#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

. /usr/sbin/so-common

SKIP=0
#########################################
# Options
#########################################
usage()
{
cat <<EOF
Security Onion Elastic Clear
  Options:
  -h         This message
  -y         Skip interactive mode
EOF
}
while getopts "h:cdely" OPTION
do
        case $OPTION in
                h)
                        usage
                        exit 0
                        ;;
                c)
			DELETE_CASES_DATA=1
			SKIP=1
                        ;;
                d)
			DONT_STOP_SERVICES=1
                        SKIP=1
			;;
                e)
			DELETE_ELASTALERT_DATA=1
                        SKIP=1
                        ;;
		l)
			DELETE_LOG_DATA=1
			SKIP=1
			;;
                y)
                        DELETE_CASES_DATA=1
                        DELETE_ELASTALERT_DATA=1
			DELETE_LOG_DATA=1
			SKIP=1
                        ;;
                *)
                        usage
                        exit 0
                        ;;
        esac
done
if [ $SKIP -ne 1 ]; then
        DELETE_CASES_DATA=1
        DELETE_ELASTALERT_DATA=1
        DELETE_LOG_DATA=1
        # List indices
        echo 
        curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://localhost:9200/_cat/indices?v
        echo
        # Inform user we are about to delete all data
        echo
        echo "This script will delete all data (documents, indices, etc.) in the Elasticsearch database."
        echo
        echo "If you would like to proceed, then type AGREE and press ENTER."
        echo
        # Read user input
        read INPUT
        if [ "$INPUT" != "AGREE" ] ; then exit 0; fi
fi


if [ -z "$DONT_STOP_SERVICES" ]; then
	# Stop Elastic Agent
        /usr/sbin/so-elastic-agent-stop

	# Check to see if Elastic Fleet, Logstash, Elastalert are running
	#EF_ENABLED=$(so-status | grep elastic-fleet)
	LS_ENABLED=$(so-status | grep logstash)
	EA_ENABLED=$(so-status | grep elastalert)

	#if [ ! -z "$EF_ENABLED" ]; then
        #	/usr/sbin/so-elastic-fleet-stop
	#fi

	if [ ! -z "$LS_ENABLED" ]; then
        	/usr/sbin/so-logstash-stop
	fi

	if [ ! -z "$EA_ENABLED" ]; then
        	/usr/sbin/so-elastalert-stop
	fi
fi

if [ ! -z "$DELETE_CASES_DATA" ]; then
        # Delete Cases data
        echo "Deleting Cases data..."
        INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "so-case")
        for INDX in ${INDXS}
        do
                echo "Deleting $INDX"
                /usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
        done
fi

# Delete Elastalert data
if [ ! -z "$DELETE_ELASTALERT_DATA" ]; then
        # Delete Elastalert data
        echo "Deleting Elastalert data..."
        INDXS=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index | grep "elastalert")
        for INDX in ${INDXS}
        do
                echo "Deleting $INDX"
                /usr/sbin/so-elasticsearch-query ${INDX} -XDELETE > /dev/null 2>&1
        done
fi

# Delete log data
if [ ! -z "$DELETE_LOG_DATA" ]; then
	echo "Deleting log data ..."
	DATASTREAMS=$(/usr/sbin/so-elasticsearch-query _data_stream | jq -r '.[] |.[].name')
	for DATASTREAM in ${DATASTREAMS}
	do
		# Delete the data stream
        	echo "Deleting $DATASTREAM..."
        	/usr/sbin/so-elasticsearch-query _data_stream/${DATASTREAM} -XDELETE > /dev/null 2>&1
	done
fi

if [ -z "$DONT_STOP_SERVICES" ]; then
	#Start Logstash
	if [ ! -z "$LS_ENABLED" ]; then
        	/usr/sbin/so-logstash-start

	fi

	#Start Elastic Fleet
	#if [ ! -z "$EF_ENABLED" ]; then
        # 	/usr/sbin/so-elastic-fleet-start
	#fi

	#Start Elastalert
	if [ ! -z "$EA_ENABLED" ]; then
        	/usr/sbin/so-elastalert-start
	fi

	# Start Elastic Agent
	/usr/sbin/so-elastic-agent-restart
fi