#!/bin/sh
# shellcheck source=/dev/null

# Locate the iptables.sh script this file manages: the copy under
# ${ROOTACT}/usr/etc/lrr takes precedence, ${SERVROOTDIR} is the fallback.
# SystemGetFilePath (defined elsewhere) publishes its result in sysfilepath;
# IPTABLES stays unset when neither location has the file.
# SC2034: IPTABLES is used in handle_iptables file
# shellcheck disable=SC2034
for iptables_dir in "${ROOTACT}/usr/etc/lrr" "${SERVROOTDIR}" ; do
    SystemGetFilePath "${iptables_dir}" "iptables.sh"
    if [ -f "${sysfilepath}" ] ; then
        IPTABLES="${sysfilepath}"
        break
    fi
done

# Cached verdict of CheckIptablesSshStatus ("allowed", "blocked" or "unknown").
# "unknown" forces a re-hash of iptables.sh on the next call; code that
# replaces the script resets it to "unknown".
IPTABLE_STATUS=unknown

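# CheckIptablesSshStatus()
#
# Compare the md5 of the active iptables.sh ($IPTABLES) with the
# pre-defined ssh_allowed / ssh_blocked variants and cache the verdict
# in IPTABLE_STATUS. The hashes are only recomputed while IPTABLE_STATUS
# is "unknown"; code that replaces the script must reset it to "unknown".
#
# Globals: IPTABLES (read), IPTABLE_STATUS (read/written),
#          MD5_CURRENT, MD5_ALLOWED, MD5_BLOCKED (written)
#
# Return 0 if it matches the ssh-allowed script
# Return 1 if it matches the ssh-blocked script
# Return 255 otherwise (no match, or a file is missing/unreadable)
#
CheckIptablesSshStatus()
{
    if [ "$IPTABLE_STATUS" = "unknown" ]; then
        # Reset every sum first: a variant removed since the previous call
        # must not keep matching through a stale value.
        MD5_CURRENT=""
        MD5_BLOCKED=""
        MD5_ALLOWED=""

        if [ -n "$IPTABLES" ] && [ -r "$IPTABLES" ] ; then
            MD5_CURRENT=$(md5sum "$IPTABLES" | cut -f1 -d" ")
        fi

        if [ -n "$IPTABLES" ] && [ -r "$IPTABLES.ssh_blocked" ] ; then
            MD5_BLOCKED=$(md5sum "$IPTABLES".ssh_blocked | cut -f1 -d" ")
        fi

        if [ -n "$IPTABLES" ] && [ -r "$IPTABLES.ssh_allowed" ] ; then
            MD5_ALLOWED=$(md5sum "$IPTABLES".ssh_allowed | cut -f1 -d" ")
        fi

        # An empty sum means the file could not be hashed. Two empty sums
        # compare equal, so the current sum is checked before any comparison:
        # an unreadable script must never be reported as "allowed".
        if [ -z "$MD5_CURRENT" ] ; then
            Log "Warning: cannot read iptables.sh ($IPTABLES), SSH filtering status is unknown"
        elif [ "$MD5_CURRENT" = "$MD5_ALLOWED" ] ; then
            IPTABLE_STATUS="allowed"
        elif [ "$MD5_CURRENT" = "$MD5_BLOCKED" ] ; then
            IPTABLE_STATUS="blocked"
        else
            Log "Warning: iptables.sh does not match iptables.sh.ssh_allowed nor iptables.sh.ssh_blocked"
        fi
    fi

    case "$IPTABLE_STATUS" in
    "allowed")
        return 0
        ;;
    "blocked")
        return 1
        ;;
    *)
        return 255
        ;;
    esac
}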

# CheckConnectivityToLRC()
#
# Decide from the LRR link-status file
# ($ROOTACT/var/log/lrr/lrcstatuslink.txt) whether it is safe to block
# SSH access. The file is sourced as shell code and is expected to
# define LRRPID, LASTUPDATE, LRCPRIMARY and LRCSECONDARY.
#
# SSH may be blocked only when every condition holds:
#   - the pid recorded in the file is the pid of the running lrr.x
#   - the primary LRC link is "ok"
#   - the secondary LRC link is "ok" or there is "none"
#   - LASTUPDATE is more than DELAY_REMOVE_SSH seconds old
#
# Globals: ROOTACT, DELAY_REMOVE_SSH (read);
#          LRRPID_CURRENT, NOW, TIME_DIFF (written)
#
# Return 0 if SSH could be blocked
# Return 1 if SSH should not be blocked
#
CheckConnectivityToLRC()
{
    [ -f "$ROOTACT/var/log/lrr/lrcstatuslink.txt" ] || return 1

    # NOTE(review): sourcing executes whatever the status file contains;
    # presumably only the LRR can write it — confirm the file permissions.
    . "$ROOTACT/var/log/lrr/lrcstatuslink.txt"

    LRRPID_CURRENT=$(pidof lrr.x)
    NOW=$(date +%s)
    TIME_DIFF=$((NOW - LASTUPDATE))

    # A pid mismatch means the file was written by a previous LRR instance.
    [ "$LRRPID" = "$LRRPID_CURRENT" ] || return 1
    [ "$LRCPRIMARY" = "ok" ] || return 1
    case "$LRCSECONDARY" in
    ok|none)
        ;;
    *)
        return 1
        ;;
    esac
    # A non-numeric DELAY_REMOVE_SSH makes the test fail, i.e. SSH stays open.
    [ "$TIME_DIFF" -gt "$DELAY_REMOVE_SSH" ] || return 1

    Log "Need to block the SSH flow."
    return 0
}

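# BlockSSH()
#
# Install the ssh_blocked variant as the active iptables.sh, restart the
# firewall service and verify the new state with CheckIptablesSshStatus.
#
# Globals: IPTABLES, SERVICEFIREWALL (read), IPTABLE_STATUS (written)
#
# Return 0 if incoming SSH is verified blocked
# Return 1 otherwise (copy failed, or the state could not be verified)
#
BlockSSH()
{
    Log "Blocking incoming SSH connections"
    # Without the copy there is nothing to apply: do not restart the firewall
    # on an unchanged script and do not claim success.
    if ! cp "$IPTABLES.ssh_blocked" "$IPTABLES" ; then
        Log "Failed to block the incoming SSH connections"
        return 1
    fi
    # Force CheckIptablesSshStatus to re-hash the script just installed.
    IPTABLE_STATUS="unknown"
    # Unquoted on purpose: SERVICEFIREWALL may hold a command plus arguments.
    $SERVICEFIREWALL restart
    # Only an explicit "blocked" verdict (return 1) is success; 255 means the
    # state is unknown and must not be reported as blocked.
    CheckIptablesSshStatus
    case "$?" in
    1)
        Log "Incoming SSH connections blocked"
        return 0
        ;;
    *)
        Log "Failed to block the incoming SSH connections"
        return 1
        ;;
    esac
}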

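# AllowSSH()
#
# Install the ssh_allowed variant as the active iptables.sh, restart the
# firewall service and verify the new state with CheckIptablesSshStatus.
#
# Globals: IPTABLES, SERVICEFIREWALL (read), IPTABLE_STATUS (written)
#
# Return 0 if incoming SSH is verified allowed
# Return 1 otherwise (copy failed, or the state could not be verified)
#
AllowSSH()
{
    Log "Allowing incoming SSH connections"
    # Without the copy there is nothing to apply: do not restart the firewall
    # on an unchanged script and do not claim success.
    if ! cp "$IPTABLES.ssh_allowed" "$IPTABLES" ; then
        Log "Failed to allow the incoming SSH connections"
        return 1
    fi
    # Force CheckIptablesSshStatus to re-hash the script just installed.
    IPTABLE_STATUS="unknown"
    # Unquoted on purpose: SERVICEFIREWALL may hold a command plus arguments.
    $SERVICEFIREWALL restart
    # Only an explicit "allowed" verdict (return 0) is success; 255 means the
    # state is unknown.
    if CheckIptablesSshStatus ; then
        Log "Incoming SSH connections allowed"
        return 0
    fi
    Log "Failed to allow the incoming SSH connections"
    return 1
}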
