#!/bin/sh

#
# Copyright (C) 2023 Nethesis S.r.l.
# SPDX-License-Identifier: GPL-2.0-only
#

#
# Threat shield: add Nethesis categories to banip
#

. /lib/functions.sh

keep=''

handle_blocklist() {
    # preserve only non-enteprise lists
    if ! echo $1 | grep -q -E '^yoroi|^nethesis' ; then
        keep="$keep $1"
    fi
}


function exit_error {
    >&2 echo "[ERROR] $@"
    exit 1
}

SYSTEM_SECRET=$(uci -q get ns-plug.config.secret)
SYSTEM_ID=$(uci -q get ns-plug.config.system_id)
TYPE=$(uci -q get ns-plug.config.type)

if [ ! -z "$SYSTEM_SECRET" ] && [ ! -z "$SYSTEM_ID" ]; then
    jq -s '.[0] * .[1]' /etc/banip/banip.nethesis.feeds /etc/banip/banip.feeds \
	    | sed -e "s/__USER__/$SYSTEM_ID/" -e "s/__PASSWORD__/$SYSTEM_SECRET/" -e "s/__TYPE__/$TYPE/" > /etc/banip/banip.custom.feeds
    if ! uci -q get banip.global.ban_allowurl | grep -q bl.nethesis.it; then
        uci add_list banip.global.ban_allowurl="https://$SYSTEM_ID:$SYSTEM_SECRET@bl.nethesis.it/plain/$TYPE/nethesis-blacklists/whitelist.global"
        uci commit banip
    fi
else
    allow=$(uci -q get banip.global.ban_allowurl | tr " " "\n" | grep bl.nethesis.it)
    if [ "$allow" != "" ]; then
        # cleanup allowlist
        uci del_list banip.global.ban_allowurl="$allow"
        # remove premium blocklist
        config_load banip
        config_list_foreach global ban_feed handle_blocklist
        uci -q delete banip.global.ban_feed
        for k in $keep; do
            uci add_list banip.global.ban_feed=$k
        done
        uci commit banip
    fi
    > /etc/banip/banip.custom.feeds
fi
