#!/bin/sh

enable -f libjsonget.so jsonget

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/lighttpd
NAME=lighttpd
ANGEL=/sbin/lighttpd-angel
DESC="Lighttpd Web Server"
# Web UI
OPTS="-D -f /etc/lighttpd.conf"
# Node-RED stub
OPTS_NRS="-f /etc/lighttpd_nrs.conf"

CAPA_NODE_RED=$(jsonget "$(< /var/run/config/device_info.json)" /capabilities/nodeRed)

CONF_DIR=/var/config
RUN_CONF_DIR=/var/run/config

true2enable() {
  if [[ "$1" == "true" ]]; then
    echo "enable"
  else
    echo "disable"
  fi
}

#Generates additional lighttpd configuration files
#1) Enables HTTPS
#2) Allows port configurations for HTTP and HTTPS
#3) Enables dipservice
#4) Allows port configurations for dipservice
generate_config() {
  FILE="$RUN_CONF_DIR/lighttpd_port.conf"
  FILE_DIP="$RUN_CONF_DIR/lighttpd_dipservice.conf"

  #Pull Webserver Ports
  RMA=$(jsonget "$(< "/var/config/db.json")" /remoteAccess)
  HTTP_ENABLED=$(jsonget "$RMA" /http/enabled)
  HTTP_PORT=$(jsonget "$RMA" /http/port)
  HTTPS_REDIRECT=$(jsonget "$RMA" /http/redirectToHttps)
  HTTPS_ENABLED=$(jsonget "$RMA" /https/enabled)
  HTTPS_PORT=$(jsonget "$RMA" /https/port)

  # Advanced secure protocol settings
  ADVANCED_SEC_VALID="false"
  ADVANCED_SEC=$(jsonget "$(< "/var/config/db.json")" /secureProtocols/2)

  if [[ "0" == "$?" ]]; then
    ADVANCED_SEC_NAME=$(jsonget "$ADVANCED_SEC" /name)
    if [[ "$ADVANCED_SEC_NAME" == "lighttpd" ]]; then
      ADVANCED_SEC_VALID="true"
      HTTPS_SSL3=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/ssl3))
      HTTPS_TLS1=$(true2enable "false") # $(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1))
      HTTPS_TLS1_1=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_1))
      HTTPS_TLS1_2=$(true2enable $(jsonget "$ADVANCED_SEC" /protocol/tls1_2))
      HTTPS_CIPHER=$(jsonget "$ADVANCED_SEC" /cipherSuite)
      if [[ -z $HTTPS_CIPHER && -f /etc/ssl/allowed_ciphersuites ]]; then
        HTTPS_CIPHER=$( cat /etc/ssl/allowed_ciphersuites | tr "\n" ":" )
      fi
      CLIENT_VERIFY=$(jsonget "$ADVANCED_SEC" /client/verify )
    fi
  fi

  if [[ "$ADVANCED_SEC_VALID" != "true" ]]; then
    echo "API init. Using default SSL security settings"
    # In case of invalid Advanced Security section - start with default parameters
    HTTPS_SSL3=$(true2enable "false")
    HTTPS_TLS1=$(true2enable "false")
    HTTPS_TLS1_1=$(true2enable "false")
    HTTPS_TLS1_2=$(true2enable "true")
    HTTPS_CIPHER=""
    CLIENT_VERIFY="false"
  fi

  #("Protocol" => "-ALL, TLSv1.2")
  HTTPS_SSL_CONF='("Protocol" => "-ALL'

  if [[ "$HTTPS_TLS1" == "enable" ]]; then
    HTTPS_SSL_CONF+=', TLSv1'
  fi
  if [[ "$HTTPS_TLS1_1" == "enable" ]]; then
    HTTPS_SSL_CONF+=', TLSv1.1'
  fi
  if [[ "$HTTPS_TLS1_2" == "enable" ]]; then
    HTTPS_SSL_CONF+=', TLSv1.2'
  fi
  HTTPS_SSL_CONF+='")'

