#!/bin/bash
# RedFlag Agent Installer - Linux
# Generated for agent: {{.AgentID}}
# Platform: {{.Platform}}
# Architecture: {{.Architecture}}
# Version: {{.Version}}

set -e

# Check if running as root (required for user creation and sudoers)
if [ "$EUID" -ne 0 ]; then
    echo "ERROR: This script must be run as root for secure installation (use sudo)"
    exit 1
fi

AGENT_USER="redflag-agent"
AGENT_HOME="/var/lib/redflag-agent"
SUDOERS_FILE="/etc/sudoers.d/redflag-agent"

# Function to detect package manager
detect_package_manager() {
    if command -v apt-get &> /dev/null; then
        echo "apt"
    elif command -v dnf &> /dev/null; then
        echo "dnf"
    elif command -v yum &> /dev/null; then
        echo "yum"
    elif command -v pacman &> /dev/null; then
        echo "pacman"
    elif command -v zypper &> /dev/null; then
        echo "zypper"
    else
        echo "unknown"
    fi
}

AGENT_ID="{{.AgentID}}"
BINARY_URL="{{.BinaryURL}}"
CONFIG_URL="{{.ConfigURL}}"
INSTALL_DIR="/usr/local/bin"
CONFIG_DIR="/etc/redflag"
OLD_CONFIG_DIR="/etc/aggregator"
SERVICE_NAME="redflag-agent"
VERSION="{{.Version}}"
LOG_DIR="/var/log/redflag"
BACKUP_DIR="${CONFIG_DIR}/backups/backup.$(date +%s)"
AGENT_USER="redflag-agent"
AGENT_HOME="/var/lib/redflag-agent"
SUDOERS_FILE="/etc/sudoers.d/redflag-agent"

echo "=== RedFlag Agent v${VERSION} Installation ==="
echo "Agent ID: ${AGENT_ID}"
echo "Platform: {{.Platform}}"
echo "Installing to: ${INSTALL_DIR}/${SERVICE_NAME}"
echo

# Step 1: Detect existing installation
echo "Detecting existing RedFlag installations..."
MIGRATION_NEEDED=false

if [ -f "${CONFIG_DIR}/config.json" ]; then
    echo "✓ Existing installation detected at ${CONFIG_DIR}"
    MIGRATION_NEEDED=true
elif [ -f "${OLD_CONFIG_DIR}/config.json" ]; then
    echo "⚠ Old installation detected at ${OLD_CONFIG_DIR} - MIGRATION REQUIRED"
    MIGRATION_NEEDED=true
else
    echo "✓ Fresh installation"
fi

# Step 2: Create backup if migration needed
if [ "${MIGRATION_NEEDED}" = true ]; then
    echo
    echo "=== Migration Required ==="
    echo "Agent will migrate on first start. Backing up configuration..."
    sudo mkdir -p "${BACKUP_DIR}"

    if [ -f "${OLD_CONFIG_DIR}/config.json" ]; then
        echo "Backing up old configuration..."
        sudo cp -r "${OLD_CONFIG_DIR}"/* "${BACKUP_DIR}/" 2>/dev/null || true
    fi

    if [ -f "${CONFIG_DIR}/config.json" ]; then
        echo "Backing up current configuration..."
        sudo cp "${CONFIG_DIR}/config.json" "${BACKUP_DIR}/config.json.backup" 2>/dev/null || true
    fi

    echo "Migration will run automatically when agent starts."
    echo "View migration logs with: sudo journalctl -u ${SERVICE_NAME} -f"
    echo
fi

# Step 3: Create system user and home directory
echo "Creating system user for agent..."
if id "$AGENT_USER" &>/dev/null; then
    echo "✓ User $AGENT_USER already exists"
else
    sudo useradd -r -s /bin/false -d "$AGENT_HOME" "$AGENT_USER"
    echo "✓ User $AGENT_USER created"
fi

# Create home directory
if [ ! -d "$AGENT_HOME" ]; then
    sudo mkdir -p "$AGENT_HOME"
    sudo chown "$AGENT_USER:$AGENT_USER" "$AGENT_HOME"
    sudo chmod 750 "$AGENT_HOME"
    echo "✓ Home directory created at $AGENT_HOME"
fi

