#!/bin/bash

# 2018-07-31 Cornelius Koelbel <cornelius.koelbel@netknights.it>
#
# Copyright (c) 2018, Cornelius Koelbel
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its
# contributors may be used to endorse or promote products derived from this
# software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.

if [[ $(id -u) != 0 ]]; then
	echo "Script must be run as root user"
	exit 1
fi

EDUMFACFG="/etc/edumfa/edumfa.cfg"

if [ "$#" -gt 0 ]; then
	EDUMFACFG=$1
fi

if [[ ! -r $EDUMFACFG ]];then
	echo "Could not read $EDUMFACFG! Please specify the edumfa.cfg file!"
	exit 1
fi

OS=$(grep "^ID=" /etc/os-release | sed -e 's/^ID=//g' | tr -d '"')
diag_info=$(mktemp -d -t edumfa_diag_XXXXXXXXXX)
tempfile="${diag_info}/system.config"
edumfa_config="${diag_info}/edumfa.config"
timestamp=$(date +"%y-%m-%d")
diag_file="/tmp/${timestamp}_$(basename "$diag_info").tar.gz"

case $OS in
	debian | ubuntu)
	;;
	*)
		echo  "Your operating system $OS is not supported!"
		;;
esac

log() {
	echo "$1" >> "$tempfile"
}

log_edumfa_config() {
	echo "$1" >> "$edumfa_config"
}

call_edumfa_config() {
	EDUMFA_CONFIGFILE=$EDUMFACFG edumfa-manage "$@"
}

upload_info() {
	echo
	echo "Please upload the diagnostics file $diag_file to your support team."
	echo
}

get_os() {
	log
	log "SECTION: Linux Distribution"
	log "==========================="
	cat /etc/*-release >> "$tempfile"
}

get_edumfa_cfg() {
	log_edumfa_config
	log_edumfa_config "SECTION: edumfa.cfg file"
	log_edumfa_config "===================="
	grep -v -e 'SECRET_KEY\|EDUMFA_PEPPER\|SQLALCHEMY_DATABASE_URI' "$EDUMFACFG" >> "$edumfa_config"
	# only write the driver part of the URI to the logfile.
	# So we see if eg. pymysql, mysql or any other dialect is used.
	grep ^SQLALCHEMY_DATABASE_URI "$EDUMFACFG" | cut -d':' -f 1 >> "$edumfa_config"
}

current_db_revision() {
	log_edumfa_config
	log_edumfa_config "SECTION: current_db_revision"
	log_edumfa_config "============================"
	call_edumfa_config db current -d /opt/edumfa/lib/edumfa/migrations/ >> "$edumfa_config"
}

edumfa_versions() {
	log_edumfa_config
	log_edumfa_config "SECTION: eduMFA Versions"
	log_edumfa_config "============================="
	log_edumfa_config "Installed packages"
	log_edumfa_config "------------------"
	FileName=$(mktemp)
	dpkg -l | sort >> "$FileName";
	# save all installed packages
	cat "$FileName" >> "$edumfa_config"
	rm -f "$FileName"
	log_edumfa_config
	log_edumfa_config "Python packages in /opt/edumfa:"
	log_edumfa_config "===================================="
	if [[ -x  /opt/edumfa/bin/pip ]]; then
		/opt/edumfa/bin/pip freeze >> "$edumfa_config"
	fi
}

edumfa_config() {
	log_edumfa_config
	log_edumfa_config "SECTION: eduMFA Configuration"
	log_edumfa_config "=================================="
	log_edumfa_config "Resolvers"
	log_edumfa_config "---------"
	call_edumfa_config resolver list -v >> "$edumfa_config"
	log_edumfa_config "Realms"
	log_edumfa_config "------"
	call_edumfa_config realm list >> "$edumfa_config"
	log_edumfa_config "Events"
	log_edumfa_config "------"
	call_edumfa_config event e_export >> "$edumfa_config"
	log_edumfa_config "Policies"
	log_edumfa_config "--------"
	call_edumfa_config policy p_export >> "$edumfa_config"
}

server_config() {
	# Extract configurations for smtp, eduMFA and RADIUS server
	server_config=$(call_edumfa_config config exporter -t smtpserver edumfaserver radiusserver -f json)

	log_edumfa_config
	log_edumfa_config "SECTION: SMTP|eduMFA|RADIUS Server Configuration"
	log_edumfa_config "====================================================="
	log_edumfa_config "$server_config"
}

FreeRADIUS_config() {
	log
	log "SECTION: FreeRADIUS Configurations"
	log "=================================="
	if (dpkg -l | grep freeradius > /dev/null); then
  	ls -R /etc//freeradius/3.0 >> "$tempfile";
  else
  	log
  	log "FreeRADIUS is not installed"
  fi
}

system_status() {
	log
	log "SECTION: System Status"
	log "======================"
	log "CPU cores: $(grep -c ^processor /proc/cpuinfo)"
	log "========================"
	top -b -n 1 >> "$tempfile"
	log
	log "HD"
	log "========================"
	df -h >> "$tempfile"
}

apache_log() {
	if [ -f /var/log/apache2/error.log ] && [ -f /var/log/apache2/ssl_access.log ]; then
		log
		log "SECTION: apache2 error_log"
		log "=========================="
		tail -100 /var/log/apache2/error.log >> "$tempfile"
		log
		log "SECTION: apache2 SSL_access_log"
		log "==============================="
		tail -100 /var/log/apache2/ssl_access.log >> "$tempfile"
	fi
	if [ -f /etc/apache2/apache2.conf ] && [ -d /etc/apache2/sites-enabled ]; then
		log
		log "SECTION: apache configuration"
		log "============================="
		tail -n +1 /etc/apache2/apache2.conf /etc/apache2/sites-enabled/* >> "$tempfile"
	fi
}

ngnix_log(){
	# Check if NGNIX logs exist
	if [ -f /var/log/nginx/error.log ] && [ -f /var/log/nginx/access.log ]; then
		log
		log "SECTION: NGNIX-ERROR.LOG"
		log "========================"
		tail -n 100 /var/log/nginx/error.log >> "$tempfile"
		log
		log "SECTION: NGNIX-ACCESS.LOG"
		log "========================"
		tail -n 100 /var/log/nginx/access.log >> "$tempfile"
	fi
}

edumfa_logfile() {
	R=$( grep "^EDUMFA_LOGFILE" "$EDUMFACFG" | cut -d "=" -f2 | tr -d "\t \'\"" )
	[[ -f ${R} ]] && cp ${R} "${diag_info}/edumfa.logfile" || echo "Could not read logfile ${R}" >> "${diag_info}/edumfa.logfile"
}

edumfa_auditlog() {
	call_edumfa_config audit dump -f - -t 2d >> "${diag_info}/edumfa.auditlog"
}

get_os
get_edumfa_cfg
current_db_revision
edumfa_versions
edumfa_config
server_config
FreeRADIUS_config
system_status
apache_log
ngnix_log
edumfa_logfile
edumfa_auditlog

tar -zcf "$diag_file" -C /tmp "$(basename "$diag_info")"

upload_info
