metacrypt/internal/server/routes.go

package server

import (
	"encoding/json"
	"errors"
	"io"
	"net/http"
	"strings"

	"github.com/go-chi/chi/v5"

	mcias "git.wntrmute.dev/kyle/mcias/clients/go"

	"git.wntrmute.dev/kyle/metacrypt/internal/crypto"
	"git.wntrmute.dev/kyle/metacrypt/internal/engine"
	"git.wntrmute.dev/kyle/metacrypt/internal/engine/ca"
	"git.wntrmute.dev/kyle/metacrypt/internal/policy"
	"git.wntrmute.dev/kyle/metacrypt/internal/seal"
)

func (s *Server) registerRoutes(r chi.Router) {
	// REST API routes — web UI served by metacrypt-web.
	r.Get("/v1/status", s.handleStatus)
	r.Post("/v1/init", s.handleInit)
	r.Post("/v1/unseal", s.handleUnseal)
	r.Post("/v1/seal", s.requireAdmin(s.handleSeal))

	r.Post("/v1/auth/login", s.handleLogin)
	r.Post("/v1/auth/logout", s.requireAuth(s.handleLogout))
	r.Get("/v1/auth/tokeninfo", s.requireAuth(s.handleTokenInfo))

	r.Get("/v1/engine/mounts", s.requireAuth(s.handleEngineMounts))
	r.Post("/v1/engine/mount", s.requireAdmin(s.handleEngineMount))
	r.Post("/v1/engine/unmount", s.requireAdmin(s.handleEngineUnmount))
	r.Post("/v1/engine/request", s.requireAuth(s.handleEngineRequest))

	// Public PKI routes (no auth required, but must be unsealed).
	r.Get("/v1/pki/{mount}/ca", s.requireUnseal(s.handlePKIRoot))
	r.Get("/v1/pki/{mount}/ca/chain", s.requireUnseal(s.handlePKIChain))
	r.Get("/v1/pki/{mount}/issuer/{name}", s.requireUnseal(s.handlePKIIssuer))

	r.HandleFunc("/v1/policy/rules", s.requireAuth(s.handlePolicyRules))
	r.HandleFunc("/v1/policy/rule", s.requireAuth(s.handlePolicyRule))
	s.registerACMERoutes(r)
}

// --- API Handlers ---

func (s *Server) handleStatus(w http.ResponseWriter, r *http.Request) {
	writeJSON(w, http.StatusOK, map[string]interface{}{
		"state": s.seal.State().String(),
	})
}

func (s *Server) handleInit(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Password string `json:"password"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}
	if req.Password == "" {
		http.Error(w, `{"error":"password is required"}`, http.StatusBadRequest)
		return
	}

	params := crypto.Argon2Params{
		Time:    s.cfg.Seal.Argon2Time,
		Memory:  s.cfg.Seal.Argon2Memory,
		Threads: s.cfg.Seal.Argon2Threads,
	}
	if err := s.seal.Initialize(r.Context(), []byte(req.Password), params); err != nil {
		if err == seal.ErrAlreadyInitialized {
			http.Error(w, `{"error":"already initialized"}`, http.StatusConflict)
			return
		}
		s.logger.Error("init failed", "error", err)
		http.Error(w, `{"error":"initialization failed"}`, http.StatusInternalServerError)
		return
	}

	writeJSON(w, http.StatusOK, map[string]interface{}{
		"state": s.seal.State().String(),
	})
}

func (s *Server) handleUnseal(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Password string `json:"password"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}

	if err := s.seal.Unseal([]byte(req.Password)); err != nil {
		switch err {
		case seal.ErrNotInitialized:
			http.Error(w, `{"error":"not initialized"}`, http.StatusPreconditionFailed)
		case seal.ErrInvalidPassword:
			http.Error(w, `{"error":"invalid password"}`, http.StatusUnauthorized)
		case seal.ErrRateLimited:
			http.Error(w, `{"error":"too many attempts, try again later"}`, http.StatusTooManyRequests)
		case seal.ErrNotSealed:
			http.Error(w, `{"error":"already unsealed"}`, http.StatusConflict)
		default:
			s.logger.Error("unseal failed", "error", err)
			http.Error(w, `{"error":"unseal failed"}`, http.StatusInternalServerError)
		}
		return
	}

	if err := s.engines.UnsealAll(r.Context()); err != nil {
		s.logger.Error("engine unseal failed", "error", err)
		http.Error(w, `{"error":"engine unseal failed"}`, http.StatusInternalServerError)
		return
	}

