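#!/usr/bin/env bash
# edgeshield-waf-observability: install a detection-only ModSecurity (OWASP CRS)
# main config plus an nginx server block that fronts it on EDGESHIELD_WAF_PORT,
# then validate the nginx config and (optionally) reload or start nginx.
#
# Environment (all optional, defaults below):
#   EDGESHIELD_GENERATED_DIR  directory for generated nginx snippets
#   EDGESHIELD_WAF_CONF       ModSecurity main config; written only if absent
#   EDGESHIELD_WAF_PORT       TCP port the observability listener binds (1..65535)
#   EDGESHIELD_NGINX_RELOAD   "1" to reload (or start) nginx after `nginx -t`
#
# Exits non-zero on the first failing step (set -e); the ERR trap names the line.
set -Eeuo pipefail

: "${EDGESHIELD_GENERATED_DIR:=/var/lib/edgeshield/generated}"
: "${EDGESHIELD_WAF_CONF:=/etc/edgeshield/waf/modsecurity.conf}"
: "${EDGESHIELD_WAF_PORT:=8082}"
: "${EDGESHIELD_NGINX_RELOAD:=1}"

readonly WAF_DIR=/etc/edgeshield/waf
readonly ACCESS_LOG=/var/log/nginx/edgeshield.access.jsonl
readonly ERROR_LOG=/var/log/nginx/edgeshield.error.log
readonly AUDIT_LOG=/var/log/modsecurity/audit.log
readonly GENERATED_CONF="${EDGESHIELD_GENERATED_DIR}/60-edgeshield-waf-observability.conf"

# Path of a half-written generated snippet; removed by the EXIT trap on any
# exit path and cleared once the final rename into place has happened.
TMP_CONF=""

#######################################
# Print a diagnostic to stderr and exit 1.
#######################################
die() {
  printf 'edgeshield-waf: %s\n' "$*" >&2
  exit 1
}

#######################################
# EXIT trap: drop a partially written snippet so nginx never includes it.
#######################################
cleanup() {
  if [[ -n "${TMP_CONF}" ]]; then
    rm -f -- "${TMP_CONF}"
  fi
}

#######################################
# ERR trap (inherited by functions via set -E): report where the script died.
# Arguments: $1 - line number, $2 - failing command
#######################################
on_error() {
  printf 'edgeshield-waf: failed at line %s: %s\n' "$1" "$2" >&2
}

trap cleanup EXIT
trap 'on_error "${LINENO}" "${BASH_COMMAND}"' ERR

#######################################
# Fail early unless the port is a bare TCP port number. The value is
# interpolated verbatim into an nginx `listen` directive and into the printed
# smoke URL, so anything else would only surface later as an `nginx -t` error.
# Arguments: $1 - candidate port
#######################################
validate_port() {
  local port=$1
  # 10# forces decimal so a leading zero is not parsed as octal by (( )).
  if [[ ! "${port}" =~ ^[0-9]+$ ]] || (( 10#${port} < 1 || 10#${port} > 65535 )); then
    die "EDGESHIELD_WAF_PORT must be an integer in 1..65535, got '${port}'"
  fi
}

#######################################
# Create every directory and (empty) log file the generated configs refer to,
# so `nginx -t` does not fail on a missing path. Also creates the directory
# holding EDGESHIELD_WAF_CONF, which may be overridden to a non-default location.
# Globals: EDGESHIELD_GENERATED_DIR, EDGESHIELD_WAF_CONF (read)
#######################################
ensure_paths() {
  mkdir -p -- "${EDGESHIELD_GENERATED_DIR}" "${WAF_DIR}" \
    "$(dirname -- "${EDGESHIELD_WAF_CONF}")" \
    "${ACCESS_LOG%/*}" "${AUDIT_LOG%/*}"
  touch -- "${ACCESS_LOG}" "${ERROR_LOG}" "${AUDIT_LOG}"
  # The default modsecurity.conf Includes these three files; create them empty
  # so the Include lines resolve before an operator has populated them.
  touch -- "${WAF_DIR}/crs-setup.conf" \
    "${WAF_DIR}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" \
    "${WAF_DIR}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
}

#######################################
# Write the default ModSecurity main config, but only when none exists yet.
# An operator-managed file is never overwritten, so edits to the defaults
# below do not propagate to existing installs.
# Globals: EDGESHIELD_WAF_CONF (read)
#######################################
write_default_waf_conf() {
  if [[ -f "${EDGESHIELD_WAF_CONF}" ]]; then
    return 0
  fi
  # SecRuleEngine DetectionOnly: CRS matches are logged, never blocked — this
  # is the observability deployment; set `SecRuleEngine On` in the managed
  # file to enforce.
  # NOTE(review): SecTmpDir/SecDataDir point at the shared, world-writable
  # /tmp; a dedicated directory owned by the nginx worker user would be
  # safer — confirm the worker user before changing it here.
  # The CRS rules path /usr/share/owasp-crs/rules is assumed from the distro
  # package — TODO confirm for the target image.
  cat > "${EDGESHIELD_WAF_CONF}" <<'WAF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLogFormat JSON
SecAuditLog /var/log/modsecurity/audit.log
SecTmpDir /tmp/
SecDataDir /tmp/
Include /etc/edgeshield/waf/crs-setup.conf
Include /etc/edgeshield/waf/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /usr/share/owasp-crs/rules/*.conf
Include /etc/edgeshield/waf/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
WAF
}

#######################################
# Render the nginx server block for the observability listener. The snippet
# is written to a sibling temp name and renamed into place, so a failure
# mid-write never leaves a half-written file where nginx could include it.
# Globals: EDGESHIELD_WAF_PORT, EDGESHIELD_WAF_CONF, GENERATED_CONF (read);
#          TMP_CONF (written, cleared after the rename)
#######################################
write_nginx_conf() {
  TMP_CONF="${GENERATED_CONF}.tmp.$$"
  # Unquoted delimiter: ${...} expands here; `\$uri` and `\\n` are escaped so
  # nginx receives `$uri` and `\n` literally.
  # The `edgeshield_access_v3` log_format and the edgeshield_telemetry_*
  # directives are presumably supplied by the main nginx config / a custom
  # module — `nginx -t` below fails if either is missing.
  cat > "${TMP_CONF}" <<EOF_NGINX
server {
    listen ${EDGESHIELD_WAF_PORT};
    server_name edgeshield_waf_observability;

    root /usr/share/nginx/html;
    index index.html;

    access_log ${ACCESS_LOG} edgeshield_access_v3 buffer=64k flush=1s;
    error_log  ${ERROR_LOG} warn;

    modsecurity on;
    modsecurity_rules_file ${EDGESHIELD_WAF_CONF};

    edgeshield_telemetry_server_zone edgeshield_waf_observability;

    location = /healthz {
        access_log off;
        add_header Content-Type text/plain;
        return 200 "ok\\n";
    }

    location / {
        edgeshield_telemetry_location_zone edgeshield_waf_root;
        try_files \$uri /index.html =404;
    }
}
EOF_NGINX
  mv -f -- "${TMP_CONF}" "${GENERATED_CONF}"
  TMP_CONF=""
}

#######################################
# Validate the complete nginx configuration and, when EDGESHIELD_NGINX_RELOAD
# is "1", reload it. A reload that fails (presumably because no master process
# is running yet) falls back to starting nginx.
# Globals: EDGESHIELD_NGINX_RELOAD (read)
#######################################
apply_nginx() {
  nginx -t
  if [[ "${EDGESHIELD_NGINX_RELOAD}" == "1" ]]; then
    nginx -s reload || nginx
  fi
}

#######################################
# Print the effective settings and a smoke-test command for the operator.
# Globals: EDGESHIELD_WAF_PORT, EDGESHIELD_WAF_CONF (read)
#######################################
print_summary() {
  cat <<EOF_OK
OK: EdgeShield WAF observability enabled
port=${EDGESHIELD_WAF_PORT}
waf=${EDGESHIELD_WAF_CONF}
access_log=${ACCESS_LOG}
audit_log=${AUDIT_LOG}
smoke:
  curl -i 'http://127.0.0.1:${EDGESHIELD_WAF_PORT}/?q=%27%20or%201=1--' -H 'User-Agent: sqlmap/1.7'
EOF_OK
}

main() {
  validate_port "${EDGESHIELD_WAF_PORT}"
  ensure_paths
  write_default_waf_conf
  write_nginx_conf
  apply_nginx
  print_summary
}

main "$@"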
