# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""Blueprint for checking project status."""

import json
import logging

import flask
import requests
import status_utilities as su

status = flask.Blueprint("status", __name__)
logger = logging.getLogger(__name__)


@status.route("/restricted_services_status_cloudfunctions", methods=["GET"])
def restricted_services_status_cloudfunctions():
    """Get boolean status of wether cloudfunctions is restricted."""
    return su.get_restricted_service_status(flask.request, "cloudfunctions_restricted")


@status.route("/restricted_services_status_dialogflow", methods=["GET"])
def restricted_services_status_dialogflow():
    """Get boolean status of wether dialogflow is restricted."""
    return su.get_restricted_service_status(flask.request, "dialogflow_restricted")


@status.route("/webhook_ingress_internal_only_status", methods=["GET"])
def webhook_ingress_internal_only_status():
    """Get boolean status of internally restricted webhook ingress."""
    data = su.get_token_and_project(flask.request)
    if "response" in data:
        return data["response"]
    project_id, token = data["project_id"], data["token"]
    region = flask.request.args["region"]
    webhook_name = flask.request.args["webhook_name"]

    response = su.check_function_exists(token, project_id, region, webhook_name)
    if "response" in response:
        return response["response"]

    headers = {}
    headers["x-goog-user-project"] = project_id
    headers["Authorization"] = f"Bearer {token}"
    result = requests.get(
        (
            "https://cloudfunctions.googleapis.com/v1/projects/"
            f"{project_id}/locations/{region}/functions/{webhook_name}"
        ),
        headers=headers,
        timeout=10,
    )
    if result.status_code != 200:
        logger.info("  cloudfunctions API rejected request: %s", result.text)
        return flask.abort(result.status_code)
    result_dict = result.json()
    if result_dict["ingressSettings"] in [
        "ALLOW_INTERNAL_ONLY",
        "ALLOW_INTERNAL_AND_GCLB",
    ]:
        return flask.Response(status=200, response=json.dumps({"status": True}))
    return flask.Response(status=200, response=json.dumps({"status": False}))


@status.route("/webhook_access_allow_unauthenticated_status", methods=["GET"])
def webhook_access_allow_unauthenticated_status():  # pylint: disable=too-many-branches,too-many-return-statements
    """Get boolean status of allow unauthenticated webhook access."""
    data = su.get_token_and_project(flask.request)
    if "response" in data:
        return data["response"]
    project_id, token = data["project_id"], data["token"]
    region = flask.request.args["region"]
    webhook_name = flask.request.args["webhook_name"]

    response = su.check_function_exists(token, project_id, region, webhook_name)
    if "response" in response:
        return response["response"]

    headers = {}
    headers["x-goog-user-project"] = project_id
    headers["Authorization"] = f"Bearer {token}"
    result = requests.get(
        (
            "https://cloudfunctions.googleapis.com/v2/"
            f"projects/{project_id}/locations/{region}/"
            f"functions/{webhook_name}:getIamPolicy"
        ),
        headers=headers,
        timeout=10,
    )
    if result.status_code == 403:
        if (result.json()["error"]["status"] == "PERMISSION_DENIED") and (
            result.json()["error"]["message"].startswith(
                "Permission 'cloudfunctions.functions.getIamPolicy' denied"
            )
        ):
            return flask.Response(
                status=200,
                response=json.dumps(
                    {"status": "BLOCKED", "reason": "PERMISSION_DENIED"}
                ),
            )
        if (result.json()["error"]["status"] == "PERMISSION_DENIED") and (
            result.json()["error"]["message"].startswith(
                "Cloud Functions API has not been used in project"
            )
        ):
            return flask.Response(
                status=200,
                response=json.dumps(
                    {"status": "BLOCKED", "reason": "CLOUDFUNCTIONS_API_DISABLED"}
                ),
            )
        for details in result.json()["error"]["details"]:
            for violation in details["violations"]:
                if violation["type"] == "VPC_SERVICE_CONTROLS":
                    return flask.Response(
                        status=200,
                        response=json.dumps(
                            {"status": "BLOCKED", "reason": "VPC_SERVICE_CONTROLS"}
                        ),
                    )
        return flask.Response(status=500, response=result.text)
    if result.status_code != 200:
        logger.info("  cloudfunctions API rejected request: %s", result.text)
        return flask.abort(result.status_code)
    policy_dict = result.json()
    all_users_is_invoker_member = False
    for binding in policy_dict.get("bindings", []):
        for member in binding.get("members", []):
            if (
                member == "allUsers"
                and binding["role"] == "roles/cloudfunctions.invoker"
            ):
                all_users_is_invoker_member = True

    logger.info("  all_users_is_invoker_member: %s", all_users_is_invoker_member)
    if all_users_is_invoker_member:
        return flask.Response(status=200, response=json.dumps({"status": False}))
    return flask.Response(status=200, response=json.dumps({"status": True}))


@status.route("/service_directory_webhook_fulfillment_status", methods=["GET"])
def service_directory_webhook_fulfillment_status():
    """Get boolean status of service directory usage in webhook."""
    data = su.get_token_and_project(flask.request)
    if "response" in data:
        return data["response"]
    project_id, token = data["project_id"], data["token"]
    untrusted_region = flask.request.args["region"]
    if untrusted_region in ["us-central1"]:
        region = untrusted_region
    else:
        return flask.Response(
            status=200,
            response=json.dumps({"status": "BLOCKED", "reason": "UNKNOWN_REGION"}),
        )

    result = su.get_agents(token, project_id, region)
    if "response" in result:
        return result["response"]
    if "Telecommunications" not in result["data"]:
        return flask.Response(
            status=200,
            response=json.dumps({"status": "BLOCKED", "reason": "AGENT_NOT_FOUND"}),
        )
    agent_name = result["data"]["Telecommunications"]["name"]
    result = su.get_webhooks(token, agent_name, project_id, region)
    if "response" in result:
        response = result["response"]
    else:
        webhook_dict = result["data"]["cxPrebuiltAgentsTelecom"]
        if "serviceDirectory" in webhook_dict:
            response = flask.Response(status=200, response=json.dumps({"status": True}))
        else:
            response = flask.Response(
                status=200, response=json.dumps({"status": False})
            )
    return response