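#!/usr/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
#
# so-firewall: add an IP address or CIDR block to one of the firewall hostgroup
# files under /opt/so/saltstack/local/salt/firewall/hostgroups and optionally
# apply the salt firewall state straight away.
#
# Usage: so-firewall --role=<role> --ip=<ip|cidr> [--apply=true]
#
# Security note: $ROLE becomes a path component under the hostgroups directory,
# so it must be matched against the fixed allow-list in rolecall() before it is
# used anywhere near the filesystem. $IP is appended to a file that salt turns
# into firewall rules, so it must pass verify_ip4 (provided by so-common, not
# visible in this file) before it is written.

. /usr/sbin/so-common

# Print usage and exit non-zero; used for a missing or malformed command line.
usage() {
  echo "Usage: $0 --role= --ip= --apply="
  echo ""
  echo " Example: so-firewall --role=sensor --ip=192.168.254.100 --apply=true"
  echo ""
  exit 1
}

if [[ $# -lt 1 ]]; then
  usage
fi

# Parse --key=value options. Each option must carry a value after '='.
# The previous '--apply*' pattern also accepted a bare '--apply' (and anything
# starting with --apply), leaving APPLY set to the literal option text so the
# rules were silently NOT applied; that case is now rejected with a clear
# message before anything is written.
for arg in "$@"; do
  case "$arg" in
    -r=*|--role=*)
      ROLE="${arg#*=}"
      ;;
    -i=*|--ip=*)
      IP="${arg#*=}"
      ;;
    -a=*|--apply=*)
      APPLY="${arg#*=}"
      ;;
    -a|--apply)
      echo "--apply requires a value, e.g. --apply=true"
      exit 1
      ;;
    -*)
      echo "Unknown option $arg"
      exit 1
      ;;
    *)
      # Bare positional arguments are ignored, as before.
      ;;
  esac
done

# Roles and the apply flag are compared case-insensitively.
ROLE=${ROLE,,}
APPLY=${APPLY,,}

# rolecall ROLE
# Returns 0 when ROLE is one of the hostgroup names this script is allowed to
# write to, 1 otherwise. This allow-list is the only thing that keeps ROLE from
# being an arbitrary path component (e.g. "../../some/other/file"), so add to
# it deliberately and never bypass it.
rolecall() {
  local wanted=$1
  local known=(analyst analyst_workstations beats_endpoint beats_endpoint_ssl
    elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh
    manager receivers searchnodes sensors standalone strelka_frontend syslog)
  local candidate
  for candidate in "${known[@]}"; do
    if [[ "$candidate" == "$wanted" ]]; then
      return 0
    fi
  done
  return 1
}

# Both --role and --ip are mandatory.
if [ -z "$ROLE" ]; then
  echo "Please specify a role with --role="
  exit 1
fi
if [ -z "$IP" ]; then
  echo "Please specify an IP address with --ip="
  exit 1
fi

# Reject any role that is not on the allow-list before it is used as a path.
if rolecall "$ROLE"; then
  echo "$ROLE is a supported role"
else
  echo "This is not a supported role"
  exit 1
fi

# Reject anything that is not an address or CIDR before it is written to the
# hostgroup file. verify_ip4 is defined in so-common; this script relies on it
# accepting only dotted-quad addresses with an optional /prefix.
if verify_ip4 "$IP"; then
  echo "$IP is a valid IP or CIDR"
else
  echo "$IP is not a valid IP or CIDR"
  exit 1
fi

local_salt_dir=/opt/so/saltstack/local/salt/firewall

# Let's see if the file exists and if it does, let's see if the IP exists.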
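hostgroup_file="$local_salt_dir/hostgroups/$ROLE"

# If the hostgroup file already exists, look for an exact line match.
# The previous 'grep -q $IP' treated the address as an unanchored regex: the
# dots matched any character and a prefix match was enough, so 192.168.1.1 was
# reported as "already existing" when only 192.168.1.10 or 192.168.1.100 was
# listed and never got added. -F -x forces a literal whole-line comparison and
# -- protects against a value starting with '-'.
if [ -f "$hostgroup_file" ]; then
  if grep -qxF -- "$IP" "$hostgroup_file"; then
    echo "Host already exists"
    exit 0
  fi
fi

# Make sure the hostgroups directory is there before appending. Without this
# check a missing directory produced a redirection error, the script still
# printed "Adding ..." and then went on to run the salt apply.
if [ ! -d "$local_salt_dir/hostgroups" ]; then
  echo "Hostgroup directory $local_salt_dir/hostgroups does not exist"
  exit 1
fi

# If you have reached this part of your quest then let's add the IP
echo "Adding $IP to the $ROLE role"
if ! echo "$IP" >> "$hostgroup_file"; then
  echo "Failed to write $hostgroup_file"
  exit 1
fi

# Apply now only when explicitly asked; otherwise the next highstate picks the
# new entry up.
if [ "$APPLY" = "true" ]; then
  echo "Applying the firewall rules"
  salt-call state.apply firewall queue=True
else
  echo "Firewall rules will be applied next salt run"
fi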