rules_api.go

package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Rule management API endpoints

// rulesListHandler handles GET /_waf/rules - list all rules with pagination and filtering
func (w *WAF) rulesListHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	// Parse query parameters
	query := r.URL.Query()
	
	// Pagination
	limit := 50
	if l := query.Get("limit"); l != "" {
		if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 && parsed <= 1000 {
			limit = parsed
		}
	}
	
	offset := 0
	if o := query.Get("offset"); o != "" {
		if parsed, err := strconv.Atoi(o); err == nil && parsed >= 0 {
			offset = parsed
		}
	}

	// Filters
	var enabled *bool
	if e := query.Get("enabled"); e != "" {
		if e == "true" {
			t := true
			enabled = &t
		} else if e == "false" {
			f := false
			enabled = &f
		}
	}

	action := query.Get("action")
	if action != "" && !isValidAction(action) {
		http.Error(rw, "Invalid action parameter", http.StatusBadRequest)
		return
	}

	// Query database
	rules, total, err := w.ruleDB.ListRules(enabled, action, limit, offset)
	if err != nil {
		http.Error(rw, fmt.Sprintf("Failed to list rules: %v", err), http.StatusInternalServerError)
		return
	}

	response := map[string]interface{}{
		"rules":  rules,
		"total":  total,
		"limit":  limit,
		"offset": offset,
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(response)
}

// ruleGetHandler handles GET /_waf/rules/{id} - get a specific rule
func (w *WAF) ruleGetHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	ruleID := extractRuleIDFromPath(r.URL.Path, "/_waf/rules/")
	if ruleID == "" {
		http.Error(rw, "Rule ID is required", http.StatusBadRequest)
		return
	}

	rule, err := w.ruleDB.GetRule(ruleID)
	if err != nil {
		if strings.Contains(err.Error(), "not found") {
			http.Error(rw, "Rule not found", http.StatusNotFound)
		} else {
			http.Error(rw, fmt.Sprintf("Failed to get rule: %v", err), http.StatusInternalServerError)
		}
		return
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(rule)
}

// ruleCreateHandler handles POST /_waf/rules - create a new rule
func (w *WAF) ruleCreateHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	var rule RuleRecord
	if err := json.NewDecoder(r.Body).Decode(&rule); err != nil {
		http.Error(rw, "Invalid JSON payload", http.StatusBadRequest)
		return
	}

	// Validate required fields
	if rule.RuleID == "" || rule.Name == "" || rule.Pattern == "" {
		http.Error(rw, "rule_id, name, and pattern are required", http.StatusBadRequest)
		return
	}

	// Set defaults
	if rule.Action == "" {
		rule.Action = "block"
	}

	if !isValidAction(rule.Action) {
		http.Error(rw, "Invalid action value", http.StatusBadRequest)
		return
	}

	// Create rule in database
	if err := w.ruleDB.CreateRule(&rule); err != nil {
		if strings.Contains(err.Error(), "UNIQUE constraint failed") {
			http.Error(rw, "Rule ID already exists", http.StatusConflict)
		} else {
			http.Error(rw, fmt.Sprintf("Failed to create rule: %v", err), http.StatusInternalServerError)
		}
		return
	}

	// Reload WAF rules
	if err := w.reloadRulesFromDB(); err != nil {
		// Rule was created but reload failed - log error but don't fail the request
		fmt.Printf("Warning: Failed to reload WAF rules after creating rule %s: %v\n", rule.RuleID, err)
	}

	rw.Header().Set("Content-Type", "application/json")
	rw.WriteHeader(http.StatusCreated)
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"status":  "success",
		"message": "Rule created successfully",
		"rule":    rule,
	})
}

// ruleUpdateHandler handles PUT /_waf/rules/{id} - update an existing rule
func (w *WAF) ruleUpdateHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPut {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	ruleID := extractRuleIDFromPath(r.URL.Path, "/_waf/rules/")
	if ruleID == "" {
		http.Error(rw, "Rule ID is required", http.StatusBadRequest)
		return
	}

	var updates RuleRecord
	if err := json.NewDecoder(r.Body).Decode(&updates); err != nil {
		http.Error(rw, "Invalid JSON payload", http.StatusBadRequest)
		return
	}

	// Validate required fields
	if updates.Name == "" || updates.Pattern == "" {
		http.Error(rw, "name and pattern are required", http.StatusBadRequest)
		return
	}

	// Set defaults
	if updates.Action == "" {
		updates.Action = "block"
	}

	if !isValidAction(updates.Action) {
		http.Error(rw, "Invalid action value", http.StatusBadRequest)
		return
	}

