// Package headers performs a detailed inspection of HTTP response headers
// and reports every missing or misconfigured security control. Unlike v1's
// lightweight header check, this module flags each issue as an individual
// VulnerabilityFound event with remediation guidance aligned to OWASP
// Secure Headers Project.
package headers

import (
	"context"
	"net/http"
	"strings"
	"sync"
	"time"

	"god-eye/internal/eventbus"
	gohttp "god-eye/internal/http"
	"god-eye/internal/module"
	"god-eye/internal/store"
)

const ModuleName = "vuln.security-headers"

type hdrModule struct{}

func Register() { module.Register(&hdrModule{}) }

func (*hdrModule) Name() string                   { return ModuleName }
func (*hdrModule) Phase() module.Phase            { return module.PhaseAnalysis }
func (*hdrModule) Consumes() []eventbus.EventType { return []eventbus.EventType{eventbus.EventHTTPProbed} }
func (*hdrModule) Produces() []eventbus.EventType {
	return []eventbus.EventType{eventbus.EventVulnerability}
}
func (*hdrModule) DefaultEnabled() bool { return true }

func (*hdrModule) Run(mctx module.Context) error {
	timeout := mctx.Config.Int("timeout", 10)
	client := gohttp.GetSharedClient(timeout)

	processed := make(map[string]struct{})
	var mu sync.Mutex
	shouldProcess := func(host string) bool {
		mu.Lock()
		defer mu.Unlock()
		if _, ok := processed[host]; ok {
			return false
		}
		processed[host] = struct{}{}
		return true
	}

	var wg sync.WaitGroup

	// Drain the store.
	for _, h := range mctx.Store.All(mctx.Ctx) {
		if h == nil || h.StatusCode == 0 {
			continue
		}
		if !shouldProcess(h.Subdomain) {
			continue
		}
		host := h.Subdomain
		wg.Add(1)
		go func() { defer wg.Done(); inspect(mctx, client, host) }()
	}

	// Late events.
	sub := mctx.Bus.Subscribe(eventbus.EventHTTPProbed, func(_ context.Context, e eventbus.Event) {
		ev, ok := e.(eventbus.HTTPProbed)
		if !ok || ev.StatusCode == 0 {
			return
		}
		host := ev.Meta().Target
		if !shouldProcess(host) {
			return
		}
		wg.Add(1)
		go func() { defer wg.Done(); inspect(mctx, client, host) }()
	})
	defer sub.Unsubscribe()

	select {
	case <-time.After(500 * time.Millisecond):
	case <-mctx.Ctx.Done():
	}

	wg.Wait()
	return nil
}

func inspect(mctx module.Context, client *http.Client, host string) {
	req, err := http.NewRequest("GET", "https://"+host, nil)
	if err != nil {
		return
	}
	req.Header.Set("User-Agent", "god-eye-v2")
	resp, err := client.Do(req)
	if err != nil {
		return
	}
	defer resp.Body.Close()

	issues := assess(resp.Header)
	if len(issues) == 0 {
		return
	}

	_ = mctx.Store.Upsert(mctx.Ctx, host, func(h *store.Host) {
		now := time.Now()
		for _, iss := range issues {
			h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
				ID:          iss.id,
				Title:       iss.title,
				Description: iss.desc,
				Severity:    string(iss.sev),
				URL:         "https://" + host,
				Remediation: iss.fix,
				OWASP:       "A05:2021-Security Misconfiguration",
				FoundAt:     now,
			})
		}
	})
	for _, iss := range issues {
		mctx.Bus.Publish(mctx.Ctx, eventbus.VulnerabilityFound{
			EventMeta:   eventbus.EventMeta{At: time.Now(), Source: ModuleName, Target: host},
			ID:          iss.id,
			Title:       iss.title,
			Description: iss.desc,
			Severity:    iss.sev,
			URL:         "https://" + host,
			Remediation: iss.fix,
			OWASP:       "A05:2021-Security Misconfiguration",
		})
	}
}

type issue struct {
	id, title, desc, fix string
	sev                  eventbus.Severity
}

func assess(h http.Header) []issue {
	var out []issue
	hasHeader := func(k string) bool { return strings.TrimSpace(h.Get(k)) != "" }

