#!/usr/bin/env python3
#
# Copyright (C) 2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import re

from sys import argv
from sys import exit

from vyos.configtree import ConfigTree
from vyos.template import is_ipv4
from vyos.template import is_ipv6


if (len(argv) < 1):
    print("Must specify file name!")
    exit(1)

file_name = argv[1]

with open(file_name, 'r') as f:
    config_file = f.read()

base = ['vpn', 'ipsec']
config = ConfigTree(config_file)

if not config.exists(base):
    # Nothing to do
    exit(0)

# IKE changes, T4118:
if config.exists(base + ['ike-group']):
    for ike_group in config.list_nodes(base + ['ike-group']):
        # replace 'ipsec ike-group <tag> mobike disable'
        #      => 'ipsec ike-group <tag> disable-mobike'
        mobike = base + ['ike-group', ike_group, 'mobike']
        if config.exists(mobike):
            if config.return_value(mobike) == 'disable':
                config.set(base + ['ike-group', ike_group, 'disable-mobike'])
            config.delete(mobike)

        # replace 'ipsec ike-group <tag> ikev2-reauth yes'
        #      => 'ipsec ike-group <tag> ikev2-reauth'
        reauth = base + ['ike-group', ike_group, 'ikev2-reauth']
        if config.exists(reauth):
            if config.return_value(reauth) == 'yes':
                config.delete(reauth)
                config.set(reauth)
            else:
                config.delete(reauth)

# ESP changes
# replace 'ipsec esp-group <tag> compression enable'
#      => 'ipsec esp-group <tag> compression'
if config.exists(base + ['esp-group']):
    for esp_group in config.list_nodes(base + ['esp-group']):
        compression = base + ['esp-group', esp_group, 'compression']
        if config.exists(compression):
            if config.return_value(compression) == 'enable':
                config.delete(compression)
                config.set(compression)
            else:
                config.delete(compression)

# PEER changes
if config.exists(base + ['site-to-site', 'peer']):
    for peer in config.list_nodes(base + ['site-to-site', 'peer']):
        peer_base = base + ['site-to-site', 'peer', peer]

        # replace: 'peer <tag> id x'
        #       => 'peer <tag> local-id x'
        if config.exists(peer_base + ['authentication', 'id']):
            config.rename(peer_base + ['authentication', 'id'], 'local-id')

        # For the peer '@foo' set remote-id 'foo' if remote-id is not defined
        # For the peer '192.0.2.1' set remote-id '192.0.2.1' if remote-id is not defined
        if not config.exists(peer_base + ['authentication', 'remote-id']):
            tmp = peer.replace('@', '') if peer.startswith('@') else peer
            config.set(peer_base + ['authentication', 'remote-id'], value=tmp)

        # replace: 'peer <tag> force-encapsulation enable'
        #       => 'peer <tag> force-udp-encapsulation'
        force_enc = peer_base + ['force-encapsulation']
        if config.exists(force_enc):
            if config.return_value(force_enc) == 'enable':
                config.delete(force_enc)
                config.set(peer_base + ['force-udp-encapsulation'])
            else:
                config.delete(force_enc)

        # add option: 'peer <tag> remote-address x.x.x.x'
        remote_address = peer
        if peer.startswith('@'):
            remote_address = 'any'
        config.set(peer_base + ['remote-address'], value=remote_address)
        # Peer name it is swanctl connection name and shouldn't contain dots or colons
        # rename peer:
        #   peer 192.0.2.1   => peer peer_192-0-2-1
        #   peer 2001:db8::2 => peer peer_2001-db8--2
        #   peer @foo        => peer peer_foo
        re_peer_name = re.sub(':|\.', '-', peer)
        if re_peer_name.startswith('@'):
            re_peer_name = re.sub('@', '', re_peer_name)
        new_peer_name = f'peer_{re_peer_name}'

        config.rename(peer_base, new_peer_name)

# remote-access/road-warrior changes
if config.exists(base + ['remote-access', 'connection']):
    for connection in config.list_nodes(base + ['remote-access', 'connection']):
        ra_base = base + ['remote-access', 'connection', connection]
        # replace: 'remote-access connection <tag> authentication id x'
        #       => 'remote-access connection <tag> authentication local-id x'
        if config.exists(ra_base + ['authentication', 'id']):
            config.rename(ra_base + ['authentication', 'id'], 'local-id')

try:
    with open(file_name, 'w') as f:
        f.write(config.to_string())
except OSError as e:
    print(f'Failed to save the modified config: {e}')
    exit(1)