local configmanager = require "core.configmanager";

local show_usage = require "util.prosodyctl".show_usage;

local show_warning = require "util.prosodyctl".show_warning;

local is_prosody_running = require "util.prosodyctl".isrunning;

local dependencies = require "util.dependencies";

local socket = require "socket";

local socket_url = require "socket.url";

local jid_split = require "util.jid".prepped_split;

local modulemanager = require "core.modulemanager";

local async = require "util.async";

local httputil = require "util.http";

local function check_ojn(check_type, target_host)

	local http = require "net.http"; -- .new({});

	local json = require "util.json";

	local response, err = async.wait_for(http.request(

		("https://observe.jabber.network/api/v1/check/%s"):format(httputil.urlencode(check_type)),

		{

			method="POST",

			headers={["Accept"] = "application/json"; ["Content-Type"] = "application/json"},

			body=json.encode({target=target_host}),

		}));

	if not response then

		return false, err;

	end

	if response.code ~= 200 then

		return false, ("API replied with non-200 code: %d"):format(response.code);

	end

	local decoded_body, err = json.decode(response.body);

	if decoded_body == nil then

		return false, ("Failed to parse API JSON: %s"):format(err)

	end

	local success = decoded_body["success"];

	return success == true, nil;

end

local function check_probe(base_url, probe_module, target)

	local http = require "net.http"; -- .new({});

	local params = httputil.formencode({ module = probe_module; target = target })

	local response, err = async.wait_for(http.request(base_url .. "?" .. params));

	if not response then return false, err; end

	if response.code ~= 200 then return false, ("API replied with non-200 code: %d"):format(response.code); end

	for line in response.body:gmatch("[^\r\n]+") do

		local probe_success = line:match("^probe_success%s+(%d+)");

		if probe_success == "1" then

			return true;

		elseif probe_success == "0" then

			return false;

		end

	end

	return false, "Probe endpoint did not return a success status";

end

local function skip_bare_jid_hosts(host)

	if jid_split(host) then

		-- See issue #779

		return false;

	end

	return true;

end

local function check(arg)

	if arg[1] == "--help" then

		show_usage([[check]], [[Perform basic checks on your Prosody installation]]);

		return 1;

	end

	local what = table.remove(arg, 1);

	local array = require "util.array";

	local set = require "util.set";

	local it = require "util.iterators";

	local ok = true;

	local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end

	local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end

	if not (what == nil or what == "disabled" or what == "config" or what == "dns" or what == "certs" or what == "connectivity") then

		show_warning("Don't know how to check '%s'. Try one of 'config', 'dns', 'certs', 'disabled' or 'connectivity'.", what);

		show_warning("Note: The connectivity check will connect to a remote server.");

		return 1;

	end

	if not what or what == "disabled" then

		local disabled_hosts_set = set.new();

		for host, host_options in it.filter("*", pairs(configmanager.getconfig())) do

			if host_options.enabled == false then

				disabled_hosts_set:add(host);

			end

		end

		if not disabled_hosts_set:empty() then

			local msg = "Checks will be skipped for these disabled hosts: %s";

			if what then msg = "These hosts are disabled: %s"; end

			show_warning(msg, tostring(disabled_hosts_set));

			if what then return 0; end

			print""

		end

	end

	if not what or what == "config" then

		print("Checking config...");

		local obsolete = set.new({ --> remove

			"archive_cleanup_interval",

			"cross_domain_bosh",

			"cross_domain_websocket",

			"dns_timeout",

			"muc_log_cleanup_interval",

			"s2s_dns_resolvers",

			"setgid",

			"setuid",

		});

		local function instead_use(kind, name, value)

			if kind == "option" then

				if value then

					return string.format("instead, use '%s = %q'", name, value);

				else

					return string.format("instead, use '%s'", name);

				end

			elseif kind == "module" then

				return string.format("instead, add %q to '%s'", name, value or "modules_enabled");

			elseif kind == "community" then

				return string.format("instead, add %q from %s", name, value or "prosody-modules");

			end

			return kind

		end

		local deprecated_replacements = {

			anonymous_login = instead_use("option", "authentication", "anonymous");

			daemonize = "instead, use the --daemonize/-D or --foreground/-F command line flags";

			disallow_s2s = instead_use("module", "s2s");

			no_daemonize = "instead, use the --daemonize/-D or --foreground/-F command line flags";

			require_encryption = "instead, use 'c2s_require_encryption' and 's2s_require_encryption'";

			vcard_compatibility = instead_use("community", "mod_compat_vcard");

			use_libevent = instead_use("option", "network_backend", "event");

			whitelist_registration_only = instead_use("option", "allowlist_registration_only");

			registration_whitelist = instead_use("option", "registration_allowlist");

			registration_blacklist = instead_use("option", "registration_blocklist");

			blacklist_on_registration_throttle_overload = instead_use("blocklist_on_registration_throttle_overload");

