#
# Copyright (c) 2023 YunoHost Contributors
#
# This file is part of YunoHost (see https://yunohost.org)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import os
import json
import glob
import base64
import subprocess
import hashlib
from logging import getLogger

from moulinette import Moulinette, m18n
from moulinette.core import MoulinetteError
from moulinette.utils.filesystem import write_to_file, rm, chown, chmod

from yunohost.utils.error import YunohostError, YunohostValidationError
from yunohost.domain import _get_maindomain
from yunohost.utils.network import get_public_ip
from yunohost.utils.dns import dig, is_yunohost_dyndns_domain
from yunohost.log import is_unit_operation
from yunohost.regenconf import regen_conf

logger = getLogger("yunohost.dyndns")

DYNDNS_PROVIDER = "dyndns.yunohost.org"
DYNDNS_DNS_AUTH = ["ns0.yunohost.org", "ns1.yunohost.org"]
MAX_DYNDNS_DOMAINS = 1


def is_subscribing_allowed():
    """
    Check if the limit of subscribed DynDNS domains has been reached

    Returns:
        True if the limit is not reached, False otherwise
    """
    return len(dyndns_list()["domains"]) < MAX_DYNDNS_DOMAINS


def _dyndns_available(domain):
    """
    Checks if a domain is available on dyndns.yunohost.org

    Keyword arguments:
        domain -- The full domain that you'd like.. e.g. "foo.nohost.me"

    Returns:
        True if the domain is available, False otherwise.
    """
    import requests  # lazy loading this module for performance reasons

    logger.debug(f"Checking if domain {domain} is available on {DYNDNS_PROVIDER} ...")

    try:
        r = requests.get(f"https://{DYNDNS_PROVIDER}/test/{domain}", timeout=30)
    except MoulinetteError as e:
        logger.error(str(e))
        raise YunohostError(
            "dyndns_could_not_check_available", domain=domain, provider=DYNDNS_PROVIDER
        )

    if r.status_code == 200:
        return r.text.strip('"') == f"Domain {domain} is available"
    elif r.status_code == 409:
        return False
    elif r.status_code == 429:
        raise YunohostValidationError("dyndns_too_many_requests")
    else:
        raise YunohostError(
            "dyndns_could_not_check_available", domain=domain, provider=DYNDNS_PROVIDER
        )


@is_unit_operation(exclude=["recovery_password"])
def dyndns_subscribe(operation_logger, domain=None, recovery_password=None):
    """
    Subscribe to a DynDNS service

    Keyword argument:
        domain -- Full domain to subscribe with
        recovery_password -- Password that will be used to delete the domain
    """

    # Verify if domain is provided by subscribe_host
    if not is_yunohost_dyndns_domain(domain):
        raise YunohostValidationError(
            "dyndns_domain_not_provided", domain=domain, provider=DYNDNS_PROVIDER
        )

    # Check adding another dyndns domain is still allowed
    if not is_subscribing_allowed():
        raise YunohostValidationError("domain_dyndns_already_subscribed")

    # Verify if domain is available
    if not _dyndns_available(domain):
        # Prompt for a password if running in CLI and no password provided
        if not recovery_password and Moulinette.interface.type == "cli":
            logger.warning(m18n.n("ask_dyndns_recovery_password_explain_unavailable"))
            recovery_password = Moulinette.prompt(
                m18n.n("ask_dyndns_recovery_password"), is_password=True
            )

        if recovery_password:
            # Try to unsubscribe the domain so it can be subscribed again
            # If successful, it will be resubscribed with the same recovery password
            dyndns_unsubscribe(domain=domain, recovery_password=recovery_password)
        else:
            raise YunohostValidationError("dyndns_unavailable", domain=domain)

    # Prompt for a password if running in CLI and no password provided
    if not recovery_password and Moulinette.interface.type == "cli":
        logger.warning(m18n.n("ask_dyndns_recovery_password_explain"))
        recovery_password = Moulinette.prompt(
            m18n.n("ask_dyndns_recovery_password"), is_password=True, confirm=True
        )

    if not recovery_password:
        logger.warning(m18n.n("dyndns_no_recovery_password"))

    if recovery_password:
        from yunohost.utils.password import assert_password_is_strong_enough

        assert_password_is_strong_enough("admin", recovery_password)
        operation_logger.data_to_redact.append(recovery_password)

    if domain is None:
        domain = _get_maindomain()
        operation_logger.related_to.append(("domain", domain))

    operation_logger.start()

