#!/bin/bash

# Copyright 2014-2023 Security Onion Solutions, LLC

#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

source $(dirname $0)/so-common
require_manager

user=$1
elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
elasticAuthPillarFile=${ELASTIC_AUTH_PILLAR_FILE:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}

if [[ $# -ne 1 ]]; then
  echo "Usage: $0 <user>"
  echo ""
  echo " where <user> is one of the following:"
  echo ""
  echo "         all: Reset the password for the so_elastic, so_kibana, so_logstash, so_beats, and so_monitor users"
  echo "  so_elastic: Reset the password for the so_elastic user"
  echo "   so_kibana: Reset the password for the so_kibana user"
  echo " so_logstash: Reset the password for the so_logstash user"
  echo "    so_beats: Reset the password for the so_beats user"
  echo "  so_monitor: Reset the password for the so_monitor user"
  echo ""
  exit 1
fi

# function to create a lock so that the so-user sync cronjob can't run while this is running
function lock() {
  # Obtain file descriptor lock
  exec 99>/var/tmp/so-user.lock || fail "Unable to create lock descriptor; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
  flock -w 10 99 || fail "Another process is using so-user; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually."
  trap 'rm -f /var/tmp/so-user.lock' EXIT
}

function unlock() {
  rm -f /var/tmp/so-user.lock
}

function fail() {
  msg=$1
  echo "$1"
  exit 1
}

function removeSingleUserPass() {
  local user=$1
  sed -i '/user: '"${user}"'/{N;/pass: /d}' "${elasticAuthPillarFile}"
}

function removeAllUserPass() {
  local userList=("so_elastic" "so_kibana" "so_logstash" "so_beats" "so_monitor")

  for u in ${userList[@]}; do
    removeSingleUserPass "$u"
  done
}

function removeElasticUsersFile() {
  rm -f "$elasticUsersFile"
}

function createElasticAuthPillar() {
  salt-call state.apply elasticsearch.auth queue=True
}

# this will disable highstate to prevent a highstate from starting while the script is running
# will also disable salt.minion-state-apply-test allow so-salt-minion-check cronjob to restart salt-minion service incase
function disableSaltStates() {
  printf "\nDisabling salt.minion-state-apply-test and highstate from running.\n\n"
  salt-call state.disable salt.minion-state-apply-test
  salt-call state.disable highstate
}

function enableSaltStates() {
  printf "\nEnabling salt.minion-state-apply-test and highstate.\n\n"
  salt-call state.enable salt.minion-state-apply-test
  salt-call state.enable highstate
}

function killAllSaltJobs() {
  printf "\nKilling all running salt jobs.\n\n"
  salt-call saltutil.kill_all_jobs
}

function soUserSync() {
  # apply this state to update /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager
  salt-call state.sls_id elastic_curl_config_distributed manager queue=True
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' saltutil.kill_all_jobs
  # apply this state to get the curl.config
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True
  $(dirname $0)/so-user sync
  printf "\nApplying logstash state to the appropriate nodes.\n\n"
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply logstash queue=True
  printf "\nApplying filebeat state to the appropriate nodes.\n\n"
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True
  printf "\nApplying kibana state to the appropriate nodes.\n\n"
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True
  printf "\nApplying curator state to the appropriate nodes.\n\n"
  salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply curator queue=True
}

function highstateManager() {
  killAllSaltJobs
  printf "\nRunning highstate on the manager to finalize password reset.\n\n"
  salt-call state.highstate -linfo queue=True
}

case "${user}" in

  so_elastic | so_kibana | so_logstash | so_beats | so_monitor)
    lock
    killAllSaltJobs
    disableSaltStates
    removeSingleUserPass "$user"
    createElasticAuthPillar
    removeElasticUsersFile
    unlock
    soUserSync
    enableSaltStates
    highstateManager
    ;;

  all)
    lock
    killAllSaltJobs
    disableSaltStates
    removeAllUserPass
    createElasticAuthPillar
    removeElasticUsersFile
    unlock
    soUserSync
    enableSaltStates
    highstateManager
    ;;

  *)
    fail "Unsupported user: $user"
    ;;

esac

exit 0