/* 
   Unix SMB/CIFS implementation.

   http handling code

   Copyright (C) Andrew Tridgell 2005
   
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.
   
   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.
   
   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/

#include "includes.h"
#include "smbd/service_task.h"
#include "web_server/web_server.h"
#include "smbd/service_stream.h"
#include "smbd/service.h"
#include "lib/events/events.h"
#include "system/time.h"
#include "lib/appweb/esp/esp.h"
#include "lib/appweb/ejs/ejsInternal.h"
#include "lib/util/dlinklist.h"
#include "lib/tls/tls.h"
#include "scripting/ejs/smbcalls.h"

#define SWAT_SESSION_KEY "SwatSessionId"
#define HTTP_PREAUTH_URI "/scripting/preauth.esp"
#define JSONRPC_REQUEST "/services"
#define JSONRPC_SERVER "/request.esp"

/* state of the esp subsystem for a specific request */
struct esp_state {
	struct websrv_context *web;
	struct EspRequest *req;
	struct MprVar variables[ESP_OBJ_MAX];
	struct session_data *session;
};

/*
  output the http headers
*/
static void http_output_headers(struct websrv_context *web)
{
	int i;
	char *s;
	DATA_BLOB b;
	uint32_t content_length = 0;
	const char *response_string = "Unknown Code";
	const struct {
		unsigned code;
		const char *response_string;
	} codes[] = {
		{ 200, "OK" },
		{ 301, "Moved" },
		{ 302, "Found" },
		{ 303, "Method" },
		{ 304, "Not Modified" },
		{ 400, "Bad request" },
		{ 401, "Unauthorized" },
		{ 403, "Forbidden" },
		{ 404, "Not Found" },
		{ 500, "Internal Server Error" },
		{ 501, "Not implemented" }
	};
	for (i=0;i<ARRAY_SIZE(codes);i++) {
		if (codes[i].code == web->output.response_code) {
			response_string = codes[i].response_string;
		}
	}

	if (web->output.headers == NULL) return;
	s = talloc_asprintf(web, "HTTP/1.0 %u %s\r\n", 
			    web->output.response_code, response_string);
	if (s == NULL) return;
	for (i=0;web->output.headers[i];i++) {
		s = talloc_asprintf_append(s, "%s\r\n", web->output.headers[i]);
	}

	/* work out the content length */
	content_length = web->output.content.length;
	if (web->output.fd != -1) {
		struct stat st;
		fstat(web->output.fd, &st);
		content_length += st.st_size;
	}
	s = talloc_asprintf_append(s, "Content-Length: %u\r\n\r\n", content_length);
	if (s == NULL) return;

	b = web->output.content;
	web->output.content = data_blob_string_const(s);
	data_blob_append(web, &web->output.content, b.data, b.length);
	data_blob_free(&b);
}

/*
  return the local path for a URL
*/
static const char *http_local_path(struct websrv_context *web,
                                   const char *url,
                                   const char *base_dir)
{
	int i;
	char *path;

	/* check that the url is OK */
	if (url[0] != '/') return NULL;

	for (i=0;url[i];i++) {
		if ((!isalnum((unsigned char)url[i]) && !strchr("./_-", url[i])) ||
		    (url[i] == '.' && strchr("/.", url[i+1]))) {
			return NULL;
		}
	}

	path = talloc_asprintf(web, "%s/%s", base_dir, url+1);
	if (path == NULL) return NULL;

	if (directory_exist(path)) {
		path = talloc_asprintf_append(path, "/index.esp");
	}
	return path;
}

/*
  called when esp wants to read a file to support include() calls
*/
static int http_readFile(EspHandle handle,
                         char **buf,
                         int *len,
                         const char *path,
                         const char *base_dir)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	int fd = -1;
	struct stat st;
	*buf = NULL;

	path = http_local_path(web, path, base_dir);
	if (path == NULL) goto failed;

	fd = open(path, O_RDONLY);
	if (fd == -1 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) goto failed;

	*buf = talloc_size(handle, st.st_size+1);
	if (*buf == NULL) goto failed;

	if (read(fd, *buf, st.st_size) != st.st_size) goto failed;

	(*buf)[st.st_size] = 0;

	close(fd);
	*len = st.st_size;
	return 0;

failed:
	DEBUG(0,("Failed to read file %s - %s\n", path, strerror(errno)));
	if (fd != -1) close(fd);
	talloc_free(*buf);
	*buf = NULL;
	return -1;
}

static int http_readFileFromSwatDir(EspHandle handle,
                                    char **buf,
                                    int *len,
                                    const char *path)
{
    return http_readFile(handle, buf, len, path, lp_swat_directory());
}