    # '165' is the convention identifier for hmac-sha512 algorithm
    # '1234' is idk? doesnt matter, but the old format contained a number here...
    key_file = f"/etc/yunohost/dyndns/K{domain}.+165+1234.key"

    if not os.path.exists("/etc/yunohost/dyndns"):
        os.makedirs("/etc/yunohost/dyndns")

    # Here, we emulate the behavior of the old 'dnssec-keygen' utility
    # which since bullseye was replaced by ddns-keygen which is now
    # in the bind9 package ... but installing bind9 will conflict with dnsmasq
    # and is just madness just to have access to a tsig keygen utility -.-

    # Use 512 // 8 = 64 bytes for hmac-sha512 (c.f. https://git.hactrn.net/sra/tsig-keygen/src/master/tsig-keygen.py)
    secret = base64.b64encode(os.urandom(512 // 8)).decode("ascii")

    # Idk why but the secret is split in two parts, with the first one
    # being 57-long char ... probably some DNS format
    secret = f"{secret[:56]} {secret[56:]}"

    key_content = f"{domain}. IN KEY 0 3 165 {secret}"
    write_to_file(key_file, key_content)

    chmod("/etc/yunohost/dyndns", 0o600, recursive=True)
    chown("/etc/yunohost/dyndns", "root", recursive=True)

    import requests  # lazy loading this module for performance reasons

    # Send subscription
    try:
        # Yeah the secret is already a base64-encoded but we double-bas64-encode it, whatever...
        b64encoded_key = base64.b64encode(secret.encode()).decode()
        data = {"subdomain": domain}
        if recovery_password:
            data["recovery_password"] = hashlib.sha256(
                (domain + ":" + recovery_password.strip()).encode("utf-8")
            ).hexdigest()
        r = requests.post(
            f"https://{DYNDNS_PROVIDER}/key/{b64encoded_key}?key_algo=hmac-sha512",
            data=data,
            timeout=30,
        )
    except Exception as e:
        rm(key_file, force=True)
        raise YunohostError("dyndns_subscribe_failed", error=str(e))
    if r.status_code != 201:
        rm(key_file, force=True)
        try:
            error = json.loads(r.text)["error"]
        except Exception:
            error = f'Server error, code: {r.status_code}. (Message: "{r.text}")'
        raise YunohostError("dyndns_subscribe_failed", error=error)

    # Yunohost regen conf will add the dyndns cron job if a key exists
    # in /etc/yunohost/dyndns
    regen_conf(["yunohost"])

    # Add some dyndns update in 2 and 4 minutes from now such that user should
    # not have to wait 10ish minutes for the conf to propagate
    cmd = (
        "at -M now + {t} >/dev/null 2>&1 <<< \"/bin/bash -c 'yunohost dyndns update'\""
    )
    # For some reason subprocess doesn't like the redirections so we have to use bash -c explicity...
    subprocess.check_call(["bash", "-c", cmd.format(t="2 min")])
    subprocess.check_call(["bash", "-c", cmd.format(t="4 min")])

    logger.success(m18n.n("dyndns_subscribed"))


@is_unit_operation(exclude=["recovery_password"])
def dyndns_unsubscribe(operation_logger, domain, recovery_password=None):
    """
    Unsubscribe from a DynDNS service

    Keyword argument:
        domain -- Full domain to unsubscribe with
        recovery_password -- Password that is used to delete the domain ( defined when subscribing )
    """

    import requests  # lazy loading this module for performance reasons

    # Unsubscribe the domain using the key if available
    keys = glob.glob(f"/etc/yunohost/dyndns/K{domain}.+*.key")
    if keys:
        key = keys[0]
        with open(key) as f:
            key = f.readline().strip().split(" ", 6)[-1]
        base64key = base64.b64encode(key.encode()).decode()
        credential = {"key": base64key}
    # Otherwise, ask for the recovery password
    else:
        if Moulinette.interface.type == "cli" and not recovery_password:
            logger.warning(
                m18n.n("ask_dyndns_recovery_password_explain_during_unsubscribe")
            )
            recovery_password = Moulinette.prompt(
                m18n.n("ask_dyndns_recovery_password"), is_password=True
            )

        if not recovery_password:
            logger.error(
                f"Cannot unsubscribe the domain {domain}: no credential provided"
            )
            return

        secret = str(domain) + ":" + str(recovery_password).strip()
        credential = {
            "recovery_password": hashlib.sha256(secret.encode("utf-8")).hexdigest()
        }

    operation_logger.start()