  #Generate Lighttpd dipservice config
  DIP=$(jsonget "$(< "$CONF_DIR/db.json")" /customDiagnostic || echo '{ "enabled": false, "port":8080 }')
  DIP_ENABLED=$(jsonget "$DIP" /enabled)
  DIP_PORT=$(jsonget "$DIP" /port)

  echo "Generating $FILE_DIP"
  > "$FILE_DIP"

  #Generate Lighttpd Port Config
  echo "Generating $FILE"
  > "$FILE"

  if [[ "$DIP_ENABLED" == "true" ]]; then
    cat >> $FILE_DIP <<END
\$SERVER["socket"] == "0.0.0.0:$DIP_PORT" {
  fastcgi.server = (
    "/" => (
      (
        "host" => "127.0.0.1",
        "port" => 9009,
        "check-local" => "disable",
        "bin-path" => "/sbin/dipservice -d /var/config/dipdata",
        "max-procs" => 1,
        "docroot" => "/var/config/dipdata"
      )
    )
  )
}
END
  fi

  cat >> $FILE <<END
#AUTO-GENERATED LIGHTTPD HTTP/HTTPS CONFIGURATIONS
#DO NOT CHANGE THIS FILE -> CHANGE $0
END

#Explicitly set the default listening port to HTTP port.
cat >> $FILE <<END

# listen to ipv4
server.bind = "0.0.0.0"
server.port = "$HTTP_PORT"
END

  if [ "$HTTPS_ENABLED" = "true" ]; then
    # Enable HTTPS for ipv4/ipv6
    # See (https://redmine.lighttpd.net/projects/lighttpd/wiki/IPv6-Config#Recommended-IPv6-setup)

    HTTPS_SSL_ENGINE_CONFIG="ssl.engine = \"enable\"
    ssl.use-sslv3 = \"$HTTPS_SSL3\"
    ssl.openssl.ssl-conf-cmd = $HTTPS_SSL_CONF
    ssl.pemfile = \"$CONF_DIR/server.pem\""

    if [ "$CLIENT_VERIFY" = "true" ]; then
      HTTPS_SSL_ENGINE_CONFIG+="ssl.ca-file = \"/etc/ssl/certs/ca-certificates.crt\"
    ssl.verifyclient.activate = \"enable\"
    ssl.verifyclient.enforce = \"enable\""
    fi

    if [ -n "$HTTPS_CIPHER" ]; then
      HTTPS_SSL_ENGINE_CONFIG+="
    ssl.cipher-list = \"$HTTPS_CIPHER\""
    fi

    cat >> $FILE <<END

# ipv4 socket
\$SERVER["socket"] == "0.0.0.0:$HTTPS_PORT" {
  $HTTPS_SSL_ENGINE_CONFIG
}

# ipv6 socket
\$SERVER["socket"] == "[::]:$HTTPS_PORT" {
  $HTTPS_SSL_ENGINE_CONFIG
}

END

  fi


  # Ensure that loopback can always access port 80
  if [ "$HTTP_PORT" != 80 ]; then
    echo "\$SERVER[\"socket\"] == \"127.0.0.1:80\" { }" >> $FILE
  fi

  # Enable redirect from HTTP to HTTPS if enabled
  if [ "$HTTPS_REDIRECT" == "true" ]; then
    HTTPS_REDIRECT_CONFIG="\$SERVER[\"socket\"] == \":$HTTP_PORT\" {
      \$HTTP[\"host\"] =~ \"^([^:^/]*)(:\d*)?(.*)\" {
        url.redirect = ( \"^/(.*)\" => \"https://%1:$HTTPS_PORT/\$1\" )
      }
    } else "
  fi

  HTTPX_REWRITE_URL='url.rewrite-once = ( "^/(?!static|api|tmp|help)(.+)/?$" => "/index.html" )'

