#!/usr/bin/env bash
set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
source "$(dirname $0)/../common/functions"

validate_nginx () {
  set +e
  sudo /usr/sbin/nginx -t > /dev/null 2>&1
  exit_code=$?
  set -e
  if [[ "$exit_code" -ne "0" ]]; then
    sudo /usr/sbin/nginx -t
    exit "$exit_code"
  fi
}

restart_nginx () {
  case "$DOKKU_DISTRO" in
    ubuntu)
      sudo /etc/init.d/nginx reload > /dev/null
      ;;

    opensuse)
      sudo /sbin/service nginx reload > /dev/null
      ;;
  esac
}

case "$1" in
  nginx:build-config)
    APP="$2"; DOKKU_APP_LISTEN_PORT="$3"; DOKKU_APP_LISTEN_IP="${4}"
    verify_app_name "$APP"
    VHOST_PATH="$DOKKU_ROOT/$APP/VHOST"
    URLS_PATH="$DOKKU_ROOT/$APP/URLS"
    WILDCARD_SSL="$DOKKU_ROOT/tls"
    SSL="$DOKKU_ROOT/$APP/tls"
    APP_NGINX_TEMPLATE="$DOKKU_ROOT/$APP/nginx.conf.template"

    if [[ -z "$DOKKU_APP_LISTEN_PORT" ]] && [[ -z "$DOKKU_APP_LISTEN_IP" ]]; then
      shopt -s nullglob
      for DOKKU_APP_IP_FILE in $DOKKU_ROOT/$APP/IP.web.*;do
        DOKKU_APP_PORT_FILE=$(echo $DOKKU_APP_IP_FILE | sed -e "s:IP:PORT:g")
        DOKKU_APP_LISTENER_IP=$(< $DOKKU_APP_IP_FILE)
        DOKKU_APP_LISTENER_PORT=$(< $DOKKU_APP_PORT_FILE)

        DOKKU_APP_LISTENERS+=" "
        DOKKU_APP_LISTENERS+="$DOKKU_APP_LISTENER_IP:$DOKKU_APP_LISTENER_PORT"
        DOKKU_APP_LISTENERS+=" "
      done
      shopt -u nullglob
    fi

    [[ -f "$DOKKU_ROOT/ENV" ]] && source $DOKKU_ROOT/ENV
    [[ -f "$DOKKU_ROOT/$APP/ENV" ]] && source $DOKKU_ROOT/$APP/ENV
    [[ -f "$APP_NGINX_TEMPLATE" ]] && NGINX_TEMPLATE="$APP_NGINX_TEMPLATE" && NGINX_CUSTOM_TEMPLATE="true" && dokku_log_info1 'Overriding default nginx.conf with detected nginx.conf.template'

    if [[ ! -n "$NO_VHOST" ]] && [[ -f "$DOKKU_ROOT/$APP/VHOST" ]]; then
      NONSSL_VHOSTS=$(cat $VHOST_PATH)
      if [[ -e "$SSL/server.crt" ]] && [[ -e "$SSL/server.key" ]]; then
        SSL_INUSE="$SSL"
        SSL_DIRECTIVES=$(cat <<EOF
  ssl_certificate     $SSL_INUSE/server.crt;
  ssl_certificate_key $SSL_INUSE/server.key;
EOF
)
      elif  [[ -e "$WILDCARD_SSL/server.crt" ]] && [[ -e "$WILDCARD_SSL/server.key" ]]; then
        SSL_INUSE="$WILDCARD_SSL"
        SSL_DIRECTIVES=""
      fi

      NGINX_CONF=$(mktemp -t "nginx.conf.XXXXXX")
      SCHEME="http"
      if [[ -n "$SSL_INUSE" ]]; then
        SCHEME="https"

        [[ -z "$NGINX_TEMPLATE" ]] && NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.ssl.conf.template"
        SSL_HOSTNAME=$(openssl x509 -in $SSL_INUSE/server.crt -noout -subject | tr '/' '\n' | grep CN= | cut -c4-)
        if [[ -n "$SSL_HOSTNAME" ]]; then
          SSL_HOSTNAME_REGEX=$(echo "$SSL_HOSTNAME" | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g')
          [[ -z "$(egrep "^${SSL_HOSTNAME_REGEX}$" $VHOST_PATH)" ]] && [[ ! "$SSL_HOSTNAME" =~ ^\*.* ]] && echo "$SSL_HOSTNAME" >> $VHOST_PATH
        fi

        SSL_HOSTNAME_ALT=$(openssl x509 -in $SSL_INUSE/server.crt -noout -text | grep --after-context=1 '509v3 Subject Alternative Name:' | tail -n 1 | sed -e "s/[[:space:]]*DNS://g"  | tr ',' '\n' || true)
        if [[ -n "$SSL_HOSTNAME_ALT" ]]; then
          SSL_HOSTNAME_ALT_REGEX=$(echo "$SSL_HOSTNAME_ALT" | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g')
          [[ -z "$(egrep "^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH)" ]] && [[ ! "$SSL_HOSTNAME_ALT" =~ ^\*.* ]] && echo "$SSL_HOSTNAME_ALT" >> $VHOST_PATH
        fi