    # Send delete request
    try:
        r = requests.delete(
            f"https://{DYNDNS_PROVIDER}/domains/{domain}",
            data=credential,
            timeout=30,
        )
    except Exception as e:
        raise YunohostError("dyndns_unsubscribe_failed", error=str(e))

    if r.status_code == 200:  # Deletion was successful
        for key_file in glob.glob(f"/etc/yunohost/dyndns/K{domain}.+*.key"):
            rm(key_file, force=True)
        # Yunohost regen conf will add the dyndns cron job if a key exists
        # in /etc/yunohost/dyndns
        regen_conf(["yunohost"])
    elif r.status_code == 403:
        raise YunohostValidationError("dyndns_unsubscribe_denied")
    elif r.status_code == 409:
        raise YunohostValidationError("dyndns_unsubscribe_already_unsubscribed")
    elif r.status_code == 429:
        raise YunohostValidationError("dyndns_too_many_requests")
    else:
        raise YunohostError(
            "dyndns_unsubscribe_failed",
            error=f"The server returned code {r.status_code}",
        )

    logger.success(m18n.n("dyndns_unsubscribed"))


def dyndns_set_recovery_password(domain, recovery_password):
    keys = glob.glob(f"/etc/yunohost/dyndns/K{domain}.+*.key")

    if not keys:
        raise YunohostValidationError("dyndns_key_not_found")

    from yunohost.utils.password import assert_password_is_strong_enough

    assert_password_is_strong_enough("admin", recovery_password)
    secret = str(domain) + ":" + str(recovery_password).strip()

    key = keys[0]
    with open(key) as f:
        key = f.readline().strip().split(" ", 6)[-1]
    base64key = base64.b64encode(key.encode()).decode()

    import requests  # lazy loading this module for performance reasons

    # Send delete request
    try:
        r = requests.put(
            f"https://{DYNDNS_PROVIDER}/domains/{domain}/recovery_password",
            data={
                "key": base64key,
                "recovery_password": hashlib.sha256(secret.encode("utf-8")).hexdigest(),
            },
            timeout=30,
        )
    except Exception as e:
        raise YunohostError("dyndns_set_recovery_password_failed", error=str(e))

    if r.status_code == 200:
        logger.success(m18n.n("dyndns_set_recovery_password_success"))
    elif r.status_code == 403:
        raise YunohostError("dyndns_set_recovery_password_denied")
    elif r.status_code == 404:
        raise YunohostError("dyndns_set_recovery_password_unknown_domain")
    elif r.status_code == 409:
        raise YunohostError("dyndns_set_recovery_password_invalid_password")
    else:
        raise YunohostError(
            "dyndns_set_recovery_password_failed",
            error=f"The server returned code {r.status_code}",
        )


def dyndns_list():
    """
    Returns all currently subscribed DynDNS domains ( deduced from the key files )
    """

    from yunohost.domain import domain_list

    domains = domain_list(exclude_subdomains=True)["domains"]
    dyndns_domains = [
        d
        for d in domains
        if is_yunohost_dyndns_domain(d)
        and glob.glob(f"/etc/yunohost/dyndns/K{d}.+*.key")
    ]

    return {"domains": dyndns_domains}


@is_unit_operation()
def dyndns_update(
    operation_logger,
    domain=None,
    force=False,
    dry_run=False,
):
    """
    Update IP on DynDNS platform

    Keyword argument:
        domain -- Full domain to update
    """

    from yunohost.dns import _build_dns_conf
    import dns.query
    import dns.tsig
    import dns.tsigkeyring
    import dns.update

    # If domain is not given, update all DynDNS domains
    if domain is None:
        dyndns_domains = dyndns_list()["domains"]

        if not dyndns_domains:
            raise YunohostValidationError("dyndns_no_domain_registered")

        for domain in dyndns_domains:
            dyndns_update(domain, force=force, dry_run=dry_run)

        return

    # If key is not given, pick the first file we find with the domain given
    keys = glob.glob(f"/etc/yunohost/dyndns/K{domain}.+*.key")

    if not keys:
        raise YunohostValidationError("dyndns_key_not_found")

    key = keys[0]

