# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true

require 'resolv'
require 'timeout'

require 'contrast/utils/object_share'
require 'contrast/utils/string_utils'
require 'contrast/utils/hash_digest'
require 'contrast/components/logger'
require 'contrast/components/scope'
require 'contrast/utils/request_utils'

module Contrast
  module Agent
    # This class is the Contrast representation of the Rack::Request object. It
    # provides access to the original Rack::Request object as well as extracts
    # data in a format that the Agent expects, caching those transformations in
    # order to avoid repeatedly creating Strings & thrashing GC.
    #
    # @attr_reader rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
    # @attr_accessor route [Contrast::Api::Dtm::RouteCoverage] the route, used for findings, of this request
    # @attr_accessor observed_route [Contrast::Api::Dtm::ObservedRoute] the route, used for coverage of this request
    # @attr_accessor new_observed_route [Contrast::Agent::Reporting::ObservedRoute] the route, used for coverage, of
    # this request
    class Request
      include Contrast::Utils::RequestUtils
      include Contrast::Components::Logger::InstanceMethods
      include Contrast::Components::Scope::InstanceMethods

      extend Forwardable

      INNER_REST_TOKEN = %r{/\d+/}.cs__freeze
      LAST_REST_TOKEN = %r{/\d+$}.cs__freeze
      INNER_NUMBER_MARKER = '/{n}/'
      LAST_NUMBER_MARKER = '/{n}'

      attr_reader :rack_request
      attr_accessor :route, :observed_route, :new_observed_route

      # Delegate calls to the following methods to the attribute @rack_request
      def_delegators :@rack_request, :base_url, :cookies, :env, :ip, :media_type, :path, :port, :query_string,
                     :request_method, :scheme, :url, :user_agent

      # Initialize new Contrast Request
      #
      # @param rack_request [Rack::Request] The passed to the Agent RackRequest to be wrapped.
      def initialize rack_request
        @rack_request = rack_request
      end

      # The HTTP version of this request
      # @return [String]
      def version
        env = rack_request.env
        return '1.1' unless env

        version = env['HTTP_VERSION']
        return '1.1' unless version

        version.split('/')[-1]
      end

      # Returns a normalized form of the URI. In "normal" URIs
      # this will return an unchanged String, but in REST-y
      # URIs this will normalize the digit path tokens, e.g.:
      #
      # /accounts/5/view
      # ...becomes:
      # /accounts/{n}/view
      #
      # Should also handle the ;jsessionid.
      #
      # @return uri [String]
      def normalized_uri
        @_normalized_uri ||= begin
          path = rack_request.path_info
          uri = path.split(Contrast::Utils::ObjectShare::SEMICOLON)[0]    # remove ;jsessionid
          uri = uri.split(Contrast::Utils::ObjectShare::QUESTION_MARK)[0] # remove ?query_string=
          uri.gsub(INNER_REST_TOKEN, INNER_NUMBER_MARKER)                 # replace interior tokens
          uri.gsub(LAST_REST_TOKEN, LAST_NUMBER_MARKER)                   # replace last token
        end
      end

      # Returns the request file type
      #
      # @return type [Symbol<:XML, :JSON, :NORMAL>]
      def document_type
        @_document_type ||= if /xml/i.match?(media_type) || body&.start_with?('<?xml')
                              :XML
                            elsif /json/i.match?(media_type) || body&.match?(/\s*[{\[]/)
                              :JSON
                            else
                              :NORMAL
                            end
      end

      # Header keys upcased and any underscores replaced with dashes
      #
      # @return headers [Hash]
      def headers
        @_headers ||= with_contrast_scope do
          hash = {}
          env.each do |key, value|
            next unless key

            name = key.to_s
            next unless name.start_with?(Contrast::Utils::ObjectShare::HTTP_SCORE)

            hash[Contrast::Utils::StringUtils.normalized_key(name)] = value
          end
          hash
        end
      end

      # Try and read the body and return memorized object of the body.
      # If body contains file, do not parse it, otherwiseBody might be nil
      #
      # @return @_body [String, nil] The body of the Rack::Request
      def body
        # Memoize a flag indicating whether we've tried to read the body or not
        # (can't use body because it might be nil)
        @_body_read ||= begin
          body = rack_request.body
          if defined?(Rack::Multipart) &&
                defined?(Rack::Multipart::UploadedFile) &&
                body.is_a?(Rack::Multipart::UploadedFile)

            logger.trace('not parsing uploaded file body',
                         file_name: body.original_filename,
                         content_type: body.content_type)
            @_body = nil
          else
            logger.trace('parsing body from request', body_type: body.cs__class.cs__name)
            @_body = Contrast::Utils::StringUtils.force_utf8(read_body(body))
          end

          true
        end

        # Return memoized body (which might be nil)
        @_body
      end

      # Unlike most of our translation, which is called where needed for each
      # message and forgotten, we'll leave this method to call the build as we
      # don't want to pay to reconstruct the DTM for this Request multiple
      # times.
      #
      # @return [Contrast::Api::Dtm::HttpRequest] the SpeedRacer compatible
      #   form of this Request
      def dtm
        @_dtm ||= Contrast::Api::Dtm::HttpRequest.build(self)
      end

      # flattened hash of request params
      #
      # @return parameters [Hash]
      def parameters
        @_parameters ||= with_contrast_scope { normalize_params(rack_request.params) }
      end

      # returns multipart filenames
      #
      # @return file_names [Hash]
      def file_names
        @_file_names ||= begin
          names = {}
          parsed_data = Rack::Multipart.parse_multipart(rack_request.env)
          traverse_parsed_multipart(parsed_data, names)
        rescue StandardError => _e
          logger.warn('Unable to parse multipart request!')
          {}
        end
      end

      # returns or fenerates the hash checksum for the request
      #
      # @return @_hash_id [String] Contrast::Utils::HashDigest generated string checksum
      def hash_id
        @_hash_id ||= Contrast::Utils::HashDigest.generate_request_hash(self)
      end

      STATIC_SUFFIXES = /\.(?:js|css|jpeg|jpg|gif|png|ico|woff|svg|pdf|eot|ttf|jar)$/i.cs__freeze
      MEDIA_TYPE_MARKERS = %w[image/ text/css text/javascript].cs__freeze
      # Utility method for checking if a request is for a static resource.
      # @return [Boolean] true, if the request is for a well-known static
      #  type as determined by the request suffix or the accept header.
      def static?
        return true if normalized_uri&.match?(STATIC_SUFFIXES)

        accepts = Array(headers['ACCEPT'])&.first&.to_s
        return false unless accepts
        return false if accepts.start_with?('*/*')

        accepts.start_with?(*MEDIA_TYPE_MARKERS)
      end
    end
  end
end