		};

		-- FIXME all the singular _port and _interface options are supposed to be deprecated too

		local deprecated_ports = { bosh = "http", legacy_ssl = "c2s_direct_tls" };

		local port_suffixes = set.new({ "port", "ports", "interface", "interfaces", "ssl" });

		for port, replacement in pairs(deprecated_ports) do

			for suffix in port_suffixes do

				local rsuffix = (suffix == "port" or suffix == "interface") and suffix.."s" or suffix;

				deprecated_replacements[port.."_"..suffix] = "instead, use '"..replacement.."_"..rsuffix.."'"

			end

		end

		local deprecated = set.new(array.collect(it.keys(deprecated_replacements)));

		local known_global_options = set.new({

			"access_control_allow_credentials",

			"access_control_allow_headers",

			"access_control_allow_methods",

			"access_control_max_age",

			"admin_socket",

			"body_size_limit",

			"bosh_max_inactivity",

			"bosh_max_polling",

			"bosh_max_wait",

			"buffer_size_limit",

			"c2s_close_timeout",

			"c2s_stanza_size_limit",

			"c2s_tcp_keepalives",

			"c2s_timeout",

			"component_stanza_size_limit",

			"component_tcp_keepalives",

			"consider_bosh_secure",

			"consider_websocket_secure",

			"console_banner",

			"console_prettyprint_settings",

			"daemonize",

			"gc",

			"http_default_host",

			"http_errors_always_show",

			"http_errors_default_message",

			"http_errors_detailed",

			"http_errors_messages",

			"http_max_buffer_size",

			"http_max_content_size",

			"installer_plugin_path",

			"limits",

			"limits_resolution",

			"log",

			"multiplex_buffer_size",

			"network_backend",

			"network_default_read_size",

			"network_settings",

			"openmetrics_allow_cidr",

			"openmetrics_allow_ips",

			"pidfile",

			"plugin_paths",

			"plugin_server",

			"prosodyctl_timeout",

			"prosody_group",

			"prosody_user",

			"run_as_root",

			"s2s_close_timeout",

			"s2s_insecure_domains",

			"s2s_require_encryption",

			"s2s_secure_auth",

			"s2s_secure_domains",

			"s2s_stanza_size_limit",

			"s2s_tcp_keepalives",

			"s2s_timeout",

			"statistics",

			"statistics_config",

			"statistics_interval",

			"tcp_keepalives",

			"tls_profile",

			"trusted_proxies",

			"umask",

			"use_dane",

			"use_ipv4",

			"use_ipv6",

			"websocket_frame_buffer_limit",

			"websocket_frame_fragment_limit",

			"websocket_get_response_body",

			"websocket_get_response_text",

		});

		local config = configmanager.getconfig();

		-- Check that we have any global options (caused by putting a host at the top)

		if it.count(it.filter("log", pairs(config["*"]))) == 0 then

			ok = false;

			print("");

			print("    No global options defined. Perhaps you have put a host definition at the top")

			print("    of the config file? They should be at the bottom, see https://prosody.im/doc/configure#overview");

		end

		if it.count(enabled_hosts()) == 0 then

			ok = false;

			print("");

			if it.count(it.filter("*", pairs(config))) == 0 then

				print("    No hosts are defined, please add at least one VirtualHost section")

			elseif config["*"]["enabled"] == false then

				print("    No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section")

			else

				print("    All hosts are disabled. Remove enabled = false from at least one VirtualHost section")

			end

		end

		if not config["*"].modules_enabled then

			print("    No global modules_enabled is set?");

			local suggested_global_modules;

			for host, options in enabled_hosts() do --luacheck: ignore 213/host

				if not options.component_module and options.modules_enabled then

					suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));

				end

			end

			if suggested_global_modules and not suggested_global_modules:empty() then

				print("    Consider moving these modules into modules_enabled in the global section:")

				print("    "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));

			end

			print();

		end

		do -- Check for modules enabled both normally and as components

			local modules = set.new(config["*"]["modules_enabled"]);

			for host, options in enabled_hosts() do

				local component_module = options.component_module;

				if component_module and modules:contains(component_module) then

					print(("    mod_%s is enabled both in modules_enabled and as Component %q %q"):format(component_module, host, component_module));

					print("    This means the service is enabled on all VirtualHosts as well as the Component.");