        SSL_VHOSTS=$(egrep "^${SSL_HOSTNAME_REGEX}$|^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH || exit 0)
        NONSSL_VHOSTS=$(egrep -v "^${SSL_HOSTNAME_REGEX}$|^${SSL_HOSTNAME_ALT_REGEX}$" $VHOST_PATH || exit 0)

        while read line; do
          [[ -z "$line" ]] && continue
          dokku_log_info1 "Configuring SSL for $line..."
          SSL_SERVER_NAME=$line
          NOSSL_SERVER_NAME=$line
          eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
        done <<< "$SSL_VHOSTS"
      fi

      if [[ -n "$NONSSL_VHOSTS" ]]; then
        NOSSL_SERVER_NAME=$(echo $NONSSL_VHOSTS | tr '\n' ' ')
        xargs -i echo "-----> Configuring {}..." <<< "$NONSSL_VHOSTS"
        [[ -z "$NGINX_CUSTOM_TEMPLATE" ]] && NGINX_TEMPLATE="$PLUGIN_PATH/nginx-vhosts/templates/nginx.conf.template"
        eval "cat <<< \"$(< $NGINX_TEMPLATE)\" >> $NGINX_CONF"
      fi

      if [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
        echo "upstream $APP { server $DOKKU_APP_LISTEN_IP:$DOKKU_APP_LISTEN_PORT; }" >> $NGINX_CONF
      elif [[ -n "$DOKKU_APP_LISTENERS" ]]; then
        echo "upstream $APP { " >> $NGINX_CONF
        for listener in $DOKKU_APP_LISTENERS;do
          echo "  server $listener;" >> $NGINX_CONF
        done
        echo "}" >> $NGINX_CONF
      fi

      dokku_log_info1 "Creating $SCHEME nginx.conf"
      mv $NGINX_CONF "$DOKKU_ROOT/$APP/nginx.conf"

      if is_deployed "$APP"; then
        dokku_log_info1 "Running nginx-pre-reload"
        pluginhook nginx-pre-reload $APP $DOKKU_APP_LISTEN_PORT $DOKKU_APP_LISTEN_IP

        dokku_log_verbose "Reloading nginx"
        validate_nginx && restart_nginx
      fi

      echo "# THIS FILE IS GENERATED BY DOKKU - DO NOT EDIT, YOUR CHANGES WILL BE OVERWRITTEN" > $URLS_PATH
      xargs -i echo "https://{}" <<< "${SSL_VHOSTS}" >> $URLS_PATH
      xargs -i echo "http://{}" <<< "${NONSSL_VHOSTS}" >> $URLS_PATH
    else
      if [[ -f "$DOKKU_ROOT/$APP/VHOST" ]]; then
        dokku_log_info1 "VHOST support disabled, deleting $APP/VHOST"
        rm "$DOKKU_ROOT/$APP/VHOST"
      fi
      if [[ -f "$DOKKU_ROOT/$APP/nginx.conf" ]]; then
        dokku_log_info1 "VHOST support disabled, deleting nginx.conf"
        rm "$DOKKU_ROOT/$APP/nginx.conf"

        if is_deployed "$APP"; then
          dokku_log_info1 "VHOST support disabled, reloading nginx after nginx.conf deletion"
          validate_nginx && restart_nginx
        fi
      fi
    fi
    ;;

  nginx:import-ssl)
    [[ -z $2 ]] && echo "Please specify an app to run the command on" && exit 1
    verify_app_name "$2"
    [[ -t 0 ]] && echo "Tar archive containing server.crt and server.key expected on stdin" && exit 1
    APP="$2"

    TEMP_DIR=$(mktemp -d)
    cd $TEMP_DIR
    tar xvf - <&0
    [[ ! -f "$TEMP_DIR/server.crt" ]] && echo "Tar archive missing server.crt" && exit 1
    [[ ! -f "$TEMP_DIR/server.key" ]] && echo "Tar archive missing server.key" && exit 1

    mkdir -p "$DOKKU_ROOT/$APP/tls"
    mv "$TEMP_DIR/server.crt" "$DOKKU_ROOT/$APP/tls/server.crt"
    mv "$TEMP_DIR/server.key" "$DOKKU_ROOT/$APP/tls/server.key"
    cd $DOKKU_ROOT
    rm -rf $TEMP_DIR
    dokku nginx:build-config $APP
    ;;

  help | nginx:help)
    cat && cat<<EOF
    nginx:import-ssl <app>                          Imports a tarball from stdin; should contain server.crt and server.key
    nginx:build-config <app>                        (Re)builds nginx config for given app
EOF
    ;;

  *)
    exit $DOKKU_NOT_IMPLEMENTED_EXIT
    ;;

esac
