#!/bin/sh
#
#    Copyright (c) 2016-2017 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   firmwareIntegrity
#    Module name: fabos/src/utils/firmware
#
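# Fixed search path, so that the unqualified commands used below (ls, sed,
# grep, cut, sin) are looked up only in these four directories and not in
# whatever PATH the caller happened to export.
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Flag file holding "1" (check on boot enabled) or "0" (disabled), and a
# second copy of it under /mnt.
STATUS_FILE=/etc/fabos/pwron_RestrictedMode
MNT_STATUS_FILE=/mnt/etc/fabos/pwron_RestrictedMode

# Option flags filled in by the argument parser. All four are initialised
# here: SHOW and BOOT used to be left unset, so a value inherited from the
# caller's environment (e.g. BOOT=Yes) could select an action that was never
# requested on the command line.
ENABLE="No"
DISABLE="No"
SHOW="No"
BOOT="No"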

# With no arguments, hand over to the firmwareCheck binary and stop here.
# NOTE(review): this path always exits 0, so the exit status of
# /fabos/bin/firmwareCheck is not passed on to the caller - confirm that no
# caller relies on it to detect a failed check.
case $# in
0)
	/fabos/bin/firmwareCheck
	exit 0
	;;
esac

# Print the two-line usage summary on stdout.
print_help()
{
	printf '%s\n' \
		"usage: firmwarecheck --<enable/disable> -boot" \
		"                     --show"
}


# Walk the command line and record each recognised option as a "Yes" flag.
# Parsing stops at "--", at the first word that is not an option, or when the
# arguments run out; an unrecognised option prints the usage text and exits 1.
# NOTE(review): -e and -d are not mutually exclusive here, so giving both
# runs the enable path and then the disable path - confirm this is intended.
while true
do
	case $1 in
	--)
		shift
		break
		;;
	-e | --enable)
		ENABLE="Yes"
		;;
	-d | --disable)
		DISABLE="Yes"
		;;
	--show)
		SHOW="Yes"
		;;
	-boot)
		BOOT="Yes"
		;;
	-?*)
		# Any other word starting with "-" is rejected.
		print_help
		exit 1
		;;
	*)
		# Empty or non-option word: nothing more to parse.
		break
		;;
	esac

	shift
done

# Derive ACTIVECP from the first line of hashow output: 1 for
# "Local ... Active" and for "Not supported", 0 for "Local ... Standby" and
# for anything else (including no output at all).
# NOTE(review): the result is advisory only - the message below is printed
# but the script carries on, and ACTIVECP is not read again in this file.
# The "fedRestrictedMode" prefix also differs from the "firmwarecheck"
# prefix of the other messages; confirm whether an exit was intended here.
hashow_cmd=$(ls /fabos/cliexec/hashow)
ha_state=$($hashow_cmd | ( read first_line; echo $first_line ))
case "$ha_state" in
*Local*Active*) ACTIVECP=1 ;;
*Local*Standby*) ACTIVECP=0 ;;
*"Not supported"*) ACTIVECP=1 ;;
*) ACTIVECP=0 ;;
esac

[ $ACTIVECP -ne 0 ] || echo "fedRestrictedMode: Only be executed from Active CP"

# stdin filter: for every line of the form "Control<text>No: <digits>" print
# just the digits; every other line is dropped.
cpid() {
	sed -n 's/^Control..*No: \([[:digit:]][[:digit:]]*\)$/\1/p'
}

# stdin filter: for every line that contains "SWBD<digits>" with at least one
# character before and after it, print just that token; other lines are
# dropped.
swbd() {
	sed -n 's/^..*\(SWBD[[:digit:]][[:digit:]]*\)..*$/\1/p'
}

# SWBD<n> token and control-processor number, both extracted from the output
# of `sin`. Only the filter's stderr is discarded; anything `sin` itself
# writes to stderr still reaches the caller.
SWBD=$(sin | swbd 2>/dev/null)
CPID=$(sin | cpid 2>/dev/null)

# Print, without a trailing newline, the address used to reach the other CP.
# The first three octets and the base of the last octet depend on the SWBD
# number; the last octet is that base minus (CPID modulo 2).
otherhost(){
	# $1 = first three octets, $2 = base for the last octet. Positional
	# parameters are used so that no extra global variable is created.
	case ${SWBD##SWBD} in
	62) set -- 127.1.1 8 ;;
	77) set -- 127.1.1 6 ;;
	165 | 166) set -- 127.3.1 2 ;;
	*) set -- 10.0.0 6 ;;
	esac
	printf '%s.%s' "$1" "$(($2 - CPID % 2))"
}

# Run the given command line on the other CP through rsh, prefixed with the
# ROLE_ID/LOGIN_ID/CURRENT_AD assignments; stdin is detached with -n.
# The arguments are re-parsed by the shell on the other side, so a
# redirection meant to happen there has to be passed inside a quoted
# argument; an unquoted one is carried out by the local shell.
# NOTE(review): rsh offers neither encryption nor cryptographic peer
# authentication and the command runs with root identity variables. The
# addresses printed by otherhost look like internal inter-CP addresses -
# confirm that this link cannot be reached from outside the chassis.
correcthost() {
    set -- ROLE_ID=root LOGIN_ID=root CURRENT_AD=0 "$@"
    /usr/bin/rsh -n $(otherhost) "$@"
}

# Report whether FIPS mode is on.
# Globals:  FIPSFLAG (written), FIPSMODE (written when fipscfg is executable)
# Returns:  0 when `fipscfg --show` reports "Enabled", 1 otherwise.
# NOTE(review): a missing or non-executable fipscfg, or output in a format
# the pipeline does not recognise, is reported as "FIPS mode off" - confirm
# that this default suits every caller.
fipsmode(){
	FIPSFLAG=1
	[ -x /fabos/link_abin/fipscfg ] || return $FIPSFLAG

	# Take the word that follows ": " on the "FIPS mode is" line. Only the
	# stderr of the last cut is discarded.
	FIPSMODE=$(/fabos/link_abin/fipscfg --show | grep "FIPS mode is" | cut -d ':' -f2 | cut -d ' ' -f2 2>/dev/null)
	case "$FIPSMODE" in
	Enabled) FIPSFLAG=0 ;;
	*) FIPSFLAG=1 ;;
	esac

	return $FIPSFLAG
}

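# --enable -boot: switch on the firmware integrity check that runs at every
# boot by writing "1" to the status file, to its copy under /mnt and, on the
# SWBD 62/77/165/166 platforms, to the same two paths on the other CP.
if [ "$ENABLE" = "Yes" ]; then

	# fipsmode returns 0 when FIPS mode is reported as enabled; nothing is
	# written in that case and the command exits successfully.
	if fipsmode ; then
		echo "firmwarecheck: FIPS mode is enabled."
		exit 0
	fi

	if [ "$BOOT" = "Yes" ]; then

		# NOTE(review): -x tests the execute bit, while the message below
		# and the --show path (-f) are about the file being present and
		# readable; confirm which test is intended before changing it.
		if [ -x "$STATUS_FILE" ]; then
			status=$(/bin/cat "$STATUS_FILE")
			if [ "$status" = "1" ]; then
				echo "firmwarecheck: Restricted mode is already enabled."
				exit 0
			fi
		else
			echo "firmwarecheck: Status file unreadable or permission denied."
			exit 1
		fi

		case ${SWBD##SWBD} in
		'62' | '77' | '165' | '166')
			# The redirection is part of the quoted remote command so that
			# the shell on the other CP carries it out. Left unquoted, the
			# local shell performs it: the remote echo's output lands in
			# the local file and the other CP's flag is never written.
			# Best effort: failing to reach the other CP is not fatal.
			# NOTE(review): rsh may not report the remote command's exit
			# status, so the remote write is not verified here.
			correcthost "/bin/echo 1 > $STATUS_FILE" >/dev/null 2>&1
			correcthost "/bin/echo 1 > $MNT_STATUS_FILE" >/dev/null 2>&1
		;;
		esac

		# Do not report success unless the local flag was actually written.
		if ! echo 1 > "$STATUS_FILE" 2>/dev/null; then
			echo "firmwarecheck: Failed to update status file."
			exit 1
		fi
		# The copy under /mnt stays best effort.
		echo 1 > "$MNT_STATUS_FILE" 2>/dev/null
		echo "firmwarecheck on boot enabled. Firmware integrity check will be done on every reboot"

	else
		# --enable is only accepted together with -boot.
		print_help
		exit 1
	fi

fi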

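# --disable -boot: switch off the firmware integrity check that runs at boot
# by writing "0" to the status file, to its copy under /mnt and, on the
# SWBD 62/77/165/166 platforms, to the same two paths on the other CP.
# NOTE(review): this weakens a boot-time integrity control and, unlike the
# enable path, is not gated on fipsmode - confirm that is intended and that
# the change is logged or audited elsewhere.
if [ "$DISABLE" = "Yes" ]; then

	if [ "$BOOT" = "Yes" ]; then

		# NOTE(review): -x tests the execute bit, while the message below
		# and the --show path (-f) are about the file being present and
		# readable; confirm which test is intended before changing it.
		if [ -x "$STATUS_FILE" ]; then
			status=$(/bin/cat "$STATUS_FILE" 2>/dev/null)
			if [ "$status" = "0" ]; then
				echo "firmwarecheck: Restricted mode is already disable."
				exit 0
			fi
		else
			echo "firmwarecheck: Status file unreadable or permission denied."
			exit 1
		fi

		case ${SWBD##SWBD} in
		'62' | '77' | '165' | '166')
			# The redirection is part of the quoted remote command so that
			# the shell on the other CP carries it out. Left unquoted, the
			# local shell performs it: the remote echo's output lands in
			# the local file and the other CP's flag is never written, which
			# leaves the two CPs in different states.
			# Best effort: failing to reach the other CP is not fatal.
			# NOTE(review): rsh may not report the remote command's exit
			# status, so the remote write is not verified here.
			correcthost "/bin/echo 0 > $STATUS_FILE" >/dev/null 2>&1
			correcthost "/bin/echo 0 > $MNT_STATUS_FILE" >/dev/null 2>&1
		;;
		esac

		# Do not report success unless the local flag was actually written.
		if ! echo 0 > "$STATUS_FILE" 2>/dev/null; then
			echo "firmwarecheck: Failed to update status file."
			exit 1
		fi
		# The copy under /mnt stays best effort.
		echo 0 > "$MNT_STATUS_FILE" 2>/dev/null
		echo "firmwarecheck on boot disabled."

	else
		# --disable is only accepted together with -boot.
		print_help
		exit 1
	fi

fi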

# --show: report the state stored in the status file. Only a content of
# exactly "1" counts as enabled; anything else, including an empty or
# unreadable file, is reported as disabled. A missing status file is
# reported as unreadable, and the script still exits 0.
case "$SHOW" in
Yes)
	if [ ! -f "$STATUS_FILE" ]; then
		echo "firmwarecheck: Status file unreadable."
	else
		mode_flag=$(/bin/cat $STATUS_FILE 2>/dev/null)
		case "$mode_flag" in
		1) echo "firmwarecheck restricted mode is enabled." ;;
		*) echo "firmwarecheck restricted mode is disabled." ;;
		esac
	fi
	;;
esac

exit 0
