// Copyright 2022 The Gitea Authors. All rights reserved.
// Copyright 2024 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT

// TODO: Think about whether this should be moved to services/activitypub (compare to exosy/services/activitypub/client.go)
package activitypub

import (
	"bytes"
	"context"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"

	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/proxy"
	"code.gitea.io/gitea/modules/setting"

	"github.com/go-fed/httpsig"
)

const (
	// ActivityStreamsContentType const
	ActivityStreamsContentType = `application/ld+json; profile="https://www.w3.org/ns/activitystreams"`
	httpsigExpirationTime      = 60
)

func CurrentTime() string {
	return time.Now().UTC().Format(http.TimeFormat)
}

func containsRequiredHTTPHeaders(method string, headers []string) error {
	var hasRequestTarget, hasDate, hasDigest, hasHost bool
	for _, header := range headers {
		hasRequestTarget = hasRequestTarget || header == httpsig.RequestTarget
		hasDate = hasDate || header == "Date"
		hasDigest = hasDigest || header == "Digest"
		hasHost = hasHost || header == "Host"
	}
	if !hasRequestTarget {
		return fmt.Errorf("missing http header for %s: %s", method, httpsig.RequestTarget)
	} else if !hasDate {
		return fmt.Errorf("missing http header for %s: Date", method)
	} else if !hasHost {
		return fmt.Errorf("missing http header for %s: Host", method)
	} else if !hasDigest && method != http.MethodGet {
		return fmt.Errorf("missing http header for %s: Digest", method)
	}
	return nil
}

// Client struct
type ClientFactory struct {
	client      *http.Client
	algs        []httpsig.Algorithm
	digestAlg   httpsig.DigestAlgorithm
	getHeaders  []string
	postHeaders []string
}

// NewClient function
func NewClientFactory() (c *ClientFactory, err error) {
	if err = containsRequiredHTTPHeaders(http.MethodGet, setting.Federation.GetHeaders); err != nil {
		return nil, err
	} else if err = containsRequiredHTTPHeaders(http.MethodPost, setting.Federation.PostHeaders); err != nil {
		return nil, err
	}

	c = &ClientFactory{
		client: &http.Client{
			Transport: &http.Transport{
				Proxy: proxy.Proxy(),
			},
			Timeout: 5 * time.Second,
		},
		algs:        setting.HttpsigAlgs,
		digestAlg:   httpsig.DigestAlgorithm(setting.Federation.DigestAlgorithm),
		getHeaders:  setting.Federation.GetHeaders,
		postHeaders: setting.Federation.PostHeaders,
	}
	return c, err
}

type APClientFactory interface {
	WithKeys(ctx context.Context, user *user_model.User, pubID string) (APClient, error)
}

// Client struct
type Client struct {
	client      *http.Client
	algs        []httpsig.Algorithm
	digestAlg   httpsig.DigestAlgorithm
	getHeaders  []string
	postHeaders []string
	priv        *rsa.PrivateKey
	pubID       string
}

// NewRequest function
func (cf *ClientFactory) WithKeys(ctx context.Context, user *user_model.User, pubID string) (APClient, error) {
	priv, err := GetPrivateKey(ctx, user)
	if err != nil {
		return nil, err
	}
	privPem, _ := pem.Decode([]byte(priv))
	privParsed, err := x509.ParsePKCS1PrivateKey(privPem.Bytes)
	if err != nil {
		return nil, err
	}

	c := Client{
		client:      cf.client,
		algs:        cf.algs,
		digestAlg:   cf.digestAlg,
		getHeaders:  cf.getHeaders,
		postHeaders: cf.postHeaders,
		priv:        privParsed,
		pubID:       pubID,
	}
	return &c, nil
}

