#!/usr/bin/php 
<?php
/**
 * AdminCentral Client
 * 
 * Integrates AdminCentral with Fail2ban
 * 
 * Version 1.3.1 (15/11/2024)
 * 
 * Changes:
 * * fixed fail2ban jail detection
 * 
 * Version 1.3.0 (15/11/2024)
 * 
 * Changes:
 * + support for fail2ban method using admincentral jail
 * + Fall-back to blackhole, if fail2ban is not enabled and running our jail
 * 
 * Version 1.2.5 (25/07/2024)
 * 
 * Changes:
 * + --ip parameter to specify the ip to use
 * + --update parameter to Self-update 
 * * fixed {} parameters in url
 * 
 */

define ('VERSION', '1.3.1');

define('FIREWALL_BIN', '/usr/sbin/ip');

define('FAIL2BAN_BIN', '/usr/bin/fail2ban-client');
define('FAIL2BAN_JAIL', 'admincentral');

$debug = false;
$verbose = false;
$ip = null;

for ($i = 1; $i < $argc; $i++) {
    switch ($argv[$i]) {
        case '--debug':
        case '-d':
            $debug = true;
            break;
        case '--version':
        case '-v':
            echo $argv[0] . " Version " . VERSION . "\n";
            exit(0);
            break;
        case '--ip':
        case '-i':
            $i++;
            $ip = $argv[$i];
            break;
        case '-h':
        case '--help':
            echo "Syntax: admincentral [--ip|-i address] [--debug|-d] [--version|-v] [--help|-h]\n";
            break;
        case '-u':
        case '--update':
            $repo = 'https://repo.innovateone.io/tarball/admincentral-latest';
            $local = $argv[0];
            $contents = mini_http_client($repo, [], false);
            $contents = file_get_contents($repo);
            if (strlen($contents) > 1000) {
                $ok = file_put_contents($local, $contents);
                $ok = false;
                if ($ok == false) {
                    echo "Error: Failed to save latest version to $local\n";
                    exit(1);
                }
            }
            else {
                echo "Error: Failed to download latest version from $repo\n";
                exit(1);
            }
            exit;
            break;
        default:
            echo "Error: invalid argument " . $argv[$i] . ". Run admincentral --help for more information.\n";
            exit(1);        
    }
}

if (fail2ban_active(FAIL2BAN_JAIL)) {
    define('FAIL2BAN_ENABLED', true);
}
else {
    define('FAIL2BAN_ENABLED', false);
}
if ($debug) {
    echo "fail2ban enabled: " . (FAIL2BAN_ENABLED? "yes" : "no") . "\n";
}

if ($debug) {
    error_reporting(E_ALL);
    ini_set("display_errors", 1);
}

// Log file path
$logFile = "/var/log/admincentral.log";

// URL to call with the last ID as a query parameter
$query_url = "https://admincentral.innovateone.io/api/banned_ips?last_id=";
$ok_url    = "https://admincentral.innovateone.io//api/blocked/{server}/{method}/{ip}";
$fail_url  = "https://admincentral.innovateone.io/api//api/blocked/{server}/{method}/{ip}";

// Make sure that curl is available
if (!function_exists('curl_init')) {
    if ($debug) {
        echo "Error: curl does not exist\n";
    }
    exit(1);
}

// The server name
$server = explode(".", gethostname())[0];

// Read the last ID from the log file or assume it is 0
$lastId = 0;
if (file_exists($logFile)) {
    $lastLine = trim(exec("tail -n 1 $logFile"));
    $lastLineParts = explode(" ", $lastLine);
    if (isset($lastLineParts[1])) {
        $lastId = (int)$lastLineParts[1];
    }
}
else {
    //exit(2);
}

date_default_timezone_set('Europe/Athens');

$data = mini_http_client($query_url . $lastId);

// Check if data is not empty
if (!empty($data)) {
    // Iterate over each item in the array
    foreach ($data as $item) {
        perform_action($item['action'], $item['method'], $item['ip'], $item['id'], $item['reason']);        
    }
}

function write_log($logLine)
{
    global $logFile;

    debug_echo("Logging $logLine\n");
    file_put_contents($logFile, $logLine . " v.".VERSION."\n", FILE_APPEND);    
}

function perform_action($action, $method, $ip, $id, $reason) 
{
    global $debug, $server, $ok_url, $fail_url;

