#!/usr/bin/env ruby
# Utility function to scan various scripts
#   Docs: for Wvisible PAGETITLE and categories in .cgi
#   Repos: for ASF::SVN access in .cgi|rb
$LOAD_PATH.unshift '/srv/whimsy/lib'
require 'wunderbar'
require 'whimsy/asf'
SCANDIR = '../www'
ISERR = '!'
AUTHMAP = { # From whimsy-vm4.apache.org.yaml
  'ASF Committers' => 'text-muted',
  'ASF Members and Officers' => 'text-primary',
  'ASF Members and Incubator PMC' => 'text-success',
  'ASF Members' => 'text-warning',
  'ASF Secretarial Team' => 'text-danger'
}
AUTHPUBLIC = 'glyphicon-eye-open'
ASFSVN = /ASF::SVN/
SCANDIRSVN = '../'
WWWAUTH = /WWW-Authenticate: Basic realm/
CONSTANT_DEF = /(?<matchconst>[A-Z_]+)\s+=\s+['"](?<matchval>[^#]+)['"]/ # Attempt to capture CONSTANT = "value"

HTTPD_SITES = '/etc/apache2/sites-enabled'
# Use wild-card to allow for possible renames (normally 10-whimsy-vm-443.conf)
# Also allows testing on a developer system (use a different suffix that is not Included by httpd)
WHIMSY_CONF = File.join(HTTPD_SITES, '*-whimsy-vm-443.*')

# Output ul of key of AUTHMAP for use in helpblock
def emit_authmap
  _ul do
    _li do
      _span.glyphicon :aria_hidden, :class => AUTHPUBLIC
      _ 'Publicly available'
    end
    AUTHMAP.each do |realm, style|
      _li do
        _span.glyphicon.glyphicon_lock :aria_hidden, :class =>  style, aria_label: realm
        _ realm
      end
    end
  end
end

# Output a span with the auth level
def emit_auth_level(level)
  if level
    _span :class =>  level, aria_label: AUTHMAP.key(level) do
      _span.glyphicon.glyphicon_lock :aria_hidden
    end
  else
    _span.glyphicon :aria_hidden, :class =>  AUTHPUBLIC
  end
end

# Scan single file for PAGETITLE and categories when Wvisible
# @return [PAGETITLE, [cat,egories] ] or ["!Bogosity error", "stacktrace"]
def scan_file(f)
  begin
    File.open(f).each_line.map(&:chomp).each do |line|
      if line =~ /\APAGETITLE\s?=\s?"([^"]+)"\s?#\s?Wvisible:(.*)/i then
        return [$1, $2.chomp.split(%r{[\s,]})]
      end
    end
    return nil
  rescue Exception => e
    return ["#{ISERR}Bogosity! #{e.message[0..255]}", "\t#{e.backtrace.join("\n\t")}"]
  end
end

# Return data only about Wvisible cgis, plus any errors
# @return [ [PAGETITLE, [cat,egories] ], ... ]
def scan_dir(dir)
  links = {}
  Dir["#{dir}/**/*.cgi"].each do |f|
    l = scan_file(f)
    links[f.sub(dir, '')] = l if l
  end
  return links
end


# Parse httpd config file so we can annotate links with access hints
# Sample data:
# <LocationMatch ^/board/subscriptions>
#   AuthName "ASF Committers"
# <Directory /x1/srv/whimsy/www/committers>
#   AuthName "ASF Committers"
# @return { "/path" => "auth realm",... }
def get_auth
  hash = {}
  files = Dir[WHIMSY_CONF]
  return hash unless files.size == 1 # must match just one
  file = files.first
  loc = nil
  File.read(file).each_line do |l|
    if l =~ %r{<LocationMatch ([^>]+)>}
      loc = $1.gsub(/^\^/,'') # remove ^ prefix
    elsif l =~ %r{<Directory ([^>]+)>}
      # remove standard prefix and append '/' directory marker
      loc = $1.sub(%r{^(/x1)?/srv/whimsy/www},'')+'/'
    elsif l =~ %r{AuthName\s+"(.+)"} # generate the entry
      hash[loc] = $1 if loc
      loc = nil
    end
  end
  hash
end

# Annotate scan_dir entries with hints only for paths that require auth
# Side Effects:
#   - REMOVES any error scan entries
#   - Adds array element of auth realm if login required
def annotate_scan(scan, auth)
  annotated = scan.reject{ |_k, v| v[0] =~ /\A#{ISERR}/ }
  annotated.each do |path, ary|
    realm = auth.select { |k, _v| path.match(/\A#{k}/) }
    if realm.values.first
      ary << AUTHMAP[realm.values.first]
    end
  end
  return annotated
end

# Common use case # TODO these could be static generated files nightly
def get_annotated_scan(dir)
  scan = scan_dir(dir)
  auth = get_auth()
  return annotate_scan(scan, auth)
end

# Build a regex union from ASFSVN and an array
# @return Regexp.union(r...)
def build_regexp(list)
  r = []
  list.each do |itm|
    r << "#{ASFSVN.source}\['#{itm}']"
  end
  return Regexp.union(r)
end

# Scan file for use of ASF::SVN symbolic names like apmail_bin; unmapping any CONSTANT_DEF
# @return [["x = ASF::SVN['Meetings'] # Whole line of code accessing private repo", ...], [<public repos same>], 'WWW-Authenticate code line' ]
def scan_file_svn(f, regexs)
  repos = [[], [], []]
  consts = {}
  begin
    File.open(f).each_line.map(&:chomp).each do |line|
      line.strip!
      if line =~ WWWAUTH # Fastest compare first
        repos[2] << line
      elsif line =~ ASFSVN # Find all ASF::SVN and also map if it uses a CONSTANT_DEF
        consts.each do |k,v|
          line.sub!(k, v)
        end
        if line =~ regexs[0]
          repos[0] << line
        elsif line =~ regexs[1]
          repos[1] << line
        end
      elsif line =~ CONSTANT_DEF
        consts[$~['matchconst']] = "'#{$~['matchval']}'"
      end
    end
    return repos
  rescue Exception => e
    return [["#{ISERR}Bogosity! #{e.message[0..255]}", "\t#{e.backtrace.join("\n\t")}"],[]]
  end
end

# Scan directory for use of ASF::SVN (private or public)
# @return { "file" => [['private line', ...], ['public svn', ...], 'WWW-Authenticate code line' (, 'authrealm')] }
def scan_dir_svn(dir, regexs)
  links = {}
  auth = get_auth()
  Dir["#{dir}/**/*.{cgi,rb}"].sort.each do |f|
    l = scan_file_svn(f, regexs)
    if (l[0].length + l[1].length) > 0
      fbase = f.sub(dir, '')
      realm = auth.select { |k, _v| fbase.sub('/www', '').match(/\A#{k}/) }
      if realm.values.first
        l << AUTHMAP[realm.values.first]
      end
      links[fbase] = l
    end
  end
  return links
end