	writeJSON(w, http.StatusOK, map[string]interface{}{
		"state": s.seal.State().String(),
	})
}

func (s *Server) handleSeal(w http.ResponseWriter, r *http.Request) {
	if err := s.engines.SealAll(); err != nil {
		s.logger.Error("seal engines failed", "error", err)
	}

	if err := s.seal.Seal(); err != nil {
		s.logger.Error("seal failed", "error", err)
		http.Error(w, `{"error":"seal failed"}`, http.StatusInternalServerError)
		return
	}

	s.auth.ClearCache()
	writeJSON(w, http.StatusOK, map[string]interface{}{
		"state": s.seal.State().String(),
	})
}

func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
	if s.seal.State() != seal.StateUnsealed {
		http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
		return
	}

	var req struct {
		Username string `json:"username"`
		Password string `json:"password"`
		TOTPCode string `json:"totp_code"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}

	token, expiresAt, err := s.auth.Login(req.Username, req.Password, req.TOTPCode)
	if err != nil {
		http.Error(w, `{"error":"invalid credentials"}`, http.StatusUnauthorized)
		return
	}

	writeJSON(w, http.StatusOK, map[string]interface{}{
		"token":      token,
		"expires_at": expiresAt,
	})
}

func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
	token := extractToken(r)
	client, err := mcias.New(s.cfg.MCIAS.ServerURL, mcias.Options{
		CACertPath: s.cfg.MCIAS.CACert,
		Token:      token,
	})
	if err == nil {
		s.auth.Logout(client)
	}

	// Clear cookie.
	http.SetCookie(w, &http.Cookie{
		Name:     "metacrypt_token",
		Value:    "",
		Path:     "/",
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})

	writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}

func (s *Server) handleTokenInfo(w http.ResponseWriter, r *http.Request) {
	info := TokenInfoFromContext(r.Context())
	writeJSON(w, http.StatusOK, map[string]interface{}{
		"username": info.Username,
		"roles":    info.Roles,
		"is_admin": info.IsAdmin,
	})
}

func (s *Server) handleEngineMounts(w http.ResponseWriter, r *http.Request) {
	mounts := s.engines.ListMounts()
	writeJSON(w, http.StatusOK, mounts)
}

func (s *Server) handleEngineMount(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Name   string                 `json:"name"`
		Type   string                 `json:"type"`
		Config map[string]interface{} `json:"config"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}
	if req.Name == "" || req.Type == "" {
		http.Error(w, `{"error":"name and type are required"}`, http.StatusBadRequest)
		return
	}

	if err := s.engines.Mount(r.Context(), req.Name, engine.EngineType(req.Type), req.Config); err != nil {
		s.logger.Error("mount engine", "name", req.Name, "type", req.Type, "error", err)
		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusBadRequest)
		return
	}
	writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}

func (s *Server) handleEngineUnmount(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Name string `json:"name"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}
	if err := s.engines.Unmount(r.Context(), req.Name); err != nil {
		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
		return
	}
	writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
}

func (s *Server) handleEngineRequest(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Mount     string                 `json:"mount"`
		Operation string                 `json:"operation"`
		Path      string                 `json:"path"`
		Data      map[string]interface{} `json:"data"`
	}
	if err := readJSON(r, &req); err != nil {
		http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
		return
	}
	if req.Mount == "" || req.Operation == "" {
		http.Error(w, `{"error":"mount and operation are required"}`, http.StatusBadRequest)
		return
	}

	info := TokenInfoFromContext(r.Context())
	engReq := &engine.Request{
		Operation: req.Operation,
		Path:      req.Path,
		Data:      req.Data,
		CallerInfo: &engine.CallerInfo{
			Username: info.Username,
			Roles:    info.Roles,
			IsAdmin:  info.IsAdmin,
		},
	}

	resp, err := s.engines.HandleRequest(r.Context(), req.Mount, engReq)
	if err != nil {
		status := http.StatusInternalServerError
		switch {
		case errors.Is(err, engine.ErrMountNotFound):
			status = http.StatusNotFound
		case strings.Contains(err.Error(), "forbidden"):
			status = http.StatusForbidden
		case strings.Contains(err.Error(), "authentication required"):
			status = http.StatusUnauthorized
		case strings.Contains(err.Error(), "not found"):
			status = http.StatusNotFound
		}
		http.Error(w, `{"error":"`+err.Error()+`"}`, status)
		return
	}

