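#!/usr/bin/env bash
#
# onx-modsec-disable — ModSecurity engine Off|DetectionOnly. DRIVER-AWARE (v3.41).
#
#   Apache → /etc/httpd/modsecurity.d/onox-engine.conf (current behaviour)
#   v3 (nginx/ols/caddy) → neutral layer 00-engine.conf
#
# Re-enable (onx-modsec-enable) rewrites every setting from the DB payload, so
# disable only writes a minimal engine file (paranoia/body limits are meaningless
# while the engine is Off anyway).
#
# Input (optional, JSON object on stdin): { mode: "off"|"detection_only" }
#   Anything other than "detection_only" (missing, null, typo) selects "off".
# Output (JSON on stdout): { ok, enabled:false, driver, mode, engine, reloaded }
#   NOTE: `mode` in the output carries the SecRuleEngine value ("Off" /
#   "DetectionOnly"), not the input spelling — kept as-is for caller compatibility.
#
# Exit codes: 2 — no active web server driver could be detected;
#             4 — reload failed, previous engine file restored;
#             other non-zero — a command failed under `set -e` (stderr has why).

set -euo pipefail

SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
# shellcheck source=_lib/common.sh
source "${SCRIPT_DIR}/_lib/common.sh"

require_root

# Staging file for the new engine config. Script-global (not `local`) so the
# EXIT trap can still see it after main() has returned.
tmp=""

#######################################
# Remove the staging file if it is still around (any abort before the rename).
# Globals:   tmp (read)
#######################################
cleanup() {
  if [[ -n "$tmp" ]]; then
    rm -f -- "$tmp"
  fi
}
trap cleanup EXIT

#######################################
# Read the optional JSON request from stdin.
# Outputs:   the request object on stdout; '{}' when stdin is empty, unreadable
#            or not a JSON object.
#######################################
read_request() {
  local raw
  raw="$(cat 2>/dev/null || printf '{}')"
  if printf '%s' "$raw" | jq -e 'type == "object"' >/dev/null 2>&1; then
    printf '%s' "$raw"
  else
    printf '{}'
  fi
}

#######################################
# Put the engine file back the way it was and re-run the reload so the running
# server matches the restored file. Best effort: this is already the failure path.
# Arguments: $1 - engine file path
#            $2 - backup path, or "" when no file existed before
#            $3 - driver name
#######################################
rollback() {
  local engine_file=$1 backup=$2 driver=$3
  if [[ -n "$backup" ]]; then
    mv -f -- "$backup" "$engine_file" 2>/dev/null || true
  else
    rm -f -- "$engine_file" 2>/dev/null || true
  fi
  onx_ws_modsec_reload "$driver" >/dev/null 2>&1 || true
}

main() {
  local input mode engine driver engine_file audit_log_line backup reloaded

  input="$(read_request)"
  mode="$(jq -r '.mode // "off"' <<<"$input")"

  # Only the documented "detection_only" value keeps the engine observing;
  # every other value falls back to a fully disabled engine.
  engine="Off"
  if [[ "$mode" == "detection_only" ]]; then
    engine="DetectionOnly"
  fi

  driver="$(onx_ws_active_driver)"
  audit_log_line=""
  case "$driver" in
    apache)
      engine_file="/etc/httpd/modsecurity.d/onox-engine.conf"
      audit_log_line="SecAuditLog /var/log/httpd/modsec_audit.log"
      ;;
    unknown)
      onx_die 2 "Aktif web sunucusu tespit edilemedi (apache/ols/nginx/caddy hiçbiri active değil)"
      ;;
    *)
      # `set -u` already rejects an unset dir; `:?` also rejects an empty one,
      # which would otherwise resolve the neutral layer to "/<subdir>/…".
      : "${ONX_MODSEC_NEUTRAL_DIR:?ONX_MODSEC_NEUTRAL_DIR must be set}"
      : "${ONX_MODSEC_NEUTRAL_SUBDIR:?ONX_MODSEC_NEUTRAL_SUBDIR must be set}"
      engine_file="${ONX_MODSEC_NEUTRAL_DIR}/${ONX_MODSEC_NEUTRAL_SUBDIR}/00-engine.conf"
      # Fail here, with mkdir's own message, rather than at the later rename.
      mkdir -p -- "$(dirname -- "$engine_file")"
      ;;
  esac

  # Keep the previous file so a failed reload can be rolled back verbatim.
  backup=""
  if [[ -f "$engine_file" ]]; then
    backup="${engine_file}.onx-bak.$$"
    cp -p -- "$engine_file" "$backup"
  fi

  # Stage next to the target instead of in $TMPDIR: the final rename then stays
  # on one filesystem (atomic replace), and the new file inherits the config
  # directory's default labelling instead of carrying a /tmp label into /etc.
  tmp="$(mktemp -- "${engine_file}.XXXXXX")"
  {
    printf '%s\n' "# Onoxsoft Panel managed — engine disabled by admin (UI: Settings > Engine)"
    printf '%s\n' "# Driver: ${driver} | generated $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf '%s\n' "SecRuleEngine ${engine}"
    printf '%s\n' "SecAuditEngine RelevantOnly"
    printf '%s\n' "SecAuditLogParts ABIJDEFHZ"
    if [[ -n "$audit_log_line" ]]; then
      printf '%s\n' "$audit_log_line"
    fi
  } > "$tmp"
  # mktemp creates 0600; the web server must be able to read the config.
  chmod 0644 -- "$tmp"
  mv -f -- "$tmp" "$engine_file"
  tmp=""   # renamed away; nothing left for cleanup() to remove

  # The helper reports "true"/"false" on stdout. If it exits non-zero instead,
  # `set -e` would abort right here and skip the rollback below, leaving the new
  # engine file in place against a server that never reloaded it — so a
  # non-zero exit is treated as "not reloaded".
  reloaded="$(onx_ws_modsec_reload "$driver")" || reloaded="false"
  if [[ "$reloaded" != "true" ]]; then
    rollback "$engine_file" "$backup" "$driver"
    onx_log "modsec-disable: driver=${driver} reload FAILED — rolled back"
    jq -nc --arg driver "$driver" '{ok:false,error:"reload failed — rolled back",driver:$driver}' >&2
    exit 4
  fi
  if [[ -n "$backup" ]]; then
    rm -f -- "$backup" 2>/dev/null || true
  fi

  # Audit trail of the WAF being turned off. The change is already applied, so a
  # missing/failing `logger` must not turn a successful run into a failed one.
  logger -t "onox-modsec" "Disabled driver=${driver} engine=${engine} reloaded=${reloaded}" || true

  jq -nc \
    --arg driver "$driver" \
    --arg engine "$engine" \
    '{ok:true, enabled:false, driver:$driver, mode:$engine, engine:$engine, reloaded:true}'
}

main "$@"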
