mailhook.py

#!/usr/bin/env python3
# SPDX-License-Identifier: GPL-3.0-only
# Copyright (C) 2026 Anthony Burow <https://github.com/aburow>

import argparse
import dataclasses
import datetime as dt
import email
import email.policy
import hashlib
import hmac
import json
import html
import os
import re
import smtplib
import sqlite3
import ssl
import subprocess
import sys
import time
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from email.header import decode_header, make_header
from email.utils import getaddresses
from pathlib import Path
from urllib.parse import parse_qs, quote_plus, urlparse
from typing import Any

DB_PATH = Path(os.environ.get("MAILHOOK_DB_PATH", "/var/lib/mailhook/state.db"))
DEFAULT_TIMEOUT = float(os.environ.get("MAILHOOK_HTTP_TIMEOUT", "5"))
DEFAULT_USER_AGENT = os.environ.get("MAILHOOK_USER_AGENT", "mailhook/1.0")
EVENT_WINDOW_SECONDS = int(os.environ.get("MAILHOOK_EVENT_WINDOW_SECONDS", "86400"))
DEFAULT_CAPTURE_DIR = os.environ.get("MAILHOOK_CAPTURE_DIR", "")
DEFAULT_UI_BIND = os.environ.get("MAILHOOK_UI_BIND", "127.0.0.1")
DEFAULT_UI_PORT = int(os.environ.get("MAILHOOK_UI_PORT", "8010"))
DEFAULT_UI_AUTH_FILE = Path(os.environ.get("MAILHOOK_UI_AUTH_FILE", "/etc/nginx/.htpasswd-mailhook"))
DEFAULT_UI_AUTH_USER = os.environ.get("MAILHOOK_UI_AUTH_USER", "mailhook")

CHANGELOG_SUBJECT_RE = re.compile(
    r"(?P<object>Address|Subnet|Folder|Section)\s+(?P<action>create|change|delete)\s+notification",
    re.IGNORECASE,
)
IP_REQUEST_SUBJECT_RE = re.compile(
    r"IP request\s+(?P<action>submitted|accepted|rejected|confirmed|denied)",
    re.IGNORECASE,
)
KEY_VALUE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _./-]+?)\s*[:=]\s*(.+?)\s*$")
DIFF_LINE_RE = re.compile(r"^\[(?P<field>[^\]]+)\]:\s*(?P<old>.*?)\s*=>\s*(?P<new>.*?)\s*$")


@dataclasses.dataclass
class FilterConfig:
    relay_host: str
    relay_port: int
    relay_tls_mode: str
    relay_username: str | None
    relay_password: str | None
    relay_allow_invalid_cert: bool
    webhook_url: str
    webhook_timeout: float
    webhook_secret: str | None
    webhook_token: str | None
    webhook_verify_tls: bool
    phpipam_sender_pattern: str | None
    phpipam_header_name: str | None
    phpipam_header_pattern: str | None
    listen_all_mail: bool
    relay_original_phpipam_mail: bool
    hostname: str
    capture_dir: Path | None

    @classmethod
    def from_env(cls) -> "FilterConfig":
        relay_host = require_env("RELAY_HOST")
        relay_port = int(os.environ.get("RELAY_PORT", "25"))
        relay_tls_mode = os.environ.get("RELAY_TLS_MODE", "starttls").lower()
        if relay_tls_mode not in {"none", "starttls", "smtps"}:
            raise SystemExit("RELAY_TLS_MODE must be one of: none, starttls, smtps")
        webhook_url = require_env("WEBHOOK_URL")
        return cls(
            relay_host=relay_host,
            relay_port=relay_port,
            relay_tls_mode=relay_tls_mode,
            relay_username=os.environ.get("RELAY_USERNAME") or None,
            relay_password=os.environ.get("RELAY_PASSWORD") or None,
            relay_allow_invalid_cert=parse_bool(os.environ.get("RELAY_ALLOW_INVALID_CERT", "false")),
            webhook_url=webhook_url,
            webhook_timeout=float(os.environ.get("WEBHOOK_TIMEOUT", str(DEFAULT_TIMEOUT))),
            webhook_secret=os.environ.get("WEBHOOK_SECRET") or None,
            webhook_token=os.environ.get("WEBHOOK_TOKEN") or None,
            webhook_verify_tls=not parse_bool(os.environ.get("WEBHOOK_SKIP_TLS_VERIFY", "false")),
            phpipam_sender_pattern=os.environ.get("PHPIPAM_SENDER_PATTERN") or None,
            phpipam_header_name=os.environ.get("PHPIPAM_HEADER_NAME") or None,
            phpipam_header_pattern=os.environ.get("PHPIPAM_HEADER_PATTERN") or None,
            listen_all_mail=parse_bool(os.environ.get("LISTEN_ALL_MAIL", "false")),
            relay_original_phpipam_mail=parse_bool(os.environ.get("RELAY_ORIGINAL_PHPIPAM_MAIL", "true")),
            hostname=os.environ.get("MAILHOOK_HOSTNAME") or os.uname().nodename,
            capture_dir=Path(DEFAULT_CAPTURE_DIR) if DEFAULT_CAPTURE_DIR else None,
        )


