#!/bin/sh

# This file is part of Haketilo
#
# Copyright (C) 2021, Wojtek Kosior
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the CC0 1.0 Universal License as published by
# the Creative Commons Corporation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# CC0 1.0 Universal License for more details.

set -e

_PROG_NAME="$0"
OPERATION="$1"
API_KEY="$2"
SECRET="$3"
XPI_PATH="$4"

escape_regex_special() {
    printf %s "$1" | sed 's/\([]\.*[-]\)/\\\1/g'
}

# Note: We don't actually parse JSON. We extract needed keys with sed regexes
# which does not work in the general case but is sufficient for now.
_get_json_key() {
    local KEY_REG="$(escape_regex_special "$1")"
    printf %s "$2" |
	awk '{printf "%s", $0}' |
	sed 's/^.*\("'"$KEY_REG"'"[[:space:]]*:[[:space:]]*"\([^"]*\)"\).*$/\2/'
}

get_json_key() {
    local JSON="$2"
    local VALUE="$(_get_json_key "$@")"
    if [ "x$VALUE" != "x$JSON" ]; then
	printf %s "$VALUE"
    fi
}

base64url() {
    printf %s "$1" | base64 -w 0 | tr '/+' '_-' | tr -d '='
}

sha256hmac() {
    base64url "$(printf %s "$2" | openssl dgst -sha256 -hmac "$1" -binary -)"
}

get_manifest_key() {
    get_json_key "$1" "$(unzip -p "$2" manifest.json)"
}

generate_jwt() {
    local JWT_HEAD='{"alg":"HS256", "typ":"JWT"}'
    local JWT_ID=$(dd if=/dev/random bs=21 count=1 2>/dev/null | base64)
    local ISSUED_AT_TIME=$(date -u +%s)
    local EXPIRATION_TIME=$((ISSUED_AT_TIME + 300))
    local JWT_PAYLOAD="$(cat <<EOF
{
    "iss": "$API_KEY",
    "jti": "$JWT_ID",
    "iat": $ISSUED_AT_TIME,
    "exp": $EXPIRATION_TIME
}
EOF
	  )"
    local JWT_MESSAGE=$(base64url "$JWT_HEAD").$(base64url "$JWT_PAYLOAD")
    local JWT_SIGNATURE=$(sha256hmac "$SECRET" "$JWT_MESSAGE")
    local JWT=$JWT_MESSAGE.$JWT_SIGNATURE
    printf "Using JWT: $JWT\n" >&2
    printf $JWT
}

get_extension_url() {
    EXTENSION_ID="$(get_manifest_key id "$XPI_PATH")"
    EXTENSION_VER="$(get_manifest_key version "$XPI_PATH")"

    if [ -z "$EXTENSION_ID" -o -z "$EXTENSION_VER" ]; then
	printf "Couldn't extract extension id and version. Please check if %s contains proper manifest.json file.\n" \
	       "$XPI_PATH" >&2
	exit 1
    fi

    printf 'https://addons.mozilla.org/api/v4/addons/%s/versions/%s/' \
	   "$EXTENSION_ID" "$EXTENSION_VER"
}

print_usage() {
    printf 'Usage:  %s upload|check|test API_KEY SECRET XPI_PATH\n' \
	   "$_PROG_NAME" >&2
}

if [ $# != 4 ]; then
    print_usage
    exit 1
fi

unset RETURNED_DATA

case "$OPERATION" in
    test)
	curl "https://addons.mozilla.org/api/v4/accounts/profile/" \
	     -g -H "Authorization: JWT $(generate_jwt)"
	printf '\n'
	;;
    check)
	RETURNED_DATA="$(curl $(get_extension_url) \
			      -g -H "Authorization: JWT $(generate_jwt)")"
	;;
    upload)
	RETURNED_DATA="$(curl $(get_extension_url) \
			      -g -XPUT --form "upload=@$XPI_PATH" \
			      -H "Authorization: JWT $(generate_jwt)")"
	;;
    *)
	print_usage
	exit 1
	;;
esac

if [ -n "$RETURNED_DATA" ]; then
    printf "addons.mozilla.org says:\n%s\n" "$RETURNED_DATA"
    DOWNLOAD_URL="$(get_json_key download_url "$RETURNED_DATA")"
    if [ -n "$DOWNLOAD_URL" ]; then
	printf "Downloading extension file from %s\n" "$DOWNLOAD_URL"
	curl "$DOWNLOAD_URL" -g -H "Authorization: JWT $(generate_jwt)" -O
    fi
fi