    // Fallback to blackhole method if fail2ban is not enabled
    if ((FAIL2BAN_ENABLED == false) && ($method == 'fail2ban')) {
        $method = 'blackhole';
    }

	if ($method == 'blackhole') {
        if ($action == 'block') {
	        $cmd = FIREWALL_BIN . ' ro add blackhole ' . $ip;
        }
        elseif ($action == 'unblock') {
            $cmd = FIREWALL_BIN . ' ro de ' . $ip;
        }
        else {
            return;
        }
    }
    elseif ($method == 'fail2ban') {
        if ($action == 'block') {
	        $cmd = FAIL2BAN_BIN .  ' set ' . FAIL2BAN_JAIL . ' banip $1 ' . $ip;
        }
        elseif ($action == 'unblock') {
            $cmd = FAIL2BAN_BIN . ' set ' . FAIL2BAN_JAIL . ' unbanip $1 ' . $ip;
        }
        else {
            return;
        }
    }

    $cmd .= ' 2>/dev/null';
    
    if ($debug) {
        echo "Executing $cmd\n";
    }

    $return_value = 99999;
    @system($cmd, $return_value);

    $api_vars = ['server' => $server, 'method' => $method, 'ip' => $ip];

    $logLine = "$ip $id [" . date('c') . "] $action $method $return_value \"$reason\"";
    // OK
    if ($return_value == 0) {            
        mini_http_client($ok_url, $api_vars);
        write_log($logLine);
    }

    // 2 = Already exists / Not found
    elseif ($return_value == 2) {            
        mini_http_client($fail_url, $api_vars);
        write_log($logLine);
    }

    // Other error
    else {            
        mini_http_client($fail_url, $api_vars);
        write_log($logLine);
    }        
}

function mini_http_client($url, $params = [], $decode = true)
{
    global $ip;

    foreach ($params as $key => $value) {
        $url = str_replace('{'.$key.'}', $value, $url);
    }
    debug_echo("Connecting to $url...\n");

    // Initialize cURL session
    $ch = curl_init();

    // Set cURL options
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    if ($ip != null) {
        curl_setopt($ch, CURLOPT_INTERFACE, $ip);
    }

    // Execute cURL request
    $response = curl_exec($ch);

    // Close cURL session
    curl_close($ch);
    
    // Decode JSON response, if requested
    if ($decode) {
        $data = json_decode($response, true);
    }
    else {
        $data = $response;
    }
    debug_echo("Returning: " . str_replace("\n", " ", print_r($data, true)) . "\n");

    return $data;
}

function debug_echo($s)
{
    global $debug; 
    
    if ($debug) {
        echo $s;
    }
}

/**
 * Check if fail2ban is installed, running and a specific jail is enabled
 * 
 * @param string $jail The name of the jail to check
 * @return bool Returns true if fail2ban is installed, running and the jail is enabled
 */
function fail2ban_active($jail) {
    global $debug;

    // Check if fail2ban-client is installed
    @exec('which fail2ban-client 2>/dev/null', $output, $returnCode);
    if ($returnCode !== 0) {
        if ($debug) {
            echo "fail2ban-client is not installed\n";
        }
        return false;
    }

    // Check if fail2ban service is running
    @exec('systemctl is-active fail2ban 2>/dev/null', $output, $returnCode);
    if ($returnCode !== 0) {
        if ($debug) {
            echo "fail2ban service is not running\n";
        }
        return false;
    }

    // Clean the jail name to prevent command injection
    $jail = escapeshellarg($jail);
    
    // Get status of specific jail
    @exec("fail2ban-client status $jail 2>/dev/null", $output, $returnCode);
    
    // Return code 0 means the command was successful and the jail exists
    if ($returnCode === 0) {        
        if ($debug) {
            echo "fail2ban jail $jail exists\n";
        }
        return true;

        // // Check if the jail is actually running by looking for "Status" in the output
        // foreach ($output as $line) {
        //     //if (strpos($line, 'Status') !== false && strpos($line, 'Running') !== false) {
        //     if (strpos($line, 'Status')) {
        //         return true;
        //     }
        // }
    }
 
    if ($debug) {
        echo "fail2ban jail $jail is not enabled or doesn't exist\n";
    }
    return false;
}