#!/usr/bin/env bash
#
# onx-modsec-rule-toggle — Per-rule enable/disable.
# Disable: add a SecRuleRemoveById line for the rule to onox-rule-states.conf.
# Enable: delete that SecRuleRemoveById line.
#
# Input: {"rule_id":"942100","enabled":true|false}
# Output: {"ok":true,"rule_id":"...","enabled":bool,"reloaded":bool}

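set -euo pipefail

readonly STATES_FILE="/etc/httpd/modsecurity.d/onox-rule-states.conf"

# Emit a JSON error object on stderr and stop with a non-zero status.
# Arguments: $1 - error message
fail() {
    jq -nc --arg msg "$1" '{ok:false,error:$msg}' >&2
    exit 1
}

input="$(cat)"

# Parse the request. A jq failure (malformed JSON, non-object input) is
# reported as a JSON error instead of an unexplained exit under `set -e`.
rule_id="$(jq -r '.rule_id // empty' <<<"$input" 2>/dev/null)" \
    || fail "invalid JSON input"

# `.enabled // true` must not be used here: jq's `//` treats false like null,
# so an explicit {"enabled":false} comes back as true and the disable path
# never runs. Normalise explicitly instead. A missing or null field still
# defaults to true; the string forms "true"/"false" are accepted because the
# previous parsing let them through; every other value is rejected before it
# can reach the states file, the log line or --argjson.
enabled="$(jq -r '
    .enabled as $e
    | if   $e == null or $e == true or $e == "true" then "true"
      elif $e == false or $e == "false" then "false"
      else "invalid" end' <<<"$input" 2>/dev/null)" \
    || fail "invalid JSON input"

# Strict allow-list: the id is interpolated into a regex and into the Apache
# config below, so only a plain six-digit number may pass.
if ! [[ "$rule_id" =~ ^[0-9]{6}$ ]]; then
    fail "invalid rule_id"
fi

if [[ "$enabled" != "true" && "$enabled" != "false" ]]; then
    fail "invalid enabled"
fi

mkdir -p "$(dirname "$STATES_FILE")"

# Create the file with its header if it does not exist yet.
if [[ ! -f "$STATES_FILE" ]]; then
    cat > "$STATES_FILE" <<'EOF'
# Onoxsoft Panel managed — DO NOT EDIT MANUALLY
# Per-rule enable/disable states.
# UI: Admin > ModSecurity > Kurallar > [Rule ID]

EOF
fi

# Build the new content in a temp file and rename it into place. mktemp gives
# an unpredictable name, and creating it next to the target keeps the final
# `mv` a rename within one directory. The trap removes it on any early exit.
tmp_file=""
trap 'rm -f -- "$tmp_file"' EXIT
tmp_file="$(mktemp "${STATES_FILE}.tmp.XXXXXX")"

# Copy every existing line except the one for this rule_id.
# grep exits 1 when it selects no lines (harmless) and >1 on a real error;
# on a real error the temp file may be empty, and installing it would wipe
# every stored rule state, so abort instead.
grep_status=0
grep -vE "^SecRuleRemoveById ${rule_id}\b" "$STATES_FILE" > "$tmp_file" \
    || grep_status=$?
if (( grep_status > 1 )); then
    fail "cannot read states file"
fi

# When disabling, append the removal directive.
if [[ "$enabled" != "true" ]]; then
    echo "SecRuleRemoveById ${rule_id}" >> "$tmp_file"
fi

# Set the final mode before the rename so the installed file never carries
# mktemp's restrictive mode.
chmod 0644 "$tmp_file"
mv -- "$tmp_file" "$STATES_FILE"

# Apache reload. `reloaded` stays true when httpd is not on PATH. It becomes
# false when the config test or the reload fails; in that case the file on
# disk has changed but the running server has not picked it up.
reloaded=true
if command -v httpd &>/dev/null; then
    if httpd -t 2>/dev/null; then
        systemctl reload httpd 2>/dev/null || reloaded=false
    else
        reloaded=false
    fi
fi

# Both values are validated above, so the log line cannot carry injected text.
logger -t "onox-modsec" "Rule ${rule_id} enabled=${enabled} reloaded=${reloaded}"

jq -nc --arg rid "$rule_id" --argjson enabled "$enabled" --argjson reloaded "$reloaded" \
    '{ok:true,rule_id:$rid,enabled:$enabled,reloaded:$reloaded}'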
