local configmanager = require "core.configmanager";

local moduleapi = require "core.moduleapi";

local show_usage = require "util.prosodyctl".show_usage;

local show_warning = require "util.prosodyctl".show_warning;

local is_prosody_running = require "util.prosodyctl".isrunning;

local parse_args = require "util.argparse".parse;

local dependencies = require "util.dependencies";

local socket = require "socket";

local socket_url = require "socket.url";

local jid_split = require "util.jid".prepped_split;

local modulemanager = require "core.modulemanager";

local async = require "util.async";

local httputil = require "util.http";

local function api(host)

	return setmetatable({ name = "prosodyctl.check"; host = host; log = prosody.log }, { __index = moduleapi })

end

local function check_ojn(check_type, target_host)

	local http = require "net.http"; -- .new({});

	local json = require "util.json";

	local response, err = async.wait_for(http.request(

		("https://observe.jabber.network/api/v1/check/%s"):format(httputil.urlencode(check_type)),

		{

			method="POST",

			headers={["Accept"] = "application/json"; ["Content-Type"] = "application/json"},

			body=json.encode({target=target_host}),

		}));

	if not response then

		return false, err;

	end

	if response.code ~= 200 then

		return false, ("API replied with non-200 code: %d"):format(response.code);

	end

	local decoded_body, err = json.decode(response.body);

	if decoded_body == nil then

		return false, ("Failed to parse API JSON: %s"):format(err)

	end

	local success = decoded_body["success"];

	return success == true, nil;

end

local function check_probe(base_url, probe_module, target)

	local http = require "net.http"; -- .new({});

	local params = httputil.formencode({ module = probe_module; target = target })

	local response, err = async.wait_for(http.request(base_url .. "?" .. params));

	if not response then return false, err; end

	if response.code ~= 200 then return false, ("API replied with non-200 code: %d"):format(response.code); end

	for line in response.body:gmatch("[^\r\n]+") do

		local probe_success = line:match("^probe_success%s+(%d+)");

		if probe_success == "1" then

			return true;

		elseif probe_success == "0" then

			return false;

		end

	end

	return false, "Probe endpoint did not return a success status";

end

local function check_turn_service(turn_service, ping_service)

	local ip = require "util.ip";

	local stun = require "net.stun";

	-- Create UDP socket for communication with the server

	local sock = assert(require "socket".udp());

	sock:setsockname("*", 0);

	sock:setpeername(turn_service.host, turn_service.port);

	sock:settimeout(10);

	-- Helper function to receive a packet

	local function receive_packet()

		local raw_packet, err = sock:receive();

		if not raw_packet then

			return nil, err;

		end

		return stun.new_packet():deserialize(raw_packet);

	end

	local result = { warnings = {} };

	-- Send a "binding" query, i.e. a request for our external IP/port

	local bind_query = stun.new_packet("binding", "request");

	bind_query:add_attribute("software", "prosodyctl check turn");

	sock:send(bind_query:serialize());

	local bind_result, err = receive_packet();

	if not bind_result then

		result.error = "No STUN response: "..err;

		return result;

	elseif bind_result:is_err_resp() then

		result.error = ("STUN server returned error: %d (%s)"):format(bind_result:get_error());

		return result;

	elseif not bind_result:is_success_resp() then

		result.error = ("Unexpected STUN response: %d (%s)"):format(bind_result:get_type());

		return result;

	end

	result.external_ip = bind_result:get_xor_mapped_address();

	if not result.external_ip then

		result.error = "STUN server did not return an address";

		return result;

	end

	if ip.new_ip(result.external_ip.address).private then

		table.insert(result.warnings, "STUN returned a private IP! Is the TURN server behind a NAT and misconfigured?");

	end

	-- Send a TURN "allocate" request. Expected to fail due to auth, but

	-- necessary to obtain a valid realm/nonce from the server.