	writeJSON(w, http.StatusOK, resp.Data)
}

func (s *Server) handlePolicyRules(w http.ResponseWriter, r *http.Request) {
	info := TokenInfoFromContext(r.Context())
	switch r.Method {
	case http.MethodGet:
		if !info.IsAdmin {
			http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
			return
		}
		rules, err := s.policy.ListRules(r.Context())
		if err != nil {
			s.logger.Error("list policies", "error", err)
			http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
			return
		}
		if rules == nil {
			rules = []policy.Rule{}
		}
		writeJSON(w, http.StatusOK, rules)
	case http.MethodPost:
		if !info.IsAdmin {
			http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
			return
		}
		var rule policy.Rule
		if err := readJSON(r, &rule); err != nil {
			http.Error(w, `{"error":"invalid request"}`, http.StatusBadRequest)
			return
		}
		if rule.ID == "" {
			http.Error(w, `{"error":"id is required"}`, http.StatusBadRequest)
			return
		}
		if err := s.policy.CreateRule(r.Context(), &rule); err != nil {
			s.logger.Error("create policy", "error", err)
			http.Error(w, `{"error":"internal error"}`, http.StatusInternalServerError)
			return
		}
		writeJSON(w, http.StatusCreated, rule)
	default:
		http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
	}
}

func (s *Server) handlePolicyRule(w http.ResponseWriter, r *http.Request) {
	info := TokenInfoFromContext(r.Context())
	if !info.IsAdmin {
		http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
		return
	}

	id := r.URL.Query().Get("id")
	if id == "" {
		http.Error(w, `{"error":"id parameter required"}`, http.StatusBadRequest)
		return
	}

	switch r.Method {
	case http.MethodGet:
		rule, err := s.policy.GetRule(r.Context(), id)
		if err != nil {
			http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
			return
		}
		writeJSON(w, http.StatusOK, rule)
	case http.MethodDelete:
		if err := s.policy.DeleteRule(r.Context(), id); err != nil {
			http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
			return
		}
		writeJSON(w, http.StatusOK, map[string]interface{}{"ok": true})
	default:
		http.Error(w, `{"error":"method not allowed"}`, http.StatusMethodNotAllowed)
	}
}

// --- Public PKI Handlers ---

func (s *Server) handlePKIRoot(w http.ResponseWriter, r *http.Request) {
	mountName := chi.URLParam(r, "mount")
	caEng, err := s.getCAEngine(mountName)
	if err != nil {
		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
		return
	}

	certPEM, err := caEng.GetRootCertPEM()
	if err != nil {
		http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
		return
	}

	w.Header().Set("Content-Type", "application/x-pem-file")
	w.Write(certPEM)
}

func (s *Server) handlePKIChain(w http.ResponseWriter, r *http.Request) {
	mountName := chi.URLParam(r, "mount")
	issuerName := r.URL.Query().Get("issuer")
	if issuerName == "" {
		http.Error(w, `{"error":"issuer query parameter required"}`, http.StatusBadRequest)
		return
	}

	caEng, err := s.getCAEngine(mountName)
	if err != nil {
		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
		return
	}

	chainPEM, err := caEng.GetChainPEM(issuerName)
	if err != nil {
		if errors.Is(err, ca.ErrIssuerNotFound) {
			http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
			return
		}
		http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
		return
	}

	w.Header().Set("Content-Type", "application/x-pem-file")
	w.Write(chainPEM)
}

func (s *Server) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
	mountName := chi.URLParam(r, "mount")
	issuerName := chi.URLParam(r, "name")

	caEng, err := s.getCAEngine(mountName)
	if err != nil {
		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusNotFound)
		return
	}

	certPEM, err := caEng.GetIssuerCertPEM(issuerName)
	if err != nil {
		if errors.Is(err, ca.ErrIssuerNotFound) {
			http.Error(w, `{"error":"issuer not found"}`, http.StatusNotFound)
			return
		}
		http.Error(w, `{"error":"sealed"}`, http.StatusServiceUnavailable)
		return
	}

	w.Header().Set("Content-Type", "application/x-pem-file")
	w.Write(certPEM)
}

func (s *Server) getCAEngine(mountName string) (*ca.CAEngine, error) {
	mount, err := s.engines.GetMount(mountName)
	if err != nil {
		return nil, err
	}
	if mount.Type != engine.EngineTypeCA {
		return nil, errors.New("mount is not a CA engine")
	}
	caEng, ok := mount.Engine.(*ca.CAEngine)
	if !ok {
		return nil, errors.New("mount is not a CA engine")
	}
	return caEng, nil
}

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

func readJSON(r *http.Request, v interface{}) error {
	defer r.Body.Close()
	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1MB limit
	if err != nil {
		return err
	}
	return json.Unmarshal(body, v)
}