def require_env(name: str) -> str:
    value = os.environ.get(name)
    if not value:
        raise SystemExit(f"Missing required environment variable: {name}")
    return value


def parse_bool(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def decode_mime(value: str | None) -> str:
    if not value:
        return ""
    try:
        return str(make_header(decode_header(value)))
    except (email.errors.HeaderParseError, UnicodeError, ValueError):
        return value


def body_text(msg: email.message.Message) -> str:
    if msg.is_multipart():
        parts: list[str] = []
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue
            if part.get_content_type() != "text/plain":
                continue
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            try:
                parts.append(payload.decode(charset, errors="replace"))
            except LookupError:
                parts.append(payload.decode("utf-8", errors="replace"))
        return "\n".join(p for p in parts if p)
    payload = msg.get_payload(decode=True) or b""
    charset = msg.get_content_charset() or "utf-8"
    try:
        return payload.decode(charset, errors="replace")
    except LookupError:
        return payload.decode("utf-8", errors="replace")


def normalise_whitespace(value: str) -> str:
    return re.sub(r"\s+", " ", value.strip())


def extract_pairs(text: str) -> dict[str, str]:
    fields: dict[str, str] = {}
    for line in text.splitlines():
        match = KEY_VALUE_RE.match(line)
        if not match:
            continue
        key = normalise_whitespace(match.group(1)).lower().replace(" ", "_")
        fields[key] = match.group(2).strip()
    return fields


def parse_change_lines(text: str) -> tuple[list[str], dict[str, dict[str, str]]]:
    change_lines: list[str] = []
    changes: dict[str, dict[str, str]] = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line.startswith("["):
            continue
        change_lines.append(line)
        match = DIFF_LINE_RE.match(line)
        if not match:
            continue
        field = normalise_whitespace(match.group("field")).lower().replace(" ", "_")
        changes[field] = {
            "old": match.group("old").strip(),
            "new": match.group("new").strip(),
        }
    return change_lines, changes


def classify_phpipam_changelog(subject: str, body_pairs: dict[str, str]) -> tuple[str, str, str] | None:
    match = CHANGELOG_SUBJECT_RE.search(subject)
    if not match:
        return None
    object_map = {
        "address": "ip_addr",
        "subnet": "subnet",
        "folder": "folder",
        "section": "section",
    }
    action_map = {
        "create": "added",
        "change": "edited",
        "delete": "deleted",
    }
    object_raw = match.group("object").lower()
    action_raw = match.group("action").lower()
    object_type = object_map[object_raw]
    action = action_map[action_raw]
    event_type = f"phpipam.changelog.{object_type}.{action}"
    if body_pairs.get("object_type"):
        object_raw = body_pairs["object_type"].lower()
    return event_type, object_type, action


def header_values(msg: email.message.Message, name: str | None) -> list[str]:
    if not name:
        return []
    return [decode_mime(v) for v in msg.get_all(name, [])]


def message_recipients(msg: email.message.Message) -> list[str]:
    pairs = getaddresses(msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", []))
    return sorted({addr for _, addr in pairs if addr})


def parse_phpipam_event(msg: email.message.Message, raw_bytes: bytes, cfg: FilterConfig) -> dict[str, Any] | None:
    sender = email.utils.parseaddr(msg.get("from", ""))[1]
    subject = decode_mime(msg.get("subject"))
    plain = body_text(msg)
    body_pairs = extract_pairs(plain)
    change_lines, changes = parse_change_lines(plain)

    if not cfg.listen_all_mail:
        if cfg.phpipam_sender_pattern and not re.search(cfg.phpipam_sender_pattern, sender or "", re.IGNORECASE):
            return None
        if cfg.phpipam_header_name and cfg.phpipam_header_pattern:
            joined = "\n".join(header_values(msg, cfg.phpipam_header_name))
            if not re.search(cfg.phpipam_header_pattern, joined, re.IGNORECASE):
                return None
        elif not cfg.phpipam_sender_pattern:
            lower_blob = f"{subject}\n{plain}".lower()
            if "phpipam" not in lower_blob and "ip request" not in lower_blob:
                return None

    event_type = "mail.generic"
    object_type = "unknown"
    action = "unknown"

