#!/usr/bin/env bash
# 
# This script will tar lxc-pve AppArmor profiles and
# upload archive to remote download server.
#

# Path to auth file that contains username and password.
# Example
# username=authuser
# password=authpw
auth_file=$HOME/.tar.lxc-apparmor-profiles.authfile

# Do not edit anything below this line
set -e

_curl_opts='--silent'
_wget_opts='--quiet'
_ssh_opts='-q'
if [ -n $DEBUG ] && [[ $DEBUG -ge 2 ]]; then
	set -x
	_tar_opts='-v'
	_curl_opts='--show-error --verbose'
	_wget_opts='--verbose'
	_ssh_opts='-vv'
fi

function debug {
	if test -n "$DEBUG"; then
		echo "[DEBUG] $1"
	fi
}

function cleanup {
	debug "Cleaning up temporary directory..."
	if test -d $_tmp_dir; then
		rm -r $_tmp_dir
	fi
}

function getfilehash {
	echo $(sha256sum $1|awk '{print $1}')
}

function _wget {
	wget $_wget_opts $1 2> /dev/null || true
}

function httpdownload {
	_wget $_dl_filedir/$_dl_filename
	_wget $_dl_filedir/$_dl_filesha256

	if test ! -f $_dl_filename && test ! -f $_dl_filename.sha256; then 
		echo "ERROR: Failed to download files"; exit 1; 
	fi

	# TODO: rename $_dl_filename to $_tar_filename
	_file_hash=$(getfilehash $_dl_filename)
	_remote_hash=$(cat $_dl_filename.sha256)

	if [ $_file_hash != $_remote_hash ]; then
		echo "Downloaded file corrupted!"
		exit 1
	fi
}

if test -n "$TESTING"; then
	_dl_server=http://localhost:8080
else
	# This is a temporary location, perhaps
	# permanent. dl.lhprojects.net is not configured
	# to execute PHP scripts
	_dl_server=https://www.lhprojects.net
fi
_tar_filename=apparmor-profiles.tgz
_dl_scriptname=handleLXCAppArmorProfiles.php
_dl_filedir=$_dl_server/apparmor
_dl_filename=$_tar_filename
_rsync_server=pve1.lhprojects.int
_tmp_dir=/tmp/.tar.lxc-apparmor-profiles
_rsync_user=apparmor_rsync
_remote_script_path=/usr/local/bin/tar.lxc-apparmor-profiles

function usage 
{ 
	echo "Usage: ${0}"
	echo "This script can upload an archive of LXC AppArmor profiles to a remote HTTP"
	echo "server via handleLXCAppArmorProfiles.php. Alternatively, you can use --download-scp."
	echo ""
	echo "    --download"
	echo "        Download and extract archive using http via handleLXCAppArmorProfiles.php"
	echo "        NOTE: You need to upload the archive to a middleman HTTP server prior to using --download."
	echo "    --download-scp"
	echo "        Same as above however use scp for file transfer."
	echo "        NOTE: the remote SSH server must have $_remote_script_path installed"
	echo "    --download-test"
	echo "        Same as --download, but extract in temp directory"
	echo "    -h | --help"
	echo "        Show this usage"

	exit 0
}


# We going to attempt to create a tmp dir
# and set the _tmp_dir variable
if test -d $_tmp_dir && test ! -O $_tmp_dir; then
	debug "ERROR: We don't own $_tmp_dir!"
	_old_tmp_dir=$_tmp_dir
	for i in {1..5}; do 
		__tmp_dir=$_tmp_dir$i
		if test -d $__tmp_dir && test -O $__tmp_dir || test ! -d $__tmp_dir; then
			debug "Setting _tmp_dir to '$__tmp_dir'"
			_tmp_dir=$__tmp_dir
			break
		fi
	done

	
	if [[ $_tmp_dir = $_old_tmp_dir ]]; then
		echo "ERROR: Unable to set a tmp dir"
		exit 1
	fi
fi
_staging_dir=$_tmp_dir/stg

case "$1" in

    -h | --help )
		usage
		;;
	--download | --download-scp)
		cleanup
		mkdir -p $_staging_dir

		cd $_tmp_dir

		if [ $1 = '--download-scp' ]; then
			echo "Archiving remote AppArmor profiles..."
			_result=$(ssh $_ssh_opts $_rsync_user@$_rsync_server || true)
			if [[ $_result != '200 OK' ]]; then
				echo "ERROR: Something went wrong: REMOTE $_result"
				cleanup
				exit 1
			fi

			echo "Downloading archive..."
			scp $_ssh_opts $_rsync_user@$_rsync_server:$_tar_filename .
			scp $_ssh_opts $_rsync_user@$_rsync_server:$_tar_filename.sha256 .
			if test ! -f $_tar_filename && test ! -f $_tar_filename.sha256; then 
				echo "ERROR: Failed to download files"; exit 1; 
			fi

