#!/usr/bin/env python3
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.

""" Machine fingerprint scanner and checker app thingy
Spits out:
    - index.html: a human readable page with all fingerprints
    - machines.json: a json file to keep score of previous fingerprints
    - fp.json: a json file for nodeping to work with
 """
import asyncio
from ..lib import config
from .. import plugins
import aiohttp
import aiohttp.client_exceptions
import functools
import os
import json
import requests
import subprocess
import base64
import hashlib
import time
import datetime
import fnmatch
import sys

KEYSCAN = "/usr/bin/ssh-keyscan"
IPDATA = requests.get(
    "https://svn.apache.org/repos/infra/infrastructure/trunk/dns/zones/ipdata.json",
    timeout=120
).json()
IGNORE_HOSTS = (
    "bb-win10",
    "ci.hive",
    "ci2.ignite",
    "cloudstack-gateway",
    "corpora.tika",
    "demo.*",
    "donate",
    "jenkins-*",
    "metrics.beam",
    "mtcga*.ignite",
    "reviews.ignite",
    "vpn.plc4x",
    "weex",
    "pnap-us-west-generic-nat",
    "bb-win-azr-1",
    "bb-win-azr-2",
    "www",
    "www.play*",
)
FPDATA = {}
COUNT = 0


def get_fps():
    if bool(globals()["FPDATA"]):
        return globals()["FPDATA"]
    else:
        return {"HTML": "<h4>Scanning machine fingerprints...</h4>"}


class Host:
    def __init__(self, name, ip):
        self.ips = [ip]
        self.name = name


def l2fp(line):
    """Public key to fingerprints"""
    key = base64.b64decode(line.strip().split()[-1])
    fp_plain = hashlib.md5(key).hexdigest()
    fp_md5 = ":".join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2]))
    fp_sha256 = (
        base64.b64encode(hashlib.sha256(key).digest()).decode("ascii").rstrip("=")
    )
    return fp_md5, fp_sha256


async def fpscan():
    old_hosts = {}
    hosts = {}
    for ip, name in IPDATA.items():
        if name in hosts:
            hosts[name].ips.append(ip)
        else:
            hosts[name] = Host(name, ip)

    reachable = 0
    unreachable = []
    all_notes = []
    for name, host_data in sorted(hosts.items()):
        if any(fnmatch.fnmatch(name, pattern) for pattern in IGNORE_HOSTS):
            continue
        ipv4 = [x for x in host_data.ips if "." in x][0]

        try:
            kdata_rsa = await asyncio.create_subprocess_shell(
                f"{KEYSCAN} -T 1 -4 -t rsa {name}.apache.org",
                stdout=asyncio.subprocess.PIPE,
                stderr=asyncio.subprocess.PIPE
                # (KEYSCAN, '-T', '1', '-4', '-t', 'rsa' f"{name}.apache.org"), stderr=asyncio.subprocess.PIPE
            )
            kdata_ecdsa = await asyncio.create_subprocess_shell(
                f"{KEYSCAN} -T  1  -4  -t  ecdsa  {name}.apache.org",
                stdout=asyncio.subprocess.PIPE,
                stderr=asyncio.subprocess.PIPE
                # (KEYSCAN, '-T', '1', '-4', '-t', 'ecdsa', f"{name}.apache.org"), stderr=asyncio.subprocess.PIPE
            )
            keydata_rsa, rsa_stderr = await kdata_rsa.communicate()
            keydata_ecdsa, ecdsa_stderr = await kdata_ecdsa.communicate()
            if not keydata_rsa:
                unreachable.append(name)
                continue
            gunk, rsa_sha256 = l2fp(keydata_rsa)
            gunk, ecdsa_sha256 = l2fp(keydata_ecdsa)
            reachable += 1
            now = int(time.time())
            now_str = datetime.datetime.fromtimestamp(now).strftime("%c")

