use std::fs;
use std::os::linux::fs::MetadataExt;
use std::{env, os::unix::prelude::PermissionsExt};
use std::process::ExitCode;
use std::time::SystemTime;
use pwd::Passwd;
use nix::unistd;
use serde_json::Value;

extern crate time;

const ERROR_ARGS:           u8 = 1;
const ERROR_CONFIG:         u8 = 2;
const ERROR_NO_USER:        u8 = 3;
const ERROR_NOT_AUTHORIZED: u8 = 4;
const ERROR_AUTH_FAILED:    u8 = 5;
const ERROR_RUN_ROOT:       u8 = 6;
const SUCCESS:              u8 = 0;

const PERSIST_TIME:         u64 = 60 * 3;


fn main() -> ExitCode {
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        println!("usage: crab command [args]");
        return ExitCode::from(ERROR_ARGS);
    }
    let config = match config("/etc/crab.conf") {
        Some(data) => data,
        None => return ExitCode::from(ERROR_CONFIG)
    };
    let user = match Passwd::current_user() {
        Some(data) => data,
        None => {
            eprintln!("You dont exist.");
            return ExitCode::from(ERROR_NO_USER);
        }
    };
    let persist = match allowed(&config, &user.name) {
        Some(data) => data,
        None => {
            eprintln!("Operation Not Permitted.");
            return ExitCode::from(ERROR_NOT_AUTHORIZED);
        }
    };

    if !validate(&user.name, persist) {
        eprintln!("Authentication failed.");
        return ExitCode::from(ERROR_AUTH_FAILED);
    }

    if !unistd::setuid(unistd::geteuid()).is_ok() || !unistd::setgid(unistd::getegid()).is_ok() {
        eprintln!("Failed to set root permissions");
        return ExitCode::from(ERROR_RUN_ROOT);
    };

    let err = exec::execvp(&args[1], &args[1..]);
    println!("Error: {}", err);
    
    ExitCode::from(SUCCESS)
}

struct Config {
    users: Vec<(String, bool)>
}

fn validate(user: &str, persist: bool) -> bool {
    if persist && get_persist(user) {
        return true;
    }
    let input = match rpassword::prompt_password(format!("crab ({}) password: ", user)) {
        Ok(data) => data,
        Err(_) => return false
    };
    let mut auth = match pam::Authenticator::with_password("crab") {
        Ok(data) => data,
        Err(_) => return false
    };
    auth.get_handler().set_credentials(user.to_owned(), input);
    if !auth.authenticate().is_ok() || !auth.open_session().is_ok() {
        return false;
    }
    if persist {
        set_persist(user);
    }
    return true;
}

fn allowed(config: &Config, user: &str) -> Option<bool> {
    for (name, persist) in &config.users {
        if name == user {
            return Some(persist.clone());
        }
    }
    None
}

fn config(path: &str) -> Option<Config> {
    let file = match std::fs::read_to_string(path) {
        Err(e) => {
            eprintln!("{}: {}", &path, e);
            return None
        },
        Ok(data) => data
    };

    let mut users = vec![];
    for (line_num, line) in file.split("\n").enumerate() {
        let args: Vec<&str> = line.split(" ").collect();
        if line.trim() == "" {
            continue;
        }
        if args.len() < 2 {
            eprintln!("Error in config at line {}: Not enough arguments", line_num);
            continue;
        }
        let user: String = args[0].to_string();
        let persist: bool = match args[1].parse() {
            Err(e) => {
                eprintln!("Error in config at line {}: {}", line_num, e);
                continue;
            },
            Ok(data) => data
        };
        users.push((user, persist));
    }
    Some(Config{users})
}

fn get_terminal_process() -> Option<i32> {
    let id: i32 = match std::process::id().try_into() {
        Ok(data) => data,
        Err(_) => return None
    };
    let stat = match procinfo::pid::stat(id) {
        Ok(data) => data,
        Err(_) => return None
    };
    Some(stat.session)
}

fn is_file_root_only(id: &i32) -> bool {
    let metadata = match std::fs::metadata(path(&id)) {
        Ok(data) => data,
        Err(e) => {
            if let Some(err) = e.raw_os_error() {
                return err == 2;
            }
            return true
        }
    };
    let perms = metadata.permissions();
    return perms.mode() == 33200 && metadata.st_uid() == 0 && metadata.st_gid() == 0;
}

fn get_terminal_config() -> Option<Value> {
    let id = match get_terminal_process() {
        Some(data) => data,
        None => return None
    };
    if !is_file_root_only(&id) {
        return None;
    }
    let data = match std::fs::read_to_string(path(&id)) {
        Ok(data) => data,
        Err(_) => "{}".to_string()
    };
    let json: Value = match serde_json::from_str(&data) {
        Ok(data) => data,
        Err(_) => return None
    };
    Some(json)
}

fn write_terminal_config(id: &i32, data: &str) -> Result<(), Box<dyn std::error::Error>> {
    std::fs::write(path(&id), data)?;
    unistd::chown(std::path::Path::new(&path(&id)), Some(unistd::Uid::from(0)), Some(unistd::Gid::from(0)))?;
    let metadata = std::fs::metadata(path(&id))?;
    let mut perms = metadata.permissions();
    perms.set_mode(0o660);
    fs::set_permissions(path(&id), perms)?;
    Ok(())
}

fn get_persist(user: &str) -> bool {
    let json = match get_terminal_config() {
        Some(data) => data,
        None => return false
    };
    let timestamp = match json[user].as_u64() {
        Some(data) => data,
        None => return false
    };
    return now() - timestamp < PERSIST_TIME;
}

fn set_persist(user: &str) {
    let mut json = match get_terminal_config() {
        Some(data) => data,
        None => return
    };
    json[user] = Value::from(now());
    let id = match get_terminal_process() {
        Some(data) => data,
        None => return
    };
    match write_terminal_config(&id, &json.to_string()) {
        Ok(_) => {},
        Err(e) => {
            eprintln!("Internal Error: {}", e)
        }
    };
}

fn now() -> u64 {
    return SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs();
}

fn path(id: &i32) -> String {
    return format!("/tmp/crab-{}", id);
}