#!/usr/bin/bash

if [ $(/usr/bin/id -u) != 0 ]; then echo "only root can do that"; exit 2; fi

#***************************************************************************
# This file is part of the CRYPTO BONE
# File     : external-cryptobone  (installed in /usr/bin)
# Version  : 2.0 (external cryptobone)
# License  : BSD-3-Clause
# Date     : 7 Mar 2025
# Contact  : Please send enquiries and bug-reports to innovation@senderek.ie
#
#
# Copyright (c) 2015-2025
#	Ralf Senderek, Ireland.  All rights reserved. (https://senderek.ie)
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
#    must display the following acknowledgement:
#	   This product includes software developed by Ralf Senderek.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND  ANY EXPRESS OR 
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE  IMPLIED WARRANTIES 
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
# ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
# POSSIBILITY OF SUCH DAMAGE.
#****************************************************************************


function get_status 
{
          /bin/echo -n "database:" 
	  if /bin/ls /usr/lib/cryptobone/ext/database  > /dev/null 2> /dev/null;then
              echo "initialised"
	  else
	      echo "missing"
	  fi
	  /bin/echo -n "firewall:"
	  if /bin/ls /usr/lib/cryptobone/ext/init.d/usefirewall > /dev/null 2>/dev/null ; then
	       echo "restrictive"
	  else     
	       echo "system"
	  fi
	  /bin/echo -n "sshdconfig:"
	  if /usr/bin/diff /etc/ssh/sshd_config /usr/lib/cryptobone/ext/init.d/sshd_config-external > /dev/null; then
	      echo "hardened"
	  else    
	      echo "system"
	  fi
}


if [[ $# -ge 1 ]]; then

     if [[ $1 = "enable" ]]; then
	  # prepare the external device and start the daemon
	  # the daemon waits for the masterkey until the client machine sends it over the ssh tunnel
          /usr/bin/systemctl enable cryptoboneexternd
          /usr/bin/systemctl start cryptoboneexternd
          /usr/bin/systemctl enable cryptobone-fetch.timer
          /usr/bin/systemctl start cryptobone-fetch.timer
	  /usr/bin/cp /usr/lib/cryptobone/extern.header /usr/lib/cryptobone/safewebdrop.header
	  # no need for reboot
     fi
     
     if [[ $1 = "disable" ]]; then
	  # stop the daemon and switch back to ALLINONE mode   
          /usr/bin/systemctl stop cryptobone-fetch.timer
          /usr/bin/systemctl disable cryptobone-fetch.timer
          /usr/bin/systemctl stop cryptoboneexternd
          /usr/bin/systemctl disable cryptoboneexternd
	  /usr/bin/cp /usr/lib/cryptobone/allinone.header /usr/lib/cryptobone/safewebdrop.header
     fi

     if [[ $1 = "usefirewall" ]]; then
          /usr/bin/touch /usr/lib/cryptobone/ext/init.d/usefirewall
          /usr/bin/systemctl stop firewalld
	  /usr/lib/cryptobone/ext/firewall red
     fi
     
     if [[ $1 = "restorefirewall" ]]; then
          /usr/bin/rm -f /usr/lib/cryptobone/ext/init.d/usefirewall
          /usr/bin/systemctl start firewalld
     fi

     if [[ $1 = "hardensshd" ]]; then
          /usr/bin/systemctl stop sshd 
	  if ! diff /usr/lib/cryptobone/ext/init.d/sshd_config-external /etc/ssh/sshd_config >/dev/null ; then
               /usr/bin/echo "Using the CryptoBone ssh configuration file ..."
	       /usr/bin/cp /etc/ssh/sshd_config /usr/lib/cryptobone/ext/init.d/sshd_config-original
               /usr/bin/echo "Saving original ssh configuration file ..."
	       /usr/bin/cp /usr/lib/cryptobone/ext/init.d/sshd_config-external /etc/ssh/sshd_config
               /usr/bin/echo "Overwriting the sshd configuration  ..."
	  fi 
	  /usr/bin/chmod 600 /etc/ssh/sshd_config
          /usr/bin/systemctl enable sshd
	  /usr/bin/systemctl start sshd
     fi

     if [[ $1 = "restoresshd" ]]; then
          /usr/bin/systemctl stop sshd
	  /usr/bin/cp /usr/lib/cryptobone/ext/init.d/sshd_config-original /etc/ssh/sshd_config
          /usr/bin/echo "Original ssh configuration file restored."
	  /usr/bin/chmod 600 /etc/ssh/sshd_config
	  /usr/bin/systemctl start sshd
     fi
     
     if [[ $1 = "installsshd" ]]; then
          /usr/bin/dnf install openssh-server -y
	  /usr/bin/systemctl enable sshd 
	  /usr/bin/systemctl start sshd
     fi

     if [[ $1 = "destroy" ]]; then

	  /usr/bin/echo "DESTROYING the current Crypto Bone database"   
          /usr/bin/systemctl stop cryptoboneexternd
          /usr/bin/systemctl disable cryptoboneexternd
	  /usr/bin/rm -f /usr/lib/cryptobone/ext/masterkey
          /usr/bin/echo "yes" | /usr/lib/cryptobone/ext/destroy
     fi
     get_status

else
    echo "usage: external-cryptobone [ enable | disable | destroy | usefirewall "
    echo "           restorefirewall | hardensshd | restoresshd | installsshd ]"
fi

exit 0