	// Update rule in database
	if err := w.ruleDB.UpdateRule(ruleID, &updates); err != nil {
		if strings.Contains(err.Error(), "not found") {
			http.Error(rw, "Rule not found", http.StatusNotFound)
		} else {
			http.Error(rw, fmt.Sprintf("Failed to update rule: %v", err), http.StatusInternalServerError)
		}
		return
	}

	// Reload WAF rules
	if err := w.reloadRulesFromDB(); err != nil {
		// Rule was updated but reload failed - log error but don't fail the request
		fmt.Printf("Warning: Failed to reload WAF rules after updating rule %s: %v\n", ruleID, err)
	}

	// Get updated rule
	updatedRule, err := w.ruleDB.GetRule(ruleID)
	if err != nil {
		http.Error(rw, fmt.Sprintf("Rule updated but failed to fetch: %v", err), http.StatusInternalServerError)
		return
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"status":  "success",
		"message": "Rule updated successfully",
		"rule":    updatedRule,
	})
}

// ruleDeleteHandler handles DELETE /_waf/rules/{id} - delete a rule (soft delete)
func (w *WAF) ruleDeleteHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodDelete {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	ruleID := extractRuleIDFromPath(r.URL.Path, "/_waf/rules/")
	if ruleID == "" {
		http.Error(rw, "Rule ID is required", http.StatusBadRequest)
		return
	}

	// Check for hard delete parameter
	hardDelete := r.URL.Query().Get("hard") == "true"

	var err error
	if hardDelete {
		err = w.ruleDB.HardDeleteRule(ruleID)
	} else {
		err = w.ruleDB.DeleteRule(ruleID)
	}

	if err != nil {
		if strings.Contains(err.Error(), "not found") {
			http.Error(rw, "Rule not found", http.StatusNotFound)
		} else {
			http.Error(rw, fmt.Sprintf("Failed to delete rule: %v", err), http.StatusInternalServerError)
		}
		return
	}

	// Reload WAF rules
	if err := w.reloadRulesFromDB(); err != nil {
		// Rule was deleted but reload failed - log error but don't fail the request
		fmt.Printf("Warning: Failed to reload WAF rules after deleting rule %s: %v\n", ruleID, err)
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"status":  "success",
		"message": fmt.Sprintf("Rule %s successfully", map[bool]string{true: "permanently deleted", false: "disabled"}[hardDelete]),
	})
}

// ruleHistoryHandler handles GET /_waf/rules/{id}/history - get rule change history
func (w *WAF) ruleHistoryHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	ruleID := extractRuleIDFromPath(r.URL.Path, "/_waf/rules/")
	if ruleID == "" {
		http.Error(rw, "Rule ID is required", http.StatusBadRequest)
		return
	}

	// Parse limit parameter
	limit := 20
	if l := r.URL.Query().Get("limit"); l != "" {
		if parsed, err := strconv.Atoi(l); err == nil && parsed > 0 && parsed <= 100 {
			limit = parsed
		}
	}

	history, err := w.ruleDB.GetRuleHistory(ruleID, limit)
	if err != nil {
		http.Error(rw, fmt.Sprintf("Failed to get rule history: %v", err), http.StatusInternalServerError)
		return
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"rule_id": ruleID,
		"history": history,
		"limit":   limit,
	})
}

// rulesStatsHandler handles GET /_waf/rules/stats - get rules database statistics
func (w *WAF) rulesStatsHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	stats, err := w.ruleDB.GetStats()
	if err != nil {
		http.Error(rw, fmt.Sprintf("Failed to get rules stats: %v", err), http.StatusInternalServerError)
		return
	}

	// Add timestamp
	stats["timestamp"] = time.Now()

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(stats)
}

// rulesExportHandler handles GET /_waf/rules/export - export rules to JSON
func (w *WAF) rulesExportHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	data, err := w.ruleDB.ExportToJSON()
	if err != nil {
		http.Error(rw, fmt.Sprintf("Failed to export rules: %v", err), http.StatusInternalServerError)
		return
	}

	rw.Header().Set("Content-Type", "application/json")
	rw.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=waf_rules_%s.json", time.Now().Format("20060102_150405")))
	rw.Write(data)
}

// rulesImportHandler handles POST /_waf/rules/import - import rules from JSON
func (w *WAF) rulesImportHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	var payload struct {
		Rules []WAFRule `json:"rules"`
	}

	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
		http.Error(rw, "Invalid JSON payload", http.StatusBadRequest)
		return
	}

	if len(payload.Rules) == 0 {
		http.Error(rw, "No rules provided", http.StatusBadRequest)
		return
	}

