#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

# Elastic agent is not managed by salt. Because of this we must store this base information in a 
# script that accompanies the soup system. Since so-common is one of those special soup files, 
# and since this same logic is required during installation, it's included in this file.
ELASTIC_AGENT_TARBALL_VERSION="8.10.4"
ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent

DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4"

if [ -z $NOROOT ]; then
	# Check for prerequisites
	if [ "$(id -u)" -ne 0 ]; then
		echo "This script must be run using sudo!"
		exit 1
	fi
fi

# Ensure /usr/sbin is in path
if ! echo "$PATH" | grep -q "/usr/sbin"; then
  export PATH="$PATH:/usr/sbin"
fi

# Define a banner to separate sections
banner="========================================================================="

add_interface_bond0() {
	local BNIC=$1
	if [[ -z $MTU ]]; then
		local MTU
		MTU=$(lookup_pillar "mtu" "sensor")
	fi
	local nic_error=0

	# Check if specific offload features are able to be disabled
	for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
		if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then
			echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected."
			((nic_error++))
			break
		fi
	done

	case "$2" in
		-v|--verbose)
			local verbose=true
		;;
	esac

	for i in rx tx sg tso ufo gso gro lro; do
		if [[ $verbose == true ]]; then
			ethtool -K "$BNIC" $i off
		else
			ethtool -K "$BNIC" $i off &>/dev/null
		fi
	done

        if ! [[ $is_cloud ]]; then
	  # Check if the bond slave connection has already been created
	  nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
	  local found_int=$?

	  if [[ $found_int != 0 ]]; then
		  # Create the slave interface and assign it to the bond
		  nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
			  ethernet.mtu "$MTU" \
			  connection.autoconnect "yes"
	  else
		  local int_uuid
		  int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')

		  nmcli con mod "$int_uuid" \
			  ethernet.mtu "$MTU" \
			  connection.autoconnect "yes"
	  fi
        fi

	ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on

        if ! [[ $is_cloud ]]; then
	  # Bring the slave interface up
	  if [[ $verbose == true ]]; then
		  nmcli con up "bond0-slave-$BNIC"
	  else
		  nmcli con up "bond0-slave-$BNIC" &>/dev/null
	  fi
	fi
	if [ "$nic_error" != 0 ]; then
		return "$nic_error"
	fi
}

check_container() {
	docker ps | grep "$1:" > /dev/null 2>&1
	return $?
}

check_password() {
	local password=$1
	echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
	return $?
}

check_password_and_exit() {
	local password=$1
	if ! check_password "$password"; then
		echo "Password is invalid. Do not include single quotes, double quotes, dollar signs, and backslashes in the password."
		exit 2
	fi
	return 0
}

check_elastic_license() {

	[ -n "$TESTING" ] && return

	# See if the user has already accepted the license
	if [ ! -f /opt/so/state/yeselastic.txt ]; then
	  elastic_license
	else
	  echo "Elastic License has already been accepted"
	fi  
}

check_salt_master_status() {
	local count=0
    local attempts="${1:- 10}"
	current_time="$(date '+%b %d %H:%M:%S')"
	echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
    while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
        current_time="$(date '+%b %d %H:%M:%S')"
        echo "Can't access salt master or it is not ready at: ${current_time}"
        ((count+=1))
        if [[ $count -eq $attempts ]]; then
			# 10 attempts takes about 5.5 minutes
            echo "Gave up trying to access salt-master"
            return 1
        fi
    done
	current_time="$(date '+%b %d %H:%M:%S')"
	echo "Successfully accessed and salt master ready at: ${current_time}"
    return 0
}

check_salt_minion_status() {
	local timeout="${1:-5}"
	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
	local status=$?
	if [ $status -gt 0 ]; then
		echo "  Minion did not respond" >> "$setup_log" 2>&1
	else
		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
	fi

	return $status
}

copy_new_files() {
  # Copy new files over to the salt dir
  cd $UPDATE_DIR
  rsync -a salt $DEFAULT_SALT_DIR/ --delete
  rsync -a pillar $DEFAULT_SALT_DIR/ --delete
  chown -R socore:socore $DEFAULT_SALT_DIR/
  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
  cd /tmp
}

disable_fastestmirror() {
	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
}

download_and_verify() {
	source_url=$1
	source_md5_url=$2
	dest_file=$3
	md5_file=$4
	expand_dir=$5