/*
  called when esp wants to find the real path of a file
*/
static int http_mapToStorage(EspHandle handle, char *path, int len, const char *uri, int flags)
{
	if (uri == NULL || strlen(uri) >= len) return -1;
	strncpy(path, uri, len);
	return 0;
}

/*
  called when esp wants to output something
*/
static int http_writeBlock(EspHandle handle, const char *buf, int size)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	NTSTATUS status;
	status = data_blob_append(web, &web->output.content, buf, size);
	if (!NT_STATUS_IS_OK(status)) return -1;
	return size;
}


/*
  set a http header
*/
static void http_setHeader(EspHandle handle, const char *value, bool allowMultiple)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	char *p = strchr(value, ':');

	if (p && !allowMultiple && web->output.headers) {
		int i;
		for (i=0;web->output.headers[i];i++) {
			if (strncmp(web->output.headers[i], value, (p+1)-value) == 0) {
				web->output.headers[i] = talloc_strdup(web, value);
				return;
			}
		}
	}

	web->output.headers = str_list_add(web->output.headers, value);
	talloc_steal(web, web->output.headers);
}

/*
  set a http response code
*/
static void http_setResponseCode(EspHandle handle, int code)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	web->output.response_code = code;
}

/*
  redirect to another web page
 */
static void http_redirect(EspHandle handle, int code, char *url)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	const char *host = web->input.host;
	
	/* form the full url, unless it already looks like a url */
	if (strchr(url, ':') == NULL) {
		if (host == NULL) {
			struct socket_address *socket_address = socket_get_my_addr(web->conn->socket, web);
			if (socket_address == NULL) goto internal_error;
			host = talloc_asprintf(web, "%s:%u",
					       socket_address->addr, socket_address->port);
		}
		if (host == NULL) goto internal_error;
		if (url[0] != '/') {
			char *p = strrchr(web->input.url, '/');
			if (p == web->input.url) {
				url = talloc_asprintf(web, "http%s://%s/%s", 
						      tls_enabled(web->conn->socket)?"s":"",
						      host, url);
			} else {
				int dirlen = p - web->input.url;
				url = talloc_asprintf(web, "http%s://%s%*.*s/%s",
						      tls_enabled(web->conn->socket)?"s":"",
						      host, 
						      dirlen, dirlen, web->input.url,
						      url);
			}
			if (url == NULL) goto internal_error;
		}
	}

	http_setHeader(handle, talloc_asprintf(web, "Location: %s", url), 0);

	/* make sure we give a valid redirect code */
	if (code >= 300 && code < 400) {
		http_setResponseCode(handle, code);
	} else {
		http_setResponseCode(handle, 302);
	}
	return;

internal_error:
	http_error(web, 500, "Internal server error");
}


/*
  setup a cookie
*/
static void http_setCookie(EspHandle handle, const char *name, const char *value, 
			   int lifetime, const char *path, bool secure)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	char *buf;
	
	if (lifetime > 0) {
		buf = talloc_asprintf(web, "Set-Cookie: %s=%s; path=%s; Expires=%s; %s",
				      name, value, path?path:"/", 
				      http_timestring(web, time(NULL)+lifetime),
				      secure?"secure":"");
	} else {
		buf = talloc_asprintf(web, "Set-Cookie: %s=%s; path=%s; %s",
				      name, value, path?path:"/", 
				      secure?"secure":"");
	}
	http_setHeader(handle, "Cache-control: no-cache=\"set-cookie\"", 0);
	http_setHeader(handle, buf, 0);
	talloc_free(buf);
}

/*
  return the session id
*/
static const char *http_getSessionId(EspHandle handle)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	return web->session->id;
}

/*
  setup a session
*/
static void http_createSession(EspHandle handle, int timeout)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	if (web->session) {
		web->session->lifetime = timeout;
		http_setCookie(web, SWAT_SESSION_KEY, web->session->id, 
			       web->session->lifetime, "/", 0);
	}
}

/*
  destroy a session
*/
static void http_destroySession(EspHandle handle)
{
	struct websrv_context *web = talloc_get_type(handle, struct websrv_context);
	talloc_free(web->session);
	web->session = NULL;
}