  #BREAKDOWN
  # LINE 1: CHECK: REMOTE IP IS NOT 127.0.0.1 (LOOPBACK)
  # LINE 2: CHECK: DEST PORT IS THE HTTP PORT LIGHTTPD IS LISTENING ON
  # LINE 3: CHECK: HOST ADDRESS (ex: 192.168.2.1:81/whatever) MATCHES THE REGEX [DOMAIN][PORT (optional)][URI]
  #   THE REGEX FROM LINE 3 CAN BE ACCESSED IN LINE 4 WITH '%#' (ex: %1 == DOMAIN, %2 == PORT, %3 == URI)
  # LINE 4: FUNCTION: REGEX THE URI ([MATCH ALL]) AND BUILD THE REDIRECT URL
  #   THE REGEX FROM LINE 4 CAN BE ACCESSED IN THE REDIRECT CONSTRUCTION WITH '$#' (ex: $1 == THE ENTIRE URI)

  cat >> $FILE <<END
\$HTTP["remoteip"] != "127.0.0.1" {
  $HTTPS_REDIRECT_CONFIG \$HTTP["host"] =~ "^([^:^/]*)(:\d*)?(.*)" {
    \$SERVER["socket"] == "[::]:$HTTPS_PORT" {
      $HTTPX_REWRITE_URL
    }
    \$SERVER["socket"] == ":$HTTPS_PORT" {
      $HTTPX_REWRITE_URL
    }
    \$SERVER["socket"] == ":$HTTP_PORT" {
      $HTTPX_REWRITE_URL
    }
  }
}
END
}

populate_www_images() {
  local CONFIGIMAGES="/var/config/images"
  local OEMIMAGES="/var/oem/images"
  local WWWIMAGES="/var/volatile/www/images"
  local WWWIMAGES_RO="/var/www/images_ro"

  # Populate images only once per boot
  if [ ! -d $WWWIMAGES ]; then

    # Copy from oem partition to config partition
    if [ ! -d $CONFIGIMAGES ]; then
      if [ -d $OEMIMAGES ]; then
        echo "Copying oem images"
        mkdir -p $CONFIGIMAGES
        cp -rf $OEMIMAGES/* $CONFIGIMAGES
      fi
    fi

    # Copy from root partition to RAM
    mkdir -p $WWWIMAGES
    cp -rf $WWWIMAGES_RO/* $WWWIMAGES

    # Overwrite with /var/config/images
    if [ -d $CONFIGIMAGES ]; then
      cp -rf $CONFIGIMAGES/* $WWWIMAGES
    fi
  fi
}

wait_ready() {
  # wait api
  local retry=0
  local MAX=30
  sleep 1
  while [ $retry -lt $MAX ]; do
    if [ "200" == "$(curl -s --unix-socket /var/run/api/http.sock -I -o /dev/null -w "%{http_code}" http://localhost/api/system)" ]; then
      return
    fi
    retry=$(( $retry + 1 ))
    echo "Waiting for API ($retry/$MAX)..."
    sleep 1
  done
  echo "Failed waiting API!"
}

start() {
  mkdir -p /var/volatile/www/tmp
  lighttpd_custom_images_setup  # detect mime types for UI Customization images and generate Lighttpd config fragment

  generate_config

  start-stop-daemon --start --background --exec $ANGEL -- $DAEMON $OPTS

  if [ "$CAPA_NODE_RED" = "true" ]; then
    start-stop-daemon --start -x "$DAEMON" -p /var/run/lighttpd_nrs.pid -- $OPTS_NRS
  fi

  wait_ready
}

stop() {
  start-stop-daemon --stop --exec $ANGEL

  if [ "$CAPA_NODE_RED" = "true" ]; then
    start-stop-daemon --stop -x "$DAEMON" -p /var/run/lighttpd_nrs.pid
    rm -f /var/run/lighttpd_nrs.pid
  fi

  rm -f /var/run/config/lighttpd_*
}

populate_www_images

case "$1" in
  start)
	echo -n "Starting $DESC: "
	start
	echo "$NAME."
	;;
  stop)
	echo -n "Stopping $DESC: "
	stop
	echo "$NAME."
	;;
  restart|force-reload)
	echo -n "Restarting $DESC: "
	stop
	sleep 1
	start
	echo "$NAME."
	;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0