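#!/bin/bash
###########################################################################
#
# Copyright (c) 2023 Diality Inc. - All Rights Reserved.
#
# This is in part based on scripts developed by Sunrise Labs Inc.
#
# THIS CODE MAY NOT BE COPIED OR REPRODUCED IN ANY FORM, IN PART OR IN
# WHOLE, WITHOUT THE EXPLICIT PERMISSION OF THE COPYRIGHT OWNER.
#
# @file start.sh
#
# @author (last) Philip Braica
# @date (last) 22-Mar-2023
# @author (original) Philip Braica
# @date (original) 22-Mar-2023
#
############################################################################
# @details
# This file sets up and verifies some of the SOM security.
#
# Every step below is a filesystem or service side effect (mv, chown,
# chattr, systemctl), so it needs root privileges. The "../.." paths
# suggest it is run from inside a staged root filesystem — confirm against
# the caller. Abort on the first failure rather than carrying on to
# "chattr +i" with a half-applied layout.

set -euo pipefail

# Does the file contain a string? If not, add a line at the end.
# If $1 is not in $2 then append line $3 to the end of $2.
# $1 What to look for (fixed string, matched anywhere in a line).
# $2 File name.
# $3 What to add.
function appendIfMissing() {
  local needle="$1"
  local file="$2"
  local line="$3"
  # -q for quiet, -F for fixed-string match, no -x because not a full-line
  # match. "--" stops grep from reading a needle starting with "-" as an
  # option. Done as one command because this is executed remotely.
  grep -qF -- "${needle}" "${file}" || printf '%s\n' "${line}" >> "${file}"
}

# Remove, in place, all lines of file $2 that match $1.
# $1 What to look for. NOTE: this is a sed basic regular expression, not a
#    fixed string, and it must not contain "/" (used as the sed delimiter).
# $2 File name.
function removeIfFound() {
  local pattern="$1"
  local file="$2"
  sed -i "/${pattern}/d" "${file}"
}

# Turn on some ssh security: disable root login over ssh.
function secureSsh() {
  local fileTarget="${PWD}/../../etc/ssh/sshd_config"
  # chown -R root.denali "${fileTarget}"
  # NOTE(review): this leaves sshd_config group-writable, so any member of
  # the file's group can rewrite sshd policy. Confirm a later provisioning
  # step needs it; otherwise drop it or restore g-w afterwards.
  chmod -R g+rw "${fileTarget}"
  # Remove all PermitRootLogin settings (including commented-out defaults)
  # then add a single one that turns it off.
  removeIfFound "PermitRootLogin" "${fileTarget}"
  appendIfMissing "PermitRootLogin" "${fileTarget}" "PermitRootLogin no"
  # Restart service on remote so the new config is picked up.
  # TODO(review): validate the edited file with "sshd -t -f <file>" before
  # restarting, so a bad edit cannot lock out ssh access.
  systemctl restart system-sshd.slice
}

# Move the customer's app files to the app users' home directories and
# change the owner. (The immutable attribute is set later, in
# setPermissionsCustomerAppFiles.)
function moveCustomerAppFiles() {
  local cloudsyncHome="${PWD}/../cloudsync"
  local denaliHome="${PWD}/../denali"
  # Move the files.
  mv -- "${PWD}/cloudsync" "${cloudsyncHome}/"
  mv -- "${PWD}/denali" "${denaliHome}/"
  # Change the file owners; "user:group" is the portable chown spelling
  # ("user.group" is deprecated and ambiguous when names contain dots).
  chown -R cloudsync:cloudsync "${cloudsyncHome}"
  chmod -R o-rwx "${cloudsyncHome}"
  chown -R denali:denali "${denaliHome}"
  chmod -R o-rwx "${denaliHome}"
}

# Set all permissions for our users that are not root.
function setPermissionsCustomerAppFiles() {
  local cloudsyncHome="${PWD}/../cloudsync"
  local denaliHome="${PWD}/../denali"
  local configDir="${PWD}/../../var/configuration/CloudSync"
  local sdCardDir="${PWD}/../../media/sd-card/cloudsync"
  # Make sure the other users have no access to these directories.
  chmod -R o-rwx "${cloudsyncHome}"
  chmod -R o-rwx "${denaliHome}"
  # Give denali read-only access to the CloudSync configuration by making
  # it the group owner.
  mkdir -p "${configDir}"
  chown -R cloudsync:denali "${configDir}"
  chmod -R g-w,g+r,o-rwx "${configDir}"
  # Same for the cloudsync area on the SD card.
  mkdir -p "${sdCardDir}"
  chown -R cloudsync:denali "${sdCardDir}"
  chmod -R g-w,g+r,o-rwx "${sdCardDir}"
  # Set the immutable attribute for all of the files. The trailing glob is
  # deliberately unquoted so every entry in each home directory is covered;
  # under "set -e" an empty home (no match) aborts the script.
  chattr -R +i "${cloudsyncHome}"/*
  chattr -R +i "${denaliHome}"/*
}

function main() {
  # Move the app files to their home directories and set up the file
  # permissions needed to make them work.
  moveCustomerAppFiles
  setPermissionsCustomerAppFiles
  # Turn off root login by ssh.
  secureSsh
}

# Running the main function.
main "$@"
exit 0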