/*
  setup for a raw http level error
*/
void http_error(struct websrv_context *web, int code, const char *info)
{
	char *s;
	s = talloc_asprintf(web,"<HTML><HEAD><TITLE>Error %u</TITLE></HEAD><BODY><H1>Error %u</H1><pre>%s</pre><p></BODY></HTML>\r\n\r\n", 
			    code, code, info);
	if (s == NULL) {
		stream_terminate_connection(web->conn, "http_error: out of memory");
		return;
	}
	http_writeBlock(web, s, strlen(s));
	http_setResponseCode(web, code);
	http_output_headers(web);
	EVENT_FD_NOT_READABLE(web->conn->event.fde);
	EVENT_FD_WRITEABLE(web->conn->event.fde);
	web->output.output_pending = True;
}

/*
  map a unix error code to a http error
*/
void http_error_unix(struct websrv_context *web, const char *info)
{
	int code = 500;
	switch (errno) {
	case ENOENT:
	case EISDIR:
		code = 404;
		break;
	case EACCES:
		code = 403;
		break;
	}
	info = talloc_asprintf(web, "%s<p>%s<p>\n", info, strerror(errno));
	http_error(web, code, info);
}


/*
  a simple file request
*/
static void http_simple_request(struct websrv_context *web)
{
	const char *url = web->input.url;
	const char *path;
	struct stat st;

	path = http_local_path(web, url, lp_swat_directory());
	if (path == NULL) goto invalid;

	/* looks ok */
	web->output.fd = open(path, O_RDONLY);
	if (web->output.fd == -1) {
		DEBUG(0,("Failed to read file %s - %s\n", path, strerror(errno)));
		http_error_unix(web, path);
		return;
	}

	if (fstat(web->output.fd, &st) != 0 || !S_ISREG(st.st_mode)) {
		close(web->output.fd);
		goto invalid;
	}

	return;

invalid:
	http_error(web, 400, "Malformed URL");
}

/*
  setup the standard ESP arrays
*/
static void http_setup_arrays(struct esp_state *esp)
{
	struct websrv_context *web = esp->web;
	struct esp_data *edata = talloc_get_type(web->task->private, struct esp_data);
	struct EspRequest *req = esp->req;
	struct socket_address *socket_address = socket_get_my_addr(web->conn->socket, esp);
	struct socket_address *peer_address = socket_get_peer_addr(web->conn->socket, esp);
	char *p;

#define SETVAR(type, name, value) do { \
		const char *v = value; \
		if (v) espSetStringVar(req, type, name, v); \
} while (0)

	SETVAR(ESP_REQUEST_OBJ, "CONTENT_LENGTH", 
	       talloc_asprintf(esp, "%u", web->input.content_length));
	SETVAR(ESP_REQUEST_OBJ, "QUERY_STRING", web->input.query_string);
	SETVAR(ESP_REQUEST_OBJ, "POST_DATA",
               talloc_strndup(esp,
                              web->input.partial.data,
                              web->input.partial.length));
	SETVAR(ESP_REQUEST_OBJ, "REQUEST_METHOD", web->input.post_request?"POST":"GET");
	SETVAR(ESP_REQUEST_OBJ, "REQUEST_URI", web->input.url);
	p = strrchr(web->input.url, '/');
	SETVAR(ESP_REQUEST_OBJ, "SCRIPT_NAME", p+1);
	SETVAR(ESP_REQUEST_OBJ, "SCRIPT_FILENAME", web->input.url);
	if (peer_address) {
		struct MprVar mpv = mprObject("socket_address");
		mprSetPtrChild(&mpv, "socket_address", peer_address);
		espSetVar(req, ESP_REQUEST_OBJ, "REMOTE_SOCKET_ADDRESS", mpv);
		SETVAR(ESP_REQUEST_OBJ, "REMOTE_ADDR", peer_address->addr);
	}
	p = socket_get_peer_name(web->conn->socket, esp);
	SETVAR(ESP_REQUEST_OBJ, "REMOTE_HOST", p);
	SETVAR(ESP_REQUEST_OBJ, "REMOTE_USER", "");
	SETVAR(ESP_REQUEST_OBJ, "CONTENT_TYPE", web->input.content_type);
	if (web->session) {
		SETVAR(ESP_REQUEST_OBJ, "SESSION_ID", web->session->id);
	}
	SETVAR(ESP_REQUEST_OBJ, "COOKIE_SUPPORT", web->input.cookie?"True":"False");

