#!/bin/bash
# ==============================================================================
# SECHPOINT WALLARM SMART DEPLOYER - V7 (TRIPLE-VERIFIED CONNECTIVITY)
# ==============================================================================

YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'; NC='\033[0m'; BOLD='\033[1m'
LOG_FILE="/var/log/wallarm-deploy.log"

# Cloud Endpoints
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")

# --- Initialization ---
sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE"
exec > >(tee -a "$LOG_FILE") 2>&1 

clear
echo -e "${BLUE}${BOLD}==========================================================${NC}"
echo -e "${BLUE}${BOLD}      Wallarm Full Binary & Container Deployer V7       ${NC}"
echo -e "${BLUE}${BOLD}==========================================================${NC}"

# --- 1. PRE-FLIGHT & TRIPLE CONNECTIVITY CHECK ---

check_connectivity() {
    echo -e "\n${YELLOW}[1/5] Testing Connectivity Matrix...${NC}"
    
    # A. Cloud Selection & Test
    read -p "  Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
    CLOUD_SEL=${CLOUD_SEL^^}; CLOUD_SEL=${CLOUD_SEL:-US}
    local nodes_to_test=("${US_DATA_NODES[@]}")
    [[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}")

    for node in "${nodes_to_test[@]}"; do
        if curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
            echo -e "    ${GREEN}[PASS]${NC} Wallarm Cloud: $node"
        else
            echo -e "    ${RED}[FAIL]${NC} Wallarm Cloud: $node (Check Firewall/Proxy)"
        fi
    done
    API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")

    # B. Test Docker Registry (For Images)
    REGISTRY_STATUS=$(curl -skI --connect-timeout 5 -o /dev/null -w "%{http_code}" "https://registry-1.docker.io/v2/")
    if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then
        REGISTRY_REACHABLE=true
        echo -e "    ${GREEN}[PASS]${NC} Docker Registry (Status: $REGISTRY_STATUS)"
    else
        REGISTRY_REACHABLE=false
        echo -e "    ${RED}[FAIL]${NC} Docker Registry (Status: $REGISTRY_STATUS)"
    fi

    # C. Test Docker Download Server (For Engine Binaries)
    DOWNLOAD_REACHABLE=true
    if ! curl -skI --connect-timeout 5 "https://download.docker.com" > /dev/null 2>&1; then
        DOWNLOAD_REACHABLE=false
        echo -e "    ${RED}[WARN]${NC} Docker Download Server (Blocked)"
    else
        echo -e "    ${GREEN}[PASS]${NC} Docker Download Server"
    fi

    # Final Gatekeeper
    if [ "$REGISTRY_REACHABLE" = false ] && ! ls *.tar >/dev/null 2>&1; then
        echo -e "${RED}✗ FATAL: No registry access and no local .tar image found.${NC}"; exit 1
    fi
}

# --- 2. ENGINE SETUP (Smart Binary Install) ---

setup_manual_engine() {
    echo -e "\n${YELLOW}[2/5] Setting up Docker Engine...${NC}"
    
    if command -v docker > /dev/null 2>&1 && sudo docker info > /dev/null 2>&1; then
        echo -e "  ${GREEN}✓${NC} Docker is already active."
    else
        ARCH=$(uname -m)
        BINARY_FILE="docker-static.tgz"
        
        if [ "$DOWNLOAD_REACHABLE" = true ]; then
            echo "  Downloading Docker Binaries ($ARCH)..."
            curl -L "https://download.docker.com/linux/static/stable/$ARCH/docker-24.0.7.tgz" -o $BINARY_FILE
        elif ls docker-static.tgz >/dev/null 2>&1; then
            echo "  Download blocked. Using local $BINARY_FILE..."
        else
            echo -e "  ${RED}✗ FATAL: Download server blocked and no local $BINARY_FILE found.${NC}"; exit 1
        fi
        
        tar xzvf $BINARY_FILE > /dev/null
        sudo cp docker/* /usr/bin/
        rm -rf docker $BINARY_FILE
        
        sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Engine
After=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
        sudo systemctl daemon-reload && sudo systemctl enable --now docker
        sleep 5
        echo -e "  ${GREEN}✓${NC} Engine initialized."
    fi
}

# --- 3. INPUT & WORKSPACE ---

get_user_input() {
    echo -e "\n${YELLOW}[3/5] Instance Configuration...${NC}"
    read -p "  Enter Inbound Port [80]: " IN_PORT; IN_PORT=${IN_PORT:-80}
    MON_PORT=$((IN_PORT + 10))
    echo -e "  ${YELLOW}i${NC} Monitoring Port: ${BOLD}$MON_PORT${NC}"

    INSTANCE_DIR="/opt/wallarm/poc_$IN_PORT"
    NODE_NAME="wallarm-node-$IN_PORT"

    read -p "  Upstream App IP [127.0.0.1]: " UPSTREAM_IP; UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1}
    read -p "  Upstream App Port [8080]: " UPSTREAM_PORT; UPSTREAM_PORT=${UPSTREAM_PORT:-8080}
    read -p "  Paste Wallarm Token: " TOKEN

    if sudo netstat -tulpn | grep -E ":$IN_PORT |:$MON_PORT " > /dev/null 2>&1; then
        echo -e "  ${RED}✗ FATAL: Port conflict detected.${NC}"; exit 1
    fi
}

# --- 4. DEPLOYMENT & PERSISTENCE ---

execute_deployment() {
    echo -e "\n${YELLOW}[4/5] Launching Container...${NC}"
    sudo mkdir -p "$INSTANCE_DIR"

    sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
server {
    listen 80;
    wallarm_mode monitoring;
    location / {
        proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
server { listen 90; location /wallarm-status { wallarm_status on; allow all; } }
EOF

    if [ "$REGISTRY_REACHABLE" = true ]; then
        sudo docker pull wallarm/node:latest
    else
        echo "  Loading local .tar image..."
        sudo docker load < *.tar
    fi

    sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
#!/bin/bash
sudo docker rm -f $NODE_NAME 2>/dev/null
sudo docker run -d --name $NODE_NAME --restart always \\
  -p $IN_PORT:80 -p $MON_PORT:90 \\
  -e WALLARM_API_TOKEN=$TOKEN -e WALLARM_API_HOST=$API_HOST \\
  -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
  wallarm/node:latest
EOF
    sudo chmod +x "$INSTANCE_DIR/start.sh"
    sudo "$INSTANCE_DIR/start.sh"
}

# --- 5. VERIFY ---

verify() {
    echo -e "\n${YELLOW}[5/5] Final Verification...${NC}"
    sleep 15
    if curl -s "http://localhost:$MON_PORT/wallarm-status" | grep -q "requests"; then
        echo -e "\n${GREEN}${BOLD}✅ SUCCESS: Wallarm Active on Port $IN_PORT${NC}"
        echo -e "  Monitor: http://localhost:$MON_PORT/wallarm-status"
        curl -s -o /dev/null -w "  Attack Test: HTTP %{http_code}\n" "http://localhost:$IN_PORT/?id='OR+1=1--"
    else
        echo -e "\n${RED}❌ FAILED: Node not responding.${NC}"
        sudo docker logs $NODE_NAME | tail -n 5
    fi
}

check_connectivity; setup_manual_engine; get_user_input; execute_deployment; verify