#!/usr/bin/env bash
#
# onx-modsec-disable — switch the ModSecurity rule engine off (SecRuleEngine DetectionOnly or Off).
#
# Input (optional, JSON on stdin): {"mode":"off"|"detection_only"}
# Output: {"ok":true,"enabled":false,"mode":"Off"|"DetectionOnly","reloaded":true|false}

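set -euo pipefail

readonly CONF_FILE="/etc/httpd/modsecurity.d/onox-engine.conf"
readonly LOG_TAG="onox-modsec"

# Read the optional JSON request from stdin. A closed or empty stdin means
# "no options", which keeps the default of mode=off.
input="$(cat 2>/dev/null || echo '{}')"
[[ -n "${input//[[:space:]]/}" ]] || input='{}'

# Malformed JSON makes jq fail and, under `set -e`, the script stops here,
# before any file is touched, so the existing engine setting is left alone.
mode="$(jq -r '.mode // "off"' <<<"$input")"

# Map the request onto a SecRuleEngine value. Only the two documented modes
# are accepted: a misspelled or unexpected value must not silently fall
# through to "Off", which would drop the WAF entirely instead of leaving it
# in the state the caller meant to request.
case "$mode" in
    off)
        engine_value="Off"
        ;;
    detection_only)
        engine_value="DetectionOnly"
        ;;
    *)
        # The raw value is deliberately not echoed: it is caller-supplied and
        # would end up verbatim in syslog.
        printf '%s\n' 'onx-modsec-disable: unsupported mode (expected "off" or "detection_only")' >&2
        # Best effort: the exit status below is what the caller acts on.
        logger -t "$LOG_TAG" "Rejected request: unsupported mode" || true
        exit 2
        ;;
esac

conf_dir="$(dirname "$CONF_FILE")"
mkdir -p "$conf_dir"

# Build the file next to its final location and rename it into place, so a
# concurrent httpd (re)start never reads a half-written config. The temporary
# name does not end in ".conf".
# NOTE(review): assumes the Apache include pattern for this directory is
# *.conf, so the temporary file is never loaded — confirm.
tmp_conf="$(mktemp "${CONF_FILE}.XXXXXX")"
trap 'rm -f -- "$tmp_conf"' EXIT

cat > "$tmp_conf" <<EOF
# Onoxsoft Panel managed — engine disabled by admin
# UI: Admin > ModSecurity > Settings (Engine: Off)
SecRuleEngine $engine_value
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_audit.log
EOF

# mktemp creates the file 0600; set the final mode before it becomes visible
# under its real name.
chmod 0644 "$tmp_conf"
mv -f -- "$tmp_conf" "$CONF_FILE"

# Reload only when the full Apache configuration passes its syntax check.
# Both output streams of the check are discarded so nothing can mix into the
# JSON reply on stdout.
# NOTE(review): when httpd is not installed, `reloaded` stays true although
# nothing was reloaded — confirm callers expect that.
reloaded=true
if command -v httpd &>/dev/null; then
    if httpd -t &>/dev/null; then
        systemctl reload httpd 2>/dev/null || reloaded=false
    else
        reloaded=false
    fi
fi

# This syslog line is the only record the script itself leaves of the rule
# engine being switched off. It does not identify the requester.
# NOTE(review): presumably the calling panel authenticates and records the
# admin — verify.
logger -t "$LOG_TAG" "Disabled (mode=$engine_value reloaded=$reloaded)"

# NOTE(review): ok:true is reported even when reloaded=false. In that case the
# new file is on disk but the running httpd was not reloaded by this script,
# so callers should check `reloaded` before treating the change as applied.
jq -nc \
    --arg mode "$engine_value" \
    --argjson reloaded "$reloaded" \
    '{ok:true,enabled:false,mode:$mode,reloaded:$reloaded}'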
