body = JSON.parse(res.body) rescue res.body
      Utils.safe_log("Foreman response #{res.code} - %s", body)
    end

    case res.code.to_i
    when 200
      return JSON.parse(res.body)
    when 401
      raise AuthenticationError, 'Token was not valid', { 'password' => 'not-tried', 'token' => 'denied' }
    when 404
      raise AccessDeniedError, "Host #{@host} is not known"
    else
      raise CockpitError, "Error talking to Foreman: #{res.body}"
    end
  end

  # Specific control messages
  def send_auth_challenge(challenge)
    Cockpit.send_control($stdout, { 'command' => 'authorize',
      'cookie' => '1234', # must be present, but value doesn't matter
      'challenge' => challenge})
  end

  def read_auth_reply
    cmd = Cockpit.read_control($stdin, fatal: true)
    response = cmd['response']
    raise ArgumentError, 'Did not receive a valid authorize command' if cmd['command'] != 'authorize' || !response

    response
  end
end

# Load the settings
Settings.instance.load!
Session.new(ARGV[0]).run