    # Get current IPv4 and IPv6
    ipv4 = get_public_ip()
    ipv6 = get_public_ip(6)

    if ipv4 is None and ipv6 is None:
        logger.debug(
            "No ipv4 nor ipv6 ?! Sounds like the server is not connected to the internet, or the ip.yunohost.org infrastructure is down somehow"
        )
        return

    # Extract 'host', e.g. 'nohost.me' from 'foo.nohost.me'
    zone = domain.split(".")[1:]
    zone = ".".join(zone)

    logger.debug("Building zone update ...")

    with open(key) as f:
        key = f.readline().strip().split(" ", 6)[-1]

    keyring = dns.tsigkeyring.from_text({f"{domain}.": key})
    # Python's dns.update is similar to the old nsupdate cli tool
    update = dns.update.Update(zone, keyring=keyring, keyalgorithm=dns.tsig.HMAC_SHA512)

    auth_resolvers = []

    for dns_auth in DYNDNS_DNS_AUTH:
        for type_ in ["A", "AAAA"]:
            ok, result = dig(dns_auth, type_)
            if ok == "ok" and len(result) and result[0]:
                auth_resolvers.append(result[0])

    if not auth_resolvers:
        raise YunohostError(
            f"Failed to resolve IPv4/IPv6 for {DYNDNS_DNS_AUTH} ?", raw_msg=True
        )

    def resolve_domain(domain, rdtype):
        ok, result = dig(domain, rdtype, resolvers=auth_resolvers)
        if ok == "ok":
            return result[0] if len(result) else None
        elif result[0] == "Timeout":
            logger.debug(
                f"Timed-out while trying to resolve {rdtype} record for {domain}"
            )
        else:
            return None

        logger.debug("Falling back to external resolvers")
        ok, result = dig(domain, rdtype, resolvers="force_external")
        if ok == "ok":
            return result[0] if len(result) else None
        elif result[0] == "Timeout":
            logger.debug(
                "Timed-out while trying to resolve %s record for %s using external resolvers : %s"
                % (rdtype, domain, result)
            )
        else:
            return None

        raise YunohostError(f"Failed to resolve {rdtype} for {domain}", raw_msg=True)

    old_ipv4 = resolve_domain(domain, "A")
    old_ipv6 = resolve_domain(domain, "AAAA")

    logger.debug(f"Old IPv4/v6 are ({old_ipv4}, {old_ipv6})")
    logger.debug(f"Requested IPv4/v6 are ({ipv4}, {ipv6})")

    # no need to update
    if (not force and not dry_run) and (old_ipv4 == ipv4 and old_ipv6 == ipv6):
        logger.info("No updated needed.")
        return
    else:
        operation_logger.related_to.append(("domain", domain))
        operation_logger.start()
        logger.info("Updated needed, going on...")

    dns_conf = _build_dns_conf(domain)

    # Delete custom DNS records, we don't support them (have to explicitly
    # authorize them on dynette)
    for category in dns_conf.keys():
        if category not in ["basic", "mail", "xmpp", "extra"]:
            del dns_conf[category]

    # Delete the old records for all domain/subdomains

    # every dns_conf.values() is a list of :
    # [{"name": "...", "ttl": "...", "type": "...", "value": "..."}]
    for records in dns_conf.values():
        for record in records:
            name = (
                f"{record['name']}.{domain}." if record["name"] != "@" else f"{domain}."
            )
            update.delete(name)

    # Add the new records for all domain/subdomains

    for records in dns_conf.values():
        for record in records:
            # (For some reason) here we want the format with everytime the
            # entire, full domain shown explicitly, not just "muc" or "@", it
            # should be muc.the.domain.tld. or the.domain.tld
            if record["value"] == "@":
                record["value"] = domain
            record["value"] = record["value"].replace(";", r"\;")
            name = (
                f"{record['name']}.{domain}." if record["name"] != "@" else f"{domain}."
            )

            update.add(name, record["ttl"], record["type"], record["value"])

    logger.debug("Now pushing new conf to DynDNS host...")
    logger.debug(update)

    if not dry_run:
        try:
            r = dns.query.tcp(update, auth_resolvers[0])
        except Exception as e:
            logger.error(e)
            raise YunohostError("dyndns_ip_update_failed")

        if "rcode NOERROR" not in str(r):
            logger.error(str(r))
            raise YunohostError("dyndns_ip_update_failed")

        logger.success(m18n.n("dyndns_ip_updated"))
    else:
        print(
            "Warning: dry run, this is only the generated config, it won't be applied"
        )