    changelog_event = classify_phpipam_changelog(subject, body_pairs)
    if changelog_event is not None:
        event_type, object_type, action = changelog_event
    else:
        match = IP_REQUEST_SUBJECT_RE.search(subject)
        if match:
            action = match.group("action").lower()
            object_type = "ip_request"
            if action == "confirmed":
                action = "accepted"
            if action == "denied":
                action = "rejected"
            event_type = f"phpipam.ip_request.{action}"
        elif "ip request" in subject.lower() or body_pairs.get("request_ip"):
            object_type = "ip_request"
            event_type = "phpipam.ip_request.unknown"

    if event_type == "mail.generic":
        return None

    message_id = msg.get("message-id") or f"sha256:{hashlib.sha256(raw_bytes).hexdigest()}"
    occurred_at = parse_date_header(msg.get("date"))
    queue_hint = hashlib.sha256(raw_bytes).hexdigest()

    return {
        "specversion": "1.0",
        "type": event_type,
        "source": "phpipam-mail",
        "id": message_id.strip(),
        "time": occurred_at,
        "datacontenttype": "application/json",
        "data": {
            "classification": {
                "event_family": "phpipam_mail",
                "object_type": object_type,
                "action": action,
                "confidence": infer_confidence(subject, plain),
            },
            "mail": {
                "message_id": msg.get("message-id"),
                "subject": subject,
                "from": sender,
                "to": message_recipients(msg),
                "date": msg.get("date"),
                "headers": {
                    "x_mailer": decode_mime(msg.get("x-mailer")),
                    "auto_submitted": decode_mime(msg.get("auto-submitted")),
                },
                "body_sha256": hashlib.sha256(raw_bytes).hexdigest(),
                "body_preview": plain[:1000],
            },
            "phpipam": {
                "fields": body_pairs,
                "object_type_raw": body_pairs.get("object_type", ""),
                "object_details": body_pairs.get("object_details", ""),
                "user": body_pairs.get("user", ""),
                "action_raw": body_pairs.get("action", ""),
                "date_raw": body_pairs.get("date", ""),
                "change_lines": change_lines,
                "changes": changes,
                "queue_hint": queue_hint,
            },
            "delivery": {
                "host": cfg.hostname,
                "intercept_mode": "postfix_pipe_filter",
            },
        },
    }


def infer_confidence(subject: str, body: str) -> str:
    if CHANGELOG_SUBJECT_RE.search(subject) or IP_REQUEST_SUBJECT_RE.search(subject):
        return "high"
    if "phpipam" in f"{subject}\n{body}".lower():
        return "medium"
    return "low"


def capture_message(cfg: FilterConfig, queue_id: str, raw_bytes: bytes) -> None:
    if cfg.capture_dir is None:
        return
    cfg.capture_dir.mkdir(parents=True, exist_ok=True)
    stamp = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    digest = hashlib.sha256(raw_bytes).hexdigest()[:12]
    queue_part = queue_id or "noqueue"
    target = cfg.capture_dir / f"{stamp}-{queue_part}-{digest}.eml"
    target.write_bytes(raw_bytes)


def parse_date_header(value: str | None) -> str:
    if not value:
        return dt.datetime.now(dt.timezone.utc).isoformat()
    try:
        parsed = email.utils.parsedate_to_datetime(value)
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=dt.timezone.utc)
        return parsed.astimezone(dt.timezone.utc).isoformat()
    except (TypeError, ValueError, IndexError, OverflowError):
        return dt.datetime.now(dt.timezone.utc).isoformat()


def init_db() -> sqlite3.Connection:
    DB_PATH.parent.mkdir(parents=True, exist_ok=True)
    conn = sqlite3.connect(DB_PATH)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS webhook_events (dedupe_key TEXT PRIMARY KEY, created_at INTEGER NOT NULL)"
    )
    conn.execute(
        """
        CREATE TABLE IF NOT EXISTS webhook_event_log (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            created_at INTEGER NOT NULL,
            delivery_status TEXT NOT NULL,
            queue_id TEXT,
            envelope_sender TEXT,
            envelope_recipients_json TEXT,
            event_type TEXT NOT NULL,
            event_id TEXT NOT NULL,
            subject TEXT,
            object_type TEXT,
            object_details TEXT,
            webhook_url TEXT NOT NULL,
            response_status INTEGER,
            response_body TEXT,
            error_text TEXT,
            payload_json TEXT NOT NULL
        )
        """
    )
    conn.execute(
        "DELETE FROM webhook_events WHERE created_at < ?",
        (int(time.time()) - EVENT_WINDOW_SECONDS,),
    )
    conn.commit()
    return conn


def make_dedupe_key(queue_id: str, payload: dict[str, Any]) -> str:
    payload_id = payload.get("id") or payload["data"]["mail"]["body_sha256"]
    key = f"{queue_id}:{payload_id}" if queue_id else f"{payload_id}"
    return hashlib.sha256(key.encode()).hexdigest()


