#!/usr/bin/env bash
# onx-webmail-install — Webmail driver kurulum (Roundcube / SnappyMail / Rainloop)
#
# Input (stdin JSON):
#   {
#     "driver":       "roundcube" | "snappymail" | "rainloop",
#     "package":      "roundcubemail" | "snappymail" | "rainloop"  (paket adı veya release tag),
#     "install_path": "/usr/share/roundcubemail" | "/usr/share/snappymail" | "/usr/share/rainloop",
#     "url_path":     "/webmail" | "/snappymail" | "/rainloop"
#   }
#
# Output (stdout JSON):
#   {"ok":true,"installed":true,"driver":"...","install_path":"...","version":"...","message":"..."}
#
# Driver detayları:
#   - roundcube: EPEL paketi (dnf install roundcubemail)
#   - snappymail: GitHub release tar.gz indirip extract (sourceforge backup)
#   - rainloop: PHP installer (rainloop.net/repository/webmail)

# Strict mode: abort on unhandled errors, unset variables and failed pipeline
# stages.
set -euo pipefail

# Locate the helper library relative to the real script file (symlinks are
# followed by readlink -f), then load the onx_* helpers used below.
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
. "${SCRIPT_DIR}/_lib/common.sh"

# The whole request arrives as one JSON document on stdin.
INPUT="$(cat)"
onx_require_json "${INPUT}"

# Extract the request fields. The third argument to onx_json_get is passed
# only for "package" and "url_path" — presumably a default value; confirm in
# _lib/common.sh.
# NOTE(review): PACKAGE is read here but is not referenced again in the
# visible part of this script.
DRIVER="$(onx_json_get "${INPUT}" "driver")"
PACKAGE="$(onx_json_get "${INPUT}" "package" "")"
INSTALL_PATH="$(onx_json_get "${INPUT}" "install_path")"
URL_PATH="$(onx_json_get "${INPUT}" "url_path" "/webmail")"

# Both driver and install_path are mandatory.
if [[ -z "${DRIVER}" ]]; then
    onx_die 1 "driver is required (roundcube|snappymail|rainloop)"
fi
if [[ -z "${INSTALL_PATH}" ]]; then
    onx_die 1 "install_path is required"
fi

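# Containment check for the caller-supplied INSTALL_PATH: it must name a
# sub-directory of /usr/share or /opt.
#
# A prefix glob on the raw string is not enough on its own:
# "/usr/share/../../etc/x" starts with /usr/share/ yet resolves outside it,
# and a symlinked path component can send the later mkdir / tar / unzip /
# chown -R calls to a different directory. Therefore:
#   1. any "." or ".." path component is rejected outright;
#   2. the path is canonicalised with `readlink -m` (GNU coreutils: resolves
#      symlinks and accepts components that do not exist yet) and the
#      resolved form is what gets matched against the allowed prefixes;
#   3. "?*" requires a non-empty name after the prefix, so /usr/share and
#      /opt themselves can never be the install target.
# INSTALL_PATH itself is left unchanged for the rest of the script.
# NOTE(review): this is a check-then-use sequence; a path component replaced
# by a symlink after this point is not detected.
case "${INSTALL_PATH}" in
    */../*|*/..|*/./*|*/.)
        onx_die 1 "install_path izinli dizinler dışında: ${INSTALL_PATH}"
        ;;
esac

INSTALL_PATH_RESOLVED=$(readlink -m -- "${INSTALL_PATH}" 2>/dev/null) \
    || onx_die 1 "install_path izinli dizinler dışında: ${INSTALL_PATH}"

case "${INSTALL_PATH_RESOLVED}" in
    /usr/share/?*|/opt/?*) ;;
    *) onx_die 1 "install_path izinli dizinler dışında: ${INSTALL_PATH}" ;;
esac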

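# VERSION and MESSAGE are set by whichever driver arm runs and are reported
# in the final JSON document.
VERSION=""
MESSAGE=""

case "${DRIVER}" in
    # ─── ROUNDCUBE (EPEL package) ──────────────────────────────────────────
    roundcube)
        if rpm -q roundcubemail >/dev/null 2>&1; then
            VERSION=$(rpm -q --queryformat '%{VERSION}' roundcubemail)
            MESSAGE="Roundcube zaten kurulu (${VERSION})"
        else
            onx_log "Roundcube installation via dnf"
            if dnf install -y --enablerepo=epel roundcubemail >/dev/null 2>&1; then
                VERSION=$(rpm -q --queryformat '%{VERSION}' roundcubemail 2>/dev/null || echo "unknown")
                MESSAGE="Roundcube ${VERSION} kuruldu (EPEL)"
            else
                onx_die 3 "Roundcube kurulamadı (EPEL repo erişimi gerek)"
            fi
        fi

        # Roundcube config perms (multi-webserver: chown root:webserver).
        # All ownership/mode changes here are best-effort (errors ignored).
        if getent group webserver >/dev/null 2>&1; then
            chown -R root:webserver /etc/roundcubemail/ 2>/dev/null || true
            chmod -R g+rX /etc/roundcubemail/ 2>/dev/null || true
        fi
        mkdir -p /var/log/roundcubemail /var/lib/roundcubemail/temp
        chown -R apache:webserver /var/log/roundcubemail /var/lib/roundcubemail 2>/dev/null || true
        chmod -R 770 /var/log/roundcubemail /var/lib/roundcubemail 2>/dev/null || true
        # RHEL package symlink bug: create the config link when it is missing.
        if [[ ! -e /usr/share/roundcubemail/config ]]; then
            ln -sf /etc/roundcubemail /usr/share/roundcubemail/config 2>/dev/null
        fi
        ;;

    # ─── SNAPPYMAIL (GitHub release tar.gz) ────────────────────────────────
    snappymail)
        if [[ -f "${INSTALL_PATH}/index.php" ]]; then
            VERSION=$(grep -oP "VERSION', '\K[^']+" "${INSTALL_PATH}/index.php" 2>/dev/null | head -1 || echo "unknown")
            MESSAGE="SnappyMail zaten kurulu (${VERSION})"
        else
            onx_log "SnappyMail download + extract"
            mkdir -p "${INSTALL_PATH}"
            # A private variable is used instead of TMPDIR so that the
            # temp-directory setting seen by child processes is not changed.
            WORK_DIR=$(mktemp -d /tmp/snappymail-XXXXXX)
            trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

            # Ask the GitHub API for the latest release tar.gz. The lookup is
            # best-effort: under `set -e -o pipefail` a failed curl or an
            # unmatched grep would otherwise abort the script before the
            # pinned fallback below is reached.
            RELEASE_URL=$(curl -sf --proto '=https' "https://api.github.com/repos/the-djmaze/snappymail/releases/latest" 2>/dev/null \
                | grep -oP '"browser_download_url":\s*"\K[^"]*snappymail-[\d.]+\.tar\.gz' | head -1) || RELEASE_URL=""

            if [[ -z "${RELEASE_URL}" ]]; then
                # Fallback: known stable v2.40
                RELEASE_URL="https://github.com/the-djmaze/snappymail/releases/download/v2.40.0/snappymail-2.40.0.tar.gz"
            fi

            onx_log "SnappyMail URL: ${RELEASE_URL}"
            # --proto/--proto-redir keep the download, including any redirect
            # followed by -L, on HTTPS.
            # NOTE(review): the archive is extracted without any checksum or
            # signature verification. Consider pinning a release and comparing
            # a known SHA-256 before extraction.
            if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "${WORK_DIR}/snappymail.tar.gz" "${RELEASE_URL}"; then
                onx_die 3 "SnappyMail indirme hatası: ${RELEASE_URL}"
            fi

            # --no-same-owner: do not restore the uid/gid recorded inside the
            # archive; ownership is set explicitly below.
            tar xzf "${WORK_DIR}/snappymail.tar.gz" -C "${INSTALL_PATH}/" --strip-components=0 --no-same-owner
            # Version from the file name. The previous pattern [\d.]+ also
            # swallowed the dot before ".tar.gz" (giving e.g. "2.40.0.").
            VERSION=$(grep -oP 'snappymail-\K\d+(\.\d+)*' <<<"${RELEASE_URL}" | head -1) || VERSION="unknown"

            # Permissions: data/ is meant to be writable by apache.
            # NOTE(review): the recursive chown of ${INSTALL_PATH} two lines
            # below resets data/ to root:webserver, so the apache owner set
            # here does not survive — confirm which ownership is intended.
            mkdir -p "${INSTALL_PATH}/data"
            chown -R apache:webserver "${INSTALL_PATH}/data" 2>/dev/null || true
            chmod -R 770 "${INSTALL_PATH}/data" 2>/dev/null || true
            chown -R root:webserver "${INSTALL_PATH}" 2>/dev/null || true
            find "${INSTALL_PATH}" -type d -exec chmod g+rx {} + 2>/dev/null
            find "${INSTALL_PATH}" -type f -exec chmod g+r {} + 2>/dev/null

            MESSAGE="SnappyMail ${VERSION} kuruldu"
        fi

        # v82.10: layout fix for the doubled "snappymail/" directory in the
        # tarball. Extracting into /usr/share/snappymail/ yields
        # "snappymail/v/X.Y.Z/..." inside it, while SnappyMail's HTML output
        # builds asset URLs as /snappymail/v/X.Y.Z/... (a single "snappymail"
        # prefix). Caddy's handle_path /snappymail/* strips that prefix and
        # looks for /v/X.Y.Z/..., which does not exist at the top of the
        # install directory (the real path is in the sub-directory).
        # Fixed with a symlink: v -> snappymail/v.
        if [[ -d "${INSTALL_PATH}/snappymail/v" ]] && [[ ! -e "${INSTALL_PATH}/v" ]]; then
            ln -sfn "${INSTALL_PATH}/snappymail/v" "${INSTALL_PATH}/v"
            onx_log "SnappyMail v-symlink: ${INSTALL_PATH}/v → snappymail/v"
        fi

        # v82.8: Sec-Fetch cross-site bypass (panel.X → webmail.Y navigation).
        # By default SnappyMail rejects cross-site requests with
        # 'Access Denied', and redirecting through a bridge page with a meta
        # refresh does not clear the cross-site flag, so the Sec-Fetch reject
        # if-block in Service.php is disabled at code level.
        #
        # NOTE(review): this switches off an upstream cross-site request check
        # for every request, not only for navigation from the panel host. It
        # runs on every snappymail invocation, is not controlled by any input
        # field, and targets the fixed /usr/share/snappymail tree rather than
        # ${INSTALL_PATH}. The line matched by the fallback below mentions
        # `secfetch_allow`, which looks like a configurable allow-list —
        # TODO confirm and prefer that over patching the source; otherwise
        # gate this step behind an explicit opt-in. The unmodified file is
        # kept once as <file>.bak.onox for rollback.
        for SV in /usr/share/snappymail/snappymail/v/*/app/libraries/RainLoop/Service.php; do
            [[ -f "$SV" ]] || continue
            if grep -q "ONOX_SECFETCH_BYPASS" "$SV"; then
                continue # already patched
            fi
            # Backup once
            [[ ! -f "${SV}.bak.onox" ]] && cp "$SV" "${SV}.bak.onox"
            # Replace the Sec-Fetch reject condition with `false`.
            # Pattern: our Service.php, around line 115:
            #   if ('mailto' !== ... && !SecFetch::matchAnyRule(...)) {
            #
            # The file path is passed as an argument (sys.argv[1]) instead of
            # being pasted into the Python source, so a quote character in a
            # directory name cannot alter the program. The regular expression
            # is byte-for-byte what the earlier double-quoted `python3 -c`
            # string produced after shell unescaping (note that it expects
            # doubled backslashes before the namespace names — verify against
            # the shipped Service.php). stdout is discarded because this
            # script's stdout is reserved for the final JSON document.
            python3 - "$SV" <<'PY' >/dev/null 2>&1 || true
import re
import sys

path = sys.argv[1]
with open(path) as f:
    c = f.read()
new = re.sub(
    r"if \(\'mailto\' !== \\\\strtolower\(\$aPaths\[0\]\) && !\\\\SnappyMail\\\\HTTP\\\\SecFetch::matchAnyRule\([^{]+\) \{",
    "if (false) { // ONOX_SECFETCH_BYPASS v82.8",
    c
)
if new != c:
    with open(path, 'w') as f:
        f.write(new)
else:
    # Line-based fallback (around line 115)
    lines = c.split('\n')
    for i, ln in enumerate(lines):
        if 'matchAnyRule' in ln and 'secfetch_allow' in ln:
            lines[i] = '                        if (false) { // ONOX_SECFETCH_BYPASS v82.8'
            with open(path, 'w') as f:
                f.write('\n'.join(lines))
            break
PY
            # Report what actually happened: the patcher is best-effort and
            # may have failed or found nothing to replace.
            if grep -q "ONOX_SECFETCH_BYPASS" "$SV"; then
                onx_log "SnappyMail Sec-Fetch bypass applied: ${SV}"
            else
                onx_log "SnappyMail Sec-Fetch bypass NOT applied (pattern not found or patch failed): ${SV}"
            fi
        done
        ;;

    # ─── RAINLOOP (Legacy — GitHub Community Edition) ──────────────────────
    # NOTE: per the original note here, the RainLoop project was abandoned in
    # 2024. The SnappyMail fork is the actively developed alternative. This
    # arm exists for backward compatibility; SnappyMail is recommended for
    # new installations.
    # The rainloop.net repository is down — GitHub releases are used instead.
    rainloop)
        if [[ -f "${INSTALL_PATH}/index.php" ]]; then
            VERSION=$(grep -oP "'APP_VERSION', '\K[^']+" "${INSTALL_PATH}/index.php" 2>/dev/null | head -1 || echo "1.x")
            MESSAGE="RainLoop zaten kurulu (${VERSION})"
        else
            onx_log "RainLoop download + extract (GitHub community releases)"
            mkdir -p "${INSTALL_PATH}"
            # A private variable is used instead of TMPDIR so that the
            # temp-directory setting seen by child processes is not changed.
            WORK_DIR=$(mktemp -d /tmp/rainloop-XXXXXX)
            trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

            # Latest release zip via the GitHub API. Best-effort: under
            # `set -e -o pipefail` a failed lookup would otherwise abort the
            # script before the pinned fallback URLs are tried.
            RELEASE_URL=$(curl -sf --proto '=https' "https://api.github.com/repos/RainLoop/rainloop-webmail/releases/latest" 2>/dev/null \
                | grep -oP '"browser_download_url":\s*"\K[^"]*rainloop-community-[\d.]+\.zip' | head -1) || RELEASE_URL=""

            # Candidate URLs, tried in order (an empty first entry is skipped).
            FALLBACK_URLS=(
                "${RELEASE_URL}"
                "https://github.com/RainLoop/rainloop-webmail/releases/download/v1.17.0/rainloop-community-1.17.0.zip"
                "https://github.com/RainLoop/rainloop-webmail/releases/download/v1.16.0/rainloop-community-1.16.0.zip"
            )

            DOWNLOAD_OK=0
            DOWNLOADED_URL=""
            for url in "${FALLBACK_URLS[@]}"; do
                [[ -z "${url}" ]] && continue
                onx_log "Trying RainLoop URL: ${url}"
                # --proto/--proto-redir keep the download and its redirects on
                # HTTPS.
                # NOTE(review): no checksum or signature is verified before
                # the archive is unpacked.
                if curl -fsSL --proto '=https' --proto-redir '=https' -o "${WORK_DIR}/rainloop.zip" "${url}" 2>/dev/null; then
                    DOWNLOAD_OK=1
                    DOWNLOADED_URL="${url}"
                    break
                fi
            done

            if [[ "${DOWNLOAD_OK}" -ne 1 ]]; then
                onx_die 3 "RainLoop indirme tüm URL'lerde başarısız. SnappyMail önerilir (modern fork). Manuel: github.com/RainLoop/rainloop-webmail/releases"
            fi

            # Install unzip on demand; fail with an explicit error instead of
            # a silent `set -e` exit when that is not possible.
            if ! command -v unzip >/dev/null 2>&1; then
                dnf install -y unzip >/dev/null 2>&1 \
                    || onx_die 3 "unzip is not available and could not be installed"
            fi
            unzip -q "${WORK_DIR}/rainloop.zip" -d "${INSTALL_PATH}/"

            # Version: APP_VERSION from index.php, else the number in the
            # download file name, else "1.x". The file-name pattern no longer
            # swallows the dot before ".zip".
            VERSION=$(grep -oP "'APP_VERSION', '\K[^']+" "${INSTALL_PATH}/index.php" 2>/dev/null | head -1) || VERSION=""
            if [[ -z "${VERSION}" ]]; then
                VERSION=$(grep -oP 'community-\K\d+(\.\d+)*' <<<"${DOWNLOADED_URL}" | head -1) || VERSION=""
            fi
            if [[ -z "${VERSION}" ]]; then
                VERSION="1.x"
            fi

            # Permissions: data/ is meant to be writable by apache.
            # NOTE(review): the recursive chown of ${INSTALL_PATH} below
            # resets data/ to root:webserver, so the apache owner set here
            # does not survive — confirm which ownership is intended.
            mkdir -p "${INSTALL_PATH}/data"
            chown -R apache:webserver "${INSTALL_PATH}/data" 2>/dev/null || true
            chmod -R 770 "${INSTALL_PATH}/data" 2>/dev/null || true
            chown -R root:webserver "${INSTALL_PATH}" 2>/dev/null || true
            find "${INSTALL_PATH}" -type d -exec chmod 755 {} + 2>/dev/null
            find "${INSTALL_PATH}" -type f -exec chmod 644 {} + 2>/dev/null
            # Re-apply 770 on data/ because the two find passes above reset it.
            chmod -R 770 "${INSTALL_PATH}/data" 2>/dev/null || true

            MESSAGE="RainLoop ${VERSION} kuruldu (Legacy — SnappyMail önerilir)"
        fi
        ;;

    *)
        onx_die 1 "Bilinmeyen webmail driver: ${DRIVER} (roundcube|snappymail|rainloop)"
        ;;
esac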

# Success: hand the result fields to onx_json_out as alternating key/value
# arguments, in the same order as before.
RESULT_FIELDS=(
    "installed"    "true"
    "driver"       "${DRIVER}"
    "install_path" "${INSTALL_PATH}"
    "url_path"     "${URL_PATH}"
    "version"      "${VERSION}"
    "message"      "${MESSAGE}"
)
onx_json_out "${RESULT_FIELDS[@]}"
