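#!/usr/bin/env bash
# setup.sh v1.0
# Run once after cloning on any VM where you want security scanning active.
#
# Steps, in order:
#   1. Prompt for Telegram credentials and write them to config.sh (owner-only).
#   2. Create a whitelist.conf template if none exists.
#   3. Install cron if missing, then register the two daily scans and a log-cleanup job.
#   4. Send a test Telegram message and run both scans once.
#
# Expects npm-security-check.sh and check-nextjs-rce.sh next to this file; this
# script and (presumably) both scan scripts source config.sh for
# TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly CONFIG_FILE="$SCRIPT_DIR/config.sh"
readonly WHITELIST_FILE="$SCRIPT_DIR/whitelist.conf"
readonly LOG_DIR="$SCRIPT_DIR/logs"

# Print a message to stderr and abort.
die() { printf 'setup.sh: %s\n' "$*" >&2; exit 1; }

#######################################
# Append a crontab line unless an entry containing the marker already exists.
# Arguments: $1 - fixed string that identifies the job in the current crontab
#            $2 - complete crontab line to add
# Returns:   0 when the line was added, 1 when it was already present;
#            aborts the script if crontab itself fails.
#######################################
cron_add_unless_present() {
  local marker=$1 entry=$2
  local existing
  existing=$(crontab -l 2>/dev/null || true)
  if grep -qF -- "$marker" <<<"$existing"; then
    return 1
  fi
  {
    [[ -n "$existing" ]] && printf '%s\n' "$existing"
    printf '%s\n' "$entry"
  } | crontab - || die "could not update crontab"
}

echo "=== Security Tools Setup ==="
echo ""

# ── Telegram credentials ───────────────────────────────────────────────────────
# NOTE(review): the original had the config.sh and whitelist.conf writes collapsed
# into a single cat redirection; they are split back into two guarded writes here.
# Confirm the config.sh variable names match what the scan scripts source.
if [[ -f "$CONFIG_FILE" ]]; then
  echo "config.sh already exists — skipping credential setup."
else
  echo "Enter your Telegram bot token:"
  read -r BOT_TOKEN
  echo "Enter your Telegram chat ID:"
  read -r CHAT_ID
  [[ -n "$BOT_TOKEN" && -n "$CHAT_ID" ]] || die "bot token and chat ID must not be empty"
  # config.sh is sourced by bash later, so the values are written with %q: a
  # token or ID containing quotes, $ or backticks is stored as a literal rather
  # than being evaluated on source. umask 077 keeps the token readable by the
  # owner only.
  (
    umask 077
    printf 'TELEGRAM_BOT_TOKEN=%q\nTELEGRAM_CHAT_ID=%q\n' "$BOT_TOKEN" "$CHAT_ID" > "$CONFIG_FILE"
  )
  echo "config.sh created (owner-readable only)."
fi

# ── Whitelist ──────────────────────────────────────────────────────────────────
if [[ -f "$WHITELIST_FILE" ]]; then
  echo "whitelist.conf already exists — leaving it untouched."
else
  cat > "$WHITELIST_FILE" <<'EOF'
# whitelist.conf — one entry per line, exact match against package names or file paths
# Example:
# ua-parser-js
# /tmp/my-known-safe-script.sh
EOF
  echo "whitelist.conf created — add known-safe items to suppress false positives."
fi

# The cron entries and the initial scan below append to this directory; create
# it up front so the redirections cannot fail on a fresh clone.
mkdir -p -- "$LOG_DIR"

# ── Ensure cron is available ──────────────────────────────────────────────────
if ! command -v crontab >/dev/null 2>&1; then
  echo "cron not found — installing..."
  (( EUID == 0 )) || die "installing cron requires root; re-run as root or install cron manually"
  apt-get install -y cron
  systemctl enable cron
  systemctl start cron
fi

# ── Cron jobs ──────────────────────────────────────────────────────────────────
# A bare % is a newline to cron, so the date format is escaped as \% (the
# backslash survives double quotes). $SCRIPT_DIR is deliberately left unquoted
# inside the entries: the marker strings passed to cron_add_unless_present must
# match entries registered by earlier runs of this script, so re-running does
# not create duplicates. Install paths with spaces are therefore not supported.
CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"
# -type f is placed after -name so the existing "logs -name '*.log'" marker still matches.
CRON_3="0 9 * * * find $SCRIPT_DIR/logs -name '*.log' -type f -mtime +60 -delete"

if cron_add_unless_present "npm-security-check.sh" "$CRON_1"; then
  echo "Cron job registered: npm-security-check.sh daily at 08:00."
else
  echo "Cron job for npm-security-check.sh already registered — skipping."
fi

if cron_add_unless_present "check-nextjs-rce.sh" "$CRON_2"; then
  echo "Cron job registered: check-nextjs-rce.sh daily at 08:05."
else
  echo "Cron job for check-nextjs-rce.sh already registered — skipping."
fi

if cron_add_unless_present "logs -name '*.log'" "$CRON_3"; then
  echo "Cron job registered: log cleanup daily at 09:00 (60 day retention)."
else
  echo "Log cleanup cron already registered — skipping."
fi

# ── Test Telegram ──────────────────────────────────────────────────────────────
# shellcheck source=/dev/null
source "$CONFIG_FILE"
: "${TELEGRAM_BOT_TOKEN:?must be set in config.sh}"
: "${TELEGRAM_CHAT_ID:?must be set in config.sh}"
HOSTNAME=$(hostname)
echo ""
echo "Sending test Telegram message..."
# The token sits in the URL path by Telegram API design; the form fields go
# through --data-urlencode so a chat ID or text containing & or = cannot alter
# the request. "|| true" keeps a connection failure from aborting the script
# under set -e so the warning below is actually reachable.
RESPONSE=$(curl -s --max-time 20 -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
  --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
  --data-urlencode "text=✅ Security Tools Active Host: ${HOSTNAME} Scripts registered and running daily at 08:00." \
  --data-urlencode "parse_mode=HTML" || true)
if grep -q '"ok":true' <<<"$RESPONSE"; then
  echo "Test message sent to Telegram."
else
  echo "Warning: Telegram message failed. Check your token and chat ID in config.sh."
fi

echo ""
echo "Setup complete. Security scans will run daily at 08:00 on ${HOSTNAME}."

# ── Initial scan ───────────────────────────────────────────────────────────────
# A non-zero exit from either scan script is reported as "issues found", the
# same convention the cron jobs rely on; details go to the dated log file.
echo ""
echo "Running initial security scan..."
if bash "$SCRIPT_DIR/npm-security-check.sh" >> "$LOG_DIR/npm-security-check-$(date +%Y%m%d).log" 2>&1; then
  echo "npm-security-check: done."
else
  echo "npm-security-check: issues found — check Telegram."
fi
if bash "$SCRIPT_DIR/check-nextjs-rce.sh" >> "$LOG_DIR/check-nextjs-rce-$(date +%Y%m%d).log" 2>&1; then
  echo "check-nextjs-rce: done."
else
  echo "check-nextjs-rce: issues found — check Telegram."
fi
echo ""
echo "Initial scan complete. Check Telegram for any alerts."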