#!/usr/bin/python3
# -*- mode: python -*-
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

"""
Configuration helper for the Tor service
"""

import argparse
import codecs
import os
import re
import socket
import time

from plinth import action_utils
from plinth.modules.tor import is_enabled, is_running, get_augeas, \
    get_real_apt_uri_path, iter_apt_uris, APT_TOR_PREFIX

SERVICE_FILE = '/etc/firewalld/services/tor-{0}.xml'
TOR_CONFIG = '/etc/tor/torrc'
TOR_STATE_FILE = '/var/lib/tor/state'
TOR_AUTH_COOKIE = '/var/run/tor/control.authcookie'


def parse_arguments():
    """Return parsed command line arguments as dictionary"""
    parser = argparse.ArgumentParser()
    subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')

    subparsers.add_parser('setup', help='Setup Tor configuration')
    subparsers.add_parser('get-ports', help='Get list of Tor ports')
    subparsers.add_parser('get-hs', help='Get hidden service')

    configure = subparsers.add_parser('configure', help='Configure Tor')
    configure.add_argument('--service', choices=['enable', 'disable'],
                           help='Configure Tor service')
    configure.add_argument('--hidden-service', choices=['enable', 'disable'],
                           help='Configure hidden service')
    configure.add_argument('--apt-transport-tor',
                           choices=['enable', 'disable'],
                           help='Configure package download over Tor')

    return parser.parse_args()


def subcommand_setup(_):
    """Setup Tor configuration after installing it."""
    # XXX: Performing this as a post-install step instead of
    # pre-install setup for now.  Creating a configuration before hand
    # leads dpkg to ask question about configuration overwrite which
    # makes aptcc backend of packagekit to wait forever even with
    # interactive=False.
    lines = """
# Run as non-exit bridge relay
SocksPort [::]:9050
SocksPort 0.0.0.0:9050
ORPort auto
ControlPort 9051
BridgeRelay 1
Exitpolicy reject *:*
Exitpolicy reject6 *:*

# Enable obfsproxy
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
ExtORPort auto

# Enable transparent proxy
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 127.0.0.1:9040
TransPort [::1]:9040
DNSPort 127.0.0.1:9053
DNSPort [::1]:9053
"""
    with open(TOR_CONFIG, 'w') as conffile:
        conffile.writelines(lines)

    action_utils.service_restart('tor')
    _update_ports()


def subcommand_get_ports(_):
    """Get list of Tor ports."""
    ports = get_ports()
    for name, number in ports.items():
        print(name, number)


def subcommand_get_hs(_):
    """Print currently configured Tor hidden service information"""
    print(get_hidden_service())


def subcommand_configure(arguments):
    """Configure Tor."""
    if arguments.service == 'disable':
        _disable()

    restart = arguments.service == None
    if arguments.hidden_service == 'enable':
        _enable_hs(restart=restart)
    elif arguments.hidden_service == 'disable':
        _disable_hs(restart=restart)

    if arguments.service == 'enable':
        _enable()

    if arguments.apt_transport_tor == 'enable':
        _enable_apt_transport_tor()
    elif arguments.apt_transport_tor == 'disable':
        _disable_apt_transport_tor()


def get_ports():
    """Return dict mapping port names to numbers."""
    ports = {}
    try:
        ports['orport'] = _get_orport()
    except Exception:
        pass

    try:
        with open(TOR_STATE_FILE, 'r') as state_file:
            for line in state_file:
                matches = re.match(
                    r'^\s*TransportProxy\s+(\S*)\s+\S+:(\d+)\s*$', line)
                if matches:
                    ports[matches.group(1)] = matches.group(2)
    except FileNotFoundError:
        pass

    return ports


def _get_orport():
    """Return the ORPort by querying running instance."""
    cookie = open(TOR_AUTH_COOKIE, 'rb').read()
    cookie = codecs.encode(cookie, 'hex').decode()

    commands = '''AUTHENTICATE {cookie}
GETINFO net/listeners/or
QUIT
'''.format(cookie=cookie)

    tor_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tor_socket.connect(('localhost', 9051))
    tor_socket.send(commands.encode())
    response = tor_socket.recv(1024)
    tor_socket.close()

    line = response.split(b'\r\n')[1].decode()
    matches = re.match(r'.*="[^:]+:(\d+)"', line)
    return matches.group(1)


def get_hidden_service():
    """Return a string with configured Tor hidden service information"""
    hs_dir = None
    hs_ports = []

    try:
        with open(TOR_CONFIG, 'r') as conf_file:
            for line in conf_file:
                if line.startswith('HiddenServiceDir'):
                    hs_dir = line.split()[1]
                elif line.startswith('HiddenServicePort'):
                    hs_ports.append(line.split()[1])
    except FileNotFoundError:
        return 'error'

