#!/bin/sh

# Script to be run after package is installed

# disable WAP/NIS integration based on env variable passed to installer or existing disabler file from previous installation
WAP_DISABLER_PATH="/opt/eset/efs/etc/WAP_DISABLED"
NFTABLES_DISABLER_PATH="/opt/eset/efs/etc/NFTABLES_DISABLED"
if [ -f "$WAP_DISABLER_PATH" ]; then
	mv "$WAP_DISABLER_PATH" "$NFTABLES_DISABLER_PATH"
fi
if [ -n "$ESET_DISABLE_WAP" ] || [ -n "$ESET_DISABLE_NFTABLES" ] || [ -f "$NFTABLES_DISABLER_PATH" ]; then
	DISABLE_NFTABLES=1
fi

# for rpm as we are running at %posttrans step we always get first argument 0, or 1 depending on rpm version
# so we cannot easily detect fresh install, or upgrade in here
if [ "$1" = "0" ] || [ "$1" = "1" ]; then
	IS_RPM_INSTALL="1"
	# read saved value from %post step
	if [ -f "%{_localstatedir}/lib/rpm-state/efs/post" ]; then
		RPM_POST_VALUE=$(cat "%{_localstatedir}/lib/rpm-state/efs/post")
		rm -rf "%{_localstatedir}/lib/rpm-state/efs/"
		if [ "$RPM_POST_VALUE" = "1" ]; then
			IS_FRESH_INSTALL="1"
		fi
	fi
fi

# deb first installation, we cannot properly detect `Installing from "Config-Files" state` (as same parameters as upgrade), ignore this installation
if [ "$1" = "configure" ] && [ -z "$2" ]; then
	IS_FRESH_INSTALL="1"
fi

SYSTEMD_CAT="$(which systemd-cat 2>/dev/null || true)"
print_error() {
	errorstr="ESET Server Security error: $1"
	echo "$errorstr" 1>&2
	if [ -n "$SYSTEMD_CAT" ]; then
		printf "%s" "$errorstr" | $SYSTEMD_CAT -t "efs" -p err
	fi
}

# Because of a bug in a cronie package, a cron daemon does not start automatically after the cronie
# package has been installed (eg. on SUSE Linux and RHEL Linux), hence we start it manually here.
# NOTE: Remove this code after https://bugzilla.suse.com/show_bug.cgi?id=1150210 has been fixed.
if systemctl --version >/dev/null 2>/dev/null; then
	systemctl start cron  >/dev/null 2>/dev/null || true
	systemctl start crond >/dev/null 2> /dev/null || true
else
	service cron  start >/dev/null 2>/dev/null || true
	service crond start >/dev/null 2>/dev/null || true
fi

# remove residues after old scheduler
rm -rf /var/opt/eset/efs/schedulerd || true
rm -f /etc/cron.d/eset-efs || true

# create all groups and users (there might be some new on upgrade)
for g in eset-efs-services eset-efs-vapm eset-efs-daemons eset-efs-agents; do
	groupadd -f -r $g
done

for ug in eset-efs-confd:eset-efs-daemons eset-efs-watchd:eset-efs-daemons eset-efs-licensed:eset-efs-daemons eset-efs-vapm-wrapper:eset-efs-vapm eset-efs-econnd:eset-efs-daemons eset-efs-wapd:eset-efs-daemons eset-efs-sched:eset-efs-agents eset-efs-logd:eset-efs-daemons eset-efs-authd:eset-efs-daemons eset-efs-scand:eset-efs-daemons eset-efs-vapmd:eset-efs-daemons eset-efs-icapd:eset-efs-daemons eset-efs-netisd:eset-efs-daemons eset-efs-webd:eset-efs-daemons eset-efs-updated:eset-efs-daemons; do
	if ! id "${ug%:*}" > /dev/null 2>&1; then
		useradd -d '/opt/eset/efs' -M -N -r -s /sbin/nologin -G 'eset-efs-services' -g "${ug#*:}" "${ug%:*}"
	else
		usermod -a -G 'eset-efs-services' "${ug%:*}"
	fi
done

for ug in eset-efs-vapmd:eset-efs-vapm; do
	usermod -a -G "${ug#*:}" "${ug%:*}"
done

if [ "$IS_RPM_INSTALL" = "1" ] && [ -z "$IS_FRESH_INSTALL" ]; then
	# rpm upgrade only
	#remove selinux rules and all tmp files
	/opt/eset/efs/lib/install_scripts/efs_selinux_uninstall_check.sh
	if semodule -l | grep '^eset_efs\>' > /dev/null 2>&1; then
		exit 1
	fi
fi

#################################### Upgrade & Install ####################################
# these directories needs to exist for modules compilation
# permissions are set correctly after compilation
mkdir -p /var/opt/eset/efs/updated/modules

