#!/usr/bin/env bash
#
# onx-modsec-whitelist-write — IP allowlist'i Apache modsec_overrides'a yaz.
#
# Input: {"ips": [{"ip_or_cidr":"1.2.3.4", "domain_name":"example.com|null"}]}
# Output: {"applied":true, "count":N, "file":"...", "reloaded":true}

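set -euo pipefail

readonly CONF_FILE="/etc/httpd/modsecurity.d/onox-whitelist.conf"
# Managed rules use ids in the range 1000-1999; entries beyond that range are
# refused rather than silently colliding with ids owned by other rule sets.
readonly RULE_ID_MIN=1000
readonly RULE_ID_MAX=1999

#######################################
# Check that a value is a plain IPv4/IPv6 address or CIDR suitable as an
# @ipMatch operand. The accepted character set is restricted so the value can
# never close the quoted operand it is written into, and prefix lengths and
# IPv4 octets are range-checked so the generated file passes `httpd -t`.
# Arguments: $1 - candidate address or CIDR
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_ip_or_cidr() {
    local ip=$1
    local addr=${ip%%/*}
    local prefix=${ip#"$addr"}
    local octet
    local -a octets

    # "1.2.3.4/" (empty prefix) is not accepted.
    [[ "$ip" != */ ]] || return 1
    prefix=${prefix#/}

    if [[ "$addr" == *:* ]]; then
        # IPv6: hex groups and colons only (no zone id, no bracketed form).
        [[ "$addr" =~ ^[0-9a-fA-F:]+$ ]] || return 1
        if [[ -n "$prefix" ]]; then
            [[ "$prefix" =~ ^[0-9]{1,3}$ ]] || return 1
            (( 10#$prefix <= 128 )) || return 1
        fi
    else
        [[ "$addr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
        IFS=. read -r -a octets <<<"$addr"
        for octet in "${octets[@]}"; do
            (( 10#$octet <= 255 )) || return 1
        done
        if [[ -n "$prefix" ]]; then
            [[ "$prefix" =~ ^[0-9]{1,2}$ ]] || return 1
            (( 10#$prefix <= 32 )) || return 1
        fi
    fi
    return 0
}

#######################################
# Check that a value is a plain DNS hostname suitable as an @streq operand.
# Anything else (quotes, spaces, commas, newlines, directives) is rejected so
# a crafted domain_name cannot alter the generated configuration.
# Arguments: $1 - candidate hostname
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_domain() {
    local name=$1
    local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    local re="^${label}(\\.${label})*\$"
    (( ${#name} >= 1 && ${#name} <= 253 )) || return 1
    [[ "$name" =~ $re ]]
}

input="$(cat)"

# Number of entries requested; the number of rules actually written may be
# lower because invalid entries are skipped.
requested=$(jq '.ips // [] | length' <<<"$input")

conf_dir=${CONF_FILE%/*}
mkdir -p -- "$conf_dir"

# Build the new file next to the target and rename it into place, so a failure
# midway never leaves Apache loading a truncated allowlist. The previous file is
# kept so it can be restored if the new one does not pass the syntax check.
tmp_file=$(mktemp -- "${conf_dir}/.onox-whitelist.XXXXXX")
backup_file=
if [[ -f "$CONF_FILE" ]]; then
    backup_file=$(mktemp -- "${conf_dir}/.onox-whitelist.prev.XXXXXX")
    cp -p -- "$CONF_FILE" "$backup_file"
fi
cleanup() {
    rm -f -- "$tmp_file"
    if [[ -n "$backup_file" ]]; then
        rm -f -- "$backup_file"
    fi
}
trap cleanup EXIT

written=0
skipped=0
rule_id=$RULE_ID_MIN
{
    printf '%s\n' \
        "# Onoxsoft Panel managed — DO NOT EDIT MANUALLY" \
        "# UI: Admin > ModSecurity > IP Whitelist" \
        "# Auto-generated $(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        ""

    # Process substitution keeps the loop in this shell so the counters survive.
    while IFS= read -r entry; do
        ip=$(jq -r '.ip_or_cidr // empty' <<<"$entry")
        domain=$(jq -r '.domain_name // empty' <<<"$entry")

        # Anything that fails validation is dropped, never written verbatim.
        if [[ -z "$ip" ]] || ! valid_ip_or_cidr "$ip"; then
            skipped=$((skipped + 1))
            continue
        fi
        if [[ -n "$domain" ]] && ! valid_domain "$domain"; then
            skipped=$((skipped + 1))
            continue
        fi
        if (( rule_id > RULE_ID_MAX )); then
            skipped=$((skipped + 1))
            continue
        fi

        if [[ -n "$domain" ]]; then
            printf '%s\n' \
                "<LocationMatch \"^/.*\">" \
                "  SecRule SERVER_NAME \"@streq $domain\" \"id:$rule_id,phase:1,nolog,allow,t:none,chain\"" \
                "    SecRule REMOTE_ADDR \"@ipMatch $ip\"" \
                "</LocationMatch>"
        else
            printf '%s\n' "SecRule REMOTE_ADDR \"@ipMatch $ip\" \"id:$rule_id,phase:1,nolog,allow,t:none,msg:'onox-whitelist'\""
        fi
        printf '\n'
        written=$((written + 1))
        rule_id=$((rule_id + 1))
    done < <(jq -c '.ips[]?' <<<"$input")
} > "$tmp_file"

# mktemp creates the file 0600; the allowlist must be readable by httpd.
chmod 0644 -- "$tmp_file"
mv -f -- "$tmp_file" "$CONF_FILE"

# Reload Apache only after a clean syntax check. If the check fails, the
# previous allowlist (when there was one) is restored so the next restart does
# not pick up a broken file. When httpd is not installed there is nothing to
# reload and reloaded is deliberately left true.
applied=true
reloaded=true
if command -v httpd >/dev/null 2>&1; then
    if httpd -t 2>/dev/null; then
        systemctl reload httpd 2>/dev/null || reloaded=false
    else
        reloaded=false
        if [[ -n "$backup_file" ]]; then
            mv -f -- "$backup_file" "$CONF_FILE"
            applied=false
        fi
    fi
fi

logger -t "onox-modsec" "Whitelist written: $written rules ($skipped skipped of $requested requested, applied=$applied, reloaded=$reloaded)"

jq -nc \
    --argjson applied "$applied" \
    --argjson count "$written" \
    --argjson skipped "$skipped" \
    --arg file "$CONF_FILE" \
    --argjson reloaded "$reloaded" \
    '{ok:true, applied:$applied, count:$count, skipped:$skipped, file:$file, reloaded:$reloaded}'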
