#!/usr/bin/env bash
#
# onx-modsec-enable — turn the ModSecurity engine ON, select the ruleset and set the paranoia level.
#
# Input (stdin, JSON object): {"ruleset":"OWASP-CRS-3.3", "paranoia_level":2, "audit_log_enabled":true}
# Output (stdout): {"ok":true,"enabled":true,"ruleset":"...","paranoia_level":N,"audit_log_enabled":bool,"reloaded":bool}
# On a validation or config-test failure a {"ok":false,"error":"..."} object is written to stderr and the exit status is 1.

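set -euo pipefail

readonly CONF_FILE="/etc/httpd/modsecurity.d/onox-engine.conf"
readonly LOG_TAG="onox-modsec"

# Scratch files created during the run; removed by cleanup() on every exit path.
tmp_conf=""
backup_conf=""

#######################################
# Remove the temp config and the rollback copy if they still exist.
# Globals:   tmp_conf, backup_conf (read)
#######################################
cleanup() {
    [[ -n "$tmp_conf" ]] && rm -f -- "$tmp_conf"
    [[ -n "$backup_conf" ]] && rm -f -- "$backup_conf"
    return 0
}
trap cleanup EXIT

#######################################
# Print a JSON error object on stderr and exit 1.
# Arguments: $1 - error message
#            $2 - (optional) extra key to attach, e.g. "value" or "ruleset"
#            $3 - (optional) the offending value for that key
#######################################
fail() {
    local msg=$1 key=${2:-} val=${3:-}
    if [[ -n "$key" ]]; then
        jq -nc --arg msg "$msg" --arg key "$key" --arg val "$val" \
            '{ok:false,error:$msg} + {($key):$val}' >&2
    else
        jq -nc --arg msg "$msg" '{ok:false,error:$msg}' >&2
    fi
    exit 1
}

# --- Read and validate the request -----------------------------------------
input="$(cat)"

# Reject non-JSON / non-object input up front so a jq parse failure below does
# not surface as a bare stack trace under `set -e`.
if ! jq -e 'type == "object"' <<<"$input" >/dev/null 2>&1; then
    fail "input must be a JSON object"
fi

ruleset="$(jq -r '.ruleset // "OWASP-CRS-3.3"' <<<"$input")"
paranoia="$(jq -r '.paranoia_level // 2' <<<"$input")"
# jq's `//` treats false like null, so `.audit_log_enabled // true` could never
# yield false and audit logging could not be switched off. Test for absence instead.
audit_log="$(jq -r 'if .audit_log_enabled == null then true else .audit_log_enabled end' <<<"$input")"

# paranoia_level is interpolated into a SecAction directive; restrict it to one digit 1-4.
[[ "$paranoia" =~ ^[1-4]$ ]] || fail "paranoia_level must be 1-4" value "$paranoia"

# ruleset is interpolated into the generated file; allow-list it.
case "$ruleset" in
    OWASP-CRS-3.3|OWASP-CRS-4.0|Comodo-CWAF|Custom) ;;
    *) fail "invalid ruleset" ruleset "$ruleset" ;;
esac

# Only a real boolean is accepted; anything else is an error rather than a silent "Off".
case "$audit_log" in
    true)  audit_engine="On" ;;
    false) audit_engine="Off" ;;
    *) fail "audit_log_enabled must be true or false" value "$audit_log" ;;
esac

# CRS 4.x replaced tx.paranoia_level with separate blocking/detection levels;
# CRS 3.x (and, as written here, the other rulesets) read tx.paranoia_level.
# In both cases this file must be included before the ruleset's initialization
# rules for the setvar to take effect — verify the include order in httpd.conf.
case "$ruleset" in
    OWASP-CRS-4.0)
        pl_setvars="setvar:tx.blocking_paranoia_level=$paranoia,setvar:tx.detection_paranoia_level=$paranoia"
        ;;
    *)
        pl_setvars="setvar:tx.paranoia_level=$paranoia"
        ;;
esac

# --- Write the config atomically, keeping a copy for rollback --------------
mkdir -p "$(dirname "$CONF_FILE")"
if [[ -f "$CONF_FILE" ]]; then
    backup_conf="$(mktemp "${CONF_FILE}.bak.XXXXXX")"
    cp -p -- "$CONF_FILE" "$backup_conf"
fi

# Write to a temp file in the same directory and rename into place so httpd
# never observes a half-written config.
tmp_conf="$(mktemp "${CONF_FILE}.tmp.XXXXXX")"
cat > "$tmp_conf" <<EOF
# Onoxsoft Panel managed — DO NOT EDIT MANUALLY
# UI: Admin > ModSecurity > Settings
SecRuleEngine On
SecAuditEngine $audit_engine
SecAuditLog /var/log/httpd/modsec_audit.log
SecAuditLogParts ABIJDEFHZ

# Active ruleset: $ruleset
# Paranoia level: $paranoia
SecAction "id:900000,phase:1,nolog,pass,t:none,$pl_setvars"
EOF
# The file holds no secrets, so world-readable is fine. NOTE(review): the audit
# log it points at records request and response bodies (parts I and E) and may
# therefore contain credentials; its permissions are set by ModSecurity, not here.
chmod 0644 "$tmp_conf"
mv -f -- "$tmp_conf" "$CONF_FILE"
tmp_conf=""

# --- Test and reload -------------------------------------------------------
# Default to false: "reloaded" is only reported true when a reload actually ran.
reloaded=false
if command -v httpd >/dev/null 2>&1; then
    if test_out="$(httpd -t 2>&1)"; then
        if systemctl reload httpd 2>/dev/null; then
            reloaded=true
        else
            logger -t "$LOG_TAG" "systemctl reload httpd failed; config written but not live"
        fi
    else
        # Leaving a config that fails `httpd -t` in place would break the next
        # httpd restart, so restore the previous file and report the failure.
        logger -t "$LOG_TAG" "httpd -t failed, rolling back: $test_out"
        if [[ -n "$backup_conf" ]]; then
            mv -f -- "$backup_conf" "$CONF_FILE"
            backup_conf=""
        else
            rm -f -- "$CONF_FILE"
        fi
        fail "httpd config test failed; previous config restored" detail "$test_out"
    fi
else
    logger -t "$LOG_TAG" "httpd not found; config written but not tested or reloaded"
fi

logger -t "$LOG_TAG" "Enabled ruleset=$ruleset paranoia=$paranoia audit=$audit_engine reloaded=$reloaded"

jq -nc \
    --arg ruleset "$ruleset" \
    --argjson paranoia "$paranoia" \
    --argjson reloaded "$reloaded" \
    --argjson audit_log "$audit_log" \
    '{ok:true,enabled:true,ruleset:$ruleset,paranoia_level:$paranoia,audit_log_enabled:$audit_log,reloaded:$reloaded}'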
