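#!/bin/bash
set -euo pipefail
# ft_chatons audit script
# La Contre-Voie x 42
# Date: 2025-10-27
# Author: neil
#
# Audits the services described by the sub-folders of ./core. For each
# service it prints one row: whether the container is up, which resource
# limits its compose.yml declares, and — for running containers only — a
# few runtime hardening checks read from `docker inspect` and from the
# container's network namespace.
#
# Usage: run (or source) from the directory that contains ./core, then call
# audit_all, or audit_single NAME for a single service. The main call at the
# bottom is left commented out, as in the original.
#
# NOTE(review): the PID/CPU/RAM columns report what compose.yml *declares*
# (short-form keys only; deploy.resources.limits is not recognised), not the
# limits the running container actually received. HostConfig from
# `docker inspect` would be the source of truth for that; treat these three
# columns as a config lint rather than a runtime check.

# Image used to look at the target's network namespace. It runs as root
# inside the audited netns, so an unpinned tag is a supply-chain risk for the
# audit tool itself; override with a digest-pinned reference, e.g.
#   AUDIT_NET_IMAGE=alpine@sha256:... ./audit.sh
AUDIT_NET_IMAGE=${AUDIT_NET_IMAGE:-alpine:latest}

# Move to the Core folder (relative to the current directory, as before).
# Explicit so the failure is reported clearly rather than via a bare -e exit.
cd core || { printf 'audit: cannot cd to ./core\n' >&2; exit 1; }

# Computes the NAME column width: the length of the longest service folder
# directly under ./core. The folder set and the printed form (no "./"
# prefix, no .git / tools) match what audit_all iterates over, so the width
# is exactly what the rows need. Prints 0 when there is no folder.
audit_name_width() {
  local width=0 srv
  while IFS= read -r -d '' srv; do
    if (( ${#srv} > width )); then
      width=${#srv}
    fi
  done < <(find . -mindepth 1 -maxdepth 1 -type d ! -name '.git' ! -name 'tools' -printf '%P\0')
  printf '%s\n' "$width"
}

# Used to switch colors on the results screen: an empty value prints a red
# "NO", anything else is printed in green as-is.
chkbool() {
  if [[ -z "${1:-}" ]]; then
    c_red "NO"
  else
    c_green "$1"
  fi
}

# Prints $1 in red / green without a trailing newline. %b keeps the
# backslash escapes (e.g. "\t") that callers embed in their labels, which
# is what `echo -e` did in the original.
c_red() {
  printf '\033[0;31m%b\033[0m' "${1:-}"
}
c_green() {
  printf '\033[0;32m%b\033[0m' "${1:-}"
}

# Prints the value of key $2 declared in $1/compose.yml, or nothing when the
# file or the key is absent. Only uncommented lines count: anchoring on the
# start of the line means a commented-out `# pids_limit: 100` no longer shows
# up as a configured limit. Surrounding quotes are stripped. $2 must be one
# of this script's literal key names (it is interpolated into a regex).
compose_value() {
  local dir=$1 key=$2
  [[ -r "$dir/compose.yml" ]] || return 0
  # `|| true`: with pipefail, a key that is simply absent makes grep (and so
  # the pipeline) return 1, which must not count as an error here.
  grep -E "^[[:space:]]*${key}:" -- "$dir/compose.yml" \
    | sed -E "s/^[[:space:]]*${key}:[[:space:]]*//; s/[\"']//g" \
    | tr '\n' ' ' | sed -E 's/[[:space:]]+$//' || true
}

# READ-ONLY column: HostConfig.ReadonlyRootfs as reported by the daemon.
audit_readonly_rootfs() {
  local ro
  ro=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$1" 2>/dev/null) || ro=
  if [[ "$ro" == "true" ]]; then
    chkbool "YES"
  else
    chkbool ""
  fi
}

# UNPRIVILEGED column: the container's init process (State.Pid) is not
# running as root, as seen from the host. Only the entrypoint process is
# checked; children that later drop or gain privileges are not seen. ERR is
# printed when the PID or its user cannot be read, instead of a silent NO.
audit_unprivileged() {
  local pid user
  pid=$(docker inspect --format '{{ .State.Pid }}' "$1" 2>/dev/null) || pid=
  if [[ -z "$pid" || "$pid" == 0 ]]; then
    c_red "ERR"
    return 0
  fi
  # `-o user=` prints the user name with no header line.
  user=$(ps -o user= -p "$pid" 2>/dev/null) || user=
  user=${user// /}
  if [[ -z "$user" ]]; then
    c_red "ERR"
  elif [[ "$user" == "root" ]]; then
    chkbool ""
  else
    chkbool "YES"
  fi
}

# RESTR.PRIV. column: no-new-privileges is present in HostConfig.SecurityOpt
# and not explicitly disabled. The original substring grep also accepted
# `no-new-privileges:false`; printing the options one per line and matching
# the whole line avoids that false positive. A bare `no-new-privileges`
# means enabled, hence the optional suffix.
audit_no_new_privs() {
  local opts
  opts=$(docker inspect --format '{{ join .HostConfig.SecurityOpt "\n" }}' "$1" 2>/dev/null) || opts=
  if grep -qxE 'no-new-privileges([:=]true)?' <<<"$opts"; then
    chkbool "YES"
  else
    chkbool ""
  fi
}

# FIXED ADDR. column: YES when no TCP/UDP listener inside the container's
# network namespace is bound to a wildcard address (0.0.0.0 or ::). A helper
# image is started in that namespace to run netstat. If the helper cannot
# run (image pull failure, missing netstat, ...) the column shows ERR: the
# original `$(...) || echo YES` reported a pass in exactly that case.
# NOTE(review): this only looks at in-container binds; ports published
# through HostConfig.PortBindings are bound on the host and are not covered.
audit_fixed_addr() {
  local listeners
  # No -it: the script may run without a TTY (cron, CI), where -t fails.
  if ! listeners=$(docker run --rm --net "container:$1" "$AUDIT_NET_IMAGE" \
                     netstat -tnul 2>/dev/null </dev/null); then
    c_red "ERR"
    return 0
  fi
  # Skip netstat's two header lines; column 4 is "Local Address". A single
  # awk pass avoids a grep -q / pipefail SIGPIPE interaction that could
  # turn a match into a pipeline failure.
  if printf '%s\n' "$listeners" \
       | awk 'NR > 2 && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { hit = 1 } END { exit !hit }'; then
    chkbool ""
  else
    chkbool "YES"
  fi
}

# Audits a single service and prints one result row.
#   $1 - service name: folder under ./core, also used as the container name
#   $2 - unused, kept so existing `audit_single NAME "" WIDTH` calls still work
#   $3 - NAME column width (default 14)
# The four runtime columns are only evaluated when the container is running.
# example: audit_single caddy
audit_single() {
  local name=$1
  local max_width=${3:-14}
  local running
  printf "%-*s " "$max_width" "$name"

  # The docker name filter is a regex: anchor it so "web" does not match
  # "web-backup" as well.
  running=$(docker ps -q -f "name=^${name}\$")
  if [[ -z "$running" ]]; then
    c_red "DOWN\t"
  else
    c_green "UP!\t"
  fi

  chkbool "$(compose_value "$name" pids_limit)"
  printf '\t\t'
  chkbool "$(compose_value "$name" cpu_shares)"
  printf '\t\t'
  chkbool "$(compose_value "$name" mem_limit)"

  if [[ -n "$running" ]]; then
    printf '\t\t'
    audit_readonly_rootfs "$name"
    printf '\t\t'
    audit_unprivileged "$name"
    printf '\t\t'
    audit_no_new_privs "$name"
    printf '\t\t'
    audit_fixed_addr "$name"
  fi
  printf '\n'
}

# Displays the results header; $1 is the NAME column width (default 14).
audit_tabheader() {
  local max_width=${1:-14}
  printf "%-*s " "$max_width" "NAME"
  printf 'STATUS\tPID LIMIT\tCPU SHARES\tRAM LIMIT\tREAD-ONLY\tUNPRIVILEGED\tRESTR.PRIV.\tFIXED ADDR.\n'
}

# Audits every service folder under ./core (hidden .git and tools excluded),
# one row per folder, in find order. Folder names are read NUL-delimited so
# unusual names do not get word-split.
audit_all() {
  local max_width srv
  max_width=$(audit_name_width)
  audit_tabheader "$max_width"
  while IFS= read -r -d '' srv; do
    audit_single "$srv" "" "$max_width"
  done < <(find . -mindepth 1 -maxdepth 1 -type d ! -name '.git' ! -name 'tools' -printf '%P\0')
}

# main
# audit_all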