	if [[ -n "$expand_dir" ]]; then
		mkdir -p "$expand_dir"
	fi

	if ! verify_md5_checksum "$dest_file" "$md5_file"; then
		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" ""
		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'"  "" ""

		if verify_md5_checksum "$dest_file" "$md5_file"; then
		  echo "Source file and checksum are good."
		else
		  echo "Unable to download and verify the source file and checksum."
		  return 1
		fi
	fi

	if [[ -n "$expand_dir" ]]; then
		tar -xf "$dest_file" -C "$expand_dir"
	fi
}

elastic_license() {

read -r -d '' message <<- EOM
\n
Elastic Stack binaries and Security Onion components are only available under the Elastic License version 2 (ELv2):
https://securityonion.net/license/

Do you agree to the terms of ELv2?

If so, type AGREE to accept ELv2 and continue. Otherwise, press Enter to exit this program without making any changes.
EOM

	AGREED=$(whiptail --title "$whiptail_title" --inputbox \
	"$message" 20 75 3>&1 1>&2 2>&3)

	if [ "${AGREED^^}" = 'AGREE' ]; then
		mkdir -p /opt/so/state
		touch /opt/so/state/yeselastic.txt 
	else
		echo "Starting in 2.3.40 you must accept the Elastic license if you want to run Security Onion."
		exit 1
	fi

}

fail() {
	msg=$1
	echo "ERROR: $msg"
	echo "Exiting."
	exit 1
}

get_random_value() {
	length=${1:-20}
	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
}

gpg_rpm_import() {
	if [[ $is_oracle ]]; then
	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
	    else
	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
	    fi
		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
	        echo "Imported $RPMKEY"
	    done
	elif [[ $is_rpm ]]; then
		echo "Importing the security onion GPG key"
		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
	fi
}

header() {
	printf '%s\n' "" "$banner" " $*" "$banner" 
}

init_monitor() {
	MONITORNIC=$1
	
	if [[ $MONITORNIC == "bond0" ]]; then 
	  BIFACES=$(lookup_bond_interfaces)
	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
	    ethtool -K "$MONITORNIC" "$i" off;
  	  done
	else
	  BIFACES=$MONITORNIC
	fi

	for DEVICE_IFACE in $BIFACES; do
	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
	    ethtool -K "$DEVICE_IFACE" "$i" off;
  	  done
	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
	done
}

is_manager_node() {
	grep "role: so-" /etc/salt/grains | grep -E "manager|eval|managersearch|standalone|import" &> /dev/null
}

is_sensor_node() {
	# Check to see if this is a sensor (forward) node
	is_single_node_grid && return 0
	grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode" &> /dev/null
}

is_single_node_grid() {
	grep "role: so-" /etc/salt/grains | grep -E "eval|standalone|import" &> /dev/null
}

lookup_bond_interfaces() {
	cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g"
}

lookup_salt_value() {
	key=$1
	group=$2
	kind=$3
	output=${4:-newline_values_only}
	local=$5

	if [ -z "$kind" ]; then
		kind=pillar
	fi

	if [ -n "$group" ]; then
		group=${group}:
	fi

	if [[ "$local" == "--local" ]] || [[ "$local" == "local" ]]; then
		local="--local"
	else
		local=""
	fi

	salt-call --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
}

lookup_pillar() {
	key=$1
	pillar=$2
	if [ -z "$pillar" ]; then
		pillar=global
	fi
	lookup_salt_value "$key" "$pillar" "pillar"
}

lookup_pillar_secret() {
	lookup_pillar "$1" "secrets"
}

lookup_grain() {
	lookup_salt_value "$1" "" "grains"
}

lookup_role() {
	id=$(lookup_grain id)
	pieces=($(echo $id | tr '_' ' '))
	echo ${pieces[1]}
}

is_feature_enabled() {
	feature=$1
	enabled=$(lookup_salt_value features)
	for cur in $enabled; do
		if [[ "$feature" == "$cur" ]]; then
			return 0
		fi
	done
	return 1
}

require_manager() {
	if is_manager_node; then
		echo "This is a manager, so we can proceed."
	else
		echo "Please run this command on the manager; the manager controls the grid."
		exit 1
	fi
}

