#!/bin/sh

set -e

[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx

case "$1" in
    configure)
    # continue below
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    exit 0
    ;;

    *)
    echo "postinst called with unknown argument \`$1'" >&2
    exit 0
    ;;
esac


# Load debconf
. /usr/share/debconf/confmodule

# Include CARNet functions
. /usr/share/carnet-tools/functions.sh

PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONF="$A2DIR/apache2.conf"
CONFDIR="$A2DIR/conf.d"
A2MODEDIR="$A2DIR/mods-enabled"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
MODSECRBL="$MODSECDIR/rbl_lookup.conf"
MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
MODSECTPL="/usr/share/mod-security-cn"

temp_files=
need_restart=0


# cleanup()
#
#   Cleanup all temp files or directories.
#
cleanup () {
    local item

    if [ -n "$temp_files" ]; then
        for item in $temp_files; do
            if [ -e "$item" ]; then
                rm -rf $item
            fi
        done
    fi
}

# chk_conf_tag ()
#
#   Check if configuration file has CARNet package info lines.
#   return:  $RET => 0 - tagged
#                    1 - file does not exists
#                    2 - file exists, but it is not tagged
#
chk_conf_tag () {
    local conf_file
    conf_file="$1"
    RET=1

    if [ -f "$conf_file" ]; then
        if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
            RET=0
        else
            RET=2
        fi
    fi
}


# Set trap for deleting all temp files.
#
trap cleanup 0 1 2 15


# Enable ModSecurity and unique_id Apache2 modules.
#
if [ -e "$CONF" ]; then
    # Enable mod-security.load
    if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
        cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
        a2enmod mod-security >/dev/null || true
        need_restart=1
    fi

    # Enable unique_id.load
    if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
        cp_echo "CN: Enabling unique_id module for Apache2 web server."
        a2enmod unique_id >/dev/null || true
        need_restart=1
    fi
fi


# Generate ModSecurity configuration files and activate RBL lookup
# for ModSecurity if needed.
#
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then

    # Create /etc/apache2/conf.d/ directory if missing.
    if [ ! -d "$CONFDIR" ]; then
        cp_echo "CN: Creating configuration directory $CONFDIR/"
        mkdir -p $CONFDIR/
    fi

    # Create /etc/apache2/mod-security/ directory if missing.
    if [ ! -d "$MODSECDIR" ]; then
        cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
        mkdir -p $MODSECDIR/
    fi

    out=$(mktemp $MODSECCONF.XXXXXX)
    temp_files="${temp_files} ${out}"

    db_get mod-security-cn/rbl || true
    if [ "$RET" = "true" ]; then

        # Add RBL configuration.
        chk_conf_tag "$MODSECRBL"
        if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then

            if [ $RET -eq 1 ]; then
                cp_echo "CN: Creating configuration file $MODSECRBL"
                cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
                need_restart=1
            else
                if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
                    cp_echo "CN: Updating configuration file $MODSECRBL"
                    cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
                    need_restart=1
                fi
            fi
        fi

        sed "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
            "$MODSECTPL/$(basename $MODSECCONF)" > "$out"

        if [ -e "$MODSECCONF" ]; then
            if ! cmp -s "$MODSECCONF" "$out"; then
                cp_echo "CN: Updating configuration file $MODSECCONF"
                mv -f "$out" "$MODSECCONF"
                cp_echo "CN: Enabled ModSecurity RBL lookup."
                need_restart=1
            fi
        else
            cp_echo "CN: Creating configuration file $MODSECCONF"
            mv "$out" "$MODSECCONF"
            cp_echo "CN: Enabled ModSecurity RBL lookup."
            need_restart=1
        fi
    else

        # Remove RBL configuration.
        sed "s,#RBLLOOKUP#,# DISABLED,g" \
            "$MODSECTPL/$(basename $MODSECCONF)" > "$out"

        if [ -e "$MODSECCONF" ]; then
            if ! cmp -s "$MODSECCONF" "$out"; then
                cp_echo "CN: Updating configuration file $MODSECCONF"
                mv -f "$out" "$MODSECCONF"
                cp_echo "CN: Disabled ModSecurity RBL lookup."
                need_restart=1
            fi
        else
            cp_echo "CN: Creating configuration file $MODSECCONF"
            mv "$out" "$MODSECCONF"
            cp_echo "CN: Disabled ModSecurity RBL lookup."
            need_restart=1
        fi

        chk_conf_tag "$MODSECRBL"
        if [ $RET -eq 0 ]; then
            cp_echo "CN: Removing configuration file $MODSECRBL"
            rm -f "$MODSECRBL"
            need_restart=1
        fi
    fi

    if [ -f "$out" ]; then rm -f $out; fi

    # Enable ModSecurity configuration.
    if [ ! -e "$MODSECLNK" ]; then
        cp_echo "CN: Enabling ModSecurity configuration."
        ln -fs "$MODSECCONF" "$MODSECLNK"
        need_restart=1
    fi
fi

db_stop || true


# Restart Apache2 web server if needed.
#
if [ $need_restart -eq 1 ]; then

    # Check Apache2 web server configuration.
    if apache2ctl configtest 2>/dev/null; then
        invoke-rc.d apache2 force-reload || true
    else
        # Something is broken.
        cp_echo "CN: Your Apache2 configuration is broken."
        cp_echo "CN: Please, check the service after the installation finishes!"
    fi
fi


# Mail root
#
cp_mail "$PKG"

#DEBHELPER#

exit 0