	SETVAR(ESP_HEADERS_OBJ, "HTT_REFERER", web->input.referer);
	SETVAR(ESP_HEADERS_OBJ, "HOST", web->input.host);
	SETVAR(ESP_HEADERS_OBJ, "ACCEPT_ENCODING", web->input.accept_encoding);
	SETVAR(ESP_HEADERS_OBJ, "ACCEPT_LANGUAGE", web->input.accept_language);
	SETVAR(ESP_HEADERS_OBJ, "ACCEPT_CHARSET", web->input.accept_charset);
	SETVAR(ESP_HEADERS_OBJ, "COOKIE", web->input.cookie);
	SETVAR(ESP_HEADERS_OBJ, "USER_AGENT", web->input.user_agent);

	if (socket_address) {
		SETVAR(ESP_SERVER_OBJ, "SERVER_ADDR", socket_address->addr);
		SETVAR(ESP_SERVER_OBJ, "SERVER_NAME", socket_address->addr);
		SETVAR(ESP_SERVER_OBJ, "SERVER_HOST", socket_address->addr);
		SETVAR(ESP_SERVER_OBJ, "SERVER_PORT", 
		       talloc_asprintf(esp, "%u", socket_address->port));
	}

	SETVAR(ESP_SERVER_OBJ, "DOCUMENT_ROOT", lp_swat_directory());
	SETVAR(ESP_SERVER_OBJ, "SERVER_PROTOCOL", tls_enabled(web->conn->socket)?"https":"http");
	SETVAR(ESP_SERVER_OBJ, "SERVER_SOFTWARE", "SWAT");
	SETVAR(ESP_SERVER_OBJ, "GATEWAY_INTERFACE", "CGI/1.1");
	SETVAR(ESP_SERVER_OBJ, "TLS_SUPPORT", tls_support(edata->tls_params)?"True":"False");
}

#if HAVE_SETJMP_H
/* the esp scripting lirary generates exceptions when
   it hits a major error. We need to catch these and
   report a internal server error via http
*/
#include <setjmp.h>
static jmp_buf ejs_exception_buf;
static const char *exception_reason;

static void web_server_ejs_exception(const char *reason)
{
	Ejs *ep = ejsPtr(0);
	if (ep) {
		ejsSetErrorMsg(0, "%s", reason);
		exception_reason = ep->error;
	} else {
		exception_reason = reason;
	}
	DEBUG(0,("%s", exception_reason));
	longjmp(ejs_exception_buf, -1);
}
#else
static void web_server_ejs_exception(const char *reason)
{
	DEBUG(0,("%s", reason));
	smb_panic(reason);
}
#endif

/*
  process a esp request
*/
static void esp_request(struct esp_state *esp, const char *url)
{
	struct websrv_context *web = esp->web;
	int size;
	int res;
	char *emsg = NULL, *buf;

	if (http_readFile(web, &buf, &size, url, lp_swat_directory()) != 0) {
		http_error_unix(web, url);
		return;
	}

#if HAVE_SETJMP_H
	if (setjmp(ejs_exception_buf) != 0) {
		http_error(web, 500, exception_reason);
		return;
	}
#endif

	res = espProcessRequest(esp->req, url, buf, &emsg);
	if (res != 0 && emsg) {
		http_writeBlock(web, "<pre>", 5);
		http_writeBlock(web, emsg, strlen(emsg));
		http_writeBlock(web, "</pre>", 6);
	}
	talloc_free(buf);
}

/*
  process a JSON RPC request
*/
static void jsonrpc_request(struct esp_state *esp)
{
	struct websrv_context *web = esp->web;
	const char *path = http_local_path(web,
                                           JSONRPC_SERVER,
                                           lp_jsonrpc_services_dir());
        MprVar *global;
        MprVar v;
        MprVar temp;
	int size;
	int res;
	char *emsg = NULL;
	char *emsg2 = NULL;
        char *buf;
        char *error_script =
                "error.setOrigin(jsonrpc.Constant.ErrorOrigin.Server); "
                "error.setError(jsonrpc.Constant.ErrorCode.UnexpectedOutput, "
                "               global.errorString);"
                "error.Send();";

        /* Ensure we got a valid path. */
	if (path == NULL) {
                /* should never occur */
		http_error(esp->web, 500, "Internal server error");
		return;
	}

        /* Ensure that the JSON-RPC server request script exists */
	if (!file_exist(path)) {
		http_error_unix(esp->web, path);
		return;
	}