retry() {
        maxAttempts=$1
        sleepDelay=$2
        cmd=$3
        expectedOutput=$4
        failedOutput=$5
        attempt=0
        local exitcode=0
        while [[ $attempt -lt $maxAttempts ]]; do
                attempt=$((attempt+1))
                echo "Executing command with retry support: $cmd"
                output=$(eval "$cmd")
                exitcode=$?
                echo "Results: $output ($exitcode)"
                if [ -n "$expectedOutput" ]; then
                        if [[ "$output" =~ "$expectedOutput" ]]; then
                                return $exitcode
                        else
                                echo "Did not find expectedOutput: '$expectedOutput' in the output below from running the command: '$cmd'"
								echo "<Start of output>"
								echo "$output"
								echo "<End of output>"
                        fi
                elif [ -n "$failedOutput" ]; then
                        if [[ "$output" =~ "$failedOutput" ]]; then
                                echo "Found failedOutput: '$failedOutput' in the output below from running the command: '$cmd'"
								echo "<Start of output>"
								echo "$output"
								echo "<End of output>"
								if [[ $exitcode -eq 0 ]]; then
									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
									exitcode=1
								fi
                        else
                                return $exitcode
                        fi
                elif [[ $exitcode -eq 0 ]]; then
                        return $exitcode
                fi
                echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
                sleep $sleepDelay
        done
        echo "Command continues to fail; giving up."
        return $exitcode
}

run_check_net_err() {
	local cmd=$1
	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
	local no_retry=$3

	local exit_code
	if [[ -z $no_retry ]]; then
		retry 5 60 "$cmd"
		exit_code=$?
	else
		eval "$cmd"
		exit_code=$?
	fi
	
	if [[ $exit_code -ne 0 ]]; then
		ERR_HANDLED=true
		[[ -z $no_retry ]] || echo "Command failed with error $exit_code"
		echo "$err_msg"
		exit $exit_code
	fi
}

salt_minion_count() {
	local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
	MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)

}

set_os() {
	if [ -f /etc/redhat-release ]; then
		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
			OS=rocky
			OSVER=9
			is_rocky=true
		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
			OS=centos
			OSVER=9
			is_centos=true
		elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
			OS=oel
			OSVER=9
			is_oracle=true
		fi
		cron_service_name="crond"
	else
		OS=ubuntu
		is_ubuntu=true
		cron_service_name="cron"
	fi
}

set_minionid() {
	MINIONID=$(lookup_grain id)
}

set_palette() {
	if [[ $is_deb ]]; then
	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
}

set_version() {
	CURRENTVERSION=0.0.0
	if [ -f /etc/soversion ]; then
		CURRENTVERSION=$(cat /etc/soversion)
	fi
	if [ -z "$VERSION" ]; then
		if [ -z "$NEWVERSION" ]; then
			if [ "$CURRENTVERSION" == "0.0.0" ]; then
				echo "ERROR: Unable to detect Security Onion version; terminating script."
				exit 1
			else
				VERSION=$CURRENTVERSION
			fi
		else
			VERSION="$NEWVERSION"
		fi
	fi
}

systemctl_func() {
	local action=$1
	local echo_action=$1
	local service_name=$2

	if [[ "$echo_action" == "stop" ]]; then
		echo_action="stopp"
	fi

	echo ""
	echo "${echo_action^}ing $service_name service at $(date +"%T.%6N")"
    systemctl $action $service_name && echo "Successfully ${echo_action}ed $service_name." || echo "Failed to $action $service_name."
	echo ""
}

has_uppercase() {
	local string=$1

	echo "$string" | grep -qP '[A-Z]' \
		&& return 0 \
		|| return 1
}

update_elastic_agent() {
	echo "Checking if Elastic Agent update is necessary..."
	download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
}

valid_cidr() {
	# Verify there is a backslash in the string
	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1

	valid_ip4_cidr_mask "$1" && return 0 || return 1
	
	local cidr="$1"
	local ip
	ip=$(echo "$cidr" | sed 's/\/.*//' )
	
	if valid_ip4 "$ip"; then
		local ip1 ip2 ip3 ip4 N
		IFS="./" read -r ip1 ip2 ip3 ip4 N <<< "$cidr"
		ip_total=$((ip1 * 256 ** 3 + ip2 * 256 ** 2 + ip3 * 256 + ip4))
		[[ $((ip_total % 2**(32-N))) == 0 ]] && return 0 || return 1
	else
		return 1
	fi
}

