#!/usr/bin/env bash

# Microsoft Azure Linux Agent
#
# Copyright 2018 Microsoft Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Helper script which tries to access Wireserver on system reboot. Also prints out iptable rules if non-root and still
# able to access Wireserver

if [[ $# -ne 1 ]]; then
    echo "Usage: agent_persist_firewall-access_wireserver <test-user>"
    exit 1
fi
TEST_USER=$1
USER=$(whoami)
echo "$(date --utc +%FT%T.%3NZ): Running as user: $USER"

function check_online
{
    echo "Checking network connectivity..."

    echo "Connecting to ifconfig.io to check network connection"
    if command -v curl >/dev/null 2>&1; then
        curl --retry 5 --retry-delay 5 --connect-timeout 5 -4 ifconfig.io/ip
    elif command -v wget >/dev/null 2>&1; then
        wget --tries=5 --timeout=5 --wait=5 -4 ifconfig.io/ip
    else
        http_get.py "http://ifconfig.io/ip" --timeout 5 --delay 5 --tries 5
    fi

    if [[ $? -eq 0 ]]; then
        echo "Network is accessible"
        return 0
    else
        echo "$(date --utc +%FT%T.%3NZ): Network still not accessible"
    fi

    echo "Running ping to 8.8.8.8 option"

    if ping 8.8.8.8 -c 1 -i .2 -t 30; then
        echo "Network is accessible"
        return 0
    fi

    echo "$(date --utc +%FT%T.%3NZ): Network still not accessible"
    echo "Unable to connect to network, giving up"
    return 1

    # Will remove other options if we determine first option is stable

    echo "Checking other options to see if network is accessible..."

    echo "Running ping to localhost option"
    if ping 127.0.0.1 -c 1 -i .2 -t 30; then
        echo "Ping to localhost succeeded"
        return 0
    fi
    echo "Ping to localhost failed"

    echo "Running socket connection to wireserver:53 option"
    if python3 /home/"$TEST_USER"/bin/agent_persist_firewall-check_connectivity.py; then
        echo "Socket connection succeeded"
        return 0
    fi
    echo "Socket connection failed"

    echo "Unable to connect to network, giving up"
    return 1
}

if ! check_online; then
    # We will never be able to get online. Kill script.
    echo "Unable to connect to network, exiting now"
    exit 1
fi

echo "Finally online, Time: $(date --utc +%FT%T.%3NZ)"
echo "Trying to contact Wireserver as $USER to see if accessible"
echo ""

# This script is run by a cron job on reboot, so it runs in a limited environment. Some distros may be missing the iptables path,
# so adding common iptables paths to the environment.
export PATH=$PATH:/usr/sbin:/sbin
echo "Firewall configuration before accessing Wireserver:"
if ! sudo iptables -t security -L -nxv -w; then
  sudo nft list table walinuxagent
fi
echo ""

WIRE_IP=$(cat /var/lib/waagent/WireServerEndpoint 2>/dev/null || echo '168.63.129.16' | tr -d '[:space:]')
if command -v curl >/dev/null 2>&1; then
    curl --retry 3 --retry-delay 5 --connect-timeout 5 "http://$WIRE_IP/?comp=versions" -o "/tmp/wire-versions-$USER.xml"
elif command -v wget >/dev/null 2>&1; then
    wget --tries=3 "http://$WIRE_IP/?comp=versions" --timeout=5 --wait=5 -O "/tmp/wire-versions-$USER.xml"
else
    http_get.py "http://168.63.129.16/?comp=versions" --timeout 5 --delay 5 --tries 3
fi
WIRE_EC=$?
echo "ExitCode: $WIRE_EC"

if [[ "$USER" != "root" && "$WIRE_EC" == 0  ]]; then
  echo "Wireserver should not be accessible for non-root user ($USER)"
fi

if [[ "$USER" != "root" ]]; then
  echo ""
  echo "checking tcp traffic to wireserver port 53 for non-root user ($USER)"
  echo -n 2>/dev/null < /dev/tcp/$WIRE_IP/53 && echo 0 || echo 1  # Establish network connection for port 53
  TCP_EC=$?
  echo "TCP 53 Connection ExitCode: $TCP_EC"
fi