def should_emit(conn: sqlite3.Connection, dedupe_key: str) -> bool:
    try:
        conn.execute(
            "INSERT INTO webhook_events (dedupe_key, created_at) VALUES (?, ?)",
            (dedupe_key, int(time.time())),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def post_webhook(cfg: FilterConfig, payload: dict[str, Any]) -> tuple[int, str]:
    data = json.dumps(payload, sort_keys=True).encode()
    request = urllib.request.Request(cfg.webhook_url, data=data, method="POST")
    request.add_header("Content-Type", "application/json")
    request.add_header("User-Agent", DEFAULT_USER_AGENT)
    if cfg.webhook_token:
        request.add_header("X-Webhook-Token", cfg.webhook_token)
    if cfg.webhook_secret:
        signature = hmac.new(cfg.webhook_secret.encode(), data, hashlib.sha256).hexdigest()
        request.add_header("X-Webhook-Signature-256", f"sha256={signature}")
    context = None
    if cfg.webhook_url.startswith("https") and not cfg.webhook_verify_tls:
        context = ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(request, timeout=cfg.webhook_timeout, context=context) as response:
            body = response.read().decode("utf-8", errors="replace")
            if response.status >= 300:
                raise RuntimeError(f"Webhook returned HTTP {response.status}")
            return response.status, body[:4000]
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"Webhook returned HTTP {exc.code}") from exc
    except urllib.error.URLError as exc:
        raise RuntimeError(f"Webhook delivery failed: {exc.reason}") from exc


def log_webhook_attempt(
    conn: sqlite3.Connection,
    payload: dict[str, Any],
    queue_id: str,
    envelope_sender: str,
    envelope_recipients: list[str],
    webhook_url: str,
    delivery_status: str,
    response_status: int | None = None,
    response_body: str | None = None,
    error_text: str | None = None,
) -> None:
    conn.execute(
        """
        INSERT INTO webhook_event_log (
            created_at,
            delivery_status,
            queue_id,
            envelope_sender,
            envelope_recipients_json,
            event_type,
            event_id,
            subject,
            object_type,
            object_details,
            webhook_url,
            response_status,
            response_body,
            error_text,
            payload_json
        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
        """,
        (
            int(time.time()),
            delivery_status,
            queue_id,
            envelope_sender,
            json.dumps(envelope_recipients),
            payload["type"],
            payload["id"],
            payload["data"]["mail"]["subject"],
            payload["data"]["classification"]["object_type"],
            payload["data"]["phpipam"].get("object_details", ""),
            webhook_url,
            response_status,
            response_body,
            error_text,
            json.dumps(payload, sort_keys=True),
        ),
    )
    conn.commit()


def smtp_client(cfg: FilterConfig) -> smtplib.SMTP:
    ssl_context = ssl.create_default_context()
    if cfg.relay_allow_invalid_cert:
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_NONE
    if cfg.relay_tls_mode == "smtps":
        client: smtplib.SMTP = smtplib.SMTP_SSL(cfg.relay_host, cfg.relay_port, timeout=30, context=ssl_context)
    else:
        client = smtplib.SMTP(cfg.relay_host, cfg.relay_port, timeout=30)
    client.ehlo()
    if cfg.relay_tls_mode == "starttls":
        client.starttls(context=ssl_context)
        client.ehlo()
    if cfg.relay_username:
        client.login(cfg.relay_username, cfg.relay_password or "")
    return client


def relay_original(cfg: FilterConfig, sender: str, recipients: list[str], raw_bytes: bytes) -> None:
    with smtp_client(cfg) as client:
        failures = client.sendmail(sender, recipients, raw_bytes)
    if failures:
        raise RuntimeError(f"Relay rejected recipients: {failures}")


def parse_args() -> argparse.Namespace:
    argv = sys.argv[1:]
    if argv and argv[0] not in {"filter", "ui"} and not argv[0].startswith("-"):
        argv = ["filter", *argv]
    parser = argparse.ArgumentParser(description="Relay mail and emit webhook events for phpIPAM notifications")
    subparsers = parser.add_subparsers(dest="command")

    filter_parser = subparsers.add_parser("filter", help="Process a message from Postfix")
    filter_parser.add_argument("--sender", required=True)
    filter_parser.add_argument("--recipient", action="append", required=True)
    filter_parser.add_argument("--queue-id", default="")

    ui_parser = subparsers.add_parser("ui", help="Serve the local webhook review UI")
    ui_parser.add_argument("--bind", default=DEFAULT_UI_BIND)
    ui_parser.add_argument("--port", type=int, default=DEFAULT_UI_PORT)
    args = parser.parse_args(argv)
    if args.command is None:
        args.command = "filter"
    return args


def handle_filter(args: argparse.Namespace) -> int:
    cfg = FilterConfig.from_env()
    raw_bytes = sys.stdin.buffer.read()
    if not raw_bytes:
        print("No message received on stdin", file=sys.stderr)
        return 75

