package middlewares

import (
	"fmt"
	"net"
	"net/http"

	"github.com/containous/traefik/log"
	"github.com/pkg/errors"
	"github.com/urfave/negroni"
)

// IPWhitelister is a middleware that provides Checks of the Requesting IP against a set of Whitelists
type IPWhitelister struct {
	handler    negroni.Handler
	whitelists []*net.IPNet
}

// NewIPWhitelister builds a new IPWhitelister given a list of CIDR-Strings to whitelist
func NewIPWhitelister(whitelistStrings []string) (*IPWhitelister, error) {

	if len(whitelistStrings) == 0 {
		return nil, errors.New("no whitelists provided")
	}

	whitelister := IPWhitelister{}

	for _, whitelistString := range whitelistStrings {
		_, whitelist, err := net.ParseCIDR(whitelistString)
		if err != nil {
			return nil, fmt.Errorf("parsing CIDR whitelist %s: %v", whitelist, err)
		}
		whitelister.whitelists = append(whitelister.whitelists, whitelist)
	}

	whitelister.handler = negroni.HandlerFunc(whitelister.handle)
	log.Debugf("configured %u IP whitelists: %s", len(whitelister.whitelists), whitelister.whitelists)

	return &whitelister, nil
}

func (whitelister *IPWhitelister) handle(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	remoteIP, err := ipFromRemoteAddr(r.RemoteAddr)
	if err != nil {
		log.Warnf("unable to parse remote-address from header: %s - rejecting", r.RemoteAddr)
		reject(w)
		return
	}

	for _, whitelist := range whitelister.whitelists {
		if whitelist.Contains(*remoteIP) {
			log.Debugf("source-IP %s matched whitelist %s - passing", remoteIP, whitelist)
			next.ServeHTTP(w, r)
			return
		}
	}

	log.Debugf("source-IP %s matched none of the whitelists - rejecting", remoteIP)
	reject(w)
}

func reject(w http.ResponseWriter) {
	statusCode := http.StatusForbidden

	w.WriteHeader(statusCode)
	w.Write([]byte(http.StatusText(statusCode)))
}

func ipFromRemoteAddr(addr string) (*net.IP, error) {
	ip, _, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, fmt.Errorf("can't extract IP/Port from address %s: %s", addr, err)
	}

	userIP := net.ParseIP(ip)
	if userIP == nil {
		return nil, fmt.Errorf("can't parse IP from address %s", ip)
	}

	return &userIP, nil
}

func (whitelister *IPWhitelister) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	whitelister.handler.ServeHTTP(rw, r, next)
}