#!/usr/bin/env bash
# onx-clamav-quarantine-file — quarantine or delete a single detected file.
# input: {path, mode}  mode=quarantine|delete
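# Load the shared onx_* helpers. Fail closed if the library is missing:
# without it, every "|| onx_die ..." guard below would become a no-op
# ("command not found") and the script would keep running as root.
source "$(dirname "$0")/_lib/common.sh" || {
    printf '%s\n' "cannot load _lib/common.sh" >&2
    exit 1
}
require_root
require_cmd realpath
onx_json_input
FILE="$(onx_json_field path '')"
MODE="$(onx_json_field mode 'quarantine')"
QDIR="/var/lib/onoxsoft/quarantine"

# Returns 0 when $1 lies under one of the directories this tool may touch.
onx_path_allowed() {
    case "$1" in
        /home/*|/var/www/*|/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# NOTE(review): onx_die is assumed to report the message and exit with the
# given code — confirm in _lib/common.sh.
[[ -n "$FILE" ]] || onx_die 1 "path required"

# An empty mode keeps the historical default; anything else must be one of the
# two documented values, so a typo cannot silently select the other action.
MODE="${MODE:-quarantine}"
case "$MODE" in
    quarantine|delete) : ;;
    *) onx_die 1 "invalid mode" ;;
esac

# Cheap pre-filter on the raw input. It is not authoritative: a string such as
# "/home/../x" still matches the pattern, which is why the check is repeated on
# the canonical path below.
onx_path_allowed "$FILE" || onx_die 1 "path not allowed"

# Canonicalise (resolves symlinks and "..") and require that the target exists.
FILE="$(realpath -e "$FILE" 2>/dev/null)" || onx_die 2 "file not found"
onx_path_allowed "$FILE" || onx_die 1 "path not allowed (resolved)"

# Only act on a regular file: directories, devices, FIFOs and sockets are not
# scan detections and must not be moved or chmod-ed wholesale by root.
[[ -f "$FILE" && ! -L "$FILE" ]] || onx_die 1 "not a regular file"

# SECURITY NOTE: the allowed roots are writable by unprivileged users, so the
# path can change between the checks above and the rm/mv below (TOCTOU). The
# checks narrow that window but cannot close it from shell; callers should
# treat this helper as best-effort on user-controlled trees.
if [[ "$MODE" == "delete" ]]; then
    rm -f -- "$FILE" || onx_die 3 "delete failed"
    onx_json_out ok true mode delete
else
    install -d -m 700 -- "$QDIR" || onx_die 3 "quarantine dir unavailable"
    # Nanosecond timestamp prefix keeps names unique for files that share a
    # basename. FILE is canonical and absolute, so ##*/ yields its basename.
    DEST="$QDIR/$(date +%s%N)_${FILE##*/}.quar"
    mv -- "$FILE" "$DEST" || onx_die 3 "quarantine move failed"
    # chmod follows symlinks. Re-check the moved object inside the root-only
    # quarantine directory so a link swapped in before the move is never
    # dereferenced by the chmod below.
    [[ -f "$DEST" && ! -L "$DEST" ]] || onx_die 3 "quarantined object is not a regular file"
    # 600 also strips any execute/setuid/setgid bits from the quarantined copy.
    chmod 600 -- "$DEST" || onx_die 3 "quarantine chmod failed"
    onx_json_out ok true quarantine_path "$DEST"
fi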
