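#!/bin/bash
# ==============================================================================
# Sechpoint Wallarm Smart Deployer - Manual Binary Edition (PoC Optimized)
#
# Deploys one Wallarm filtering node as a Docker container on a host whose
# Docker engine was installed from manually copied binaries:
#   1. connectivity pre-flight (Wallarm cloud + Docker Hub, local .tar fallback)
#   2. systemd unit for the manual dockerd
#   3. operator input (instance number, ports, upstream app, API token)
#   4. container launch + start.sh for later manual control
#   5. health poll and a benign WAF smoke test
#
# NOTE(review): the copy this was rebuilt from had lost the bodies of three
# here-documents (docker.service, nginx.conf, start.sh) and most of
# get_user_input() to extraction. Those parts are reconstructed from the
# variables the rest of the script consumes and are marked below; verify
# them against the upstream file before relying on this script.
#
# Requires: bash 4+, sudo, curl, systemd, docker binaries in /usr/bin.
# Environment overrides: WALLARM_IMAGE (default wallarm/node:latest).
# ==============================================================================

# -u: fail on unset names; pipefail: a pipeline reports its failing stage.
# -e is deliberately NOT enabled: the probes below (curl, docker info,
# /dev/tcp) are expected to fail at times and each is handled explicitly.
set -uo pipefail

# --- Styling ---
YELLOW='\033[1;33m'; GREEN='\033[0;32m'; RED='\033[0;31m'; BLUE='\033[0;34m'
BOLD='\033[1m'; NC='\033[0m'

readonly LOG_FILE="/var/log/wallarm-deploy.log"
readonly EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
readonly US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
# Overridable so a deployment can pin a version tag or digest instead of the
# floating :latest tag (recommended for anything beyond a PoC).
WALLARM_IMAGE="${WALLARM_IMAGE:-wallarm/node:latest}"
# Filled by check_connectivity when Docker Hub is unreachable.
LOCAL_IMAGE_TARS=()

# --- Initialization ---
# The log is chown'ed to the invoking user so `tee -a` below can append even
# when the script is not run as root (a root-owned 0644 file would make tee
# fail silently), and is not world-readable: it records hostnames, ports and
# instance paths. The API token is never written to it (see get_user_input).
sudo touch "$LOG_FILE" \
  && sudo chown "$(id -un)" "$LOG_FILE" \
  && sudo chmod 640 "$LOG_FILE"
exec > >(tee -a "$LOG_FILE") 2>&1

clear
echo -e "${BLUE}====================================================${NC}"
echo -e "${BLUE}     Wallarm Manual Binary Container Deployer       ${NC}"
echo -e "${BLUE}====================================================${NC}"

#######################################
# Print a fatal message and exit 1.
# Arguments: message text
#######################################
die() {
  echo -e "  ${RED}✗ FATAL:${NC} $*" >&2
  exit 1
}

#######################################
# Return 0 if $1 is a non-empty string of digits.
#######################################
is_uint() { [[ "$1" =~ ^[0-9]+$ ]]; }

#######################################
# Return 0 if $1 is a TCP port number (1-65535).
#######################################
is_port() { is_uint "$1" && (( 10#$1 >= 1 && 10#$1 <= 65535 )); }

# --- 1. PRE-FLIGHT & CONNECTIVITY ---
#######################################
# Pick the Wallarm cloud, probe its endpoints and Docker Hub.
# Globals written: CLOUD_SEL, API_HOST, REGISTRY_STATUS, REGISTRY_REACHABLE,
#                  LOCAL_IMAGE_TARS
# Exits: when the registry is unreachable and no local *.tar image exists.
#######################################
check_connectivity() {
  echo -e "\n${YELLOW}[1/5] Testing Cloud & Registry Connectivity...${NC}"

  # 1. Cloud selection
  read -rp "  Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
  CLOUD_SEL=${CLOUD_SEL^^}
  CLOUD_SEL=${CLOUD_SEL:-US}

  local -a nodes_to_test=("${US_DATA_NODES[@]}")
  API_HOST="us1.api.wallarm.com"
  if [[ "$CLOUD_SEL" == "EU" ]]; then
    nodes_to_test=("${EU_DATA_NODES[@]}")
    API_HOST="api.wallarm.com"
  fi

  # 2. Wallarm API/data endpoints. Certificate verification is left ON: a
  # failure here behind a TLS-intercepting proxy is a real finding, because
  # the node itself will refuse that certificate when it calls home.
  echo "  Testing $CLOUD_SEL Cloud Endpoints..."
  local node
  for node in "${nodes_to_test[@]}"; do
    if curl -sI --connect-timeout 5 "https://$node" >/dev/null 2>&1; then
      echo -e "    ${GREEN}[PASS]${NC} Reached $node"
    else
      echo -e "    ${RED}[FAIL]${NC} Cannot reach $node (Check Firewall/Proxy/TLS interception)"
    fi
  done

  # 3. Docker Hub registry. 401 is the normal reply of the V2 API to an
  # unauthenticated probe, so it counts as reachable. curl's exit status is
  # ignored on purpose: a connect failure simply yields code 000.
  echo -n "  Testing Docker Hub Registry Path... "
  REGISTRY_STATUS=$(curl -sI --connect-timeout 5 -o /dev/null -w "%{http_code}" \
    "https://registry-1.docker.io/v2/" 2>/dev/null) || true
  if [[ "$REGISTRY_STATUS" == "200" || "$REGISTRY_STATUS" == "401" ]]; then
    REGISTRY_REACHABLE=true
    echo -e "${GREEN}REACHABLE${NC} (Status: $REGISTRY_STATUS)"
    return 0
  fi

  REGISTRY_REACHABLE=false
  echo -e "${RED}BLOCKED/OFFLINE${NC} (Status: $REGISTRY_STATUS)"
  echo -e "    ${YELLOW}i${NC} Falling back to local image check..."
  # nullglob: an unmatched pattern gives an empty array, not a literal "*.tar".
  shopt -s nullglob
  LOCAL_IMAGE_TARS=(./*.tar)
  shopt -u nullglob
  [[ ${#LOCAL_IMAGE_TARS[@]} -gt 0 ]] \
    || die "Registry unreachable and no local .tar image found in $PWD."
  echo "    Found local image archive(s): ${LOCAL_IMAGE_TARS[*]}"
}

# --- 2. ENGINE SETUP (Manual Binary Logic) ---
#######################################
# Ensure dockerd is running; install a systemd unit for /usr/bin/dockerd
# if it is not.
# Exits: when the binaries are missing or the service does not come up.
#######################################
setup_manual_engine() {
  echo -e "\n${YELLOW}[2/5] Hardening Manual Docker Engine...${NC}"
  if sudo docker info >/dev/null 2>&1; then
    echo -e "  ${GREEN}[INFO]${NC} Docker is already active."
    return 0
  fi
  [[ -x /usr/bin/dockerd ]] \
    || die "Manual binaries not found in /usr/bin/. Move them first."

  echo "  Configuring systemd service for manual binaries..."
  # NOTE(review): unit body reconstructed (lost to extraction). dockerd is
  # left on its default unix socket; never add a plain tcp:// -H listener
  # here - an unauthenticated Docker API is root on the host.
  sudo tee /etc/systemd/system/docker.service >/dev/null <<'EOF'
[Unit]
Description=Docker Application Container Engine (manual binaries)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
RestartSec=2
LimitNOFILE=infinity
LimitNPROC=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
EOF
  sudo systemctl daemon-reload
  sudo systemctl enable --now docker >/dev/null 2>&1 \
    || die "systemctl could not start docker.service (see: sudo journalctl -u docker)."
  sudo docker info >/dev/null 2>&1 \
    || die "dockerd started but 'docker info' fails. Check: sudo journalctl -u docker"
  echo -e "  ${GREEN}[OK]${NC} Docker engine running."
}

# --- 3. USER INPUT ---
#######################################
# Collect instance settings from the operator and validate them.
# Globals written: NUM, INSTANCE_DIR, NODE_NAME, TRAFFIC_PORT, MONITOR_PORT,
#                  UPSTREAM_IP, UPSTREAM_PORT, TOKEN
# Exits: on empty or non-numeric input where a number is required.
#######################################
get_user_input() {
  echo -e "\n${YELLOW}[3/5] Instance Configuration...${NC}"
  # NOTE(review): this function's body was lost to extraction; the prompts
  # and derived names below are a reconstruction of the globals the rest of
  # the script consumes. Verify the defaults against the upstream script.
  read -rp "  Instance number [1]: " NUM
  NUM=${NUM:-1}
  is_uint "$NUM" || die "Instance number must be a positive integer."
  INSTANCE_DIR="/opt/wallarm/node-$NUM"
  NODE_NAME="wallarm-node-$NUM"

  local default_traffic=$(( 8000 + 10#$NUM ))
  local default_monitor=$(( 9000 + 10#$NUM ))
  read -rp "  Host port for inspected traffic [$default_traffic]: " TRAFFIC_PORT
  TRAFFIC_PORT=${TRAFFIC_PORT:-$default_traffic}
  is_port "$TRAFFIC_PORT" || die "Traffic port must be 1-65535."
  read -rp "  Host port for node status [$default_monitor]: " MONITOR_PORT
  MONITOR_PORT=${MONITOR_PORT:-$default_monitor}
  is_port "$MONITOR_PORT" || die "Monitor port must be 1-65535."
  [[ "$TRAFFIC_PORT" != "$MONITOR_PORT" ]] \
    || die "Traffic and monitor ports must differ."

  read -rp "  Protected app IP/host: " UPSTREAM_IP
  [[ -n "$UPSTREAM_IP" ]] || die "Upstream host is required."
  read -rp "  Protected app port [80]: " UPSTREAM_PORT
  UPSTREAM_PORT=${UPSTREAM_PORT:-80}
  is_port "$UPSTREAM_PORT" || die "Upstream port must be 1-65535."

  # -s: the token is not echoed, so it never reaches the terminal or
  # $LOG_FILE (which captures all of this script's output).
  read -rsp "  Wallarm API token (input hidden): " TOKEN
  echo
  [[ -n "$TOKEN" ]] || die "API token is required."

  # Reachability hint only (warning, not fatal). Host and port are passed
  # as arguments rather than interpolated into the bash -c string.
  if ! timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$UPSTREAM_IP" "$UPSTREAM_PORT" 2>/dev/null; then
    echo -e "  ${RED}[WARN]${NC} VM cannot reach App at $UPSTREAM_IP:$UPSTREAM_PORT. Check networking."
  fi
}

# --- 4. DEPLOYMENT (Replaces Compose) ---
#######################################
# Write the instance's nginx.conf and env file, fetch the image, start the
# container, and drop a start.sh for manual restarts.
# Globals read: NUM, INSTANCE_DIR, NODE_NAME, TRAFFIC_PORT, MONITOR_PORT,
#               UPSTREAM_IP, UPSTREAM_PORT, TOKEN, API_HOST,
#               REGISTRY_REACHABLE, LOCAL_IMAGE_TARS, WALLARM_IMAGE
# Exits: when the image cannot be obtained or the container fails to start.
#######################################
execute_deployment() {
  echo -e "\n${YELLOW}[4/5] Launching Instance $NUM...${NC}"
  sudo mkdir -p "$INSTANCE_DIR"

  # NOTE(review): nginx.conf reconstructed (lost to extraction). Only three
  # facts are fixed by the rest of the script: traffic on :80, status on
  # :90/wallarm-status, upstream $UPSTREAM_IP:$UPSTREAM_PORT. Mode is
  # 'monitoring' because step 5 only reports status codes; switch to
  # 'block' once the policy is tuned.
  sudo tee "$INSTANCE_DIR/nginx.conf" >/dev/null <<EOF
server {
    listen 80 default_server;
    server_name _;
    wallarm_mode monitoring;
    location / {
        proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
server {
    listen 90;
    location /wallarm-status {
        wallarm_status on;
    }
}
EOF

  # Token and API host go through a root-only 0600 env file instead of the
  # docker run command line, so they never appear in `ps`, in start.sh, or
  # in this script's log. The file is recreated so a stale copy with wider
  # permissions cannot survive.
  printf 'WALLARM_API_TOKEN=%s\nWALLARM_API_HOST=%s\n' "$TOKEN" "$API_HOST" \
    | sudo sh -c 'umask 077; rm -f -- "$1"; cat > "$1"' _ "$INSTANCE_DIR/node.env" \
    || die "Could not write $INSTANCE_DIR/node.env"
  sudo chmod 600 "$INSTANCE_DIR/node.env"

  # An existing container of this name is replaced ("manual compose").
  sudo docker rm -f "$NODE_NAME" >/dev/null 2>&1 || true

  # Image source
  if [[ "$REGISTRY_REACHABLE" == true ]]; then
    echo "  Pulling $WALLARM_IMAGE..."
    sudo docker pull "$WALLARM_IMAGE" || die "docker pull $WALLARM_IMAGE failed."
  else
    # Supply-chain note: an archive sitting in the working directory is
    # loaded as root with no provenance check - confirm its checksum/source.
    echo "  Registry blocked. Loading from local .tar..."
    local archive
    for archive in "${LOCAL_IMAGE_TARS[@]}"; do
      sudo docker load -i "$archive" || die "docker load $archive failed."
    done
    sudo docker image inspect "$WALLARM_IMAGE" >/dev/null 2>&1 \
      || die "No image tagged $WALLARM_IMAGE present after loading local archives."
  fi

  # Persistent launch (manual "compose" behaviour)
  sudo docker run -d --name "$NODE_NAME" --restart always \
    -p "$TRAFFIC_PORT:80" -p "$MONITOR_PORT:90" \
    --env-file "$INSTANCE_DIR/node.env" \
    -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \
    "$WALLARM_IMAGE" >/dev/null \
    || die "docker run failed for $NODE_NAME (check: sudo docker logs $NODE_NAME)."

  # start.sh for easy manual control later. Instance values are expanded
  # now; the token stays in node.env and is not embedded here.
  sudo tee "$INSTANCE_DIR/start.sh" >/dev/null <<EOF
#!/bin/bash
# Re-creates Wallarm node instance $NUM. Secrets live in node.env (0600).
set -uo pipefail
sudo docker rm -f "$NODE_NAME" >/dev/null 2>&1
sudo docker run -d --name "$NODE_NAME" --restart always \\
  -p "$TRAFFIC_PORT:80" -p "$MONITOR_PORT:90" \\
  --env-file "$INSTANCE_DIR/node.env" \\
  -v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
  "$WALLARM_IMAGE"
EOF
  sudo chmod 755 "$INSTANCE_DIR/start.sh"
}

# --- 5. ATTACK TEST & VERIFY ---
#######################################
# Poll the node's status endpoint, then send two benign WAF test requests
# and print the HTTP codes plus a summary.
# Globals read: MONITOR_PORT, TRAFFIC_PORT, NODE_NAME, INSTANCE_DIR
#######################################
verify_and_test() {
  echo -e "\n${YELLOW}[5/5] Verification & Attack Simulation...${NC}"

  # Poll instead of a fixed sleep: the node registers with the cloud at
  # start-up and can take longer than 15s on a slow link.
  local waited=0 up=false
  while (( waited < 60 )); do
    if curl -s --max-time 3 "http://localhost:$MONITOR_PORT/wallarm-status" \
        | grep -q "requests"; then
      up=true
      break
    fi
    sleep 5
    waited=$(( waited + 5 ))
  done
  if [[ "$up" == true ]]; then
    echo -e "  ${GREEN}✓${NC} Node Handshake Successful (after ${waited}s)."
  else
    echo -e "  ${RED}✗${NC} Node not responding after ${waited}s. Check: sudo docker logs $NODE_NAME"
  fi

  # Benign smoke tests. Only status codes are shown; in monitoring mode
  # they mirror the upstream's reply - the attack appearing in the Wallarm
  # console is the check that matters.
  echo -e "\n${YELLOW}⚔️  Simulating Attacks...${NC}"
  local sqli xss
  sqli=$(curl -s -o /dev/null --max-time 10 -w "%{http_code}" \
    "http://localhost:$TRAFFIC_PORT/?id='OR+1=1--")
  echo -e "  SQLi Attack: HTTP $sqli (Logged)"
  xss=$(curl -s -o /dev/null --max-time 10 -w "%{http_code}" \
    "http://localhost:$TRAFFIC_PORT/?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
  echo -e "  XSS Attack:  HTTP $xss (Logged)"

  echo -e "\n${GREEN}${BOLD}✅ DEPLOYMENT FINISHED${NC}"
  echo -e "Instance Path: $INSTANCE_DIR"
  echo -e "Traffic Port:  $TRAFFIC_PORT"
  echo -e "Monitor Port:  $MONITOR_PORT"
}

# --- EXECUTION ---
check_connectivity
setup_manual_engine
get_user_input
execute_deployment
verify_and_test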