#!/bin/sh
#
# SecuBox WAN Access Manager
# Opens the configured ports from every firewall zone (DMZ-style) for remote access
#

. /lib/functions.sh
. /usr/share/libubox/jshn.sh

# Name prefix shared by every firewall rule this script creates; remove_uci_rules
# deletes by this prefix, so do not reuse it for unrelated rules
RULE_PREFIX="secubox_wan"

# Remove all SecuBox WAN access rules from UCI
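#######################################
# Remove every firewall rule whose name starts with RULE_PREFIX from UCI.
# Globals:   RULE_PREFIX (read)
# Arguments: none
# Outputs:   nothing
# Returns:   1 if at least one rule was deleted (firewall is then committed),
#            0 otherwise. This is the inverse of the usual success convention;
#            no caller in this script checks it.
#######################################
remove_uci_rules() {
	local changed=0
	local count=0
	local i name

	# Count the rule sections up front. "uci get firewall.@rule[N]" prints the
	# section type while N is a valid index, so unlike reading the .name option
	# the walk does not stop early at a rule that has no name.
	while [ -n "$(uci -q get "firewall.@rule[$count]" 2>/dev/null)" ]; do
		count=$((count + 1))
	done

	# Walk from the highest index down: deleting a section only shifts the
	# indices above it, which have already been visited.
	i=$((count - 1))
	while [ "$i" -ge 0 ]; do
		name=$(uci -q get "firewall.@rule[$i].name" 2>/dev/null)
		case "$name" in
			"${RULE_PREFIX}"*)
				uci delete "firewall.@rule[$i]" 2>/dev/null
				changed=1
				;;
		esac
		i=$((i - 1))
	done

	[ "$changed" -eq 1 ] && uci commit firewall
	return "$changed"
}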

# Add a simple firewall rule - open to ALL (DMZ style)
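#######################################
# Append a firewall rule that ACCEPTs a port from every zone (src="*", no
# source restriction), i.e. the port becomes reachable from WAN as well.
# Globals:   none
# Arguments: $1 - rule name (start it with RULE_PREFIX so remove_uci_rules finds it)
#            $2 - destination port, a number 1-65535 or a range N-M
#            $3 - protocol (default tcp)
# Outputs:   nothing
# Returns:   0 on success, 1 if the port is malformed or the section could not
#            be created (nothing is written in that case)
#######################################
add_rule() {
	local name="$1"
	local port="$2"
	local proto="${3:-tcp}"
	local lo hi

	# Reject anything that is not digits or a single N-M range: uci stores the
	# string verbatim and the firewall would otherwise load a malformed rule.
	case "$port" in
		''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
	esac
	lo=${port%%-*}
	hi=${port#*-}
	if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
		return 1
	fi

	# If the new section is not created, @rule[-1] resolves to the last existing
	# rule and the sets below would silently overwrite an unrelated rule.
	uci add firewall rule >/dev/null || return 1
	uci set "firewall.@rule[-1].name=$name"
	uci set "firewall.@rule[-1].src=*"
	uci set "firewall.@rule[-1].dest_port=$port"
	uci set "firewall.@rule[-1].proto=$proto"
	uci set "firewall.@rule[-1].target=ACCEPT"
}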

# Apply rules based on secubox config
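#######################################
# Rebuild the SecuBox firewall rules from the secubox UCI config.
# All RULE_PREFIX rules are removed first; new ones are added only when the
# master switch (remote.enabled) is on, one per enabled service. Every rule
# accepts its port from every zone (src="*"), WAN included.
# Globals:   RULE_PREFIX (read)
# Arguments: $1 - "noreload" to skip the background firewall reload
# Outputs:   one status line to stdout; per-rule messages to syslog
# Returns:   0
#######################################
apply_rules() {
	local noreload="$1"
	local enabled https_enabled https_port http_enabled http_port ssh_enabled ssh_port

	config_load secubox
	config_get enabled remote enabled "0"
	config_get https_enabled remote https_enabled "0"
	config_get https_port remote https_port "443"
	config_get http_enabled remote http_enabled "0"
	config_get http_port remote http_port "80"
	config_get ssh_enabled remote ssh_enabled "0"
	config_get ssh_port remote ssh_port "22"

	# Drop whatever was created last time (commits firewall on its own)
	remove_uci_rules

	if [ "$enabled" = "1" ]; then
		# A failed add must not be reported as an opened port; log it at
		# error priority so it stands out in syslog.
		if [ "$https_enabled" = "1" ]; then
			if add_rule "${RULE_PREFIX}_https" "$https_port" "tcp"; then
				logger -t secubox-wan "Opened HTTPS port $https_port (all zones)"
			else
				logger -t secubox-wan -p daemon.err "Failed to add HTTPS rule for port '$https_port'"
			fi
		fi

		if [ "$http_enabled" = "1" ]; then
			if add_rule "${RULE_PREFIX}_http" "$http_port" "tcp"; then
				logger -t secubox-wan "Opened HTTP port $http_port (all zones)"
			else
				logger -t secubox-wan -p daemon.err "Failed to add HTTP rule for port '$http_port'"
			fi
		fi

		if [ "$ssh_enabled" = "1" ]; then
			if add_rule "${RULE_PREFIX}_ssh" "$ssh_port" "tcp"; then
				logger -t secubox-wan "Opened SSH port $ssh_port (all zones)"
			else
				logger -t secubox-wan -p daemon.err "Failed to add SSH rule for port '$ssh_port'"
			fi
		fi

		uci commit firewall
	fi

	# Reload in the background unless the caller handles the reload itself
	if [ "$noreload" != "noreload" ]; then
		/etc/init.d/firewall reload >/dev/null 2>&1 &
	fi

	echo "WAN access rules applied"
}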

# Show current status
#######################################
# Print a human-readable summary of the secubox remote-access settings.
# Globals:   none
# Arguments: none
# Outputs:   status report on stdout
#######################################
status() {
	local enabled https_enabled https_port http_enabled http_port ssh_enabled ssh_port
	local master https_state http_state ssh_state

	config_load secubox
	config_get enabled remote enabled "0"
	config_get https_enabled remote https_enabled "0"
	config_get https_port remote https_port "443"
	config_get http_enabled remote http_enabled "0"
	config_get http_port remote http_port "80"
	config_get ssh_enabled remote ssh_enabled "0"
	config_get ssh_port remote ssh_port "22"

	# Resolve the display words first so the report lines stay plain
	master="DISABLED"
	[ "$enabled" = "1" ] && master="ENABLED"
	https_state="closed"
	[ "$https_enabled" = "1" ] && https_state="OPEN"
	http_state="closed"
	[ "$http_enabled" = "1" ] && http_state="OPEN"
	ssh_state="closed"
	[ "$ssh_enabled" = "1" ] && ssh_state="OPEN"

	printf '%s\n' "SecuBox WAN Access Status (DMZ Mode)"
	printf '%s\n' "====================================="
	printf '%s\n' "Master switch: $master"
	printf '\n'
	printf '%s\n' "Open Ports (all zones):"
	printf '%s\n' "  HTTPS (port $https_port): $https_state"
	printf '%s\n' "  HTTP  (port $http_port): $http_state"
	printf '%s\n' "  SSH   (port $ssh_port): $ssh_state"
}

# Enable WAN access
#######################################
# Turn the master switch on and (re)apply the firewall rules.
# Globals:   none
# Arguments: none
# Outputs:   whatever apply_rules prints
#######################################
enable() {
	uci set "secubox.remote.enabled=1"
	uci commit secubox
	# apply_rules reads the freshly committed value and reloads the firewall
	apply_rules
}

# Disable WAN access
#######################################
# Turn the master switch off and drop every SecuBox firewall rule.
# Globals:   none
# Arguments: none
# Outputs:   confirmation line on stdout
#######################################
disable() {
	uci set "secubox.remote.enabled=0"
	uci commit secubox
	remove_uci_rules
	# Background reload so the CLI returns right away
	/etc/init.d/firewall reload >/dev/null 2>&1 &
	printf '%s\n' "WAN access disabled"
}

# JSON output for API
json_status() {
	config_load secubox

	local enabled https_enabled https_port http_enabled http_port ssh_enabled ssh_port

	config_get enabled remote enabled "0"
	config_get https_enabled remote https_enabled "0"
	config_get https_port remote https_port "443"
	config_get http_enabled remote http_enabled "0"
	config_get http_port remote http_port "80"
	config_get ssh_enabled remote ssh_enabled "0"
	config_get ssh_port remote ssh_port "22"

	json_init
	json_add_boolean "enabled" "$enabled"
	json_add_object "services"
		json_add_object "https"
			json_add_boolean "enabled" "$https_enabled"
			json_add_int "port" "$https_port"
		json_close_object
		json_add_object "http"
			json_add_boolean "enabled" "$http_enabled"
			json_add_int "port" "$http_port"
		json_close_object
		json_add_object "ssh"
			json_add_boolean "enabled" "$ssh_enabled"
			json_add_int "port" "$ssh_port"
		json_close_object
	json_close_object
	json_dump
}

#######################################
# Command dispatch for the CLI actions.
# Arguments: $1 - action (see usage text)
# Returns:   exits 1 on an unknown action, otherwise the action's status
#######################################
main() {
	case "${1:-}" in
		apply)
			apply_rules
			;;
		apply-noreload)
			apply_rules "noreload"
			;;
		remove)
			remove_uci_rules
			# Background reload so the CLI returns right away
			/etc/init.d/firewall reload >/dev/null 2>&1 &
			printf '%s\n' "WAN access rules removed"
			;;
		enable)
			enable
			;;
		disable)
			disable
			;;
		status)
			status
			;;
		json)
			json_status
			;;
		*)
			printf 'Usage: %s {apply|apply-noreload|remove|enable|disable|status|json}\n' "$0"
			exit 1
			;;
	esac
}

main "$@"
