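#!/usr/bin/env python3

# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

"""Record host status facts for sostatus: pending reboot, FIPS mode and LUKS use.

The script must run as root. It writes its results to two files under
/opt/so/log/sostatus/. External tools are invoked by bare name, so they are
resolved through the PATH of the calling environment.
"""

import sys
import subprocess
import os
import json

sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
import salt.config
import salt.loader

__opts__ = salt.config.minion_config('/etc/salt/minion')
__grains__ = salt.loader.grains(__opts__)


def check_needs_restarted():
    """Write '1' to the needs_restarted status file if a reboot is pending, else '0'.

    Debian family: a reboot is pending when /var/run/reboot-required exists.
    RedHat family: a reboot is pending when `needs-restarting -r` exits non-zero.
    Any other OS family aborts through fail() before the file is written.
    """
    osfam = __grains__['os_family']
    val = '0'
    outfile = "/opt/so/log/sostatus/needs_restarted"

    if osfam == 'Debian':
        if os.path.exists('/var/run/reboot-required'):
            val = '1'
    elif osfam == 'RedHat':
        # Run the tool directly with an argument list instead of through a
        # shell; the output is discarded, only the exit status matters.
        try:
            rc = subprocess.run(
                ['needs-restarting', '-r'],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
            ).returncode
        except OSError:
            # The shell form reported a missing or non-executable tool as a
            # non-zero exit status, which was recorded as '1'; keep that.
            rc = 127
        if rc != 0:
            val = '1'
    else:
        fail("Unsupported OS")

    with open(outfile, 'w') as f:
        f.write(val)


def check_for_fips():
    """Return True when FIPS mode is detected; only checked when the os grain is 'OEL'.

    Uses the exit status of `fips-mode-setup --is-enabled`. If that tool is not
    installed, falls back to reading /proc/sys/crypto/fips_enabled.
    """
    # Named os_name so the local does not shadow the imported os module.
    os_name = __grains__['os']
    # Only checking fully supported OS
    if os_name != 'OEL':
        return False

    try:
        # No check=True here: a non-zero exit status is the ordinary
        # "not enabled" answer and must not raise CalledProcessError.
        result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.DEVNULL)
        return result.returncode == 0
    except FileNotFoundError:
        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
            return '1' in f.read()


def _partition_is_luks(part):
    """Return True if the lsblk node *part* is a LUKS container.

    Asks `cryptsetup isLuks`; if cryptsetup is not installed, falls back to
    looking for a child of *part* whose lsblk type contains 'crypt'.
    """
    try:
        # A non-zero exit status means "not LUKS", so it is not an error.
        probe = subprocess.run(['cryptsetup', 'isLuks', part['name']], stdout=subprocess.DEVNULL)
        return probe.returncode == 0
    except FileNotFoundError:
        return any('crypt' in (child.get('type') or '') for child in part['children'])


def check_for_luks():
    """Return True when a LUKS volume is detected; only checked when the os grain is 'OEL'.

    Walks the `lsblk -p -J` device tree and tests every second-level node
    that itself has children.
    """
    # Named os_name so the local does not shadow the imported os module.
    os_name = __grains__['os']
    # Only checking fully supported OS
    if os_name != 'OEL':
        return False

    result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
    data = json.loads(result.stdout)
    for device in data['blockdevices']:
        for part in device.get('children', []):
            # Stop at the first hit so a later non-LUKS node cannot reset the result.
            if 'children' in part and _partition_is_luks(part):
                return True
    return False


def check_features():
    """Write the detected FIPS and LUKS state to the features-check log."""
    fips = check_for_fips()
    luks = check_for_luks()
    with open('/opt/so/log/sostatus/features-check.log', 'w') as f:
        f.write("featuresdetected: fips={},luks={}".format(fips, luks))


def fail(msg):
    """Print *msg* to stderr and exit with status 1."""
    print(msg, file=sys.stderr)
    sys.exit(1)


def main():
    """Require root, then run the reboot check and the feature checks."""
    # Ask the kernel for the effective UID instead of running the external
    # `id -u` command and parsing its output.
    if os.geteuid() != 0:
        fail("This program must be run as root")
    check_needs_restarted()
    check_features()


if __name__ == "__main__":
    main()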