// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab

#include <errno.h>

#include "common/ceph_json.h"
#include "rgw_policy_s3.h"
#include "rgw_common.h"
#include "rgw_crypt_sanitize.h"

#define dout_context g_ceph_context
#define dout_subsys ceph_subsys_rgw

class RGWPolicyCondition {
protected:
  string v1;
  string v2;

  virtual bool check(const string& first, const string& second, string& err_msg) = 0;

public:
  virtual ~RGWPolicyCondition() {}

  void set_vals(const string& _v1, const string& _v2) {
    v1 = _v1;
    v2 = _v2;
  }

  bool check(RGWPolicyEnv *env, map<string, bool, ltstr_nocase>& checked_vars, string& err_msg) {
     string first, second;
     env->get_value(v1, first, checked_vars);
     env->get_value(v2, second, checked_vars);
     dout(1) << "policy condition check " << v1 << " ["
         << rgw::crypt_sanitize::s3_policy{v1, first}
         << "] " << v2 << " ["
         << rgw::crypt_sanitize::s3_policy{v2, second}
         << "]" << dendl;
     bool ret = check(first, second, err_msg);
     if (!ret) {
       err_msg.append(": ");
       err_msg.append(v1);
       err_msg.append(", ");
       err_msg.append(v2);
     }
     return ret;
  }

};


class RGWPolicyCondition_StrEqual : public RGWPolicyCondition {
protected:
  bool check(const string& first, const string& second, string& msg) override {
    bool ret = first.compare(second) == 0;
    if (!ret) {
      msg = "Policy condition failed: eq";
    }
    return ret;
  }
};

class RGWPolicyCondition_StrStartsWith : public RGWPolicyCondition {
protected:
  bool check(const string& first, const string& second, string& msg) override {
    bool ret = first.compare(0, second.size(), second) == 0;
    if (!ret) {
      msg = "Policy condition failed: starts-with";
    }
    return ret;
  }
};

void RGWPolicyEnv::add_var(const string& name, const string& value)
{
  vars[name] = value;
}

bool RGWPolicyEnv::get_var(const string& name, string& val)
{
  map<string, string, ltstr_nocase>::iterator iter = vars.find(name);
  if (iter == vars.end())
    return false;

  val = iter->second;

  return true;
}

bool RGWPolicyEnv::get_value(const string& s, string& val, map<string, bool, ltstr_nocase>& checked_vars)
{
  if (s.empty() || s[0] != '$') {
    val = s;
    return true;
  }

  const string& var = s.substr(1);
  checked_vars[var] = true;

  return get_var(var, val);
}


bool RGWPolicyEnv::match_policy_vars(map<string, bool, ltstr_nocase>& policy_vars, string& err_msg)
{
  map<string, string, ltstr_nocase>::iterator iter;
  string ignore_prefix = "x-ignore-";
  for (iter = vars.begin(); iter != vars.end(); ++iter) {
    const string& var = iter->first;
    if (strncasecmp(ignore_prefix.c_str(), var.c_str(), ignore_prefix.size()) == 0)
      continue;
    if (policy_vars.count(var) == 0) {
      err_msg = "Policy missing condition: ";
      err_msg.append(iter->first);
      dout(1) << "env var missing in policy: " << iter->first << dendl;
      return false;
    }
  }
  return true;
}

RGWPolicy::~RGWPolicy()
{
  list<RGWPolicyCondition *>::iterator citer;
  for (citer = conditions.begin(); citer != conditions.end(); ++citer) {
    RGWPolicyCondition *cond = *citer;
    delete cond;
  }
}

int RGWPolicy::set_expires(const string& e)
{
  struct tm t;
  if (!parse_iso8601(e.c_str(), &t))
      return -EINVAL;

  expires = internal_timegm(&t);

  return 0;
}

int RGWPolicy::add_condition(const string& op, const string& first, const string& second, string& err_msg)
{
  RGWPolicyCondition *cond = NULL;
  if (stringcasecmp(op, "eq") == 0) {
    cond = new RGWPolicyCondition_StrEqual;
  } else if (stringcasecmp(op, "starts-with") == 0) {
    cond = new RGWPolicyCondition_StrStartsWith;
  } else if (stringcasecmp(op, "content-length-range") == 0) {
    off_t min, max;
    int r = stringtoll(first, &min);
    if (r < 0) {
      err_msg = "Bad content-length-range param";
      dout(0) << "bad content-length-range param: " << first << dendl;
      return r;
    }