        /* Call the server request script */
	if (http_readFile(web, &buf, &size,
                          JSONRPC_SERVER, lp_jsonrpc_services_dir()) != 0) {
		http_error_unix(web, JSONRPC_SERVER);
		return;
	}

#if HAVE_SETJMP_H
	if (setjmp(ejs_exception_buf) != 0) {
		http_error(web, 500, exception_reason);
		return;
	}
#endif

	res = espProcessRequest(esp->req, JSONRPC_SERVER, buf, &emsg);
	if (res != 0 && emsg) {
                /* Save the error in a string accessible from javascript */
                global = ejsGetGlobalObject(0);
                v = mprString(emsg);
                mprCreateProperty(global, "errorString", &v);

                /* Create and send a JsonRpcError object */
                if (ejsEvalScript(0,
                                  error_script,
                                  &temp,
                                  &emsg2) != 0) {
                        http_writeBlock(web, "<pre>", 5);
                        http_writeBlock(web, emsg, strlen(emsg));
                        http_writeBlock(web, "</pre>", 6);
                }
	}
	talloc_free(buf);
}

/*
  perform pre-authentication on every page if /scripting/preauth.esp
  exists.  If this script generates any non-whitepace output at all,
  then we don't run the requested URL.

  note that the preauth is run even for static pages such as images, but not
  for JSON-RPC service requests which do their own authentication via the
  JSON-RPC server.
*/
static BOOL http_preauth(struct esp_state *esp)
{
	const char *path = http_local_path(esp->web,
                                           HTTP_PREAUTH_URI,
                                           lp_swat_directory());
	int i;
	if (path == NULL) {
		http_error(esp->web, 500, "Internal server error");
		return False;
	}
	if (!file_exist(path)) {
		/* if the preath script is not installed then allow access */
		return True;
	}
	esp_request(esp, HTTP_PREAUTH_URI);
	for (i=0;i<esp->web->output.content.length;i++) {
		if (!isspace(esp->web->output.content.data[i])) {
			/* if the preauth has generated content, then force it
			   to be html, so that we can show the login page for
			   failed access to images */
			http_setHeader(esp->web, "Content-Type: text/html", 0);
			return False;
		}
	}
	data_blob_free(&esp->web->output.content);
	return True;
}


/* 
   handling of + and % escapes in http variables 
*/
static const char *http_unescape(TALLOC_CTX *mem_ctx, const char *p)
{
	char *s0 = talloc_strdup(mem_ctx, p);
	char *s = s0;
	if (s == NULL) return NULL;

	while (*s) {
		unsigned v;
		if (*s == '+') *s = ' ';
		if (*s == '%' && sscanf(s+1, "%02x", &v) == 1) {
			*s = (char)v;
			memmove(s+1, s+3, strlen(s+3)+1);
		}
		s++;
	}

	return s0;
}

/*
  set a form or GET variable
*/
static void esp_putvar(struct esp_state *esp, const char *var, const char *value)
{
	if (strcasecmp(var, SWAT_SESSION_KEY) == 0) {
		/* special case support for browsers without cookie
		 support */
		esp->web->input.session_key = talloc_strdup(esp, value);
	} else {
		mprSetPropertyValue(&esp->variables[ESP_FORM_OBJ], 
				    http_unescape(esp, var),
				    mprCreateStringVar(http_unescape(esp, value), 0));
	}
}


/*
  parse the variables in a POST style request
*/
static NTSTATUS http_parse_post(struct esp_state *esp)
{
	DATA_BLOB b = esp->web->input.partial;

	while (b.length) {
		char *p, *line;
		size_t len;

		p = memchr(b.data, '&', b.length);
		if (p == NULL) {
			len = b.length;
		} else {
			len = p - (char *)b.data;
		}
		line = talloc_strndup(esp, (char *)b.data, len);
		NT_STATUS_HAVE_NO_MEMORY(line);
				     
		p = strchr(line,'=');
		if (p) {
			*p = 0;
			esp_putvar(esp, line, p+1);
		}
		talloc_free(line);
		b.length -= len;
		b.data += len;
		if (b.length > 0) {
			b.length--;
			b.data++;
		}
	}

	return NT_STATUS_OK;
}

/*
  parse the variables in a GET style request
*/
static NTSTATUS http_parse_get(struct esp_state *esp)
{
	struct websrv_context *web = esp->web;
	char *p, *s, *tok;
	char *pp;

	p = strchr(web->input.url, '?');
	web->input.query_string = p+1;
	*p = 0;

	s = talloc_strdup(esp, esp->web->input.query_string);
	NT_STATUS_HAVE_NO_MEMORY(s);

	for (tok=strtok_r(s,"&;", &pp);tok;tok=strtok_r(NULL,"&;", &pp)) {
		p = strchr(tok,'=');
		if (p) {
			*p = 0;
			esp_putvar(esp, tok, p+1);
		}
	}
	return NT_STATUS_OK;
}