	local pre_request = stun.new_packet("allocate", "request");

	sock:send(pre_request:serialize());

	local pre_result, err = receive_packet();

	if not pre_result then

		result.error = "No initial TURN response: "..err;

		return result;

	elseif pre_result:is_success_resp() then

		result.error = "TURN server does not have authentication enabled";

		return result;

	end

	local realm = pre_result:get_attribute("realm");

	local nonce = pre_result:get_attribute("nonce");

	if not realm then

		table.insert(result.warnings, "TURN server did not return an authentication realm. Is authentication enabled?");

	end

	if not nonce then

		table.insert(result.warnings, "TURN server did not return a nonce");

	end

	-- Use the configured secret to obtain temporary user/pass credentials

	local turn_user, turn_pass = stun.get_user_pass_from_secret(turn_service.secret);

	-- Send a TURN allocate request, will fail if auth is wrong

	local alloc_request = stun.new_packet("allocate", "request");

	alloc_request:add_requested_transport("udp");

	alloc_request:add_attribute("username", turn_user);

	if realm then

		alloc_request:add_attribute("realm", realm);

	end

	if nonce then

		alloc_request:add_attribute("nonce", nonce);

	end

	local key = stun.get_long_term_auth_key(realm or turn_service.host, turn_user, turn_pass);

	alloc_request:add_message_integrity(key);

	sock:send(alloc_request:serialize());

	-- Check the response

	local alloc_response, err = receive_packet();

	if not alloc_response then

		result.error = "TURN server did not response to allocation request: "..err;

		return result;

	elseif alloc_response:is_err_resp() then

		result.error = ("TURN allocation failed: %d (%s)"):format(alloc_response:get_error());

		return result;

	elseif not alloc_response:is_success_resp() then

		result.error = ("Unexpected TURN response: %d (%s)"):format(alloc_response:get_type());

		return result;

	end

	result.relayed_addresses = alloc_response:get_xor_relayed_addresses();

	if not ping_service then

		-- Success! We won't be running the relay test.

		return result;

	end

	-- Run the relay test - i.e. send a binding request to ping_service

	-- and receive a response.

	-- Resolve the IP of the ping service

	local ping_host, ping_port = ping_service:match("^([^:]+):(%d+)$");

	if ping_host then

		ping_port = tonumber(ping_port);

	else

		-- Only a hostname specified, use default STUN port

		ping_host, ping_port = ping_service, 3478;

	end

	if ping_host == turn_service.host then

		result.error = ("Unable to perform ping test: please supply an external STUN server address. See https://prosody.im/doc/turn#prosodyctl-check");

		return result;

	end

	local ping_service_ip, err = socket.dns.toip(ping_host);

	if not ping_service_ip then

		result.error = "Unable to resolve ping service hostname: "..err;

		return result;

	end

	-- Ask the TURN server to allow packets from the ping service IP

	local perm_request = stun.new_packet("create-permission");

	perm_request:add_xor_peer_address(ping_service_ip);

	perm_request:add_attribute("username", turn_user);

	if realm then

		perm_request:add_attribute("realm", realm);

	end

	if nonce then

		perm_request:add_attribute("nonce", nonce);

	end

	perm_request:add_message_integrity(key);

	sock:send(perm_request:serialize());

	local perm_response, err = receive_packet();

	if not perm_response then

		result.error = "No response from TURN server when requesting peer permission: "..err;

		return result;

	elseif perm_response:is_err_resp() then

		result.error = ("TURN permission request failed: %d (%s)"):format(perm_response:get_error());

		return result;

	elseif not perm_response:is_success_resp() then

		result.error = ("Unexpected TURN response: %d (%s)"):format(perm_response:get_type());

		return result;

	end

	-- Ask the TURN server to relay a STUN binding request to the ping server

	local ping_data = stun.new_packet("binding"):serialize();

	local ping_request = stun.new_packet("send", "indication");

	ping_request:add_xor_peer_address(ping_service_ip, ping_port);

	ping_request:add_attribute("data", ping_data);

	ping_request:add_attribute("username", turn_user);

	if realm then

		ping_request:add_attribute("realm", realm);

	end

	if nonce then

		ping_request:add_attribute("nonce", nonce);

	end

	ping_request:add_message_integrity(key);

	sock:send(ping_request:serialize());

	local ping_response, err = receive_packet();

	if not ping_response then

		result.error = "No response from ping server ("..ping_service_ip.."): "..err;

		return result;

	elseif not ping_response:is_indication() or select(2, ping_response:get_method()) ~= "data" then