	// Validate rules
	for i, rule := range payload.Rules {
		if rule.ID == "" || rule.Name == "" || rule.Pattern == "" {
			http.Error(rw, fmt.Sprintf("Rule %d: id, name, and pattern are required", i), http.StatusBadRequest)
			return
		}
		if !isValidAction(rule.Action) && rule.Action != "" {
			http.Error(rw, fmt.Sprintf("Rule %d: invalid action value", i), http.StatusBadRequest)
			return
		}
	}

	// Create rules in database
	created := 0
	updated := 0
	for _, rule := range payload.Rules {
		ruleRecord := &RuleRecord{
			RuleID:      rule.ID,
			Name:        rule.Name,
			Pattern:     rule.Pattern,
			Action:      rule.Action,
			RedirectURL: rule.RedirectURL,
			Enabled:     rule.Enabled,
			Description: rule.Description,
		}

		// Set default action
		if ruleRecord.Action == "" {
			ruleRecord.Action = "block"
		}

		// Try to create, if exists then update
		err := w.ruleDB.CreateRule(ruleRecord)
		if err != nil && strings.Contains(err.Error(), "already exists") {
			err = w.ruleDB.UpdateRule(rule.ID, ruleRecord)
			if err == nil {
				updated++
			}
		} else if err == nil {
			created++
		}

		if err != nil {
			http.Error(rw, fmt.Sprintf("Failed to import rule %s: %v", rule.ID, err), http.StatusInternalServerError)
			return
		}
	}

	// Reload WAF rules
	if err := w.reloadRulesFromDB(); err != nil {
		fmt.Printf("Warning: Failed to reload WAF rules after import: %v\n", err)
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"status":  "success",
		"message": fmt.Sprintf("Successfully imported %d rules", len(payload.Rules)),
		"created": created,
		"updated": updated,
		"total":   len(payload.Rules),
	})
}

// rulesReloadHandler handles POST /_waf/rules/reload - reload rules from database
func (w *WAF) rulesReloadHandler(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		return
	}

	if err := w.reloadRulesFromDB(); err != nil {
		http.Error(rw, fmt.Sprintf("Failed to reload rules: %v", err), http.StatusInternalServerError)
		return
	}

	rw.Header().Set("Content-Type", "application/json")
	json.NewEncoder(rw).Encode(map[string]interface{}{
		"status":    "success",
		"message":   "Rules reloaded successfully",
		"timestamp": time.Now(),
	})
}

// rulesRouteHandler routes requests for individual rules
func (w *WAF) rulesRouteHandler(rw http.ResponseWriter, r *http.Request) {
	path := r.URL.Path
	
	if strings.HasSuffix(path, "/history") {
		// Handle /_waf/rules/{id}/history
		w.ruleHistoryHandler(rw, r)
	} else if path == "/_waf/rules/" {
		// Handle /_waf/rules/ (create new rule)
		w.ruleCreateHandler(rw, r)
	} else {
		// Handle /_waf/rules/{id} (get/update/delete)
		switch r.Method {
		case http.MethodGet:
			w.ruleGetHandler(rw, r)
		case http.MethodPut:
			w.ruleUpdateHandler(rw, r)
		case http.MethodDelete:
			w.ruleDeleteHandler(rw, r)
		default:
			http.Error(rw, "Method not allowed", http.StatusMethodNotAllowed)
		}
	}
}

// Helper functions

// extractRuleIDFromPath extracts rule ID from URL path
func extractRuleIDFromPath(path, prefix string) string {
	if !strings.HasPrefix(path, prefix) {
		return ""
	}
	ruleID := strings.TrimPrefix(path, prefix)
	
	// Remove any additional path segments (for /rules/{id}/history)
	if slashIndex := strings.Index(ruleID, "/"); slashIndex != -1 {
		ruleID = ruleID[:slashIndex]
	}
	
	return ruleID
}

// isValidAction checks if the action is valid
func isValidAction(action string) bool {
	validActions := map[string]bool{
		"block":    true,
		"log":      true,
		"redirect": true,
	}
	return validActions[action]
}

// reloadRulesFromDB reloads rules from database into memory
func (w *WAF) reloadRulesFromDB() error {
	if w.ruleDB == nil {
		return fmt.Errorf("rule database not initialized")
	}

	rules, err := w.ruleDB.LoadRules()
	if err != nil {
		return fmt.Errorf("failed to load rules from database: %v", err)
	}

	// Update WAF rules
	w.mu.Lock()
	defer w.mu.Unlock()

	w.rules = rules
	
	// TODO: Recompile patterns for Vectorscan if needed

	fmt.Printf("Successfully reloaded %d rules from database\n", len(rules))
	return nil
}