            if name not in old_hosts:
                old_hosts[name] = {
                    "ipv4": ipv4,
                    "fingerprint_ecdsa": ecdsa_sha256,
                    "fingerprint_rsa": rsa_sha256,
                    "first_seen": now,
                    "last_seen": now,
                    "okay": True,
                    "notes": [],
                }
            else:
                oho = old_hosts[name]
                if oho["fingerprint_rsa"] != rsa_sha256:
                    note = f"Fingerprint of {name} changed at {now_str}, from {oho['fingerprint_rsa']} to {rsa_sha256}!"
                    oho["okay"] = False
                    oho["notes"].append(note)
                    all_notes.append(note)
                    # print(note)

        except KeyboardInterrupt:
            break
        except subprocess.CalledProcessError as e:
            unreachable.append(name)

    stamp = time.strftime("%Y-%m-%d %H:%M:%S %z", time.gmtime())
    rtxt = ""
    if unreachable:
        rtxt = f"({len(unreachable)} hosts not reachable)"
    html = (
        """
        <style>
                    #fingerprints td:last-child {
        font-size: 0.8rem;
                        font-family: sans-serif;
                    }
                    #fingerprints tr:nth-child(even) {
        background-color: #f4f4f4
                    }
                    #fingerprints>kbd,#fingerprints td:not(:first-child) kbd,#fingerprints li>kbd {
        -moz-border-radius:3px;
                        -moz-box-shadow:0 1px 0 rgba(0,0,0,0.2),0 0 0 2px #fff inset;
                        -webkit-border-radius:3px;
                        -webkit-box-shadow:0 1px 0 rgba(0,0,0,0.2),0 0 0 2px #fff inset;
                        background-color:#f7f7f7;
                        border:1px solid #ccc;
                        border-radius:3px;
                        box-shadow:0 1px 0 rgba(0,0,0,0.2),0 0 0 2px #fff inset;
                        color:#333;
                        display:inline-block;
                        font-family:monospace;
                        font-size:11px;
                        line-height:1.4;
                        margin:0 .1em;
                        padding:.1em .6em;
                        text-shadow:0 1px 0 #fff;
                    }
                    #fingerprints th, #fingerprints td {
        padding: 6px !important;
                    }

                </style>
    """
        + f"<h2>{reachable} verified hosts {rtxt} @ {stamp}</h2>"
    )
    html += "<table id='fingerprints' cellpadding='6' cellspacing='0' style='border: 0.75px solid #333;'><tr><th>Hostname</th><th>IPv4</th><th>RSA Fingerprint (SHA256)</th><th>ECDSA Fingerprint (SHA256)</th><th>Status</th></tr>\n"

    # Print each known host
    for name, data in sorted(old_hosts.items()):
        if name in hosts:
            status = "Verified (OK)"
            if name in unreachable:
                status = "Unreachable"
            if data["notes"]:
                status = "<span color='F70'>CHANGED</span>"
            html += (
                "<tr style='background: inherit;'><td><kbd><b>%s</b></kbd></td><td><kbd>%s</kbd></td><td><kbd>%s</kbd></td><td><kbd>%s</kbd></td><td>%s</td></tr>\n"
                % (
                    name,
                    data["ipv4"],
                    data["fingerprint_rsa"],
                    data["fingerprint_ecdsa"],
                    status,
                )
            )

    # Print unknown unreachables at the bottom
    for name in unreachable:
        if name in old_hosts:
            continue
        data = hosts[name]
        ipv4 = [x for x in data.ips if "." in x][0]
        html += (
            "<tr style='background: inherit;'><td><kbd><b>%s</b></kbd></td><td><kbd>%s</kbd></td><td><kbd>N/A</kbd></td><td><kbd>N/A</kbd></td><td>Unreachable</td></tr>\n"
            % (name, ipv4)
        )
    html += "</table>"
    globals()["FPDATA"] = {
        "HTML": html,
        "changes": {"changed": len(all_notes), "notes": all_notes},
        "old_hosts": old_hosts,
    }
    print("Fingerprint roster updated!")


async def fp_scan_loop():
    while True:
        await fpscan()
        await asyncio.sleep(43200)

plugins.root.register(
    fp_scan_loop, slug="machines", title="Machine Fingerprints", icon="bi-fingerprint"
)