valid_cidr_list() {
	local all_valid=0

	IFS="," read -r -a net_arr <<< "$1"

	for net in "${net_arr[@]}"; do
		valid_cidr "$net" || all_valid=1
	done

	return $all_valid
}

valid_dns_list() {
	local all_valid=0

	IFS="," read -r -a dns_arr <<< "$1"

	for addr in "${dns_arr[@]}"; do
		valid_ip4 "$addr" || all_valid=1
	done

	return $all_valid
}

valid_fqdn() {
	local fqdn=$1

	echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}$)' \
		&& return 0 \
		|| return 1
}

valid_hostname() {
	local hostname=$1

	[[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1
}

verify_ip4() {
        local ip=$1
        # Is this an IP or CIDR?
        if grep -qP "^[^/]+/[^/]+$" <<< $ip; then
                # Looks like a CIDR
                valid_ip4_cidr_mask "$ip"
        else
                # We know this is not a CIDR - Is it an IP?
                valid_ip4 "$ip"
        fi
}

valid_ip4() {
	local ip=$1

	echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1
}

valid_ip4_cidr_mask() {
	# Verify there is a backslash in the string
	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1

	local cidr
	local ip

	cidr=$(echo "$1" | sed 's/.*\///')
	ip=$(echo "$1" | sed 's/\/.*//' )

	if valid_ip4 "$ip"; then
		[[ $cidr =~ ^([0-9]|[1-2][0-9]|3[0-2])$ ]] && return 0 || return 1
	else
		return 1
	fi
}

valid_int() {
	local num=$1
	local min=${2:-1}
	local max=${3:-1000000000}

	[[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1
}

# {% raw %}

valid_proxy() {
	local proxy=$1
	local url_prefixes=( 'http://' 'https://' )

	local has_prefix=false
	for prefix in "${url_prefixes[@]}"; do
		echo "$proxy" | grep -q "$prefix" && has_prefix=true && proxy=${proxy#"$prefix"} && break
	done
	
	local url_arr
	mapfile -t url_arr <<< "$(echo "$proxy" | tr ":" "\n")"

	local valid_url=true
	if ! valid_ip4 "${url_arr[0]}" && ! valid_fqdn "${url_arr[0]}" && ! valid_hostname "${url_arr[0]}"; then
		valid_url=false
	fi

	[[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1
}

valid_ntp_list() {
	local string=$1
	local ntp_arr
	IFS="," read -r -a ntp_arr <<< "$string"

	for ntp in "${ntp_arr[@]}"; do
		if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then
			return 1
		fi
	done

	return 0
}

valid_string() {
	local str=$1
	local min_length=${2:-1}
	local max_length=${3:-64}

	echo "$str" | grep -qP '^\S+$' && [[ ${#str} -ge $min_length ]] && [[ ${#str} -le $max_length ]] && return 0 || return 1
}

# {% endraw %}

valid_username() {
	local user=$1

	echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1
}

verify_md5_checksum() {
	data_file=$1
	md5_file=${2:-${data_file}.md5}

	if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then
		return 2
	fi

	SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }')
	HASH=$(cat "$md5_file")

	if [[ "$HASH" == "$SOURCEHASH" ]]; then
		return 0
	fi
	return 1
}

wait_for_web_response() {
	url=$1
	expected=$2
	maxAttempts=${3:-300}
	curlcmd=${4:-curl}
	logfile=/root/wait_for_web_response.log
	truncate -s 0 "$logfile"
	attempt=0
	while [[ $attempt -lt $maxAttempts ]]; do
		attempt=$((attempt+1))
		echo "Waiting for value '$expected' at '$url' ($attempt/$maxAttempts)"
		result=$($curlcmd -ks -L $url)
		exitcode=$?

		echo "--------------------------------------------------" >> $logfile
		echo "$(date) - Checking web URL: $url ($attempt/$maxAttempts)" >> $logfile
		echo "$result" >> $logfile
		echo "exit code=$exitcode" >> $logfile
		echo "" >> $logfile

		if [[ $exitcode -eq 0 && "$result" =~ $expected ]]; then
			echo "Received expected response; proceeding."
			return 0
		fi
		echo "Server is not ready"
		sleep 1
	done
	echo "Server still not ready after $maxAttempts attempts; giving up."
	return 1
}
