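#!/bin/bash
# Copyright (C) 2026 Cédric Abonnel
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# Audits /opt/monitoring/conf: every official <name>.conf must have a
# <name>.local.conf next to it.  A missing local file is created as a
# root-only copy of the template; an existing one is compared key by key
# with its template and the differences are reported through the shared
# monitoring library (log_* helpers, lock_or_exit, exit_with_status).
#
# Requires root and /opt/monitoring/lib/monitoring-lib.sh.

set -u

# Not referenced below; presumably read by the sourced library's log helpers.
SCRIPT_NAME="$(basename "$0")"

# shellcheck source=/dev/null
. /opt/monitoring/lib/monitoring-lib.sh || exit 3

# Root is required: the local configuration files are created mode 0600
# under /opt/monitoring/conf.
if [[ "${EUID}" -ne 0 ]]; then
  printf '%s\n' "Ce script doit être exécuté en root." >&2
  exit 1
fi

#######################################
# Print the option names (the part before '=') defined in a configuration
# file.  Only lines of the form KEY=... starting in column 0 count, so
# commented-out defaults are ignored.
# Arguments: $1 - path of the file to scan
# Outputs:   one key per line, de-duplicated and sorted byte-wise so that
#            the two lists handed to comm share one collation.  Without -u a
#            key defined twice in the template was reported as "missing"
#            from a local file that defines it once.
#######################################
_conf_keys() {
  grep -E '^[A-Za-z0-9_]+=' -- "$1" | cut -d'=' -f1 | LC_ALL=C sort -u
}

#######################################
# Join stdin lines into one space-separated string (no trailing space).
# Outputs: the joined line; nothing when stdin is empty
#######################################
_join_lines() {
  paste -sd ' ' -
}

#######################################
# Audit one official .conf against its .local.conf counterpart.
# Arguments: $1 - path of the official <name>.conf
# Outputs:   log lines via the monitoring library
# Returns:   0 when the local file is up to date (or was just created),
#            1 when the local file lacks options present in the template
#######################################
_audit_one_conf() {
  local base_conf=$1
  local local_conf="${base_conf%.conf}.local.conf"
  local file_name
  file_name=$(basename -- "$base_conf")
  local local_name="${file_name%.conf}.local.conf"

  # 1. No .local.conf yet: create it from the template.
  if [[ ! -f "$local_conf" ]]; then
    log_notice "audit_missing_local" "Création du fichier local manquant" "file=$file_name"
    # umask in a subshell so the new file is never readable by others, not
    # even in the window between its creation and the chmod below.
    # NOTE(review): the original comment said default values were commented
    # out here, but the template is copied verbatim — confirm which is intended.
    (umask 077 && cp -- "$base_conf" "$local_conf")
    chmod 600 "$local_conf"
    return 0
  fi

  # 2. Both exist: compare the two key sets.  Process substitution replaces
  # the mktemp files of the original, so nothing is left behind when the
  # script is interrupted; LC_ALL=C on comm matches the sort in _conf_keys.
  local missing obsolete
  # Keys in the template that the local file does not set yet.
  missing=$(LC_ALL=C comm -23 <(_conf_keys "$base_conf") <(_conf_keys "$local_conf") | _join_lines)
  # Keys set locally that the template no longer defines.
  obsolete=$(LC_ALL=C comm -13 <(_conf_keys "$base_conf") <(_conf_keys "$local_conf") | _join_lines)

  local status=0
  if [[ -n "$missing" ]]; then
    log_warning "audit_keys_missing" "Nouvelles options disponibles à configurer" \
      "file=$local_name" "keys=$missing"
    status=1
  fi
  if [[ -n "$obsolete" ]]; then
    log_info "audit_keys_obsolete" "Options locales obsolètes détectées" \
      "file=$local_name" "keys=$obsolete"
  fi
  return "$status"
}

#######################################
# Walk every official .conf under the configuration directory and audit it.
# Globals:   none written; reads /opt/monitoring/conf
# Outputs:   log lines via the monitoring library; audit_success only when
#            no local file is missing an option
#######################################
check_config_drift() {
  local conf_dir="/opt/monitoring/conf"
  local base_conf
  local found_issue=false

  log_info "audit_start" "Début de l'audit des configurations"

  # The loop reads from a process substitution instead of ending a pipeline:
  # in the original `find | while`, the body ran in a subshell and its
  # found_issue=true was discarded, so audit_success was always logged.
  # -print0 / read -d '' keep file names with unusual characters intact.
  while IFS= read -r -d '' base_conf; do
    _audit_one_conf "$base_conf" || found_issue=true
  done < <(find "$conf_dir" -type f -name "*.conf" ! -name "*.local.conf" -print0)

  if [[ "$found_issue" == false ]]; then
    log_info "audit_success" "Toutes les configurations locales sont à jour"
  fi
}

#######################################
# Entry point: take the audit lock, then run the drift check.
#######################################
main() {
  lock_or_exit "monitoring-audit"
  check_config_drift
}

main
exit_with_status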