#!/bin/bash
# Плугин проверяет хранимые на узле образы
export TEXTDOMAINDIR='/usr/share/locale'
export TEXTDOMAIN='podsec-inotify'

export LANG=C
export MAILTO=''
export PROGNAME=$(basename $0)

if [ "$EUID" -ne 0 ]
then
  echo "POLICY Unknown $(gettext 'plugin must be run as root user')"
  exit 3
fi

. podsec-policy-functions
. podsec-inotify-functions

# setTraps

# Проанализировать описание уровня интервалов во входных парамаетрах
parseIntervalParameters "$@"

checkUsersImages=$(checkUsersImages)
# checkUsersImages=$(cat "/tmp/out")
# echo -ne $checkUsersImages
# exit

# JSON пользователей имеющих неподписанный образы в формате [{key: <user>, value:"<registries>"},{key: <user>, value:"<registries>"...]
notSignedRegistriesJSON=$(echo "$checkUsersImages" | jq '[.[] | select(.notSignedRegistries | length > 0) | {key:.user, value:.notSignedRegistries | join(", ")}]')
# echo "$notSignedRegistriesJSON"
# exit

#shellcheck disable=SC2166
export nagiosHeads
export metricWeight
export users

if [ -n "$notSignedRegistriesJSON" -a "$notSignedRegistriesJSON" != '[]' ]
then
  # Получение списка пользователей
  export notSignedRegistriesUsers=$(echo "$notSignedRegistriesJSON" | jq '[.[].key] | join (", ")')
  export notSignedRegistriesImages=$(echo "$notSignedRegistriesJSON" | jq '[.[] | join(":")] | join(", ")')
#   echo "notSignedRegistriesUsers=$notSignedRegistriesUsers"
  metricWeight=101
  key=$(getJournalKeyByMetric "$metricWeight")
  if [ -n "$key" ]
  then
    users+=$notSignedRegistriesUsers
    prefix=${LEVELSNAMES[$key]}
    priority=${JOURNALPRIORITY[$key]}
    nagiosHeads+="\n$(gettext 'have registry that do not support electronic signatures'),"
    message="$metricWeight:: $notSignedRegistriesUsers $(gettext 'users have registry that do not support electronic signatures'): $notSignedRegistriesImages"
    logger -p "$priority" -t "$PROGNAME" "$prefix: $message"
    messages+="\n$message"
  fi
  (( summaryMetric+=metricWeight )) ||:
fi

# JSON пользователей со списком неподписанных образов в формате [{key: <user>, value:"<images>"},{key: <user>, value:"<images>"...]
export notSignedImagesJSON=$(echo "$checkUsersImages" | jq '.[] | select(.notSignedImagesTree | length > 0) | ([{key:.user,value:([.notSignedImagesTree | to_entries[] | .value[]])}])')
if [ -n "$notSignedImagesJSON" ]
then
  # Получение списка пользователей
  export notSignedImagesUsers=$(echo "$notSignedImagesJSON" | jq '[.[].key] | join (", ")')
  export notSignedImagesImages=$(echo "$notSignedImagesJSON" | jq '[[.[]][] | (.key, ": ", (.value | sort | unique | join(", ") ))] | join("")')
#   echo "notSignedImagesUsers=$notSignedImagesUsers"
  metricWeight=102
  key=$(getJournalKeyByMetric "$metricWeight")
  if [ -n "$key" ]
  then
    users+=$notSignedImagesUsers
    prefix=${LEVELSNAMES[$key]}
    priority=${JOURNALPRIORITY[$key]}
    nagiosHeads+="\n$(gettext 'have unsigned images'),"
    message="$metricWeight:: $notSignedImagesUsers $(gettext 'users have unsigned images'): $notSignedImagesImages"
    logger -p "$priority" -t "$PROGNAME" "$prefix: $message"
    messages+="\n$message"
  fi
  (( summaryMetric+=metricWeight )) ||:
fi

# jq '.[] | select(.outPolicyImagesTree | length > 0) | ([{key:.user,value:([.outPolicyImagesTree | to_entries[] | .value[]] | sort | unique)}])'

# JSON пользователей  списком неподписанных образов в формате [{key: <user>, value:"<images>"},{key: <user>, value:"<images>"...]
outPolicyImagesJSON=$(echo "$checkUsersImages" | jq '.[] | select(.outPolicyImagesTree | length > 0) | ([{key:.user,value:([.outPolicyImagesTree | to_entries[] | .value[]] | sort | unique)}])')
if [ -n "$outPolicyImagesJSON" ]
then
  # Получение списка пользователей
  export outPolicyImagesUsers=$(echo "$outPolicyImagesJSON" | jq '[.[].key] | join (", ")')
  export outPolicyImages=$(echo "$outPolicyImagesJSON" | jq '[[.[]][] | (.key, ": ", (.value | sort | unique | join(", ") ))] | join("")')
#   echo "outPolicyImagesUsers=$outPolicyImagesUsers"
  metricWeight=103
  key=$(getJournalKeyByMetric "$metricWeight")
  if [ -n "$key" ]
  then
    users+=$outPolicyImagesUsers
    prefix=${LEVELSNAMES[$key]}
    priority=${JOURNALPRIORITY[$key]}
    message="$metricWeight:: $outPolicyImagesUsers $(gettext 'users have images outside of supported policies'): $outPolicyImages"
    logger -p "$priority" -t "$PROGNAME" "$prefix: $message"
    messages+="\n$message"
  fi
  (( summaryMetric+=metricWeight )) ||:
fi

key=$(getNagiosKeyByMetric "$summaryMetric")
if [ -n "$key" ]
then
  users=$(echo "$users" | tr ' ' "\n" | sort -u | tr "\n" ' ')
  prefix=${LEVELSNAMES[$key]}
  priority=${NAGIOSPRIORITY[$key]}
  outMessage=
  export subject=
  case "$VERBOSELEVEL" in
    0)
      subject="POLICY $metricWeight:: $(gettext 'Users') $users $(gettext 'have images that violate established policies')"
      outMessage=$subject
      ;;
    1|2|3)
#         subject="POLICY $metricWeight:: Пользователи $users имеют образы нарушающие установленные политики"
#         outMessage="$subject | Есть пользователи:"
      subject="POLICY $metricWeight:: $(gettext 'Users') $users $(gettext 'have images that violate established policies')"
      outMessage="$subject | $(gettext 'There are users'):"
      outMessage+="$nagiosHeads"
      if [ "$VERBOSELEVEL" -gt 1 ]
      then
        outMessage+=" | $messages"
      fi
      ;;
  esac
  outMessage+="\n"
  if [ -n "$MAILTO" ]
    then
      echo -ne "$outMessage" | mail -s "$subject" "$MAILTO"
  fi
#   fi
  exit 0
fi
echo "POLICY OK: $(gettext 'Containerization policies are not violated')"
exit 0