# Step 4: Install sudoers configuration with OS-specific commands
PM=$(detect_package_manager)
echo "Detected package manager: $PM"
echo "Installing sudoers configuration..."

case "$PM" in
    apt)
        cat <<'EOF' | sudo tee "$SUDOERS_FILE" > /dev/null
# RedFlag Agent minimal sudo permissions - APT
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get update
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get install -y *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get upgrade -y
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get install --dry-run --yes *
EOF
        ;;
    dnf|yum)
        cat <<'EOF' | sudo tee "$SUDOERS_FILE" > /dev/null
# RedFlag Agent minimal sudo permissions - DNF/YUM
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/dnf makecache
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/dnf install -y *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/dnf upgrade -y
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/yum makecache
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/yum install -y *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/yum update -y
EOF
        ;;
    pacman)
        cat <<'EOF' | sudo tee "$SUDOERS_FILE" > /dev/null
# RedFlag Agent minimal sudo permissions - Pacman
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/pacman -Sy
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/pacman -S --noconfirm *
EOF
        ;;
    *)
        cat <<'EOF' | sudo tee "$SUDOERS_FILE" > /dev/null
# RedFlag Agent minimal sudo permissions - Generic (APT and DNF)
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get update
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/apt-get install -y *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/dnf makecache
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/dnf install -y *
EOF
        ;;
esac

# Add Docker commands
cat <<'DOCKER_EOF' | sudo tee -a "$SUDOERS_FILE" > /dev/null
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/docker pull *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/docker image inspect *
{{.AgentUser}} ALL=(root) NOPASSWD: /usr/bin/docker manifest inspect *
DOCKER_EOF

sudo chmod 440 "$SUDOERS_FILE"
if visudo -c -f "$SUDOERS_FILE" &>/dev/null; then
    echo "✓ Sudoers configuration installed and validated"
else
    echo "⚠ Sudoers configuration validation failed - using generic version"
fi

# Step 5: Stop existing service
if systemctl is-active --quiet ${SERVICE_NAME} 2>/dev/null; then
    echo "Stopping existing RedFlag agent service..."
    sudo systemctl stop ${SERVICE_NAME}
fi

# Step 4: Create directories
echo "Creating directories..."
sudo mkdir -p "${CONFIG_DIR}"
sudo mkdir -p "${CONFIG_DIR}/backups"
sudo mkdir -p "$AGENT_HOME"
sudo mkdir -p "/var/log/redflag"

# Step 5: Download agent binary
echo "Downloading agent binary..."
sudo curl -sSL -o "${INSTALL_DIR}/${SERVICE_NAME}" "${BINARY_URL}"
sudo chmod +x "${INSTALL_DIR}/${SERVICE_NAME}"