/*
  called when a session times out
*/
static void session_timeout(struct event_context *ev, struct timed_event *te, 
			    struct timeval t, void *private)
{
	struct session_data *s = talloc_get_type(private, struct session_data);
	talloc_free(s);
}

/*
  destroy a session
 */
static int session_destructor(struct session_data *s)
{
	DLIST_REMOVE(s->edata->sessions, s);
	return 0;
}

/*
  setup the session for this request
*/
static void http_setup_session(struct esp_state *esp)
{
	const char *session_key = SWAT_SESSION_KEY;
	char *p;
	const char *cookie = esp->web->input.cookie;
	const char *key = NULL;
	struct esp_data *edata = talloc_get_type(esp->web->task->private, struct esp_data);
	struct session_data *s;
	BOOL generated_key = False;

	/* look for our session key */
	if (cookie && (p = strstr(cookie, session_key)) && 
	    p[strlen(session_key)] == '=') {
		p += strlen(session_key)+1;
		key = talloc_strndup(esp, p, strcspn(p, ";"));
	}

	if (key == NULL && esp->web->input.session_key) {
		key = esp->web->input.session_key;
	} else if (key == NULL) {
		key = generate_random_str_list(esp, 16, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ");
		generated_key = True;
	}

	/* try to find this session in the existing session list */
	for (s=edata->sessions;s;s=s->next) {
		if (strcmp(key, s->id) == 0) {
			break;
		}
	}

	if (s == NULL) {
		/* create a new session */
		s = talloc_zero(edata, struct session_data);
		s->id = talloc_steal(s, key);
		s->data = NULL;
		s->te = NULL;
		s->edata = edata;
		s->lifetime = lp_parm_int(-1, "web", "sessiontimeout", 900);
		DLIST_ADD(edata->sessions, s);
		talloc_set_destructor(s, session_destructor);
		if (!generated_key) {
			mprSetPropertyValue(&esp->variables[ESP_REQUEST_OBJ], 
					    "SESSION_EXPIRED", mprCreateStringVar("True", 0));
		}
	}

	http_setCookie(esp->web, session_key, key, s->lifetime, "/", 0);

	if (s->data) {
		mprCopyVar(&esp->variables[ESP_SESSION_OBJ], s->data, MPR_DEEP_COPY);
	}

	esp->web->session = s;
}


/* callbacks for esp processing */
static const struct Esp esp_control = {
	.maxScriptSize   = 60000,
	.writeBlock      = http_writeBlock,
	.setHeader       = http_setHeader,
	.redirect        = http_redirect,
	.setResponseCode = http_setResponseCode,
	.readFile        = http_readFileFromSwatDir,
	.mapToStorage    = http_mapToStorage,
	.setCookie       = http_setCookie,
	.createSession   = http_createSession,
	.destroySession  = http_destroySession,
	.getSessionId    = http_getSessionId
};

/*
  process a complete http request
*/
void http_process_input(struct websrv_context *web)
{
	NTSTATUS status;
	struct esp_state *esp = NULL;
	struct esp_data *edata = talloc_get_type(web->task->private, struct esp_data);
	struct smbcalls_context *smbcalls_ctx;
	char *p;
	void *save_mpr_ctx = mprMemCtx();
	void *ejs_save = ejs_save_state();
	int i;
	const char *file_type = NULL;
        enum page_type {
                page_type_simple,
                page_type_esp,
                page_type_jsonrpc
        };
        enum page_type page_type;
	const struct {
		const char *extension;
		const char *mime_type;
                enum page_type page_type;
	} mime_types[] = {
		{"gif",  "image/gif"},
		{"png",  "image/png"},
		{"jpg",  "image/jpeg"},
		{"txt",  "text/plain"},
		{"ico",  "image/x-icon"},
		{"css",  "text/css"},
		{"esp",  "text/html", True}
	};