    try:
        msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    except (email.errors.MessageError, TypeError, ValueError) as exc:
        print(f"Unable to parse message: {exc}", file=sys.stderr)
        return 75

    capture_message(cfg, args.queue_id, raw_bytes)
    payload = parse_phpipam_event(msg, raw_bytes, cfg)
    if payload is not None:
        payload["data"]["delivery"]["queue_id"] = args.queue_id
        payload["data"]["delivery"]["envelope_sender"] = args.sender
        payload["data"]["delivery"]["envelope_recipients"] = args.recipient
        conn = init_db()
        dedupe_key = make_dedupe_key(args.queue_id, payload)
        if should_emit(conn, dedupe_key):
            try:
                response_status, response_body = post_webhook(cfg, payload)
            except Exception as exc:
                log_webhook_attempt(
                    conn,
                    payload,
                    args.queue_id,
                    args.sender,
                    args.recipient,
                    cfg.webhook_url,
                    "failed",
                    error_text=str(exc),
                )
                raise
            log_webhook_attempt(
                conn,
                payload,
                args.queue_id,
                args.sender,
                args.recipient,
                cfg.webhook_url,
                "delivered",
                response_status=response_status,
                response_body=response_body,
            )
        if not cfg.relay_original_phpipam_mail:
            return 0

    relay_original(cfg, args.sender, args.recipient, raw_bytes)
    return 0


def db_connect_readonly() -> sqlite3.Connection:
    return sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)


def fetch_recent_events(limit: int = 100) -> list[sqlite3.Row]:
    conn = db_connect_readonly()
    conn.row_factory = sqlite3.Row
    rows = conn.execute(
        """
        SELECT id, created_at, delivery_status, queue_id, event_type, subject, object_type,
               object_details, response_status, webhook_url
        FROM webhook_event_log
        ORDER BY id DESC
        LIMIT ?
        """,
        (limit,),
    ).fetchall()
    conn.close()
    return rows


def fetch_event(event_id: int) -> sqlite3.Row | None:
    conn = db_connect_readonly()
    conn.row_factory = sqlite3.Row
    row = conn.execute("SELECT * FROM webhook_event_log WHERE id = ?", (event_id,)).fetchone()
    conn.close()
    return row


def capture_dir_path() -> Path | None:
    return Path(DEFAULT_CAPTURE_DIR) if DEFAULT_CAPTURE_DIR else None


def find_capture_file(queue_id: str | None) -> Path | None:
    if not queue_id:
        return None
    capture_dir = capture_dir_path()
    if capture_dir is None or not capture_dir.exists():
        return None
    matches = sorted(capture_dir.glob(f"*-{queue_id}-*.eml"))
    return matches[-1] if matches else None


