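#!/bin/bash
# Redis Check - audits the local Redis deployment:
#   * redis package present (and pinned to REDIS_VERSION off Rocky 9)
#   * redis service running / enabled
#   * socket count, local PING, config/unit files matching the framework copies
#   * kernel tunables (somaxconn, overcommit_memory)
#   * the REDIS-WHITELIST-CHAIN iptables chain guarding port 6379
#
# Rocky 9 compatible.
#
# Expects /usr/src/k_framework/main.sh to provide report, fix, k_start,
# k_config_details, k_exit, k_service_is_running, k_service_is_enabled,
# k_iptables_locking_option (sets l_opt) and the variables ROCKY9, EXIT_CODE,
# DB_HOST, DB_USERNAME, DB_PASSWORD, DB_NAME, P_OPT, REDIS_ENABLED_CORE and
# REDIS_ENABLED.  NOTE(review): inferred from usage below - confirm in main.sh.
. /usr/src/k_framework/main.sh

# ---- VARS -----
VERSION="1.1.6"
SCRIPT_NAME="Redis Check"
REDIS_VERSION="3.2.12"   # expected package version on hosts that are not Rocky 9
REDIS_PORT=6379
TEST=0                   # 1 - do not execute changes

# ---- FUNCTIONS -----

#######################################
# Print the installed redis rpm version, or nothing if not installed.
# Outputs: version string to stdout (empty when the package is missing)
#######################################
installed_redis_version() {
  # "rpm -q --info" prints "Version     : X.Y.Z"; match the key exactly.
  rpm -q --info redis 2>/dev/null | awk '$1 == "Version" {print $3}'
}

#######################################
# Compare a sysctl key with its expected value and report the result.
# Arguments: $1 - sysctl key, $2 - expected value
# Globals:   EXIT_CODE (written on mismatch)
#######################################
check_sysctl() {
  local key=$1 expected=$2 actual
  actual=$(sysctl -n "$key" 2>/dev/null)
  # Exact comparison: a substring grep would accept "10" or "21" for "1".
  if [[ "$actual" == "$expected" ]]; then
    report "sysctl $key = $expected" 0
  else
    report "sysctl $key != $expected" 1
    report " echo \"$key = $expected\" >> /etc/sysctl.conf && sysctl -p" fix
    EXIT_CODE=1
  fi
}

#######################################
# Report when a deployed file differs from the framework reference copy.
# Arguments: $1 - reference file, $2 - deployed file
# Globals:   EXIT_CODE (written on mismatch; a missing file also counts)
#######################################
check_file_matches() {
  local reference=$1 deployed=$2
  if ! cmp -s "$reference" "$deployed"; then
    report "$deployed does not match $reference" 2
    EXIT_CODE=2
  fi
}

#######################################
# Print the ACCEPT rules for the Redis port from the whitelist chain.
# Globals:   l_opt (iptables locking option, set by k_iptables_locking_option)
# Outputs:   "iptables -nL" rule lines (target prot opt source destination ...)
#######################################
redis_accept_rules() {
  # shellcheck disable=SC2086  # l_opt is intentionally word-split (may be empty)
  /sbin/iptables $l_opt -n -L REDIS-WHITELIST-CHAIN 2>/dev/null \
    | grep ACCEPT | grep "tcp dpt:$REDIS_PORT"
}

#######################################
# True when the given address is exactly one of the whitelisted sources.
# Arguments: $1 - source address as printed by "iptables -nL" (field 4)
# Globals:   accept_sources (read)
# Returns:   0 if present, 1 otherwise
#######################################
whitelist_has_source() {
  local wanted=$1 src
  for src in "${accept_sources[@]}"; do
    # Exact match on the source column: a substring grep would let
    # 10.0.0.1 be "found" in a rule for 10.0.0.10.
    [[ "$src" == "$wanted" ]] && return 0
  done
  return 1
}

# ---- MAIN -----
k_start "$@"
k_config_details "$@"

: "${EXIT_CODE:=0}"   # main.sh is expected to initialise this; default defensively

if [[ "$TEST" == "1" ]]; then
  report "***** TEST MODE ON. Changes will not be applied *****" 8
fi

# --- package ---
current_redis_v=$(installed_redis_version)
if [[ -z "$current_redis_v" ]]; then
  report "Redis not installed" 1
  report " Run /usr/src/k_framework/helpers/redis/redis_install.sh" fix
  k_exit 1
elif [[ "$ROCKY9" != 1 ]]; then
  # The version pin is only enforced off Rocky 9.
  if [[ "$current_redis_v" == "$REDIS_VERSION" ]]; then
    report "Current Redis version: $current_redis_v" 0
  else
    report "Wrong Redis version: $current_redis_v, should be: $REDIS_VERSION" 1
    report " Run /usr/src/k_framework/helpers/redis/redis_install.sh" fix
    EXIT_CODE=1
  fi
fi

# --- service ---
if k_service_is_running "redis"; then
  report "Redis service is active" 0
else
  if k_service_is_enabled "redis"; then
    report "Redis service is not active. Troubleshoot manually." 1
    report " Check /var/log/redis" 1
  else
    report " Redis service is not active and is not enabled"
    report " Run /usr/src/k_framework/helpers/redis/redis_install.sh" fix
  fi
  EXIT_CODE=1
  # Was "k_exit EXIT_CODE": passed the literal variable name, not its value.
  k_exit "$EXIT_CODE"
fi

# --- connections ---
# net-tools (netstat) is not installed by default on Rocky 9; without a
# fallback a missing netstat silently yields a count of 0 and a false "OK".
if command -v netstat >/dev/null 2>&1; then
  conn_count=$(netstat -vatupn 2>/dev/null | grep -c "redis-server")
else
  conn_count=$(ss -Htaupn 2>/dev/null | grep -c "redis-server")
fi
conn_count=${conn_count:-0}
if (( conn_count >= 200 )); then
  report "Redis Connected Clients count too high: $conn_count" 2
  EXIT_CODE=2
else
  report "Redis Connected Clients: $conn_count" 0
fi

# --- local reachability ---
PONG=$(redis-cli PING)
if [[ "$PONG" == "PONG" ]]; then
  report "Redis accessible locally (PING-PONG)" 0
else
  report "Redis not accessible locally (PING->$PONG)" 1
  EXIT_CODE=1
fi

# --- deployed files vs framework copies ---
check_file_matches /usr/src/k_framework/helpers/redis/redis.conf /etc/redis.conf
check_file_matches /usr/src/k_framework/helpers/redis/redis.service /usr/lib/systemd/system/redis.service

# --- kernel tunables ---
check_sysctl "net.core.somaxconn" "65535"
check_sysctl "vm.overcommit_memory" "1"

# --- iptables whitelist ---
k_iptables_locking_option   # sets l_opt

# Check if Redis whitelist chain exists
# shellcheck disable=SC2086
if ! /sbin/iptables $l_opt -nL REDIS-WHITELIST-CHAIN &>/dev/null; then
  report "REDIS-WHITELIST-CHAIN chain does not exist" 1
  report " /sbin/iptables -N REDIS-WHITELIST-CHAIN" fix
  EXIT_CODE=1
fi

# Whitelist chain might be created but not added to INPUT chain
# shellcheck disable=SC2086
if ! /sbin/iptables $l_opt -L INPUT -n | grep -Fq REDIS-WHITELIST-CHAIN; then
  report "REDIS-WHITELIST-CHAIN chain is not added to INPUT chain" 1
  report " /sbin/iptables $l_opt -I INPUT 1 -j REDIS-WHITELIST-CHAIN" fix
  EXIT_CODE=1
fi

# Collect whitelisted source addresses (field 4 of "iptables -nL") in memory.
# The previous version wrote them to the predictable path /tmp/redis_iptables;
# a local user could pre-create that name as a symlink and have root overwrite
# an arbitrary file on the next run.
accept_rules=$(redis_accept_rules)
mapfile -t accept_sources < <(awk 'NF {print $4}' <<<"$accept_rules")

if whitelist_has_source "127.0.0.1"; then
  report "Access to Redis from 127.0.0.1 present" 0
else
  report "No access to Redis from 127.0.0.1" 1
  report " iptables -I REDIS-WHITELIST-CHAIN -p tcp -s 127.0.0.1 --dport $REDIS_PORT -j ACCEPT" fix
  EXIT_CODE=1
fi

# list other IPs which have access to Redis
for src in "${accept_sources[@]}"; do
  [[ "$src" == "127.0.0.1" ]] || report "$src has access to Redis" 0
done

# A DROP for the port must exist. NOTE: this only checks presence, not that the
# DROP sits after the ACCEPT rules; rule order is left to the operator.
# shellcheck disable=SC2086
if /sbin/iptables $l_opt -n -L REDIS-WHITELIST-CHAIN 2>/dev/null | grep DROP | grep -q "tcp dpt:$REDIS_PORT"; then
  report "Access to Redis closed from outside for other IPs" 0
else
  report "Access to Redis not closed from outside!" 1
  report " iptables -A REDIS-WHITELIST-CHAIN -p tcp --dport $REDIS_PORT -j DROP" fix
  EXIT_CODE=1
fi

# --- GUI access ---
# Password is passed via MYSQL_PWD (environment), not argv, so it does not
# show up in "ps". The query may return several rows; handle each one.
# shellcheck disable=SC2086  # P_OPT is intentionally word-split (may be empty)
gui_ips=$(MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h "$DB_HOST" -u "$DB_USERNAME" $P_OPT "$DB_NAME" --silent \
  -e "SELECT server_ip FROM servers WHERE gui = 1 AND active = 1" | grep -v value)
while IFS= read -r gui_ip; do
  [[ -n "$gui_ip" ]] || continue
  # server_ip comes from the database and is echoed inside a single-quoted
  # iptables command for the operator to paste: refuse anything that is not
  # plain address/hostname characters so the suggestion cannot be broken out of.
  if [[ ! "$gui_ip" =~ ^[A-Za-z0-9._:/-]+$ ]]; then
    report "GUI server_ip [$gui_ip] contains unexpected characters; skipping whitelist check" 2
    EXIT_CODE=2
    continue
  fi
  if whitelist_has_source "$gui_ip"; then
    report "GUI [$gui_ip] has access to Redis" 0
  else
    report "GUI [$gui_ip] does not have access to Redis" 1
    report " iptables -I REDIS-WHITELIST-CHAIN -p tcp -s '$gui_ip' --dport $REDIS_PORT -j ACCEPT" fix
    EXIT_CODE=1
  fi
done <<<"$gui_ips"

if [[ $REDIS_ENABLED_CORE == 1 && $REDIS_ENABLED != 1 ]]; then
  report "Redis is not enabled in GUI" 2
  report " Enable Redis in MAINTENANCE->Settings->Redis and test connection" fix
fi

k_exit "$EXIT_CODE"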