#!/bin/sh
# Плугин проверяет хранимые на узле образы
export LANG=C

export adminmail=root

if [ $EUID -ne 0 ]
then
  if [ "$LANG" == 'ru_RU.UTF-8' ]
  then
    echo "POLICY Unknown plugin должен запускаться с правами пользователя root"
  else
    echo "POLICY Unknown plugin must be run as root user"
  fi
  exit 3
fi

. podsec-policy-functions
. podsec-inotify-functions

setTraps

# Проанализировать описание уровня интервалов во входных парамаетрах
parseIntervalParameters $*

checkUsersImages=$(checkUsersImages)
# checkUsersImages=$(cat "/tmp/out")
# echo -ne $checkUsersImages
# exit

# JSON пользователей имеющих неподписанный образы в формате [{key: <user>, value:"<registries>"},{key: <user>, value:"<registries>"...]
notSignedRegistriesJSON=$(echo $checkUsersImages | jq '[.[] | select(.notSignedRegistries | length > 0) | {key:.user, value:.notSignedRegistries | join(", ")}]')
# echo "$notSignedRegistriesJSON"
# exit
if [ -n "$notSignedRegistriesJSON" ]
then
  # Получение списка пользователей
  notSignedRegistriesUsers=$(echo $notSignedRegistriesJSON | jq '[.[].key] | join (", ")')
  notSignedRegistriesImages=$(echo $notSignedRegistriesJSON | jq '[.[] | join(":")] | join(", ")')
#   echo "notSignedRegistriesUsers=$notSignedRegistriesUsers"
  metricWeight=101
  key=$(getJournalKeyByMetric $metricWeight);
  if [ -n "$key" ]
  then
    users+=$notSignedRegistriesUsers
    prefix=${LEVELSNAMES[$key]};
    priority=${JOURNALPRIORITY[$key]}
    if [ "$LANG" == 'ru_RU.UTF-8' ]
    then
      nagiosHeads+="\nимеют регистраторы не поддерживающие электронную подпись"
      message="$prefix($metricWeight): Пользователи $notSignedRegistriesUsers имеют регистраторы не поддерживающие электронную подпись: $notSignedRegistriesImages"
    else
      nagiosHeads+="\nhave unsigned registries,"
      message="$prefix($metricWeight): $notSignedRegistriesUsers users have unsigned registries:$notSignedRegistriesImages"
    fi
    logger -p $priority -t $prefix $message
    messages+="\n$message"
  fi
  let summaryMetric+=$metricWeight
fi

# JSON пользователей со списком неподписанных образов в формате [{key: <user>, value:"<images>"},{key: <user>, value:"<images>"...]
notSignedImagesJSON=$(echo $checkUsersImages | jq '.[] | select(.notSignedImagesTree | length > 0) | ([{key:.user,value:([.notSignedImagesTree | to_entries[] | .value[]])}])')
if [ -n "$notSignedImagesJSON" ]
then
  # Получение списка пользователей
  notSignedRegistriesUsers=$(echo $notSignedImagesJSON | jq '[.[].key] | join (", ")')
  notSignedRegistriesImages=$(echo $notSignedImagesJSON | jq '[[.[]][] | (.key, ": ", (.value | sort | unique | join(", ") ))] | join("")')
#   echo "notSignedImagesUsers=$notSignedImagesUsers"
  metricWeight=102
  key=$(getJournalKeyByMetric $metricWeight);
  if [ -n "$key" ]
  then
    users+=$notSignedImagesUsers
    prefix=${LEVELSNAMES[$key]};
    priority=${JOURNALPRIORITY[$key]}
    if [ "$LANG" == 'ru_RU.UTF-8' ]
    then
      nagiosHeads+="\nимеют неподписанные образы"
      message="$prefix($metricWeight): Пользователи $notSignedImagesUsers имеют неподписанные образы: $notSignedImagesImages"
    else
      nagiosHeads+="\nhave unsigned images,"
      message="$prefix($metricWeight): $notSignedImagesUsers users have unsigned images: $notSignedImagesImages"
    fi
    logger -p $priority -t $prefix $message
    messages+="\n$message"
  fi
  let summaryMetric+=$metricWeight
fi