# Step 6: Handle configuration
# IMPORTANT: The agent handles its own migration on first start.
# We either preserve existing config OR create a minimal template.
if [ -f "${CONFIG_DIR}/config.json" ]; then
    echo "[CONFIG] Upgrade detected - preserving existing configuration"
    echo "[CONFIG] Agent will handle migration automatically on first start"
    echo "[CONFIG] Backup created at: ${BACKUP_DIR}"
else
    echo "[CONFIG] Fresh install - generating minimal configuration with registration token"
    # Create minimal config template - agent will populate missing fields on first start
    sudo tee "${CONFIG_DIR}/config.json" > /dev/null <<EOF
{
    "version": 5,
    "agent_version": "${VERSION}",
    "agent_id": "",
    "token": "",
    "refresh_token": "",
    "registration_token": "{{.RegistrationToken}}",
    "machine_id": "",
    "check_in_interval": 300,
    "server_url": "{{.ServerURL}}",
    "network": {
        "timeout": 30000000000,
        "retry_count": 3,
        "retry_delay": 5000000000,
        "max_idle_conn": 10
    },
    "proxy": {
        "enabled": false
    },
    "tls": {
        "enabled": false,
        "insecure_skip_verify": false
    },
    "logging": {
        "level": "info",
        "max_size": 100,
        "max_backups": 3,
        "max_age": 28
    },
    "subsystems": {
        "system": {"enabled": true, "timeout": 10000000000, "circuit_breaker": {"enabled": true, "failure_threshold": 3, "failure_window": 600000000000, "open_duration": 1800000000000, "half_open_attempts": 2}},
        "filesystem": {"enabled": true, "timeout": 10000000000, "circuit_breaker": {"enabled": true, "failure_threshold": 3, "failure_window": 600000000000, "open_duration": 1800000000000, "half_open_attempts": 2}},
        "network": {"enabled": true, "timeout": 30000000000, "circuit_breaker": {"enabled": true, "failure_threshold": 3, "failure_window": 600000000000, "open_duration": 1800000000000, "half_open_attempts": 2}},
        "processes": {"enabled": true, "timeout": 30000000000, "circuit_breaker": {"enabled": true, "failure_threshold": 3, "failure_window": 600000000000, "open_duration": 1800000000000, "half_open_attempts": 2}},
        "updates": {"enabled": true, "timeout": 30000000000, "circuit_breaker": {"enabled": false, "failure_threshold": 0, "failure_window": 0, "open_duration": 0, "half_open_attempts": 0}},
        "storage": {"enabled": true, "timeout": 10000000000, "circuit_breaker": {"enabled": true, "failure_threshold": 3, "failure_window": 600000000000, "open_duration": 1800000000000, "half_open_attempts": 2}}
    },
    "security": {
        "ed25519_verification": true,
        "nonce_validation": true,
        "machine_id_binding": true
    }
}
EOF
fi

# Step 7: Set permissions on config file
sudo chmod 600 "${CONFIG_DIR}/config.json"

# Step 8: Create systemd service with security hardening
echo "Creating systemd service with security configuration..."
cat <<EOF | sudo tee /etc/systemd/system/${SERVICE_NAME}.service
[Unit]
Description=RedFlag Security Agent
After=network.target
StartLimitBurst=5
StartLimitIntervalSec=60

[Service]
Type=simple
User={{.AgentUser}}
Group={{.AgentUser}}
WorkingDirectory={{.AgentHome}}
ExecStart=${INSTALL_DIR}/${SERVICE_NAME}
Restart=always
RestartSec=30
RestartPreventExitStatus=255

# Security hardening
# Note: NoNewPrivileges disabled to allow sudo for package management
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{.AgentHome}} {{.ConfigDir}} {{.LogDir}}
PrivateTmp=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=${SERVICE_NAME}

[Install]
WantedBy=multi-user.target
EOF

# Set proper permissions on directories
echo "Setting directory permissions..."
sudo chown -R {{.AgentUser}}:{{.AgentUser}} "{{.ConfigDir}}"
sudo chown {{.AgentUser}}:{{.AgentUser}} "{{.ConfigDir}}/config.json"
sudo chmod 600 "{{.ConfigDir}}/config.json"
sudo chown -R {{.AgentUser}}:{{.AgentUser}} "{{.AgentHome}}"
sudo chmod 750 "{{.AgentHome}}"
sudo chown -R {{.AgentUser}}:{{.AgentUser}} "{{.LogDir}}"
sudo chmod 750 "{{.LogDir}}"

# Step 9: Enable and start service
echo "Enabling and starting service..."
sudo systemctl daemon-reload
sudo systemctl enable ${SERVICE_NAME}
sudo systemctl start ${SERVICE_NAME}

echo
if systemctl is-active --quiet ${SERVICE_NAME}; then
    echo "✓ Installation complete!"
    echo ""
    echo "=== Security Information ==="
    echo "Agent is running with security hardening:"
    echo "  ✓ Dedicated system user: {{.AgentUser}}"
    echo "  ✓ Limited sudo access for package management only"
    echo "  ✓ Systemd service with security restrictions"
    echo "  ✓ Protected configuration directory"
    echo ""
    echo "Check status: sudo systemctl status ${SERVICE_NAME}"
    echo "View logs:    sudo journalctl -u ${SERVICE_NAME} -f"
else
    echo "⚠ Installation complete but service not started"
    echo "  This may be normal for fresh installs awaiting registration"
    echo ""
    echo "To start after registration:"
    echo "  sudo systemctl start ${SERVICE_NAME}"
fi