	if !hasHeader("Strict-Transport-Security") {
		out = append(out, issue{
			id:    "hdr-missing-hsts",
			title: "Missing Strict-Transport-Security",
			desc:  "HSTS is absent; clients may accept plaintext downgrades.",
			fix:   "Add: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
			sev:   eventbus.SeverityMedium,
		})
	} else if hsts := h.Get("Strict-Transport-Security"); !strings.Contains(strings.ToLower(hsts), "max-age=") ||
		!strings.Contains(strings.ToLower(hsts), "includesubdomains") {
		out = append(out, issue{
			id:    "hdr-weak-hsts",
			title: "Weak HSTS policy",
			desc:  "HSTS set but missing includeSubDomains and/or sufficient max-age.",
			fix:   "Use: max-age=63072000; includeSubDomains; preload",
			sev:   eventbus.SeverityLow,
		})
	}

	if !hasHeader("Content-Security-Policy") {
		out = append(out, issue{
			id:    "hdr-missing-csp",
			title: "Missing Content-Security-Policy",
			desc:  "No CSP header; XSS mitigations rely solely on upstream filtering.",
			fix:   "Deploy a nonce-based CSP restricting script-src, object-src 'none'.",
			sev:   eventbus.SeverityMedium,
		})
	} else if strings.Contains(strings.ToLower(h.Get("Content-Security-Policy")), "unsafe-inline") {
		out = append(out, issue{
			id:    "hdr-weak-csp",
			title: "Weak CSP (allows unsafe-inline)",
			desc:  "CSP allows unsafe-inline, neutralizing most XSS protection.",
			fix:   "Remove unsafe-inline; use nonces or hashes.",
			sev:   eventbus.SeverityMedium,
		})
	}

	if !hasHeader("X-Frame-Options") {
		// Only flag if CSP doesn't include frame-ancestors.
		csp := strings.ToLower(h.Get("Content-Security-Policy"))
		if !strings.Contains(csp, "frame-ancestors") {
			out = append(out, issue{
				id:    "hdr-missing-clickjack",
				title: "Clickjacking not prevented",
				desc:  "Neither X-Frame-Options nor CSP frame-ancestors is set.",
				fix:   "Add: X-Frame-Options: DENY OR CSP with frame-ancestors 'none'.",
				sev:   eventbus.SeverityLow,
			})
		}
	}

	if !hasHeader("X-Content-Type-Options") {
		out = append(out, issue{
			id:    "hdr-missing-nosniff",
			title: "Missing X-Content-Type-Options",
			desc:  "MIME sniffing permitted; certain XSS escalations become easier.",
			fix:   "Add: X-Content-Type-Options: nosniff",
			sev:   eventbus.SeverityLow,
		})
	}

	if !hasHeader("Referrer-Policy") {
		out = append(out, issue{
			id:    "hdr-missing-referrer-policy",
			title: "Missing Referrer-Policy",
			desc:  "Default browser Referrer-Policy leaks URLs to third parties.",
			fix:   "Add: Referrer-Policy: strict-origin-when-cross-origin",
			sev:   eventbus.SeverityLow,
		})
	}

	if !hasHeader("Permissions-Policy") && !hasHeader("Feature-Policy") {
		out = append(out, issue{
			id:    "hdr-missing-permissions-policy",
			title: "Missing Permissions-Policy",
			desc:  "Browser features (camera, geolocation, USB, etc.) are unrestricted by default.",
			fix:   "Add: Permissions-Policy: camera=(), microphone=(), geolocation=()",
			sev:   eventbus.SeverityInfo,
		})
	}

	// Dangerous information disclosure via default server banner.
	if srv := h.Get("Server"); looksLikeBanner(srv) {
		out = append(out, issue{
			id:    "hdr-server-banner",
			title: "Server banner leaks version",
			desc:  "Server header exposes exact software + version: " + srv,
			fix:   "Strip or generalize via proxy/web-server config.",
			sev:   eventbus.SeverityInfo,
		})
	}

	return out
}

func looksLikeBanner(s string) bool {
	s = strings.ToLower(s)
	return strings.Contains(s, "/") && (strings.Contains(s, ".") || anyDigit(s))
}

func anyDigit(s string) bool {
	for _, r := range s {
		if r >= '0' && r <= '9' {
			return true
		}
	}
	return false
}