	/*
	 * give the smbcalls a chance to find the event context
	 * and messaging context 
	 */
	smbcalls_ctx = talloc(web, struct smbcalls_context);
	if (smbcalls_ctx == NULL) goto internal_error;
	smbcalls_ctx->event_ctx = web->conn->event.ctx;
	smbcalls_ctx->msg_ctx = web->conn->msg_ctx;

	esp = talloc_zero(smbcalls_ctx, struct esp_state);
	if (esp == NULL) goto internal_error;

	esp->web = web;

	mprSetCtx(esp);

	if (espOpen(&esp_control) != 0) goto internal_error;

	for (i=0;i<ARRAY_SIZE(esp->variables);i++) {
		esp->variables[i] = mprCreateUndefinedVar();
	}
	esp->variables[ESP_HEADERS_OBJ]     = mprCreateObjVar("headers", ESP_HASH_SIZE);
	esp->variables[ESP_FORM_OBJ]        = mprCreateObjVar("form", ESP_HASH_SIZE);
	esp->variables[ESP_APPLICATION_OBJ] = mprCreateObjVar("application", ESP_HASH_SIZE);
	esp->variables[ESP_COOKIES_OBJ]     = mprCreateObjVar("cookies", ESP_HASH_SIZE);
	esp->variables[ESP_FILES_OBJ]       = mprCreateObjVar("files", ESP_HASH_SIZE);
	esp->variables[ESP_REQUEST_OBJ]     = mprCreateObjVar("request", ESP_HASH_SIZE);
	esp->variables[ESP_SERVER_OBJ]      = mprCreateObjVar("server", ESP_HASH_SIZE);
	esp->variables[ESP_SESSION_OBJ]     = mprCreateObjVar("session", ESP_HASH_SIZE);

	if (edata->application_data) {
		mprCopyVar(&esp->variables[ESP_APPLICATION_OBJ], 
			   edata->application_data, MPR_DEEP_COPY);
	}

	smb_setup_ejs_functions(web_server_ejs_exception);

	if (web->input.url == NULL) {
		http_error(web, 400, "You must specify a GET or POST request");
		mprSetCtx(save_mpr_ctx);
		ejs_restore_state(ejs_save);
		return;
	}
	
	/* parse any form or get variables */
	if (web->input.post_request) {
		status = http_parse_post(esp);
		if (!NT_STATUS_IS_OK(status)) {
			http_error(web, 400, "Malformed POST data");
			mprSetCtx(save_mpr_ctx);
			ejs_restore_state(ejs_save);
			return;
		}
	} 
	if (strchr(web->input.url, '?')) {
		status = http_parse_get(esp);
		if (!NT_STATUS_IS_OK(status)) {
			http_error(web, 400, "Malformed GET data");
			mprSetCtx(save_mpr_ctx);
			ejs_restore_state(ejs_save);
			return;
		}
	}

	http_setup_session(esp);

	esp->req = espCreateRequest(web, web->input.url, esp->variables);
	if (esp->req == NULL) goto internal_error;

	/*
         * Work out the mime type.  First, we see if the request is a JSON-RPC
         * service request.  If not, we look at the extension.
         */
        if (strncmp(web->input.url,
                    JSONRPC_REQUEST,
                    sizeof(JSONRPC_REQUEST) - 1) == 0 &&
            (web->input.url[sizeof(JSONRPC_REQUEST) - 1] == '\0' ||
             web->input.url[sizeof(JSONRPC_REQUEST) - 1] == '/')) {
            page_type = page_type_jsonrpc;
            file_type = "text/json";
            
        } else {
            p = strrchr(web->input.url, '.');
            if (p == NULL) {
                    page_type = page_type_esp;
		    file_type = "text/html";
            }
            for (i=0;p && i<ARRAY_SIZE(mime_types);i++) {
		if (strcmp(mime_types[i].extension, p+1) == 0) {
                    page_type = mime_types[i].page_type;
                    file_type = mime_types[i].mime_type;
		}
            }
            if (file_type == NULL) {
                page_type = page_type_simple;
		file_type = "text/html";
            }
        }

	/* setup basic headers */
	http_setResponseCode(web, 200);
	http_setHeader(web, talloc_asprintf(esp, "Date: %s", 
					    http_timestring(esp, time(NULL))), 0);
	http_setHeader(web, "Server: Samba", 0);
	http_setHeader(web, "Connection: close", 0);
	http_setHeader(web, talloc_asprintf(esp, "Content-Type: %s", file_type), 0);

	http_setup_arrays(esp);