					print("    Are you sure this what you want? It may cause unexpected behaviour.");

				end

			end

		end

		-- Check for global options under hosts

		local global_options = set.new(it.to_array(it.keys(config["*"])));

		local obsolete_global_options = set.intersection(global_options, obsolete);

		if not obsolete_global_options:empty() then

			print("");

			print("    You have some obsolete options you can remove from the global section:");

			print("    "..tostring(obsolete_global_options))

			ok = false;

		end

		local deprecated_global_options = set.intersection(global_options, deprecated);

		if not deprecated_global_options:empty() then

			print("");

			print("    You have some deprecated options in the global section:");

			for option in deprecated_global_options do

				print(("    '%s' -- %s"):format(option, deprecated_replacements[option]));

			end

			ok = false;

		end

		for host, options in it.filter(function (h) return h ~= "*" end, pairs(configmanager.getconfig())) do

			local host_options = set.new(it.to_array(it.keys(options)));

			local misplaced_options = set.intersection(host_options, known_global_options);

			for name in pairs(options) do

				if name:match("^interfaces?")

				or name:match("_ports?$") or name:match("_interfaces?$")

				or (name:match("_ssl$") and not name:match("^[cs]2s_ssl$")) then

					misplaced_options:add(name);

				end

			end

			-- FIXME These _could_ be misplaced, but we would have to check where the corresponding module is loaded to be sure

			misplaced_options:exclude(set.new({ "external_service_port", "turn_external_port" }));

			if not misplaced_options:empty() then

				ok = false;

				print("");

				local n = it.count(misplaced_options);

				print("    You have "..n.." option"..(n>1 and "s " or " ").."set under "..host.." that should be");

				print("    in the global section of the config file, above any VirtualHost or Component definitions,")

				print("    see https://prosody.im/doc/configure#overview for more information.")

				print("");

				print("    You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", "));

			end

		end

		for host, options in enabled_hosts() do

			local host_options = set.new(it.to_array(it.keys(options)));

			local subdomain = host:match("^[^.]+");

			if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp"

			   or subdomain == "chat" or subdomain == "im") then

				print("");

				print("    Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to");

				print("     "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host..".");

				print("     For more information see: https://prosody.im/doc/dns");

			end

		end

		local all_modules = set.new(config["*"].modules_enabled);

		local all_options = set.new(it.to_array(it.keys(config["*"])));

		for host in enabled_hosts() do

			all_options:include(set.new(it.to_array(it.keys(config[host]))));

			all_modules:include(set.new(config[host].modules_enabled));

		end

		for mod in all_modules do

			if mod:match("^mod_") then

				print("");

				print("    Modules in modules_enabled should not have the 'mod_' prefix included.");

				print("    Change '"..mod.."' to '"..mod:match("^mod_(.*)").."'.");

			elseif mod:match("^auth_") then

				print("");

				print("    Authentication modules should not be added to modules_enabled,");

				print("    but be specified in the 'authentication' option.");

				print("    Remove '"..mod.."' from modules_enabled and instead add");

				print("        authentication = '"..mod:match("^auth_(.*)").."'");

				print("    For more information see https://prosody.im/doc/authentication");

			elseif mod:match("^storage_") then

				print("");

				print("    storage modules should not be added to modules_enabled,");

				print("    but be specified in the 'storage' option.");

				print("    Remove '"..mod.."' from modules_enabled and instead add");

				print("        storage = '"..mod:match("^storage_(.*)").."'");

				print("    For more information see https://prosody.im/doc/storage");

			end

		end

		if all_modules:contains("vcard") and all_modules:contains("vcard_legacy") then

			print("");

			print("    Both mod_vcard_legacy and mod_vcard are enabled but they conflict");

			print("    with each other. Remove one.");

		end

		if all_modules:contains("pep") and all_modules:contains("pep_simple") then

			print("");

			print("    Both mod_pep_simple and mod_pep are enabled but they conflict");

			print("    with each other. Remove one.");

		end

		for host, host_config in pairs(config) do --luacheck: ignore 213/host

			if type(rawget(host_config, "storage")) == "string" and rawget(host_config, "default_storage") then

				print("");

				print("    The 'default_storage' option is not needed if 'storage' is set to a string.");

				break;

			end

		end

		local require_encryption = set.intersection(all_options, set.new({

			"require_encryption", "c2s_require_encryption", "s2s_require_encryption"

		})):empty();

		local ssl = dependencies.softreq"ssl";

		if not ssl then

			if not require_encryption then

				print("");

				print("    You require encryption but LuaSec is not available.");

				print("    Connections will fail.");

				ok = false;