package main

import (
	"crypto/tls"
	"encoding/base64"
	"flag"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

type ProxyServer struct {
	port     string
	username string
	password string
}

func (ps *ProxyServer) isAuthRequired() bool {
	return ps.username != "" && ps.password != ""
}

func (ps *ProxyServer) checkProxyAuth(r *http.Request) bool {
	if !ps.isAuthRequired() {
		return true
	}

	authHeader := r.Header.Get("Proxy-Authorization")
	const prefix = "Basic "
	if !strings.HasPrefix(authHeader, prefix) {
		return false
	}

	payload, err := base64.StdEncoding.DecodeString(authHeader[len(prefix):])
	if err != nil {
		return false
	}

	pair := strings.SplitN(string(payload), ":", 2)
	if len(pair) != 2 {
		return false
	}

	return pair[0] == ps.username && pair[1] == ps.password
}

func (ps *ProxyServer) requestHandler(w http.ResponseWriter, r *http.Request) {
	if !ps.checkProxyAuth(r) {
		w.Header().Set("Proxy-Authenticate", `Basic realm="Provide username and password"`)
		http.Error(w, "Proxy authentication required", http.StatusProxyAuthRequired)
		return
	}

	if r.Method == http.MethodConnect {
		handleTunneling(w, r)
	} else {
		handleHTTP(w, r)
	}
}

// Manages tunneling requests (used for HTTPS connections).
func handleTunneling(w http.ResponseWriter, r *http.Request) {
	logRequest(r)

	destConn, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
	if err != nil {
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	w.WriteHeader(http.StatusOK)

	// Hijack the connection to manage it at the TCP level
	hijacker, ok := w.(http.Hijacker)
	if !ok {
		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
		return
	}
	clientConn, _, err := hijacker.Hijack()
	if err != nil {
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}

	// Transfer data between client and destination
	go transfer(destConn, clientConn)
	go transfer(clientConn, destConn)
}

func transfer(destination io.WriteCloser, source io.ReadCloser) {
	defer destination.Close()
	defer source.Close()
	io.Copy(destination, source)
}

func handleHTTP(w http.ResponseWriter, req *http.Request) {
	logRequest(req)

	resp, err := http.DefaultTransport.RoundTrip(req)
	if err != nil {
		http.Error(w, err.Error(), http.StatusServiceUnavailable)
		return
	}
	defer resp.Body.Close()

	copyHeader(w.Header(), resp.Header)
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func copyHeader(dst, src http.Header) {
	for k, vv := range src {
		for _, v := range vv {
			dst.Add(k, v)
		}
	}
}

func logRequest(r *http.Request) {
	log.Printf("Method: %s, URL: %s", r.Method, r.URL.String())
}

func main() {
	var port, username, password string

	flag.StringVar(&port, "port", "3000", "Specify the port the proxy will run on")
	flag.StringVar(&username, "username", "", "Username for proxy authentication")
	flag.StringVar(&password, "password", "", "Password for proxy authentication")
	flag.Parse()

	if (username == "" && password != "") || (username != "" && password == "") {
		log.Fatal("Error: Both username and password must be provided, or neither should be.")
	}

	proxy := &ProxyServer{port: port, username: username, password: password}
	server := &http.Server{
		Addr:    ":" + proxy.port,
		Handler: http.HandlerFunc(proxy.requestHandler),
		// Disable HTTP/2 (https://github.com/golang/go/issues/14797#issuecomment-196103814)
		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
	}
	log.Printf("Starting proxy server on :%s\n", proxy.port)
	log.Fatal(server.ListenAndServe())
}