#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

#######################################
# Wrapper for fail2ban filter checks against logs.
# Usage: f2bchk --mode=ignored || --mode=matched  || --mode=missed \
#               --filter=/etc/fail2ban/filter.d/ufw.aggressive.conf \
#               --log=/var/log/ufw.log \
#               --output=/tmp/f2bchk.log
# Globals:
#   CGRE
#   CRED
#   CRES
#   NL
# Arguments:
#   None
# Returns:
#   0: on success
#   1: In case of any errors
#######################################
f2bchk(){
  ### Declare default values (readonly)
  declare -r DEFAULT_MODE="matched"
  declare -r DEFAULT_FILTER="/etc/fail2ban/filter.d/ufw.aggressive.conf"
  declare -r DEFAULT_LOG="/var/log/ufw.log"

  declare mode="${DEFAULT_MODE}"
  declare filter="${DEFAULT_FILTER}"
  declare log="${DEFAULT_LOG}"
  declare output=""
  declare arg=""

  for arg in "$@"; do
    case "${arg}" in
      --mode=*)   mode="${arg#--mode=}";;
      --filter=*) filter="${arg#--filter=}";;
      --log=*)    log="${arg#--log=}";;
      --output=*) output="${arg#--output=}";;
      *)
        printf "%b[ERROR]%b Unknown argument: '%s' %b" "${CRED}" "${CRES}" "${arg}" "${CRED}"
        return 1
        ;;
    esac
  done

  declare flag suffix
  case "${mode}" in
    ignored) flag="--print-all-ignored"; suffix="all.ignored";;
    matched) flag="--print-all-matched"; suffix="all.matched";;
    missed)  flag="--print-all-missed";  suffix="all.missed";;
    *)
      printf "%b[ERROR]%b Invalid mode: '%s' %b" "${CRED}" "${CRES}" "${mode}" "${NL}"
      return 1
      ;;
  esac

  if [[ -z "${output}" ]]; then
    declare filter_name="${filter##*/}"
    filter_name="${filter_name%.conf}"
    output="/tmp/${filter_name}.${suffix}.log"
  fi

  if [[ ! -r "${log}" ]]; then
    printf "%b[ERROR]%b Log file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${log}" "${NL}"
    return 1
  fi

  if [[ ! -r "${filter}" ]]; then
    printf "%b[ERROR]%b Filter file '%s' not found or not readable. %b" "${CRED}" "${CRES}" "${filter}" "${NL}"
    return 1
  fi

  printf "%b[INFO]%b Running: fail2ban-regex '%s %s %s' %b" "${CGRE}" "${CRES}" "${log}" "${filter}" "${flag}" "${NL}"

  if fail2ban-regex "${log}" "${filter}" "${flag}" >| "${output}"; then

    printf "%b[SUCCESS]%b Saved log to: '%s' %b" "${CGRE}" "${CRES}" "${output}" "${NL}"
    printf "You can view it with: cat %s%b" "${output}" "${NL}"
  else

    printf "%b[ERROR]%b fail2ban-regex execution failed. %b" "${CRED}" "${CRES}" "${NL}"
    return 1

  fi

  exit 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