def html_page(title: str, body: str) -> bytes:
    return f"""<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>{html.escape(title)}</title>
  <style>
    :root {{
      --bg: #f1efe8;
      --panel: #fffdf7;
      --ink: #1f1c18;
      --muted: #6d665d;
      --accent: #0f766e;
      --line: #d8d0c5;
      --ok: #1d7a34;
      --bad: #a63a2b;
      --warn: #8d6a16;
    }}
    body {{ margin: 0; font-family: Georgia, serif; background: linear-gradient(180deg, #e8e2d4 0%, var(--bg) 100%); color: var(--ink); }}
    main {{ max-width: 1200px; margin: 0 auto; padding: 24px; }}
    h1, h2 {{ margin: 0 0 12px; }}
    .sub {{ color: var(--muted); margin-bottom: 20px; }}
    .panel {{ background: var(--panel); border: 1px solid var(--line); border-radius: 16px; box-shadow: 0 12px 30px rgba(31,28,24,0.08); padding: 18px; margin-bottom: 18px; }}
    table {{ width: 100%; border-collapse: collapse; font-size: 14px; }}
    th, td {{ text-align: left; padding: 10px 8px; border-bottom: 1px solid var(--line); vertical-align: top; }}
    th {{ color: var(--muted); font-weight: 600; }}
    a {{ color: var(--accent); text-decoration: none; }}
    a:hover {{ text-decoration: underline; }}
    .pill {{ display: inline-block; padding: 3px 8px; border-radius: 999px; font-size: 12px; font-weight: 700; }}
    .delivered {{ background: #dff3e4; color: var(--ok); }}
    .failed {{ background: #f8dbd6; color: var(--bad); }}
    .notice {{ padding: 12px 14px; border-radius: 12px; margin-bottom: 16px; }}
    .notice.ok {{ background: #dff3e4; color: var(--ok); }}
    .notice.bad {{ background: #f8dbd6; color: var(--bad); }}
    dl {{ display: grid; grid-template-columns: 180px 1fr; gap: 10px 16px; margin: 0; }}
    dt {{ color: var(--muted); }}
    dd {{ margin: 0; word-break: break-word; }}
    pre {{ background: #161513; color: #f8f2e8; padding: 16px; border-radius: 12px; overflow-x: auto; font-size: 13px; }}
    form {{ display: grid; gap: 12px; max-width: 420px; }}
    label {{ display: grid; gap: 6px; font-size: 14px; color: var(--muted); }}
    input {{ font: inherit; padding: 10px 12px; border: 1px solid var(--line); border-radius: 10px; background: #fff; color: var(--ink); }}
    button {{ font: inherit; border: 0; border-radius: 10px; padding: 10px 14px; background: var(--accent); color: #fff; cursor: pointer; width: fit-content; }}
    .review-link {{ white-space: nowrap; }}
    dialog {{ width: min(1200px, calc(100vw - 40px)); border: 0; border-radius: 18px; padding: 0; box-shadow: 0 20px 60px rgba(31,28,24,0.28); }}
    dialog::backdrop {{ background: rgba(15, 14, 11, 0.6); }}
    .modal-head {{ display: flex; justify-content: space-between; gap: 16px; align-items: center; padding: 18px 20px; border-bottom: 1px solid var(--line); background: #f8f3ea; }}
    .modal-body {{ display: grid; grid-template-columns: 1fr; gap: 18px; padding: 20px; }}
    .modal-col h2 {{ font-size: 18px; margin-bottom: 10px; }}
    .modal-actions {{ display: flex; gap: 10px; align-items: center; }}
    .ghost {{ background: #e7e0d2; color: var(--ink); }}
    .muted {{ color: var(--muted); }}
  </style>
</head>
<body>
  <main>{body}</main>
  <dialog id="event-modal">
    <div class="modal-head">
      <div>
        <h1 id="modal-title">Event</h1>
        <div class="sub" id="modal-subtitle"></div>
      </div>
      <div class="modal-actions">
        <button id="modal-copy-json" class="ghost" type="button">Copy JSON</button>
        <button id="modal-copy-email" class="ghost" type="button">Copy Email</button>
        <button id="modal-close" type="button">Close</button>
      </div>
    </div>
    <div class="modal-body">
      <div class="modal-col">
        <h2>Captured Email</h2>
        <pre id="modal-email">Loading...</pre>
      </div>
      <div class="modal-col">
        <h2>Webhook Payload</h2>
        <pre id="modal-json">Loading...</pre>
      </div>
    </div>
  </dialog>
  <script>
    for (const node of document.querySelectorAll('[data-utc]')) {{
      const value = node.getAttribute('data-utc');
      const parsed = new Date(value);
      if (!Number.isNaN(parsed.getTime())) {{
        node.textContent = parsed.toLocaleString();
        node.title = value;
      }}
    }}
    const modal = document.getElementById('event-modal');
    const modalTitle = document.getElementById('modal-title');
    const modalSubtitle = document.getElementById('modal-subtitle');
    const modalJson = document.getElementById('modal-json');
    const modalEmail = document.getElementById('modal-email');
    const modalCopyJson = document.getElementById('modal-copy-json');
    const modalCopyEmail = document.getElementById('modal-copy-email');
    let modalJsonText = '';
    let modalEmailText = '';
    document.getElementById('modal-close').addEventListener('click', () => modal.close());
    async function copyText(value) {{
      if (!value) return;
      if (navigator.clipboard && window.isSecureContext) {{
        await navigator.clipboard.writeText(value);
        return;
      }}
      const node = document.createElement('textarea');
      node.value = value;
      node.setAttribute('readonly', '');
      node.style.position = 'absolute';
      node.style.left = '-9999px';
      document.body.appendChild(node);
      node.select();
      document.execCommand('copy');
      document.body.removeChild(node);
    }}
    modalCopyJson.addEventListener('click', async () => {{
      await copyText(modalJsonText);
    }});
    modalCopyEmail.addEventListener('click', async () => {{
      await copyText(modalEmailText);
    }});
    modal.addEventListener('click', (event) => {{
      const rect = modal.getBoundingClientRect();
      const inside = rect.top <= event.clientY && event.clientY <= rect.bottom && rect.left <= event.clientX && event.clientX <= rect.right;
      if (!inside) modal.close();
    }});
    async function loadEventDetails(eventId, title, subtitle) {{
      modalTitle.textContent = title;
      modalSubtitle.textContent = subtitle;
      modalJson.textContent = 'Loading...';
      modalEmail.textContent = 'Loading...';
      modalJsonText = '';
      modalEmailText = '';
      modal.showModal();
      const [jsonResp, emailResp] = await Promise.all([
        fetch(`/events/${{eventId}}.json`),
        fetch(`/events/${{eventId}}/email`)
      ]);
      modalJsonText = jsonResp.ok ? JSON.stringify(await jsonResp.json(), null, 2) : `Unable to load JSON (${{jsonResp.status}})`;
      modalEmailText = emailResp.ok ? await emailResp.text() : `Unable to load email (${{emailResp.status}})`;
      modalJson.textContent = modalJsonText;
      modalEmail.textContent = modalEmailText;
    }}
    for (const button of document.querySelectorAll('[data-review-event]')) {{
      button.addEventListener('click', async (event) => {{
        event.preventDefault();
        await loadEventDetails(button.dataset.reviewEvent, button.dataset.reviewTitle, button.dataset.reviewSubtitle);
      }});
    }}
  </script>
</body>
</html>""".encode("utf-8")


