#!/usr/bin/env python3
#
# Copyright (C) 2018-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import sys
import os
import re

from copy import deepcopy
from netifaces import interfaces

from vyos import ConfigError
from vyos.config import Config
from vyos.configdict import list_diff
from vyos.util import run
from vyos.ifconfig import WireGuardIf

kdir = r'/config/auth/wireguard'

def _check_kmod():
    if not os.path.exists('/sys/module/wireguard'):
        if run('modprobe wireguard') != 0:
            raise ConfigError("modprobe wireguard failed")


def _migrate_default_keys():
    if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'):
        old_umask = os.umask(0o027)
        location = f'{kdir}/default'
        run(f'sudo mkdir -p {location}')
        run(f'sudo chgrp vyattacfg {location}')
        run(f'sudo chmod 750 {location}')
        os.rename(f'{kdir}/private.key', f'{location}/private.key')
        os.rename(f'{kdir}/public.key', f'{location}/public.key')
        os.umask(old_umask)


def get_config():
    c = Config()
    if not c.exists(['interfaces', 'wireguard']):
        return None

    # determine tagNode instance
    if 'VYOS_TAGNODE_VALUE' not in os.environ:
        raise ConfigError('Interface (VYOS_TAGNODE_VALUE) not specified')

    dflt_cnf = {
        'intfc': '',
        'addr': [],
        'addr_remove': [],
        'descr': '',
        'lport': None,
        'delete': False,
        'state': 'up',
        'fwmark': 0x00,
        'mtu': 1420,
        'peer': {},
        'peer_remove': [],
        'pk': '{}/default/private.key'.format(kdir)
    }

    ifname = str(os.environ['VYOS_TAGNODE_VALUE'])
    wg = deepcopy(dflt_cnf)
    wg['intfc'] = ifname
    wg['descr'] = ifname

    c.set_level(['interfaces', 'wireguard'])

    # interface removal state
    if not c.exists(ifname) and c.exists_effective(ifname):
        wg['delete'] = True

    if not wg['delete']:
        c.set_level(['interfaces', 'wireguard', ifname])
        if c.exists(['address']):
            wg['addr'] = c.return_values(['address'])

        # determine addresses which need to be removed
        eff_addr = c.return_effective_values(['address'])
        wg['addr_remove'] = list_diff(eff_addr, wg['addr'])

        # ifalias description
        if c.exists(['description']):
            wg['descr'] = c.return_value(['description'])

        # link state
        if c.exists(['disable']):
            wg['state'] = 'down'

        # local port to listen on
        if c.exists(['port']):
            wg['lport'] = c.return_value(['port'])

        # fwmark value
        if c.exists(['fwmark']):
            wg['fwmark'] = c.return_value(['fwmark'])

        # mtu
        if c.exists('mtu'):
            wg['mtu'] = c.return_value('mtu')

        # private key
        if c.exists(['private-key']):
            wg['pk'] = "{0}/{1}/private.key".format(
                kdir, c.return_value(['private-key']))

        # peer removal, wg identifies peers by its pubkey
        peer_eff = c.list_effective_nodes(['peer'])
        peer_rem = list_diff(peer_eff, c.list_nodes(['peer']))
        for p in peer_rem:
            wg['peer_remove'].append(
                c.return_effective_value(['peer', p, 'pubkey']))

        # peer settings
        if c.exists(['peer']):
            for p in c.list_nodes(['peer']):
                if not c.exists(['peer', p, 'disable']):
                    wg['peer'].update(
                        {
                            p: {
                                'allowed-ips': [],
                              'address': '',
                              'port': '',
                              'pubkey': ''
                            }
                        }
                    )
                    # peer allowed-ips
                    if c.exists(['peer', p, 'allowed-ips']):
                        wg['peer'][p]['allowed-ips'] = c.return_values(
                            ['peer', p, 'allowed-ips'])
                    # peer address
                    if c.exists(['peer', p, 'address']):
                        wg['peer'][p]['address'] = c.return_value(
                            ['peer', p, 'address'])
                    # peer port
                    if c.exists(['peer', p, 'port']):
                        wg['peer'][p]['port'] = c.return_value(
                            ['peer', p, 'port'])
                    # persistent-keepalive
                    if c.exists(['peer', p, 'persistent-keepalive']):
                        wg['peer'][p]['persistent-keepalive'] = c.return_value(
                            ['peer', p, 'persistent-keepalive'])
                    # preshared-key
                    if c.exists(['peer', p, 'preshared-key']):
                        wg['peer'][p]['psk'] = c.return_value(
                            ['peer', p, 'preshared-key'])
                    # peer pubkeys
                    key_eff = c.return_effective_value(['peer', p, 'pubkey'])
                    key_cfg = c.return_value(['peer', p, 'pubkey'])
                    wg['peer'][p]['pubkey'] = key_cfg