// NewRequest function
func (c *Client) newRequest(method string, b []byte, to string) (req *http.Request, err error) {
	buf := bytes.NewBuffer(b)
	req, err = http.NewRequest(method, to, buf)
	if err != nil {
		return nil, err
	}
	req.Header.Add("Accept", "application/json, "+ActivityStreamsContentType)
	req.Header.Add("Date", CurrentTime())
	req.Header.Add("Host", req.URL.Host)
	req.Header.Add("User-Agent", "Gitea/"+setting.AppVer)
	req.Header.Add("Content-Type", ActivityStreamsContentType)

	return req, err
}

// Post function
func (c *Client) Post(b []byte, to string) (resp *http.Response, err error) {
	var req *http.Request
	if req, err = c.newRequest(http.MethodPost, b, to); err != nil {
		return nil, err
	}

	signer, _, err := httpsig.NewSigner(c.algs, c.digestAlg, c.postHeaders, httpsig.Signature, httpsigExpirationTime)
	if err != nil {
		return nil, err
	}
	if err := signer.SignRequest(c.priv, c.pubID, req, b); err != nil {
		return nil, err
	}

	resp, err = c.client.Do(req)
	return resp, err
}

// Create an http GET request with forgejo/gitea specific headers
func (c *Client) Get(to string) (resp *http.Response, err error) {
	var req *http.Request
	if req, err = c.newRequest(http.MethodGet, nil, to); err != nil {
		return nil, err
	}
	signer, _, err := httpsig.NewSigner(c.algs, c.digestAlg, c.getHeaders, httpsig.Signature, httpsigExpirationTime)
	if err != nil {
		return nil, err
	}
	if err := signer.SignRequest(c.priv, c.pubID, req, nil); err != nil {
		return nil, err
	}

	resp, err = c.client.Do(req)
	return resp, err
}

// Create an http GET request with forgejo/gitea specific headers
func (c *Client) GetBody(uri string) ([]byte, error) {
	response, err := c.Get(uri)
	if err != nil {
		return nil, err
	}
	log.Debug("Client: got status: %v", response.Status)
	if response.StatusCode != 200 {
		err = fmt.Errorf("got non 200 status code for id: %v", uri)
		return nil, err
	}
	defer response.Body.Close()
	body, err := io.ReadAll(response.Body)
	if err != nil {
		return nil, err
	}
	log.Debug("Client: got body: %v", charLimiter(string(body), 120))
	return body, nil
}

// Limit number of characters in a string (useful to prevent log injection attacks and overly long log outputs)
// Thanks to https://www.socketloop.com/tutorials/golang-characters-limiter-example
func charLimiter(s string, limit int) string {
	reader := strings.NewReader(s)
	buff := make([]byte, limit)
	n, _ := io.ReadAtLeast(reader, buff, limit)
	if n != 0 {
		return fmt.Sprint(string(buff), "...")
	}
	return s
}

type APClient interface {
	newRequest(method string, b []byte, to string) (req *http.Request, err error)
	Post(b []byte, to string) (resp *http.Response, err error)
	Get(to string) (resp *http.Response, err error)
	GetBody(uri string) ([]byte, error)
}

// contextKey is a value for use with context.WithValue.
type contextKey struct {
	name string
}

// clientFactoryContextKey is a context key. It is used with context.Value() to get the current Food for the context
var (
	clientFactoryContextKey                 = &contextKey{"clientFactory"}
	_                       APClientFactory = &ClientFactory{}
)

// Context represents an activitypub client factory context
type Context struct {
	context.Context
	e APClientFactory
}

func NewContext(ctx context.Context, e APClientFactory) *Context {
	return &Context{
		Context: ctx,
		e:       e,
	}
}

// APClientFactory represents an activitypub client factory
func (ctx *Context) APClientFactory() APClientFactory {
	return ctx.e
}

// provides APClientFactory
type GetAPClient interface {
	GetClientFactory() APClientFactory
}

// GetClientFactory will get an APClientFactory from this context or returns the default implementation
func GetClientFactory(ctx context.Context) (APClientFactory, error) {
	if e := getClientFactory(ctx); e != nil {
		return e, nil
	}
	return NewClientFactory()
}

// getClientFactory will get an APClientFactory from this context or return nil
func getClientFactory(ctx context.Context) APClientFactory {
	if clientFactory, ok := ctx.(APClientFactory); ok {
		return clientFactory
	}
	clientFactoryInterface := ctx.Value(clientFactoryContextKey)
	if clientFactoryInterface != nil {
		return clientFactoryInterface.(GetAPClient).GetClientFactory()
	}
	return nil
}