def update_ui_password(new_password: str) -> None:
    subprocess.run(
        ["htpasswd", "-bB", str(DEFAULT_UI_AUTH_FILE), DEFAULT_UI_AUTH_USER, new_password],
        check=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        text=True,
    )


class MailhookUIHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:  # noqa: N802
        parsed = urlparse(self.path)
        if parsed.path == "/":
            query = parse_qs(parsed.query)
            limit = min(max(int(query.get("limit", ["100"])[0]), 1), 500)
            rows = fetch_recent_events(limit)
            table_rows = []
            for row in rows:
                status_class = "delivered" if row["delivery_status"] == "delivered" else "failed"
                created = dt.datetime.fromtimestamp(row["created_at"], tz=dt.timezone.utc).isoformat()
                table_rows.append(
                    "<tr>"
                    f"<td><a class='review-link' href='#' data-review-event='{row['id']}' data-review-title='{html.escape(row['event_type'])}' data-review-subtitle='{html.escape(row['subject'] or '')}'>#{row['id']} Review</a></td>"
                    f"<td><span data-utc='{html.escape(created)}'>{html.escape(created)}</span></td>"
                    f"<td><span class='pill {status_class}'>{html.escape(row['delivery_status'])}</span></td>"
                    f"<td>{html.escape(row['event_type'])}</td>"
                    f"<td>{html.escape(row['subject'] or '')}</td>"
                    f"<td>{html.escape(row['object_details'] or '')}</td>"
                    f"<td>{html.escape(row['queue_id'] or '')}</td>"
                    f"<td>{html.escape(str(row['response_status'] or ''))}</td>"
                    "</tr>"
                )
            empty_row = "<tr><td colspan='8'>No webhook events logged yet.</td></tr>"
            body = (
                "<h1>MailHook Review</h1>"
                "<div class='sub'>Recent outbound webhook attempts captured by the phpIPAM mail filter.</div>"
                "<div class='panel'><a href='/password'>Change UI password</a></div>"
                "<div class='panel'>"
                "<table><thead><tr><th>ID</th><th>Seen</th><th>Status</th><th>Type</th><th>Subject</th><th>Object</th><th>Queue</th><th>HTTP</th></tr></thead>"
                f"<tbody>{''.join(table_rows) if table_rows else empty_row}</tbody></table>"
                "</div>"
            )
            self.respond(HTTPStatus.OK, html_page("MailHook Review", body), "text/html; charset=utf-8")
            return
        if parsed.path == "/password":
            query = parse_qs(parsed.query)
            msg = query.get("msg", [""])[0]
            level = query.get("level", [""])[0]
            notice = ""
            if msg:
                cls = "ok" if level == "ok" else "bad"
                notice = f"<div class='notice {cls}'>{html.escape(msg)}</div>"
            body = (
                "<h1>Change UI Password</h1>"
                "<div class='sub'><a href='/'>Back to list</a></div>"
                f"{notice}"
                "<div class='panel'>"
                "<form method='post' action='/password'>"
                "<label>New password<input type='password' name='new_password' required></label>"
                "<label>Confirm password<input type='password' name='confirm_password' required></label>"
                "<button type='submit'>Update password</button>"
                "</form>"
                "</div>"
            )
            self.respond(HTTPStatus.OK, html_page("Change UI Password", body), "text/html; charset=utf-8")
            return
        if parsed.path.startswith("/events/"):
            suffix = parsed.path.rsplit("/", 1)[1]
            want_json = suffix.endswith(".json")
            want_email = suffix == "email"
            if want_json:
                suffix = suffix[:-5]
            if want_email:
                parts = parsed.path.strip("/").split("/")
                if len(parts) != 3 or parts[2] != "email":
                    self.respond(HTTPStatus.NOT_FOUND, b"not found", "text/plain; charset=utf-8")
                    return
                suffix = parts[1]
            try:
                event_id = int(suffix)
            except ValueError:
                self.respond(HTTPStatus.NOT_FOUND, b"not found", "text/plain; charset=utf-8")
                return
            row = fetch_event(event_id)
            if row is None:
                self.respond(HTTPStatus.NOT_FOUND, b"not found", "text/plain; charset=utf-8")
                return
            if want_json:
                self.respond(HTTPStatus.OK, row["payload_json"].encode("utf-8"), "application/json")
                return
            if want_email:
                capture_path = find_capture_file(row["queue_id"])
                if capture_path is None or not capture_path.exists():
                    self.respond(HTTPStatus.NOT_FOUND, b"email capture not found", "text/plain; charset=utf-8")
                    return
                self.respond(HTTPStatus.OK, capture_path.read_bytes(), "text/plain; charset=utf-8")
                return
            payload_pretty = json.dumps(json.loads(row["payload_json"]), indent=2, sort_keys=True)
            recipients = ", ".join(json.loads(row["envelope_recipients_json"] or "[]"))
            created = dt.datetime.fromtimestamp(row["created_at"], tz=dt.timezone.utc).isoformat()
            capture_path = find_capture_file(row["queue_id"])
            email_link = f"<a href='/events/{row['id']}/email'>View captured email</a>" if capture_path else "Capture not found"
            body = (
                f"<h1>Event {row['id']}</h1>"
                "<div class='sub'><a href='/'>Back to list</a></div>"
                "<div class='panel'>"
                "<dl>"
                f"<dt>Status</dt><dd>{html.escape(row['delivery_status'])}</dd>"
                f"<dt>Seen</dt><dd><span data-utc='{html.escape(created)}'>{html.escape(created)}</span></dd>"
                f"<dt>Type</dt><dd>{html.escape(row['event_type'])}</dd>"
                f"<dt>Subject</dt><dd>{html.escape(row['subject'] or '')}</dd>"
                f"<dt>Object</dt><dd>{html.escape(row['object_details'] or '')}</dd>"
                f"<dt>Queue ID</dt><dd>{html.escape(row['queue_id'] or '')}</dd>"
                f"<dt>Envelope sender</dt><dd>{html.escape(row['envelope_sender'] or '')}</dd>"
                f"<dt>Envelope recipients</dt><dd>{html.escape(recipients)}</dd>"
                f"<dt>Webhook URL</dt><dd>{html.escape(row['webhook_url'])}</dd>"
                f"<dt>HTTP status</dt><dd>{html.escape(str(row['response_status'] or ''))}</dd>"
                f"<dt>HTTP body</dt><dd>{html.escape(row['response_body'] or '')}</dd>"
                f"<dt>Error</dt><dd>{html.escape(row['error_text'] or '')}</dd>"
                f"<dt>Raw JSON</dt><dd><a href='/events/{row['id']}.json'>Download JSON</a></dd>"
                f"<dt>Captured email</dt><dd>{email_link}</dd>"
                "</dl>"
                "</div>"
                f"<div class='panel'><h2>Payload</h2><pre>{html.escape(payload_pretty)}</pre></div>"
            )
            self.respond(HTTPStatus.OK, html_page(f"Webhook Event {event_id}", body), "text/html; charset=utf-8")
            return
        self.respond(HTTPStatus.NOT_FOUND, b"not found", "text/plain; charset=utf-8")

