/* eslint-disable @typescript-eslint/no-var-requires, no-console */
require("dotenv").config();
const child_process = require("child_process");
const path = require("path");

const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses");
const builder = require("electron-builder");
const fse = require("fs-extra");

exports.default = run;

async function run(context) {
  console.log("## After pack");
  // console.log(context);

  if (context.packager.platform.nodeName !== "darwin" || context.arch === builder.Arch.universal) {
    await addElectronFuses(context);
  }

  if (context.electronPlatformName === "linux") {
    console.log("Creating memory-protection wrapper script");
    const appOutDir = context.appOutDir;
    const oldBin = path.join(appOutDir, context.packager.executableName);
    const newBin = path.join(appOutDir, "bitwarden-app");
    fse.moveSync(oldBin, newBin);
    console.log("Moved binary to bitwarden-app");

    const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");
    const wrapperBin = path.join(appOutDir, context.packager.executableName);
    fse.copyFileSync(wrapperScript, wrapperBin);
    fse.chmodSync(wrapperBin, "755");
    console.log("Copied memory-protection wrapper script");
  }

  if (["darwin", "mas"].includes(context.electronPlatformName)) {
    const is_mas = context.electronPlatformName === "mas";
    const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");

    let id;

    // Only use the Bitwarden Identities on CI
    if (process.env.GITHUB_ACTIONS === "true") {
      if (is_mas) {
        id = is_mas_dev
          ? "E7C9978F6FBCE0553429185C405E61F5380BE8EB"
          : "3rd Party Mac Developer Application: Bitwarden Inc";
      } else {
        id = "Developer ID Application: 8bit Solutions LLC";
      }
      // Locally, use the first valid code signing identity, unless CSC_NAME is set
    } else if (process.env.CSC_NAME) {
      id = process.env.CSC_NAME;
    } else {
      const identities = getIdentities();
      if (identities.length === 0) {
        throw new Error("No valid identities found");
      }
      id = identities[0].id;
    }

    console.log(
      `Signing proxy binary before the main bundle, using identity '${id}', for build ${context.electronPlatformName}`,
    );

    const appName = context.packager.appInfo.productFilename;
    const appPath = `${context.appOutDir}/${appName}.app`;
    const proxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy");
    const inheritProxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy.inherit");

    const packageId = "com.bitwarden.desktop";

    if (is_mas) {
      const entitlementsName = "entitlements.desktop_proxy.plist";
      const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
      child_process.execSync(
        `codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
      );

      const inheritEntitlementsName = "entitlements.desktop_proxy.inherit.plist";
      const inheritEntitlementsPath = path.join(
        __dirname,
        "..",
        "resources",
        inheritEntitlementsName,
      );
      child_process.execSync(
        `codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${inheritEntitlementsPath} ${inheritProxyPath}`,
      );
    } else {
      // For non-Appstore builds, we don't need the inherit binary as they are not sandboxed,
      // but we sign and include it anyway for consistency. It should be removed once DDG supports the proxy directly.
      const entitlementsName = "entitlements.mac.plist";
      const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
      child_process.execSync(
        `codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
      );
      child_process.execSync(
        `codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${inheritProxyPath}`,
      );
    }
  }
}

// Partially based on electron-builder code:
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts

const appleCertificatePrefixes = [
  "Developer ID Application:",
  // "Developer ID Installer:",
  // "3rd Party Mac Developer Application:",
  // "3rd Party Mac Developer Installer:",
  "Apple Development:",
];

function getIdentities() {
  const ids = child_process
    .execSync("/usr/bin/security find-identity -v -p codesigning")
    .toString();

  return ids
    .split("\n")
    .filter((line) => {
      for (const prefix of appleCertificatePrefixes) {
        if (line.includes(prefix)) {
          return true;
        }
      }
      return false;
    })
    .map((line) => {
      const split = line.trim().split(" ");
      const id = split[1];
      const name = split.slice(2).join(" ").replace(/"/g, "");
      return { id, name };
    });
}

/**
 * @param {import("electron-builder").AfterPackContext} context
 */
async function addElectronFuses(context) {
  const platform = context.packager.platform.nodeName;

  const ext = {
    darwin: ".app",
    win32: ".exe",
    linux: "",
  }[platform];

  const IS_LINUX = platform === "linux";
  const executableName = IS_LINUX
    ? context.packager.appInfo.productFilename.toLowerCase().replace("-dev", "").replace(" ", "-")
    : context.packager.appInfo.productFilename; // .toLowerCase() to accomodate Linux file named `name` but productFileName is `Name` -- Replaces '-dev' because on Linux the executable name is `name` even for the DEV builds

  const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);

  console.log("## Adding fuses to the electron binary", electronBinaryPath);

  await flipFuses(electronBinaryPath, {
    version: FuseVersion.V1,
    strictlyRequireAllFuses: true,
    resetAdHocDarwinSignature: platform === "darwin" && context.arch === builder.Arch.universal,

    // List of fuses and their default values is available at:
    // https://www.electronjs.org/docs/latest/tutorial/fuses

    [FuseV1Options.RunAsNode]: false,
    [FuseV1Options.EnableCookieEncryption]: true,
    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
    [FuseV1Options.EnableNodeCliInspectArguments]: false,

    // Currently, asar integrity is only implemented for macOS and Windows
    // https://www.electronjs.org/docs/latest/tutorial/asar-integrity
    // On macOS, it works by default, but on Windows it requires the
    // asarIntegrity feature of electron-builder v25, currently in alpha
    // https://github.com/electron-userland/electron-builder/releases/tag/v25.0.0-alpha.10
    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: platform === "darwin",

    [FuseV1Options.OnlyLoadAppFromAsar]: true,

    // App refuses to open when enabled
    [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,

    // To disable this, we should stop using the file:// protocol to load the app bundle
    // This can be done by defining a custom app:// protocol and loading the bundle from there,
    // but then any requests to the server will be blocked by CORS policy
    [FuseV1Options.GrantFileProtocolExtraPrivileges]: true,
  });
}