		result.error = ("Unexpected TURN response: %s %s"):format(select(2, ping_response:get_method()), select(2, ping_response:get_type()));

		return result;

	end

	local pong_data = ping_response:get_attribute("data");

	if not pong_data then

		result.error = "No data relayed from remote server";

		return result;

	end

	local pong = stun.new_packet():deserialize(pong_data);

	result.external_ip_pong = pong:get_xor_mapped_address();

	if not result.external_ip_pong then

		result.error = "Ping server did not return an address";

		return result;

	end

	local relay_address_found, relay_port_matches;

	for _, relayed_address in ipairs(result.relayed_addresses) do

		if relayed_address.address == result.external_ip_pong.address then

			relay_address_found = true;

			relay_port_matches = result.external_ip_pong.port == relayed_address.port;

		end

	end

	if not relay_address_found then

		table.insert(result.warnings, "TURN external IP vs relay address mismatch! Is the TURN server behind a NAT and misconfigured?");

	elseif not relay_port_matches then

		table.insert(result.warnings, "External port does not match reported relay port! This is probably caused by a NAT in front of the TURN server.");

	end

	--

	return result;

end

local function skip_bare_jid_hosts(host)

	if jid_split(host) then

		-- See issue #779

		return false;

	end

	return true;

end

local check_opts = {

	short_params = {

		h = "help", v = "verbose";

	};

	value_params = {

		ping = true;

	};

};

local function check(arg)

	if arg[1] == "help" or arg[1] == "--help" then

		show_usage([[check]], [[Perform basic checks on your Prosody installation]]);

		return 1;

	end

	local what = table.remove(arg, 1);

	local opts, opts_err, opts_info = parse_args(arg, check_opts);

	if opts_err == "missing-value" then

		print("Error: Expected a value after '"..opts_info.."'");

		return 1;

	elseif opts_err == "param-not-found" then

		print("Error: Unknown parameter: "..opts_info);

		return 1;

	end

	local array = require "util.array";

	local set = require "util.set";

	local it = require "util.iterators";

	local ok = true;

	local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end

	local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end

	if not (what == nil or what == "disabled" or what == "config" or what == "dns" or what == "certs" or what == "connectivity" or what == "turn") then

		show_warning("Don't know how to check '%s'. Try one of 'config', 'dns', 'certs', 'disabled', 'turn' or 'connectivity'.", what);

		show_warning("Note: The connectivity check will connect to a remote server.");

		return 1;

	end

	if not what or what == "disabled" then

		local disabled_hosts_set = set.new();

		for host in it.filter("*", pairs(configmanager.getconfig())) do

			if api(host):get_option_boolean("enabled") == false then

				disabled_hosts_set:add(host);

			end

		end

		if not disabled_hosts_set:empty() then

			local msg = "Checks will be skipped for these disabled hosts: %s";

			if what then msg = "These hosts are disabled: %s"; end

			show_warning(msg, tostring(disabled_hosts_set));

			if what then return 0; end

			print""

		end

	end

	if not what or what == "config" then

		print("Checking config...");

		if what == "config" then

			local files = configmanager.files();

			print("    The following configuration files have been loaded:");

			print("      -  "..table.concat(files, "\n      -  "));

		end

		local obsolete = set.new({ --> remove

			"archive_cleanup_interval",

			"dns_timeout",

			"muc_log_cleanup_interval",

			"s2s_dns_resolvers",

			"setgid",

			"setuid",

		});

		local function instead_use(kind, name, value)

			if kind == "option" then

				if value then

					return string.format("instead, use '%s = %q'", name, value);

				else

					return string.format("instead, use '%s'", name);

				end

			elseif kind == "module" then

				return string.format("instead, add %q to '%s'", name, value or "modules_enabled");

			elseif kind == "community" then

				return string.format("instead, add %q from %s", name, value or "prosody-modules");

			end

			return kind

		end

		local deprecated_replacements = {

			anonymous_login = instead_use("option", "authentication", "anonymous");

			daemonize = "instead, use the --daemonize/-D or --foreground/-F command line flags";

			disallow_s2s = instead_use("module", "s2s", "modules_disabled");

			no_daemonize = "instead, use the --daemonize/-D or --foreground/-F command line flags";