# jq '.[] | select(.outPolicyImagesTree | length > 0) | ([{key:.user,value:([.outPolicyImagesTree | to_entries[] | .value[]] | sort | unique)}])'

# JSON пользователей  списком неподписанных образов в формате [{key: <user>, value:"<images>"},{key: <user>, value:"<images>"...]
outPolicyImagesJSON=$(echo $checkUsersImages | jq '.[] | select(.outPolicyImagesTree | length > 0) | ([{key:.user,value:([.outPolicyImagesTree | to_entries[] | .value[]] | sort | unique)}])')
if [ -n "$outPolicyImagesJSON" ]
then
  # Получение списка пользователей
#   outPolicyImagesUsers=$(echo $outPolicyImagesJSON | jq '.[].key' | tr "\n" ' ')
#   outPolicyImages=$(echo $outPolicyImagesJSON | jq '.[] | join(":")' | tr "\n" ' ')
  outPolicyImagesUsers=$(echo $outPolicyImagesJSON | jq '[.[].key] | join (", ")')
  outPolicyImages=$(echo $outPolicyImagesJSON | jq '[[.[]][] | (.key, ": ", (.value | sort | unique | join(", ") ))] | join("")')
#   echo "outPolicyImagesUsers=$outPolicyImagesUsers"
  metricWeight=103
  key=$(getJournalKeyByMetric $metricWeight);
  if [ -n "$key" ]
  then
    users+=$outPolicyImagesUsers
    prefix=${LEVELSNAMES[$key]};
    priority=${JOURNALPRIORITY[$key]}
    if [ "$LANG" == 'ru_RU.UTF-8' ]
    then
      nagiosHeads+="\nимеют образы вне поддерживаемых политик"
      message="$prefix($metricWeight): Пользователи $outPolicyImagesUsers имеют образы вне поддерживаемых политик:  $outPolicyImages"
    else
      nagiosHeads+="\nhave unsigned images,"
      message="$prefix($metricWeight): $outPolicyImagesUsers users have images outside of supported policies: $outPolicyImages"
    fi
    logger -p $priority -t $prefix $message
    messages+="\n$message"
  fi
  let summaryMetric+=$metricWeight
fi

key=$(getNagiosKeyByMetric $summaryMetric)
if [ -n "$key" ]
then
  users=$(echo "$users" | tr ' ' "\n" | sort -u | tr "\n" ' ')
  prefix=${LEVELSNAMES[$key]}
  priority=${NAGIOSPRIORITY[$key]}
  outMessage=
  subject=
  case $VERBOSELEVEL in
    0)
      if [ "$LANG" == 'ru_RU.UTF-8' ]
      then
        subject="POLICY $prefix($metricWeight): Пользователи $users имеют образы нарушающие установленные политики"
        outMessage=$subject
      else
        subject="POLICY $prefix($metricWeight): Users $users have images that violate established policies"
        outMessage=$subject
      fi
      ;;
    1|2|3)
      if [ "$LANG" == 'ru_RU.UTF-8' ]
      then
        subject="POLICY $prefix($metricWeight): Пользователи $users имеют образы нарушающие установленные политики"
        outMessage="$subject | Есть пользователи:"
      else
        subject="POLICY $prefix($metricWeight): Users $users have images that violate established policies "
        outMessage="$subject | There are users:"
      fi
      outMessage+="$nagiosHeads"
      if [ $VERBOSELEVEL -gt 1 ]
      then
        outMessage+=" | $messages"
      fi
      ;;
  esac
  outMessage+="\n"
  if [ "$XDG_SESSION_TYPE" = 'tty' ] # Вызов через nagion shell
  then
    echo -ne $outMessage
  else  # Вызов через cron
    echo -ne $outMessage | mail -s "$subject" $adminmail
  fi
  exit $priority
fi
if [ "$LANG" == 'ru_RU.UTF-8' ]
then
  echo "POLICY OK: Политики контейнеризации не нарушены"
else
  echo "POLICY OK: Containerization policies are not violated"
fi
exit 0