                    # on a pubkey change we need to remove the pubkey first
                    # peers are identified by pubkey, so key update means
                    # peer removal and re-add
                    if key_eff != key_cfg and key_eff != None:
                        wg['peer_remove'].append(key_cfg)

                # if a peer is disabled, we have to exec a remove for it's pubkey
                else:
                  peer_key = c.return_value(['peer', p, 'pubkey'])
                  wg['peer_remove'].append(peer_key)
    return wg


def verify(c):
    if not c:
        return None

    if not os.path.exists(c['pk']):
        raise ConfigError(
            "No keys found, generate them by executing: \'run generate wireguard [keypair|named-keypairs]\'")

    if not c['delete']:
        if not c['addr']:
            raise ConfigError("ERROR: IP address required")
        if not c['peer']:
            raise ConfigError("ERROR: peer required")
        for p in c['peer']:
            if not c['peer'][p]['allowed-ips']:
                raise ConfigError("ERROR: allowed-ips required for peer " + p)
            if not c['peer'][p]['pubkey']:
                raise ConfigError("peer pubkey required for peer " + p)


def apply(c):
    # no wg configs left, remove all interface from system
    # maybe move it into ifconfig.py
    if not c:
        net_devs = os.listdir('/sys/class/net/')
        for dev in net_devs:
            if os.path.isdir('/sys/class/net/' + dev):
                buf = open('/sys/class/net/' + dev + '/uevent', 'r').read()
                if re.search("DEVTYPE=wireguard", buf, re.I | re.M):
                    wg_intf = re.sub("INTERFACE=", "", re.search(
                        "INTERFACE=.*", buf, re.I | re.M).group(0))
                    # XXX: we are ignoring any errors here
                    run(f'ip l d dev {wg_intf} >/dev/null')
        return None

    # init wg class
    intfc = WireGuardIf(c['intfc'])

    # single interface removal
    if c['delete']:
        intfc.remove()
        return None

    # remove IP addresses
    for ip in c['addr_remove']:
        intfc.del_addr(ip)

    # add IP addresses
    for ip in c['addr']:
        intfc.add_addr(ip)

    # interface mtu
    intfc.set_mtu(int(c['mtu']))

    # ifalias for snmp from description
    intfc.set_alias(str(c['descr']))

    # remove peers
    if c['peer_remove']:
        for pkey in c['peer_remove']:
            intfc.remove_peer(pkey)

    # peer pubkey
    # setting up the wg interface
    intfc.config['private-key'] = c['pk']
    for p in c['peer']:
        # peer pubkey
        intfc.config['pubkey'] = str(c['peer'][p]['pubkey'])
        # peer allowed-ips
        intfc.config['allowed-ips'] = c['peer'][p]['allowed-ips']
        # local listen port
        if c['lport']:
            intfc.config['port'] = c['lport']
        # fwmark
        if c['fwmark']:
            intfc.config['fwmark'] = c['fwmark']
        # endpoint
        if c['peer'][p]['address'] and c['peer'][p]['port']:
            intfc.config['endpoint'] = "{}:{}".format(c['peer'][p]['address'], c['peer'][p]['port'])

        # persistent-keepalive
        if 'persistent-keepalive' in c['peer'][p]:
            intfc.config['keepalive'] = c['peer'][p]['persistent-keepalive']

        # maybe move it into ifconfig.py
        # preshared-key - needs to be read from a file
        if 'psk' in c['peer'][p]:
            psk_file = '/config/auth/wireguard/psk'
            old_umask = os.umask(0o077)
            open(psk_file, 'w').write(str(c['peer'][p]['psk']))
            os.umask(old_umask)
            intfc.config['psk'] = psk_file
        intfc.update()

    # interface state
    intfc.set_admin_state(c['state'])

    return None

if __name__ == '__main__':
    try:
        _check_kmod()
        _migrate_default_keys()
        c = get_config()
        verify(c)
        apply(c)
    except ConfigError as e:
        print(e)
        sys.exit(1)