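#!/bin/bash
#
# Sechpoint Wallarm pre-flight diagnostic.
#
# Verifies that a host is ready for a Wallarm node deployment: proxy
# settings, sudo access, required tools, outbound HTTPS reachability of the
# Wallarm cloud endpoints and TCP reachability of the protected application.
# When the sudo and cloud checks pass, a readiness flag file is written.
#
# NOTE(review): the extracted source was collapsed onto two lines and the text
# between the first `read -p ... APP_HOST` and the `command -v` test in the
# tool check was lost. The remainder of get_user_input, all of check_sudo and
# the head of check_tools are reconstructed below and marked as such; confirm
# them against the original script.

# No `set -e`: this is a diagnostic and must keep going after a failed check.
set -uo pipefail

# --- Styling ---
readonly YELLOW=$'\033[1;33m'
readonly GREEN=$'\033[0;32m'
readonly RED=$'\033[0;31m'
readonly NC=$'\033[0m'

# --- Configuration & Globals ---
readonly EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
readonly US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com" "node-data1.us1.wallarm.com")

# NOTE(review): the original tool list was lost in extraction. Only curl is
# provably needed by the visible code; extend this list from the original.
readonly REQUIRED_TOOLS=("curl")

# Path is kept from the original so existing consumers still find the flag.
readonly READINESS_FLAG="/tmp/.wallarm_preflight_pass"

APP_HOST=""
APP_PORT=""
# Both results start as FAIL so the readiness flag is only written after an
# explicit pass. The visible original never assigned CLOUD_RESULT, so the
# flag could not be created.
SUDO_RESULT="FAIL"
CLOUD_RESULT="FAIL"

# --- Functions ---

# Print a green [PASS] line. Arguments: message text.
pass() { printf '%s[PASS]%s %s\n' "$GREEN" "$NC" "$*"; }

# Print a red [FAIL] line. Arguments: message text.
fail() { printf '%s[FAIL]%s %s\n' "$RED" "$NC" "$*"; }

# Print a yellow step header. Arguments: header text.
step() { printf '%s%s%s\n' "$YELLOW" "$*" "$NC"; }

print_header() {
  step "=== Sechpoint Wallarm Pre-Flight Diagnostic ==="
  echo "Use this tool to verify environment readiness before deployment."
  echo "-------------------------------------------------------"
}

#######################################
# Report whether an HTTPS proxy is configured in the environment.
# Globals:  https_proxy, HTTPS_PROXY (read; lowercase wins, as before)
# Outputs:  one [INFO] line on stdout
#######################################
check_proxy() {
  local proxy redacted
  step "[1/5] Checking Environment Proxies..."
  proxy=${https_proxy:-${HTTPS_PROXY:-}}
  if [[ -n "$proxy" ]]; then
    # Proxy URLs can embed user:password@. The operator is asked to
    # screenshot this output, so the userinfo part is masked before printing.
    redacted=$(printf '%s' "$proxy" |
      sed -E 's#^([A-Za-z][A-Za-z0-9+.-]*://)?[^/@]*@#\1***@#')
    printf '%s[INFO]%s Proxy detected: %s\n' "$GREEN" "$NC" "$redacted"
  else
    echo "[INFO] No system proxy detected."
  fi
}

#######################################
# Ask for the application server address and validate it.
# Globals:  APP_HOST, APP_PORT (written)
# Returns:  exits 1 on an invalid host or port
#
# Only the first prompt survives in the source. The default handling, the
# port prompt (wording is constructed, no default is assumed) and the
# validation are reconstructed.
# NOTE(review): the original may have read from /dev/tty - confirm.
#######################################
get_user_input() {
  read -r -p "Enter Application Server IP (to be protected) [127.0.0.1]: " APP_HOST || true
  APP_HOST=${APP_HOST:-127.0.0.1}
  read -r -p "Enter Application Server Port: " APP_PORT || true

  # Both values are interpolated into a curl URL, so restrict them to plain
  # hostname/IPv4 characters and a numeric port before use.
  if [[ ! "$APP_HOST" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then
    fail "Invalid application host: '$APP_HOST'" >&2
    exit 1
  fi
  if [[ ! "$APP_PORT" =~ ^[0-9]{1,5}$ ]] ||
    ((10#$APP_PORT < 1 || 10#$APP_PORT > 65535)); then
    fail "Invalid application port: '$APP_PORT'" >&2
    exit 1
  fi
}

#######################################
# Check that the current user can obtain root privileges.
# Globals:  SUDO_RESULT (written: PASS or FAIL)
#
# RECONSTRUCTED: the original body was lost; only the function name, its
# position (step 2 of 5) and the SUDO_RESULT variable are known.
#######################################
check_sudo() {
  printf '\n'
  step "[2/5] Checking Sudo Privileges..."
  if ((EUID == 0)); then
    SUDO_RESULT="PASS"
    pass "Running as root."
  elif command -v sudo >/dev/null 2>&1 && sudo -v; then
    SUDO_RESULT="PASS"
    pass "sudo access confirmed."
  else
    SUDO_RESULT="FAIL"
    fail "No sudo access for the current user."
  fi
}

#######################################
# Check that each required tool is on PATH.
# Globals:  REQUIRED_TOOLS (read)
#
# The PASS/FAIL lines are from the source; the header wording and the tool
# list are reconstructed.
#######################################
check_tools() {
  local tool
  printf '\n'
  step "[3/5] Checking Required Tools..."
  for tool in "${REQUIRED_TOOLS[@]}"; do
    if command -v "$tool" >/dev/null 2>&1; then
      pass "$tool is installed."
    else
      fail "$tool is MISSING."
    fi
  done
}

#######################################
# Probe one HTTPS endpoint on port 443.
# Arguments: $1 - host name to probe
# Outputs:   [PASS]/[FAIL] line, plus a [WARN] line when the endpoint is
#            only reachable with certificate verification disabled
# Returns:   0 if reachable, 1 otherwise
#######################################
test_endpoint() {
  local target=$1
  local rc=0
  local tls_untrusted=0

  # First attempt verifies the certificate. The original always used -k,
  # which hides a TLS-inspecting proxy or a missing CA bundle, either of
  # which can still break a node that validates certificates.
  curl -sI --connect-timeout 5 "https://${target}" >/dev/null 2>&1 || rc=$?

  # 60 (and 51 on older curl) mean the peer certificate was not trusted.
  # Fall back to the original unverified probe so reachability is judged
  # exactly as before, but remember to warn.
  if ((rc == 60 || rc == 51)); then
    tls_untrusted=1
    rc=0
    curl -skI --connect-timeout 5 "https://${target}" >/dev/null 2>&1 || rc=$?
  fi

  # The original chained `|| [ $? -eq 45 ] || [ $? -eq 52 ]`; the second $?
  # held the status of the previous test, not of curl, so 52 (empty reply)
  # never matched. The exit code is now captured once and compared directly.
  case "$rc" in
    0 | 45 | 52)
      pass "Reached $target"
      if ((tls_untrusted)); then
        printf '%s[WARN]%s %s: TLS certificate is not trusted from this host (TLS inspection or missing CA bundle?)\n' \
          "$YELLOW" "$NC" "$target"
      fi
      return 0
      ;;
    *)
      fail "BLOCKED: $target"
      return 1
      ;;
  esac
}

#######################################
# Probe every Wallarm cloud endpoint.
# Globals:  EU_DATA_NODES, US_DATA_NODES (read); CLOUD_RESULT (written)
#
# CLOUD_RESULT is PASS when every node of at least one region is reachable.
# NOTE(review): the visible original never set CLOUD_RESULT; confirm that
# "one complete region" is the intended pass criterion.
#######################################
check_wallarm_cloud() {
  local node
  local eu_ok=1
  local us_ok=1

  printf '\n'
  step "[4/5] Testing Wallarm Cloud Connectivity (Port 443)..."
  echo "--- EU Cloud ---"
  for node in "${EU_DATA_NODES[@]}"; do
    test_endpoint "$node" || eu_ok=0
  done
  printf '\n--- US Cloud ---\n'
  for node in "${US_DATA_NODES[@]}"; do
    test_endpoint "$node" || us_ok=0
  done

  if ((eu_ok || us_ok)); then
    CLOUD_RESULT="PASS"
  else
    CLOUD_RESULT="FAIL"
  fi
}

#######################################
# Check that a TCP connection to the protected application can be opened.
# Globals:  APP_HOST, APP_PORT (read)
#######################################
check_internal_app() {
  local exit_code=0

  printf '\n'
  step "[5/5] Testing Internal App Connectivity..."
  # Only the TCP handshake matters here. curl exit 7 (refused) and
  # 28 (timeout) are the main failure triggers. The original's -v and -k
  # are dropped: output is discarded and the URL is plain http.
  curl -s --connect-timeout 5 "http://${APP_HOST}:${APP_PORT}" >/dev/null 2>&1 ||
    exit_code=$?

  # Exit codes 0, 52 (empty reply), 22 (4xx/5xx), 56 (reset) and
  # 35 (TLS handshake error) all imply the port is open.
  case "$exit_code" in
    0 | 52 | 22 | 56 | 35)
      pass "TCP Connection established to $APP_HOST:$APP_PORT"
      ;;
    *)
      fail "CANNOT REACH App at $APP_HOST:$APP_PORT (Error: $exit_code)"
      echo "       Check firewalls or verify if the service is running on the app server."
      ;;
  esac
}

#######################################
# Write the readiness flag with the current timestamp.
# Globals:  READINESS_FLAG (read)
# Returns:  0 if the flag was created, 1 otherwise
#
# The flag lives in world-writable /tmp under a predictable name. A plain
# `> file` there follows a symlink planted by another local user, which is
# dangerous when this script runs under sudo. Any existing entry is removed
# first, and noclobber makes bash create the file exclusively, so the write
# fails instead of following a link that appears in between.
# NOTE(review): any local user can still pre-create this file, so consumers
# should check its owner, or the flag should move to a root-owned directory.
#######################################
write_readiness_flag() {
  rm -f -- "$READINESS_FLAG" 2>/dev/null
  # The original ran `date +%Y-%m-%d %H:%M:%S` unquoted, which passes two
  # operands to date and fails; the format is now a single quoted argument.
  (
    set -o noclobber
    date '+%Y-%m-%d %H:%M:%S' >"$READINESS_FLAG"
  ) 2>/dev/null
}

main() {
  print_header
  check_proxy
  get_user_input
  check_sudo
  check_tools
  check_wallarm_cloud
  check_internal_app

  if [[ "$SUDO_RESULT" == "PASS" ]] && [[ "$CLOUD_RESULT" == "PASS" ]]; then
    if write_readiness_flag; then
      printf '%sEnvironment verified. Readiness flag created.%s\n' "$GREEN" "$NC"
    else
      printf '%s[WARN]%s Environment verified, but %s could not be created safely.\n' \
        "$YELLOW" "$NC" "$READINESS_FLAG"
    fi
  fi

  printf '\n%s-------------------------------------------------------\n' "$YELLOW"
  printf 'PRE-FLIGHT COMPLETE. PLEASE SCREENSHOT THIS OUTPUT.\n'
  printf -- '-------------------------------------------------------%s\n' "$NC"
}

main "$@"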