	/*
         * Do pre-authentication.  If pre-authentication succeeds, do
         * page-type-specific processing.
         */
        switch(page_type)
        {
        case page_type_simple:
                if (http_preauth(esp)) {
                        http_simple_request(web);
                }
                break;

        case page_type_esp:
                if (http_preauth(esp)) {
                        esp_request(esp, web->input.url);
                }
                break;

        case page_type_jsonrpc:
                jsonrpc_request(esp);
                break;
        }

	if (web->conn == NULL) {
		/* the connection has been terminated above us, probably
		   via a timeout */
		goto internal_error;
	}

	if (!web->output.output_pending) {
		http_output_headers(web);
		EVENT_FD_WRITEABLE(web->conn->event.fde);
		web->output.output_pending = True;
	}

	/* copy any application data to long term storage in edata */
	talloc_free(edata->application_data);
	edata->application_data = talloc_zero(edata, struct MprVar);
	mprSetCtx(edata->application_data);
	mprCopyVar(edata->application_data, &esp->variables[ESP_APPLICATION_OBJ], 
		   MPR_DEEP_COPY);
	mprSetCtx(esp);

	/* copy any session data */
	if (web->session) {
		talloc_free(web->session->data);
		web->session->data = talloc_zero(web->session, struct MprVar);
		if (esp->variables[ESP_SESSION_OBJ].properties == NULL ||
		    esp->variables[ESP_SESSION_OBJ].properties[0].numItems == 0) {
			talloc_free(web->session);
			web->session = NULL;
		} else {
			mprSetCtx(web->session->data);
			mprCopyVar(web->session->data, &esp->variables[ESP_SESSION_OBJ], 
				   MPR_DEEP_COPY);
			/* setup the timeout for the session data */
			mprSetCtx(esp);
			talloc_free(web->session->te);
			web->session->te = event_add_timed(web->conn->event.ctx, web->session, 
							   timeval_current_ofs(web->session->lifetime, 0), 
							   session_timeout, web->session);
		}
	}

	talloc_free(esp);
	mprSetCtx(save_mpr_ctx);
	ejs_restore_state(ejs_save);
	return;
	
internal_error:
	mprSetCtx(esp);
	talloc_free(esp);
	if (web->conn != NULL) {
		http_error(web, 500, "Internal server error");
	}
	mprSetCtx(save_mpr_ctx);
	ejs_restore_state(ejs_save);
}


/*
  parse one line of header input
*/
NTSTATUS http_parse_header(struct websrv_context *web, const char *line)
{
	if (line[0] == 0) {
		web->input.end_of_headers = True;
	} else if (strncasecmp(line,"GET ", 4)==0) {
		web->input.url = talloc_strndup(web, &line[4], strcspn(&line[4], " \t"));
	} else if (strncasecmp(line,"POST ", 5)==0) {
		web->input.post_request = True;
		web->input.url = talloc_strndup(web, &line[5], strcspn(&line[5], " \t"));
	} else if (strchr(line, ':') == NULL) {
		http_error(web, 400, "This server only accepts GET and POST requests");
		return NT_STATUS_INVALID_PARAMETER;
	} else if (strncasecmp(line,"Content-Length: ", 16)==0) {
		web->input.content_length = strtoul(&line[16], NULL, 10);
	} else {
#define PULL_HEADER(v, s) do { \
	if (strncmp(line, s, strlen(s)) == 0) { \
		web->input.v = talloc_strdup(web, &line[strlen(s)]); \
		return NT_STATUS_OK; \
	} \
} while (0)
		PULL_HEADER(content_type, "Content-Type: ");
		PULL_HEADER(user_agent, "User-Agent: ");
		PULL_HEADER(referer, "Referer: ");
		PULL_HEADER(host, "Host: ");
		PULL_HEADER(accept_encoding, "Accept-Encoding: ");
		PULL_HEADER(accept_language, "Accept-Language: ");
		PULL_HEADER(accept_charset, "Accept-Charset: ");
		PULL_HEADER(cookie, "Cookie: ");
	}

	/* ignore all other headers for now */
	return NT_STATUS_OK;
}


/*
  setup the esp processor - called at task initialisation
*/
NTSTATUS http_setup_esp(struct task_server *task)
{
	struct esp_data *edata;

	edata = talloc_zero(task, struct esp_data);
	NT_STATUS_HAVE_NO_MEMORY(edata);

	task->private = edata;

	edata->tls_params = tls_initialise(edata);
	NT_STATUS_HAVE_NO_MEMORY(edata->tls_params);

	return NT_STATUS_OK;
}