    def do_POST(self) -> None:  # noqa: N802
        parsed = urlparse(self.path)
        if parsed.path != "/password":
            self.respond(HTTPStatus.NOT_FOUND, b"not found", "text/plain; charset=utf-8")
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8", errors="replace")
        form = parse_qs(raw)
        new_password = form.get("new_password", [""])[0]
        confirm_password = form.get("confirm_password", [""])[0]
        if not new_password:
            self.redirect("/password?level=bad&msg=Password+cannot+be+empty")
            return
        if new_password != confirm_password:
            self.redirect("/password?level=bad&msg=Passwords+did+not+match")
            return
        try:
            update_ui_password(new_password)
        except subprocess.CalledProcessError as exc:
            message = exc.stderr.strip() or "Password update failed"
            safe_message = quote_plus(message)
            self.redirect(f"/password?level=bad&msg={safe_message}")
            return
        self.redirect("/password?level=ok&msg=Password+updated")

    def log_message(self, fmt: str, *args: object) -> None:
        print(f"mailhook-ui {self.address_string()} - {fmt % args}", file=sys.stderr)

    def respond(self, status: HTTPStatus, body: bytes, content_type: str) -> None:
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def redirect(self, location: str) -> None:
        self.send_response(HTTPStatus.SEE_OTHER)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve_ui(bind: str, port: int) -> int:
    server = ThreadingHTTPServer((bind, port), MailhookUIHandler)
    print(f"Serving MailHook UI on http://{bind}:{port}", file=sys.stderr)
    server.serve_forever()
    return 0


def main() -> int:
    args = parse_args()
    command = getattr(args, "command", None)
    if command == "ui":
        return serve_ui(args.bind, args.port)
    return handle_filter(args)


if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except Exception as exc:
        print(str(exc), file=sys.stderr)
        raise SystemExit(75)