#!/bin/bash

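#######################################
# Append one audit line for a policy action to /var/log/astra-safepolicy.log.
# Globals:   SUDO_USER (read; logged as uid=), USER (read)
# Arguments: $1 - action; only enable, disable or set0..set2 are recorded
#                 verbatim, any other value is logged as type=error so that
#                 free-form argv never reaches the log
#            $2 - empty (res=success), "failed" (res=failed), or an explicit
#                 value to log as uid= instead of $SUDO_USER (res=success)
# Outputs:   nothing on stdout; one line appended to the log file
# Returns:   0; exits the whole script with 1 when USER is set and is not
#            root (the caller is expected to have checked UID already)
#######################################
function write_action_to_log()
{
	local scriptname uid result type version stamp
	scriptname=$(basename -- "$0")
	uid=$SUDO_USER
	if [[ -n "$USER" && "$USER" != "root" ]]; then
		exit 1
	fi
	case "$2" in
		"")     result="success" ;;
		failed) result="failed" ;;
		*)      uid=$2
		        result="success" ;;
	esac
	# Whitelist the action name; anything unexpected is recorded as "error".
	if [[ "$1" == "disable" || "$1" == "enable" || "$1" =~ ^set[0-2]$ ]]; then
		type=$1
	else
		type="error"
	fi
	# Empty when dpkg does not know the package (pipeline status is not checked,
	# as in the original).
	version=$(dpkg -s astra-safepolicy | grep -m 1 "Version:" | cut -d' ' -f2)
	stamp=$(date +%Y.%m.%d-%T)
	# printf with a fixed format: logged values are never interpreted.
	printf '%s uid=%s name=astra-safepolicy version=%s script=%s type=%s res=%s\n' \
		"$stamp" "$uid" "$version" "$scriptname" "$type" "$result" \
		>> /var/log/astra-safepolicy.log
}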
TEXTDOMAINDIR=/usr/share/locale
TEXTDOMAIN=astra-safepolicy

# Requested action; when empty it is derived below from the unit's state.
mode=$1

# Non-root callers only get an implicit "status" check: verify that every
# limit this policy installs is in force for the current session.
# Exit 0 when all match, 1 on the first mismatch.
if [[ "$UID" != "0" ]]; then
    # Hf/Sf carry the non-32bit fsize values.
    for spec in Hf:50000000 Sf:25000000 Hn:4096 Sn:2048 Hu:2000 Su:1000 Hc:0; do
        [[ "$(ulimit "-${spec%%:*}")" == "${spec#*:}" ]] || exit 1
    done
    exit 0
fi
# "enabled" / "disabled" from systemctl; empty when it prints nothing
# (its stderr is discarded).
status=$(systemctl is-enabled astra-ulimits-control 2>/dev/null)

# Without an argument, mirror the unit's current state.
if [[ -z "$mode" ]]; then
    case "$status" in
        enabled)  mode=enable ;;
        disabled) mode=disable ;;
    esac
fi

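#######################################
# Save or restore the PARSEC label of a file around an in-place rewrite
# (used around the sed -i calls on limits.conf in this script).
# No-op when /parsecfs/ctl is absent.
# Globals:   pdpl_label, pdpl_file (set on save, consumed and unset on restore)
# Arguments: $1 - path whose label to remember; omit to restore the label
#                 saved by the previous call
# Returns:   0 (pdpl-file errors are deliberately ignored)
#######################################
function keep_pdpl()
{
	[[ -e /parsecfs/ctl ]] || return 0
	if [[ -n "$1" ]]; then
		# Save: remember label and path for the matching restore call.
		pdpl_label=$(pdpl-file "$1" 2> /dev/null)
		pdpl_file=$1
	else
		# Restore. $pdpl_label stays unquoted as in the original: the exact
		# token format pdpl-file prints is not visible here — TODO confirm
		# it is a single word and quote it.
		# shellcheck disable=SC2086
		pdpl-file $pdpl_label "$pdpl_file" 2> /dev/null
		unset pdpl_label pdpl_file
	fi
}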

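readonly limits_conf=/etc/security/limits.conf

#######################################
# Delete every fsize/nofile/nproc/core entry this policy manages from
# limits.conf, active ("* hard ...") or commented out ("#* hard ...") alike:
# the patterns match anywhere in the line, as in the original sed calls.
# Globals:   limits_conf (read)
# Returns:   sed's status
#######################################
function drop_managed_limits()
{
	# A single sed -i run rewrites the file once instead of seven times.
	sed -i \
		-e "/.*hard fsize/d" -e "/.*soft fsize/d" \
		-e "/.*hard nofile/d" -e "/.*soft nofile/d" \
		-e "/.*hard nproc/d" -e "/.*soft nproc/d" \
		-e "/.*hard core/d" \
		"$limits_conf"
}

#######################################
# Append the managed limits to limits.conf.
# Globals:   limits_conf (read)
# Arguments: $1 - line prefix: "" writes active entries, "#" writes them
#                 commented out (the disable state, presumably so the values
#                 stay visible in the file)
#######################################
function append_managed_limits()
{
	local prefix=$1
	# fsize entries are the non-32bit values.
	printf '%s\n' \
		"${prefix}* hard fsize 50000000" \
		"${prefix}* soft fsize 25000000" \
		"${prefix}* hard nofile 4096" \
		"${prefix}* soft nofile 2048" \
		"${prefix}* hard nproc 2000" \
		"${prefix}* soft nproc 1000" \
		"${prefix}* hard core 0" >> "$limits_conf"
}

case "$mode" in
	enable)
		# Install the oneshot unit once; it is never rewritten afterwards.
		if [[ ! -f /etc/systemd/system/astra-ulimits-control.service ]]; then
			cat <<EOF> /etc/systemd/system/astra-ulimits-control.service
[Unit]
Description=control/Uncontrol ulimits for user
After=rc-local.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/astra-ulimits-control

[Install]
WantedBy=astra-safepolicy.target
EOF
		fi
		# systemctl output is discarded (best-effort, as in the original).
		if [[ "$status" == "disabled" || -z "$status" ]]; then
			systemctl enable astra-ulimits-control.service > /dev/null 2>&1
		fi
		# Keep the file's PARSEC label across the in-place rewrite.
		keep_pdpl "$limits_conf"
		drop_managed_limits
		append_managed_limits ""
		keep_pdpl
		write_action_to_log "enable"
		;;
	disable)
		if [[ "$status" == "enabled" ]]; then
			systemctl disable astra-ulimits-control.service > /dev/null 2>&1
		fi
		# Same save/restore as the enable path: the original rewrote
		# limits.conf here without keep_pdpl, so the label preserved on
		# enable was not preserved on disable.
		keep_pdpl "$limits_conf"
		drop_managed_limits
		append_managed_limits "#"
		keep_pdpl
		write_action_to_log "disable"
		;;
	status)
		if [[ "$status" == "enabled" ]]; then
			echo $"ACTIVE"
			exit 0
		fi
		echo $"INACTIVE"
		exit 1
		;;
	is-enabled)
		if [[ "$status" == "enabled" ]]; then
			echo $"ENABLED"
			exit 0
		fi
		echo $"DISABLED"
		exit 1
		;;
	*)
		echo $"Usage: $0 <enable/disable/status/is-enabled>"
		# The rejected value is passed through; write_action_to_log records
		# it as type=error rather than verbatim.
		write_action_to_log "$mode" "failed"
		exit 1
		;;
esac
exit 0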