# extract modules from tar
if ! tar -xf /var/opt/eset/efs/lib/modules_efs.tar -C /var/opt/eset/efs/updated/modules; then
	print_error 'Module extraction failed.'
fi
# compile modules
if ! /opt/eset/efs/lib/modfetch --compile-nups; then
	print_error 'Module compilation failed.'
fi

# create directories and change directory permissions
# generated from product_paths.json
mkdir -p /var/log/eset/efs
chown eset-efs-logd:eset-efs-daemons /var/log/eset/efs
chmod 0755 /var/log/eset/efs
mkdir -p /var/log/eset/efs/logd
chown eset-efs-logd:eset-efs-daemons /var/log/eset/efs/logd
chmod 0700 /var/log/eset/efs/logd
mkdir -p /var/log/eset/efs/internal
chown root:eset-efs-daemons /var/log/eset/efs/internal
chmod 1770 /var/log/eset/efs/internal
chown root:eset-efs-daemons /var/opt/eset/efs
chmod 0775 /var/opt/eset/efs
mkdir -p /var/run/eset/efs
chown root:eset-efs-daemons /var/run/eset/efs
chmod 0755 /var/run/eset/efs
mkdir -p /var/opt/eset/efs/cache
chown eset-efs-scand:eset-efs-services /var/opt/eset/efs/cache
chmod 1770 /var/opt/eset/efs/cache
mkdir -p /var/opt/eset/efs/cache/data
chown eset-efs-scand:eset-efs-daemons /var/opt/eset/efs/cache/data
chmod 1770 /var/opt/eset/efs/cache/data
mkdir -p /var/opt/eset/efs/cache/data/Logs
chown eset-efs-scand:eset-efs-daemons /var/opt/eset/efs/cache/data/Logs
chmod 1770 /var/opt/eset/efs/cache/data/Logs
mkdir -p /var/opt/eset/efs/cache/data/Diagnostics
chown eset-efs-scand:eset-efs-daemons /var/opt/eset/efs/cache/data/Diagnostics
chmod 1770 /var/opt/eset/efs/cache/data/Diagnostics
mkdir -p /var/opt/eset/efs/installer
chown root:eset-efs-daemons /var/opt/eset/efs/installer
chmod 0775 /var/opt/eset/efs/installer
mkdir -p /var/opt/eset/efs/vapm
chown root:eset-efs-vapm /var/opt/eset/efs/vapm
chmod 0770 /var/opt/eset/efs/vapm
mkdir -p /var/opt/eset/efs/vapm/database
chown -R eset-efs-vapmd:eset-efs-vapm /var/opt/eset/efs/vapm/database
find -P /var/opt/eset/efs/vapm/database -type d -exec chmod 0750 '{}' \;
find -P /var/opt/eset/efs/vapm/database -type f -exec chmod 0640 '{}' \;
mkdir -p /var/opt/eset/efs/vapm/logs
chown -R eset-efs-vapm-wrapper:eset-efs-vapm /var/opt/eset/efs/vapm/logs
find -P /var/opt/eset/efs/vapm/logs -type d -exec chmod 0700 '{}' \;
find -P /var/opt/eset/efs/vapm/logs -type f -exec chmod 0600 '{}' \;
chown -R eset-efs-updated:eset-efs-daemons /var/opt/eset/efs/lib
find -P /var/opt/eset/efs/lib -type d -exec chmod 0755 '{}' \;
find -P /var/opt/eset/efs/lib -type f -exec chmod 0644 '{}' \;
mkdir -p /var/opt/eset/efs/modules_notice
chown root:root /var/opt/eset/efs/modules_notice
chmod 0755 /var/opt/eset/efs/modules_notice
mkdir -p /var/opt/eset/efs/updated
chown eset-efs-updated:eset-efs-daemons /var/opt/eset/efs/updated
chmod 0755 /var/opt/eset/efs/updated
mkdir -p /var/opt/eset/efs/updated/app
chown eset-efs-updated:eset-efs-daemons /var/opt/eset/efs/updated/app
chmod 0700 /var/opt/eset/efs/updated/app
mkdir -p /var/opt/eset/efs/updated/modules
chown -R eset-efs-updated:eset-efs-daemons /var/opt/eset/efs/updated/modules
find -P /var/opt/eset/efs/updated/modules -type d -exec chmod 0755 '{}' \;
find -P /var/opt/eset/efs/updated/modules -type f -exec chmod 0644 '{}' \;
mkdir -p /opt/eset/lib
chown root:root /opt/eset/lib
chmod 0755 /opt/eset/lib
mkdir -p /opt/eset/lib/modules
chown root:eset-efs-services /opt/eset/lib/modules
chmod 0775 /opt/eset/lib/modules
mkdir -p /var/opt/eset/efs/dumps
chown root:eset-efs-services /var/opt/eset/efs/dumps
chmod 0775 /var/opt/eset/efs/dumps