    r = stringtoll(second, &max);
    if (r < 0) {
      err_msg = "Bad content-length-range param";
      dout(0) << "bad content-length-range param: " << second << dendl;
      return r;
    }

    if (min > min_length)
      min_length = min;

    if (max < max_length)
      max_length = max;

    return 0;
  }

  if (!cond) {
    err_msg = "Invalid condition: ";
    err_msg.append(op);
    dout(0) << "invalid condition: " << op << dendl;
    return -EINVAL;
  }

  cond->set_vals(first, second);
  
  conditions.push_back(cond);

  return 0;
}

int RGWPolicy::check(RGWPolicyEnv *env, string& err_msg)
{
  uint64_t now = ceph_clock_now().sec();
  if (expires <= now) {
    dout(0) << "NOTICE: policy calculated as expired: " << expiration_str << dendl;
    err_msg = "Policy expired";
    return -EACCES; // change to condition about expired policy following S3
  }

  list<pair<string, string> >::iterator viter;
  for (viter = var_checks.begin(); viter != var_checks.end(); ++viter) {
    pair<string, string>& p = *viter;
    const string& name = p.first;
    const string& check_val = p.second;
    string val;
    if (!env->get_var(name, val)) {
      dout(20) << " policy check failed, variable not found: '" << name << "'" << dendl;
      err_msg = "Policy check failed, variable not found: ";
      err_msg.append(name);
      return -EACCES;
    }

    set_var_checked(name);

    dout(20) << "comparing " << name << " [" << val << "], " << check_val << dendl;
    if (val.compare(check_val) != 0) {
      err_msg = "Policy check failed, variable not met condition: ";
      err_msg.append(name);
      dout(1) << "policy check failed, val=" << val << " != " << check_val << dendl;
      return -EACCES;
    }
  }

  list<RGWPolicyCondition *>::iterator citer;
  for (citer = conditions.begin(); citer != conditions.end(); ++citer) {
    RGWPolicyCondition *cond = *citer;
    if (!cond->check(env, checked_vars, err_msg)) {
      return -EACCES;
    }
  }

  if (!env->match_policy_vars(checked_vars, err_msg)) {
    dout(1) << "missing policy condition" << dendl;
    return -EACCES;
  }
  return 0;
}


int RGWPolicy::from_json(bufferlist& bl, string& err_msg)
{
  JSONParser parser;

  if (!parser.parse(bl.c_str(), bl.length())) {
    err_msg = "Malformed JSON";
    dout(0) << "malformed json" << dendl;
    return -EINVAL;
  }

  // as no time was included in the request, we hope that the user has included a short timeout
  JSONObjIter iter = parser.find_first("expiration");
  if (iter.end()) {
    err_msg = "Policy missing expiration";
    dout(0) << "expiration not found" << dendl;
    return -EINVAL; // change to a "no expiration" error following S3
  }

  JSONObj *obj = *iter;
  expiration_str = obj->get_data();
  int r = set_expires(expiration_str);
  if (r < 0) {
    err_msg = "Failed to parse policy expiration";
    return r;
  }

  iter = parser.find_first("conditions");
  if (iter.end()) {
    err_msg = "Policy missing conditions";
    dout(0) << "conditions not found" << dendl;
    return -EINVAL; // change to a "no conditions" error following S3
  }

  obj = *iter;

  iter = obj->find_first();
  for (; !iter.end(); ++iter) {
    JSONObj *child = *iter;
    dout(20) << "data=" << child->get_data() << dendl;
    dout(20) << "is_object=" << child->is_object() << dendl;
    dout(20) << "is_array=" << child->is_array() << dendl;
    JSONObjIter citer = child->find_first();
    if (child->is_array()) {
      vector<string> v;
      int i;
      for (i = 0; !citer.end() && i < 3; ++citer, ++i) {
	JSONObj *o = *citer;
        v.push_back(o->get_data());
      }
      if (i != 3 || !citer.end()) { /* we expect exactly 3 arguments here */
        err_msg = "Bad condition array, expecting 3 arguments";
        return -EINVAL;
      }

      int r = add_condition(v[0], v[1], v[2], err_msg);
      if (r < 0)
        return r;
    } else if (!citer.end()) {
      JSONObj *c = *citer;
      dout(20) << "adding simple_check: " << c->get_name() << " : " << c->get_data() << dendl;

      add_simple_check(c->get_name(), c->get_data());
    } else {
      return -EINVAL;
    }
  }
  return 0;
}