#!/bin/sh
#
# Description: Set or get allowed(s) ip(s)
# Usage: ip <jailname> [<ip>|all]
#

# shellcheck source=./includes
LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"

jail_name="${1:?}"
ip="${2:-}"

if [ ! -n "${jail_name}" ]; then
    show_help && exit 1
fi
jail_path=$(jail_path "${jail_name}")

test -d "${jail_path}" || error "${jail_name}: jail not found" 2

jail_sshd_config="${jail_path}/${SSHD_CONFIG}"

if [ -z "${ip}" ]; then
    # parse IP addresses from AllowUsers directives in sshd config
    grep -E "^AllowUsers" "${jail_sshd_config}" \
    | grep -E -o "root@[^ ]+" \
    | while read allow; do
        echo "${allow}" | cut -d'@' -f2
    done
else
    if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
        new_ips="0.0.0.0/0"
    else
        existing_ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
        new_ips=$(echo ${existing_ips} ${ip} | xargs -n1 | grep -v "0.0.0.0/0" | sort | uniq)
    fi
    allow_users="AllowUsers"
    for new_ip in ${new_ips}; do
        allow_users="${allow_users} root@${new_ip}"
    done
    if grep -q -E "^AllowUsers" "${jail_sshd_config}"; then
        sed --follow-symlinks --in-place "s~^AllowUsers .*~${allow_users}~" "${jail_sshd_config}"
    else
        error "No \`AllowUsers' directive found in \`${jail_sshd_config}'"
    fi
    notice "Update IP whitelist with \`${ip}' for jail \`${jail_name}' : OK"
    "${LIBDIR}/bkctld-reload" "${jail_name}"
    "${LIBDIR}/bkctld-firewall" "${jail_name}"
fi