    if not hs_dir:
        return ''

    try:
        with open(os.path.join(hs_dir, 'hostname'), 'r') as conf_file:
            hs_hostname = conf_file.read().strip()
    except Exception:
        return 'error'

    return hs_hostname + ' ' + ','.join(hs_ports)


def _enable():
    """Enable and start the service."""
    action_utils.service_enable('tor')
    _update_ports()


def _disable():
    """Disable and stop the service."""
    _disable_apt_transport_tor()
    action_utils.service_disable('tor')


def _enable_hs(restart=True):
    """Enable Tor hidden service"""
    if get_hidden_service():
        return

    with open(TOR_CONFIG, 'r') as conffile:
        lines = conffile.readlines()

    lines.append('# Hidden Service configured by Plinth\n')
    lines.append('HiddenServiceDir /var/lib/tor/hidden_service/\n')
    lines.append('HiddenServicePort 80 127.0.0.1:80\n')
    lines.append('HiddenServicePort 443 127.0.0.1:443\n')
    lines.append('# end of Plinth Hidden Service config\n')

    with open(TOR_CONFIG, 'w') as conffile:
        conffile.writelines(lines)

    if restart:
        if is_enabled() and is_running():
            action_utils.service_restart('tor')

            # wait until hidden service information is available
            tries = 0
            while get_hidden_service() in ('', 'error'):
                tries += 1
                if tries >= 12:
                    return

                time.sleep(10)


def _disable_hs(restart=True):
    """Disable Tor hidden service"""
    if not get_hidden_service():
        return

    with open(TOR_CONFIG, 'r') as conffile:
        lines = conffile.readlines()

        filtered_lines = []
        removing = False
        for line in lines:
            if removing:
                if line.startswith('# end of Plinth Hidden Service config'):
                    # last line of Plinth hidden service block
                    # stop removing after this line
                    removing = False
                elif not line.startswith('HiddenService'):
                    # end of Plinth hidden service block
                    # stop removing lines
                    removing = False
                    filtered_lines.append(line)
            else:
                if line.startswith('# Hidden Service configured by Plinth'):
                    # start of Plinth hidden service block
                    # remove following HiddenService lines
                    removing = True
                else:
                    filtered_lines.append(line)

    with open(TOR_CONFIG, 'w') as conffile:
        conffile.writelines(filtered_lines)

    if restart:
        if is_enabled() and is_running():
            action_utils.service_restart('tor')


def _enable_apt_transport_tor():
    """Enable package download over Tor."""
    try:
        aug = get_augeas()
    except Exception:
        # If there was an error, don't proceed
        print('Error: Unable to understand sources format.')
        exit(1)

    for uri_path in iter_apt_uris(aug):
        uri_path = get_real_apt_uri_path(aug, uri_path)
        uri = aug.get(uri_path)
        if uri.startswith('http://') or uri.startswith('https://'):
            aug.set(uri_path, APT_TOR_PREFIX + uri)

    aug.save()


def _disable_apt_transport_tor():
    """Disable package download over Tor."""
    try:
        aug = get_augeas()
    except Exception:
        # Disable what we can, so APT is not unusable.
        pass

    for uri_path in iter_apt_uris(aug):
        uri_path = get_real_apt_uri_path(aug, uri_path)
        uri = aug.get(uri_path)
        if uri.startswith(APT_TOR_PREFIX):
            aug.set(uri_path, uri[len(APT_TOR_PREFIX):])

    aug.save()


def _update_ports():
    """Update firewall service information."""
    ready = False
    tries = 0

    # port information may not be available immediately after Tor started
    while not ready:
        ports = get_ports()
        ready = 'orport' in ports and 'obfs3' in ports and 'obfs4' in ports
        if ready:
            break

        tries += 1
        if tries >= 12:
            return

        time.sleep(10)

    lines = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Tor - {0}</short>
  <port protocol="tcp" port="{1}"/>
</service>
"""
    for name, number in ports.items():
        try:
            with open(SERVICE_FILE.format(name), 'w') as service_file:
                service_file.writelines(lines.format(name, number))
        except FileNotFoundError:
            return

    # XXX: We should ideally do firewalld reload instead.  However,
    # firewalld seems to fail to successfully reload sometimes.
    action_utils.service_restart('firewalld')


def main():
    """Parse arguments and perform all duties"""
    arguments = parse_arguments()

    subcommand = arguments.subcommand.replace('-', '_')
    subcommand_method = globals()['subcommand_' + subcommand]
    subcommand_method(arguments)


if __name__ == '__main__':
    main()
