#!/usr/bin/python
#

# Copyright (C) 2006, 2007 Google Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

""" Ganeti Remote API master script.
"""

import glob
import logging
import optparse
import sys
import os
import os.path
import signal

from ganeti import constants
from ganeti import errors
from ganeti import http
from ganeti import daemon
from ganeti import ssconf
from ganeti import utils
from ganeti import luxi
from ganeti import serializer
from ganeti.rapi import connector

import ganeti.http.auth
import ganeti.http.server


class RemoteApiRequestContext(object):
  """Data structure for Remote API requests.

  """
  def __init__(self):
    self.handler = None
    self.handler_fn = None
    self.handler_access = None


class JsonErrorRequestExecutor(http.server.HttpServerRequestExecutor):
  """Custom Request Executor class that formats HTTP errors in JSON.

  """
  error_content_type = "application/json"

  def _FormatErrorMessage(self, values):
    """Formats the body of an error message.

    @type values: dict
    @param values: dictionary with keys code, message and explain.
    @rtype: string
    @return: the body of the message

    """
    return serializer.DumpJson(values, indent=True)


class RemoteApiHttpServer(http.auth.HttpServerRequestAuthentication,
                          http.server.HttpServer):
  """REST Request Handler Class.

  """
  AUTH_REALM = "Ganeti Remote API"

  def __init__(self, *args, **kwargs):
    http.server.HttpServer.__init__(self, *args, **kwargs)
    http.auth.HttpServerRequestAuthentication.__init__(self)
    self._resmap = connector.Mapper()

    # Load password file
    if os.path.isfile(constants.RAPI_USERS_FILE):
      self._users = http.auth.ReadPasswordFile(constants.RAPI_USERS_FILE)
    else:
      self._users = None

  def _GetRequestContext(self, req):
    """Returns the context for a request.

    The context is cached in the req.private variable.

    """
    if req.private is None:
      (HandlerClass, items, args) = \
                     self._resmap.getController(req.request_path)

      ctx = RemoteApiRequestContext()
      ctx.handler = HandlerClass(items, args, req)

      method = req.request_method.upper()
      try:
        ctx.handler_fn = getattr(ctx.handler, method)
      except AttributeError, err:
        raise http.HttpBadRequest("Method %s is unsupported for path %s" %
                                  (method, req.request_path))

      ctx.handler_access = getattr(ctx.handler, "%s_ACCESS" % method, None)

      # Require permissions definition (usually in the base class)
      if ctx.handler_access is None:
        raise AssertionError("Permissions definition missing")

      req.private = ctx

    return req.private

  def GetAuthRealm(self, req):
    """Override the auth realm for queries.

    """
    ctx = self._GetRequestContext(req)
    if ctx.handler_access:
      return self.AUTH_REALM
    else:
      return None

  def Authenticate(self, req, username, password):
    """Checks whether a user can access a resource.

    """
    ctx = self._GetRequestContext(req)

    # Check username and password
    valid_user = False
    if self._users:
      user = self._users.get(username, None)
      if user and user.password == password:
        valid_user = True

    if not valid_user:
      # Unknown user or password wrong
      return False

    if (not ctx.handler_access or
        set(user.options).intersection(ctx.handler_access)):
      # Allow access
      return True

    # Access forbidden
    raise http.HttpForbidden()

  def HandleRequest(self, req):
    """Handles a request.

    """
    ctx = self._GetRequestContext(req)

    try:
      result = ctx.handler_fn()
      sn = ctx.handler.getSerialNumber()
      if sn:
        req.response_headers[http.HTTP_ETAG] = str(sn)
    except luxi.TimeoutError:
      raise http.HttpGatewayTimeout()
    except luxi.ProtocolError, err:
      raise http.HttpBadGateway(str(err))
    except:
      method = req.request_method.upper()
      logging.exception("Error while handling the %s request", method)
      raise

    return result


def ParseOptions():
  """Parse the command line options.

  @return: (options, args) as from OptionParser.parse_args()

  """
  parser = optparse.OptionParser(description="Ganeti Remote API",
                    usage="%prog [-d] [-p port]",
                    version="%%prog (ganeti) %s" %
                                 constants.RAPI_VERSION)
  parser.add_option("-d", "--debug", dest="debug",
                    help="Enable some debug messages",
                    default=False, action="store_true")
  parser.add_option("-p", "--port", dest="port",
                    help="Port to run API (%s default)." %
                                 constants.RAPI_PORT,
                    default=constants.RAPI_PORT, type="int")
  parser.add_option("--no-ssl", dest="ssl",
                    help="Do not secure HTTP protocol with SSL",
                    default=True, action="store_false")
  parser.add_option("-K", "--ssl-key", dest="ssl_key",
                    help="SSL key",
                    default=constants.RAPI_CERT_FILE, type="string")
  parser.add_option("-C", "--ssl-cert", dest="ssl_cert",
                    help="SSL certificate",
                    default=constants.RAPI_CERT_FILE, type="string")
  parser.add_option("-f", "--foreground", dest="fork",
                    help="Don't detach from the current terminal",
                    default=True, action="store_false")

  options, args = parser.parse_args()

  if len(args) != 0:
    print >> sys.stderr, "Usage: %s [-d] [-p port]" % sys.argv[0]
    sys.exit(1)

  if options.ssl and not (options.ssl_cert and options.ssl_key):
    print >> sys.stderr, ("For secure mode please provide "
                         "--ssl-key and --ssl-cert arguments")
    sys.exit(1)

  return options, args


def main():
  """Main function.

  """
  options, args = ParseOptions()

  if options.fork:
    utils.CloseFDs()

  if options.ssl:
    # Read SSL certificate
    try:
      ssl_params = http.HttpSslParams(ssl_key_path=options.ssl_key,
                                      ssl_cert_path=options.ssl_cert)
    except Exception, err:
      sys.stderr.write("Can't load the SSL certificate/key: %s\n" % (err,))
      sys.exit(1)
  else:
    ssl_params = None

  ssconf.CheckMaster(options.debug)

  if options.fork:
    utils.Daemonize(logfile=constants.LOG_RAPISERVER)

  utils.SetupLogging(constants.LOG_RAPISERVER, debug=options.debug,
                     stderr_logging=not options.fork)

  utils.WritePidFile(constants.RAPI_PID)
  try:
    mainloop = daemon.Mainloop()
    server = RemoteApiHttpServer(mainloop, "", options.port,
                                 ssl_params=ssl_params, ssl_verify_peer=False,
                                 request_executor_class=
                                 JsonErrorRequestExecutor)
    server.Start()
    try:
      mainloop.Run()
    finally:
      server.Stop()
  finally:
    utils.RemovePidFile(constants.RAPI_PID)


if __name__ == '__main__':
  main()