include ${NGX_CONF_DIR}/common-includes/server_filters;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/ssl_config;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/proxy_headers;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/cuic_cache;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/configoverride;

# Default-deny catch-all: any URI not matched by a more specific location
# below is answered here and never proxied to the backend.
location / {
    # Backstop only: `return` below answers in the rewrite phase, before
    # access rules such as `deny` are evaluated.
    deny all;

    # 421 Misdirected Request
    return 421;
}

# Per-locale view map. The anchored regex admits exactly one URI shape
# (locale such as en_US, trailing slash required).
location ~ "^/cuic/rest/[a-z]{2}_[A-Z]{2}/viewmap/$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header, so whatever consumes
    # $upstreamservername (not visible here) must treat it as untrusted.
    # NOTE(review): ${http_origin} shares the ${...} syntax of the template
    # placeholders; confirm the templating step substitutes only NGX_* names.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Single report / report definition / data source, addressed by a
# 32-character alphanumeric id with an optional trailing slash.
location ~ "^/(cuic/rest/(report|reportdefinitions|datasources)/[a-zA-Z0-9]{32}/?)$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Help resource of a single report (32-character alphanumeric id, no trailing slash).
location ~ "^/(cuic/rest/report/[a-zA-Z0-9]{32}/help)$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Field-format lookups, limited to the two named formats
# (optional trailing slash).
location ~ ^/(cuic/rest/fieldformats/(dateandtime|decimal)/?)$ {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Per-locale filters endpoint, optionally with /skillTargetId and an
# optional trailing slash. Unlike its siblings this one also accepts POST.
location ~ "^/cuic/rest/[a-z]{2}_[A-Z]{2}/filters((/skillTargetId)?)/?$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # POST, GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except POST GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Authentication endpoint; `=` makes this an exact-match location, so no
# sub-path or suffix of the URI is admitted.
location = /cuic/rest/authentication {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# "About" endpoint.
# NOTE(review): this is a prefix location, so every URI that merely starts
# with /cuic/rest/about is proxied (after the auth gate), which is wider than
# the exact/anchored matches used by the other allow-listed locations. If no
# sub-paths are needed, `location = /cuic/rest/about` would close that gap.
location /cuic/rest/about {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

# Per-locale permalink filter info (trailing slash required).
location ~ "^/cuic/rest/[a-z]{2}_[A-Z]{2}/filters/permafilterinfo/$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS) {
        set $upstreamservername "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;
}

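# Public entry point for executing a report by id. It proxies nothing itself:
# the request is routed on ?reportExecutionType= to the /historical or
# /realtime location, which carry the auth gate and connection limits.
location ~ "^/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/[a-zA-Z0-9]{32}$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # The execution type is mandatory.
    if ($arg_reportExecutionType = '') {
        return 404;
    }

    # NOTE(review): limit_req is enforced in the preaccess phase against the
    # location that finally serves the request. Every path through this block
    # returns or rewrites away during the rewrite phase, so this limit does
    # not throttle report execution. If throttling is intended, the directive
    # belongs in the /historical and /realtime target locations.
    limit_req zone=cuicreportexecutionratelimit burst=${NGX_CUIC_REPORT_EXECUTION_REQUEST_BURST_LIMIT} nodelay;

    # if this is historical request
    if ($arg_reportExecutionType = 'historical') {
        rewrite ^ /historical$uri last;
    }

    # if this is realtime request
    if ($arg_reportExecutionType = 'realtime') {
        rewrite ^ /realtime$uri last;
    }

    # Any other value is rejected explicitly. Without this the request stayed
    # in a location that has no proxy_pass and fell through to nginx's default
    # static-file handling, outside the auth gate used everywhere else.
    return 404;
}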

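# Target of the /historical rewrite issued by the report-execution dispatcher.
location ~ "^/historical/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/[a-zA-Z0-9]{32}$" {
    # The /historical prefix is a routing artifact, so the location is made
    # unreachable from outside (external requests get 404), matching
    # /internaloptions. Otherwise a client could call it directly, skip the
    # reportExecutionType check and choose which connection-limit pool applies.
    # Requests changed by `rewrite` count as internal, so the dispatcher still
    # reaches this block.
    internal;

    # Kept for parity with the sibling locations; the dispatcher already
    # diverts OPTIONS before rewriting here.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    # By default rewrite_by_lua* handlers run after the ngx_rewrite directives
    # of the block, so the script sees the URI with the prefix already stripped.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Strip the routing prefix so the backend receives the original /cuic/... path.
    rewrite ^/historical(?<realurl>/.*)$ $realurl break;

    # Cap on concurrent historical executions; the zone is defined outside this file.
    limit_conn cuichistoricalreportconnlimit ${NGX_CUIC_HISTORICAL_REPORT_CONN_LIMIT};

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}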

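# Target of the /realtime rewrite issued by the report-execution dispatcher.
location ~ "^/realtime/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/[a-zA-Z0-9]{32}$" {
    # The /realtime prefix is a routing artifact, so the location is made
    # unreachable from outside (external requests get 404), matching
    # /internaloptions. Otherwise a client could call it directly, skip the
    # reportExecutionType check and choose which connection-limit pool applies.
    # Requests changed by `rewrite` count as internal, so the dispatcher still
    # reaches this block.
    internal;

    # Kept for parity with the sibling locations; the dispatcher already
    # diverts OPTIONS before rewriting here.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    # By default rewrite_by_lua* handlers run after the ngx_rewrite directives
    # of the block, so the script sees the URI with the prefix already stripped.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Strip the routing prefix so the backend receives the original /cuic/... path.
    rewrite ^/realtime(?<realurl>/.*)$ $realurl break;

    # Cap on concurrent realtime executions; the zone is defined outside this file.
    limit_conn cuicrealtimereportconnlimit ${NGX_CUIC_REALTIME_REPORT_CONN_LIMIT};

    # Only GET (which also allows HEAD) and OPTIONS are accepted.
    limit_except GET OPTIONS { deny all; }

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}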

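# Public entry point for the newRest report execution. It proxies nothing
# itself: the request is routed on ?reportExecutionType= to the /historical
# or /realtime location, which carry the auth gate and the rate/connection limits.
location ~ "^/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/newRest/$" {
    # CORS preflight is handed to the internal /internaloptions location.
    # $http_origin is the client-supplied Origin header; consumers of
    # $upstreamservername (not visible here) must treat it as untrusted.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # The execution type is mandatory.
    if ($arg_reportExecutionType = '') {
        return 404;
    }
    if ($arg_reportExecutionType = 'historical') {
        rewrite ^ /historical$uri last;
    }
    if ($arg_reportExecutionType = 'realtime') {
        rewrite ^ /realtime$uri last;
    }

    # Any other value is rejected explicitly. Without this the request stayed
    # in a location that has no proxy_pass and fell through to nginx's default
    # static-file handling, outside the auth gate used everywhere else.
    return 404;
}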

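# Target of the /historical rewrite issued by the newRest dispatcher.
location ~ "^/historical/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/newRest/$" {
    # The /historical prefix is a routing artifact, so the location is made
    # unreachable from outside (external requests get 404), matching
    # /internaloptions. Otherwise a client could call it directly, skip the
    # reportExecutionType check and choose which rate/connection-limit pool
    # applies. Requests changed by `rewrite` count as internal, so the
    # dispatcher still reaches this block.
    internal;

    # Kept for parity with the sibling locations; the dispatcher already
    # diverts OPTIONS before rewriting here.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    # By default rewrite_by_lua* handlers run after the ngx_rewrite directives
    # of the block, so the script sees the URI with the prefix already stripped.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Strip the routing prefix so the backend receives the original /cuic/... path.
    rewrite ^/historical(?<realurl>/.*)$ $realurl break;

    # Request-rate and concurrency caps for historical executions; both zones
    # are defined outside this file.
    limit_req zone=cuichistoricalreportratelimit burst=${NGX_CUIC_HISTORICAL_REPORT_REQUEST_BURST_LIMIT} nodelay;
    limit_conn cuichistoricalreportconnlimit ${NGX_CUIC_HISTORICAL_REPORT_NEW_CONN_LIMIT};

    # Only POST and OPTIONS are accepted.
    limit_except POST OPTIONS { deny all; }

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}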

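# Target of the /realtime rewrite issued by the newRest dispatcher.
location ~ "^/realtime/cuic/rest/[a-z]{2}_[A-Z]{2}/reports/execute/newRest/$" {
    # The /realtime prefix is a routing artifact, so the location is made
    # unreachable from outside (external requests get 404), matching
    # /internaloptions. Otherwise a client could call it directly, skip the
    # reportExecutionType check and choose which rate/connection-limit pool
    # applies. Requests changed by `rewrite` count as internal, so the
    # dispatcher still reaches this block.
    internal;

    # Kept for parity with the sibling locations; the dispatcher already
    # diverts OPTIONS before rewriting here.
    if ($request_method = OPTIONS ) {
        set $upstreamservername  "CUIC-${http_origin}";
        rewrite ^ /internaloptions$uri last;
    }

    # Stores the return value of cuic_auth_header.lua in $res (script not shown here).
    set_by_lua_file $res ${NGX_LUA_DIR}/cuic_auth_header.lua;

    # Picks the authorization header from the one specified (authorization).
    set $custom_authorization_header 'tokenValidation';

    # Rewrite-phase gate for unauthorized users. The inherited description
    # (written for the Finesse API) says a known user is passed on to the
    # UserAuth check and anyone else gets 401 -- confirm against the script.
    # By default rewrite_by_lua* handlers run after the ngx_rewrite directives
    # of the block, so the script sees the URI with the prefix already stripped.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;

    # Strip the routing prefix so the backend receives the original /cuic/... path.
    rewrite ^/realtime(?<realurl>/.*)$ $realurl break;

    # Request-rate and concurrency caps for realtime executions; both zones
    # are defined outside this file.
    limit_req zone=cuicrealtimereportratelimit burst=${NGX_CUIC_REALTIME_REPORT_REQUEST_BURST_LIMIT} nodelay;
    limit_conn cuicrealtimereportconnlimit ${NGX_CUIC_REALTIME_REPORT_NEW_CONN_LIMIT};

    # Only POST and OPTIONS are accepted.
    limit_except POST OPTIONS { deny all; }

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;

    # Responses are never stored in, nor served from, the proxy cache.
    proxy_no_cache 1;
    proxy_cache_bypass 1;
}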

# Handler for CORS preflight (OPTIONS) requests that the public locations
# rewrite to /internaloptions<original-uri>.
location ~ ^/internaloptions/(.*)$ {
    # Reachable only through internal redirects; a direct client request gets 404.
    internal;

    # Drop the routing prefix so the backend sees the original URI.
    rewrite ^/internaloptions(?<realurl>/.*)$ $realurl break;

    # Access-phase check of the CORS request headers (script not shown here).
    # This is the only gate on this path: the token/auth scripts used by the
    # public locations are not invoked for preflight requests.
    access_by_lua_file ${NGX_LUA_DIR}/checkcorsheaders.lua;

    # $backend is defined outside this file.
    proxy_pass $scheme://$backend;

    # Response-body filter; by its name it caches OPTIONS responses -- confirm
    # against the script what the cache is keyed on.
    body_filter_by_lua_file ${NGX_LUA_DIR}/cacheoptionsrequests.lua;
}
