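#!/usr/bin/env node
/**
 * Configure Inter-VLAN Firewall Rules via API
 * Creates firewall rules for inter-VLAN communication
 *
 * Reads UNIFI_UDM_URL, UNIFI_API_KEY and UNIFI_SITE_ID from ~/.env, fetches
 * the site's network list from the UDM Pro integration API and prints the
 * rule set that has to be configured. main() does not call
 * createFirewallRule() yet; the rules are documented for manual creation.
 */
import https from 'https';
import { readFileSync, existsSync } from 'fs';
import { join } from 'path';
import { homedir } from 'os';

/**
 * Parse a dotenv-style file into a key/value map.
 *
 * Accepts `KEY=value` lines; one pair of surrounding single or double quotes
 * is stripped from the value. Blank lines and lines starting with `#` are
 * ignored, CRLF line endings are tolerated. Returns an empty map when the
 * file does not exist.
 *
 * @param {string} filePath - Path of the env file.
 * @returns {Record<string, string>} Parsed variables (null-prototype object,
 *   so keys such as `constructor` cannot collide with Object.prototype).
 */
function loadEnvFile(filePath) {
  const vars = Object.create(null);
  if (!existsSync(filePath)) {
    return vars;
  }
  for (const rawLine of readFileSync(filePath, 'utf8').split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) {
      continue;
    }
    const match = line.match(/^([^=]+)=(.*)$/);
    if (!match) {
      continue;
    }
    const key = match[1].trim();
    const value = match[2].trim().replace(/^['"]|['"]$/g, '');
    vars[key] = value;
  }
  return vars;
}

// Load environment variables
const env = loadEnvFile(join(homedir(), '.env'));

// `||` (not `??`) on purpose: an empty `UNIFI_UDM_URL=` line falls back to the default.
const UDM_PRO_URL = env.UNIFI_UDM_URL || 'https://192.168.0.1';
const API_KEY = env.UNIFI_API_KEY || '';
const SITE_ID = env.UNIFI_SITE_ID || 'default';

/**
 * Print a timestamped line to stdout. Callers must not pass secrets
 * (API_KEY) through here; the output may end up in CI logs.
 *
 * @param {string} message - Text to print.
 */
const log = (message) => {
  const timestamp = new Date().toISOString();
  console.log(`[${timestamp}] ${message}`);
};

// Reference VLAN plan: name → VLAN id and subnet. Not consumed by main() yet;
// controller-side network IDs are resolved by name at run time (networkIdMap).
const NETWORKS = {
  'MGMT-LAN': { vlanId: 11, subnet: '192.168.11.0/24' },
  'BESU-VAL': { vlanId: 110, subnet: '10.110.0.0/24' },
  'BESU-SEN': { vlanId: 111, subnet: '10.111.0.0/24' },
  'BESU-RPC': { vlanId: 112, subnet: '10.112.0.0/24' },
  'BLOCKSCOUT': { vlanId: 120, subnet: '10.120.0.0/24' },
  'CACTI': { vlanId: 121, subnet: '10.121.0.0/24' },
  'CCIP-OPS': { vlanId: 130, subnet: '10.130.0.0/24' },
  'CCIP-COMMIT': { vlanId: 132, subnet: '10.132.0.0/24' },
  'CCIP-EXEC': { vlanId: 133, subnet: '10.133.0.0/24' },
  'CCIP-RMN': { vlanId: 134, subnet: '10.134.0.0/24' },
  'FABRIC': { vlanId: 140, subnet: '10.140.0.0/24' },
  'FIREFLY': { vlanId: 141, subnet: '10.141.0.0/24' },
  'INDY': { vlanId: 150, subnet: '10.150.0.0/24' },
  'SANKOFA-SVC': { vlanId: 160, subnet: '10.160.0.0/22' },
  'PHX-SOV-SMOM': { vlanId: 200, subnet: '10.200.0.0/20' },
  'PHX-SOV-ICCC': { vlanId: 201, subnet: '10.201.0.0/20' },
  'PHX-SOV-DBIS': { vlanId: 202, subnet: '10.202.0.0/24' },
  'PHX-SOV-AR': { vlanId: 203, subnet: '10.203.0.0/20' },
};

/**
 * Send a JSON request to the UDM Pro integration API.
 *
 * @param {string} path - Request path, resolved against UDM_PRO_URL.
 * @param {string} [method='GET'] - HTTP method.
 * @param {object|null} [data=null] - Request body, serialised as JSON when
 *   not null/undefined.
 * @returns {Promise<any>} Parsed JSON body of a 2xx response. When a 2xx
 *   body is not valid JSON, resolves with `{ data: rawBody, status }`.
 * @throws {Error} Rejects on transport errors and on non-2xx status codes;
 *   the message carries the status and a truncated body, never the API key.
 */
function makeRequest(path, method = 'GET', data = null) {
  return new Promise((resolve, reject) => {
    const url = new URL(path, UDM_PRO_URL);
    const options = {
      hostname: url.hostname,
      port: url.port || 443,
      path: url.pathname + url.search,
      method,
      headers: {
        'X-API-KEY': API_KEY,
        'Content-Type': 'application/json',
      },
      // The UDM Pro ships a self-signed certificate, so verification is
      // disabled. That means the API key is sent to whatever answers at
      // UDM_PRO_URL; run this only over a trusted management path, and
      // prefer trusting the gateway's certificate and dropping this option.
      rejectUnauthorized: false,
    };
    const req = https.request(options, (res) => {
      // Collect raw chunks; decoding once avoids splitting multi-byte characters.
      const chunks = [];
      res.on('data', (chunk) => chunks.push(chunk));
      res.on('end', () => {
        const body = Buffer.concat(chunks).toString('utf8');
        const status = res.statusCode ?? 0;
        if (status < 200 || status >= 300) {
          // Surface auth/permission failures instead of returning their
          // error payload as if it were a successful response.
          reject(new Error(`HTTP ${status} from ${method} ${url.pathname}: ${body.slice(0, 200)}`));
          return;
        }
        try {
          resolve(JSON.parse(body));
        } catch {
          resolve({ data: body, status });
        }
      });
    });
    req.on('error', reject);
    if (data != null) {
      req.write(JSON.stringify(data));
    }
    req.end();
  });
}

/**
 * Fetch the site's networks.
 *
 * @returns {Promise<object[]>} Network objects from the controller, or an
 *   empty array when the request fails or the response carries no array.
 */
async function getNetworks() {
  log('📋 Fetching network list...');
  try {
    const response = await makeRequest(`/proxy/network/integration/v1/sites/${SITE_ID}/networks`);
    if (!Array.isArray(response?.data)) {
      // A 2xx non-JSON body (e.g. an HTML page) resolves with a string `data`.
      log('⚠️ Network list response did not contain an array; treating as empty');
      return [];
    }
    return response.data;
  } catch (error) {
    log(`❌ Error fetching networks: ${error.message}`);
    return [];
  }
}

/**
 * Create one firewall rule on the controller.
 *
 * @param {object} rule - Rule payload; `rule.name` is used for logging.
 * @returns {Promise<boolean>} True when the controller reported `meta.rc === 'ok'`.
 */
async function createFirewallRule(rule) {
  log(`🔧 Creating firewall rule: ${rule.name}...`);
  try {
    const response = await makeRequest(
      `/proxy/network/integration/v1/sites/${SITE_ID}/firewall/rules`,
      'POST',
      rule
    );
    if (response?.meta?.rc === 'ok') {
      log(` ✅ Rule created successfully`);
      return true;
    }
    log(` ⚠️ Response: ${JSON.stringify(response)}`);
    return false;
  } catch (error) {
    log(` ❌ Error: ${error.message}`);
    return false;
  }
}

/**
 * Entry point: validate configuration, list networks and print the
 * inter-VLAN rule plan. Exits with status 1 when UNIFI_API_KEY is missing.
 */
async function main() {
  log('🚀 Starting Inter-VLAN Firewall Rules Configuration');
  log(`UDM Pro URL: ${UDM_PRO_URL}`);
  log(`Site ID: ${SITE_ID}`);
  log('');

  if (!API_KEY) {
    log('❌ UNIFI_API_KEY not set. Please set it in ~/.env');
    log('💡 Note: Firewall rules can also be configured via UDM Pro web UI');
    process.exit(1);
  }

  // Get networks to find network IDs
  const networks = await getNetworks();
  log(`✅ Found ${networks.length} networks`);
  log('');

  // Build network ID map (name → controller _id). Names come from the
  // controller, so use a null-prototype object as the dictionary.
  const networkIdMap = Object.create(null);
  for (const net of networks) {
    if (net?.name) {
      networkIdMap[net.name] = net._id;
    }
  }

  log('📋 Firewall Rules to Create:');
  log('');
  log('1. Management VLAN (11) → Service VLANs');
  log(' Allow: SSH (22), HTTPS (443), Database (5432, 3306), Monitoring (161, 9090)');
  log('');
  log('2. Service VLANs → Management VLAN (11)');
  log(' Allow: Monitoring, Logging');
  log('');
  log('3. Sovereign Tenant Isolation');
  log(' Block: Inter-tenant communication');
  log('');
  log('⚠️ Note: Firewall rule creation via API may have limitations.');
  log('💡 For complete control, configure rules via UDM Pro web UI:');
  log(' Settings → Firewall & Security → Firewall Rules');
  log('');
  log('✅ Firewall rules configuration guide complete!');
  log('');
  log('📋 Manual Configuration Steps:');
  // Use the configured URL rather than a hard-coded address so the guide
  // matches the gateway this run actually talked to.
  log(` 1. Access UDM Pro: ${UDM_PRO_URL}`);
  log(' 2. Navigate: Settings → Firewall & Security → Firewall Rules');
  log(' 3. Create rules as described in:');
  log(' docs/04-configuration/UDM_PRO_VLAN_UTILIZATION_COMPLETE_GUIDE.md');
  log('');
}

// Report failures through the exit status so callers and CI notice them.
main().catch((error) => {
  console.error(error);
  process.exitCode = 1;
});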