			_file_hash=$(getfilehash $_tar_filename)
			_remote_hash=$(cat $_tar_filename.sha256)
			if [ $_file_hash != $_remote_hash ]; then
				echo "Downloaded file corrupted!"
				exit 1
			fi
		else
			httpdownload
		fi

		echo "Extracting archive..."
		cd /
		tar $_tar_opts -xf $_tmp_dir/$_dl_filename .

		cleanup
		exit 0
		;;

	--download-test )
		echo "This is only a download test and archive extract"

		cleanup
		mkdir -p $_staging_dir

		cd $_tmp_dir
		httpdownload

		cd $_staging_dir
		tar $_tar_opts -xf ../$_dl_filename .

		echo "Download test completed successfully"

		cleanup
		exit 0
		;;

	* )

		# Check if running under a SSH connection
		if [ -n "$SSH_CLIENT" ] && [ -z "$1" ] && [ $USER != 'root' ]; then
			echo "Running from SSH connection and no command arguments given"
			echo "Exiting"
			exit 1
		fi

		# Init
		_tar_file=$_tmp_dir/$_tar_filename
		_user_home=$(eval echo "~$_rsync_user")

		_scp_remote=0
		if test -n "$1" && [ $1 = '--scp-remote' ]; then
			debug "Remote SCP enabled, not uploading..."
			_scp_remote=1

			# Determine if we need to run scp instead
			case "$SSH_ORIGINAL_COMMAND" in
				"scp -f $_tar_filename" | "scp -f $_tar_filename" | "scp -f $_tar_filename.sha256" | "scp -v -f $_tar_filename.sha256" )
			
					cd $_user_home

					# Replace script with scp command
					eval "$SSH_ORIGINAL_COMMAND"
					exit 0
					;;
			esac
		fi

		cleanup
		mkdir -p $_staging_dir


		debug "Copying AppArmor profiles over to tmp dir..."
		read -r -d '' _profile_files <<- EOF || true
/etc/apparmor.d
/etc/apparmor.d/abstractions
/etc/apparmor.d/abstractions/lxc
/etc/apparmor.d/abstractions/lxc/container-base
/etc/apparmor.d/abstractions/lxc/start-container
/etc/apparmor.d/lxc
/etc/apparmor.d/lxc/lxc-default
/etc/apparmor.d/lxc/lxc-default-cgns
/etc/apparmor.d/lxc/lxc-default-with-mounting
/etc/apparmor.d/lxc/lxc-default-with-nesting
/etc/apparmor.d/lxc-containers
EOF

		# Read file list
		while read -r file; do
			if test -d $file;
			then
				_dest=$_staging_dir/.$file
				debug "Creating directory: $_dest"
				mkdir -p $_dest
			elif test -f $file
			then
				_src=$file
				_dest=$_staging_dir/.$file
				debug "Copying: $_src to $_dest"
				cp $_src $_dest
			fi
		done <<< "$_profile_files"

		debug "Changing directory to $_tmp_dir"
		cd $_staging_dir

		if [ $PWD != $_staging_dir ]; then
			echo "Failed to change directory!"
			exit 1
		fi

		# Tar files
		tar $_tar_opts -czf $_tar_file .

		# Get file hash
		_file_hash=$(getfilehash $_tar_file)

		if [ $_scp_remote -ne 0 ]; then
			debug "Moving: $_tar_file to $_user_home"
			mv -f $_tar_file $_user_home/
			echo $_file_hash > $_user_home/$_tar_filename.sha256
			echo "200 OK"
			cleanup
			exit 0
		elif test -n "$1"; then
			echo "ERROR: Invalid argument: $1"
			cleanup
			exit 1
		fi

		# Get auth creds
		if test ! -f $auth_file; then
			echo "ERROR: Auth file '$auth_file' not found!"
			cleanup
			exit 1
		fi
		source $auth_file

		_result=$(curl $_curl_opts -H 'X-AppArmor-State: ProcessUpload' -H "X-Tar-Hash: $_file_hash" -F "apparmor-profiles=@$_tmp_dir/$_tar_filename" --user "$username:$password" $_dl_server/$_dl_scriptname)

		if [[ $_results = '200 OK' ]]; then
			echo 'Successfully uploaded archive!'
		else
			echo "Something went wrong: $_result"
		fi

		;;
esac