# disable WAP integration based on env variable passed to installer
NFTABLES_INSTALL_DISABLER="/opt/eset/efs/etc/NFTABLES_DISABLED"
if [ -n "$DISABLE_NFTABLES" ]; then
	echo "1" > "$NFTABLES_INSTALL_DISABLER"
fi

if [ ! -f "$NFTABLES_INSTALL_DISABLER" ]; then
	/opt/eset/efs/lib/install_scripts/eset_efs_sysctl.sh enable
	/opt/eset/efs/lib/install_scripts/eset_efs_udev.sh enable
fi

# enable SHA256 integration based on env variable passed to installer
sha256_enabler_path="/opt/eset/efs/etc/SHA256_ENABLED"
if [ -n "$ESET_ENABLE_SHA256" ]; then
    echo "1" > "$sha256_enabler_path"
fi

is_fresh_install() {
	# rpm installation
	if [ "$1" = "1" ]; then
		return
	fi

	# deb first installation, we cannot properly detect `Installing from "Config-Files" state` (as same parameters as upgrade), ignore this installation
	[ "$1" = "configure" ] && [ -z "$2" ]
}

if ! is_fresh_install "$@"; then
	# move logs from old log dir to the new one
	if [ -d '/var/log/eset/efs/ods' ]; then
		mv -f '/var/log/eset/efs/ods' '/var/log/eset/efs/logd'
	fi
	for f in '/var/log/eset/efs/'*.dat; do
		if [ -e "$f" ]; then
			mv -f "$f" '/var/log/eset/efs/logd'
		fi
	done
fi

# register and start service
/opt/eset/efs/lib/install_scripts/register_service.sh

parse_and_apply_eulas() {
	IFS=';' eulas="$1"
	for eula in ${eulas}; do
		eula_tag="$(echo "$eula" | cut -d ':' -f1)"
		eula_version="$(echo "$eula" | cut -d ':' -f2)"
		'/opt/eset/efs/sbin/cfg' --eula-tag "$eula_tag" --eula-version "$eula_version" > /dev/null || true
	done
}

# add eula into CE path AcceptedEulas
if [ -n "$LI_ACCEPTED_EULAS" ]; then
	# accepted in LiveInstaller (set via env variable)
	parse_and_apply_eulas "$LI_ACCEPTED_EULAS"
else 
	# built-in EULA for installer
	'/opt/eset/efs/sbin/cfg' --eula-tag "EULA-PRODUCT-LG" --eula-version "3537.0.3" > /dev/null || true
fi

LAST_PROCESSED_VERSION="State.Plugins.Webd.LastProcessedVersion"
fill_last_processed_version() {
	'/opt/eset/efs/sbin/cfg' -i /dev/stdin > /dev/null <<HERE || true
{
	"method": "_CE.rpc_api.screen_values_set",
	"params": {
		"values": {
			"$LAST_PROCESSED_VERSION" : $1
		}
	}
}
HERE
}

is_last_processed_version_empty() {
	VERSION=$('/opt/eset/efs/sbin/cfg' --dump "$LAST_PROCESSED_VERSION" | grep "$LAST_PROCESSED_VERSION" | cut -d: -f2)
	test "$VERSION" = "[]"
}

# fill current version during the first installation or 9.0.0.0 when empty (on upgrade), what's the last product version which has not filled the LAST_PROCESSED_VERSION
if [ "$IS_FRESH_INSTALL" = "1" ]; then
	fill_last_processed_version "[12, 2, 69, 0]"
elif is_last_processed_version_empty; then
	fill_last_processed_version "[9,0,0,0]"
fi

# disable wap when installed with env variable set
if [ "$IS_FRESH_INSTALL" = "1" ] && [ -f "$NFTABLES_INSTALL_DISABLER" ]; then
	'/opt/eset/efs/sbin/cfg' --set "Settings.Plugins.Wapd.Protoscan.WebProtectionEnabled" 0
fi

DATE_OF_PRODUCT_INSTALLATION="State.Common.DateOfProductInstallation"

is_installation_date_empty() {
	DATE=$('/opt/eset/efs/sbin/cfg' --dump "$DATE_OF_PRODUCT_INSTALLATION" | grep "$DATE_OF_PRODUCT_INSTALLATION" | cut -d: -f2)
	test "$DATE" = 0
}

# fill also during upgrade if the previous products version has not filled date
if is_installation_date_empty; then
	'/opt/eset/efs/sbin/cfg' -i /dev/stdin > /dev/null <<HERE || true
{
	"method": "_CE.rpc_api.screen_values_set",
	"params": {
		"values": {
			"$DATE_OF_PRODUCT_INSTALLATION": $(date +%s)
		}
	}
}
HERE
fi