#!/bin/bash
# info: Adding hsts to a domain
# options: USER DOMAIN [RESTART] [QUIET]
#
# This function enables HSTS for the requested domain.

#----------------------------------------------------------#
#                Variables & Functions                     #
#----------------------------------------------------------#

# Argument definition
user=$1
domain=$2
restart="$3"
quiet="$4"

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"

#----------------------------------------------------------#
#                    Verifications                         #
#----------------------------------------------------------#

check_args '2' "$#" 'USER DOMAIN'
is_format_valid 'user' 'domain'
is_object_valid 'user' 'USER' "$user"
is_object_unsuspended 'user' 'USER' "$user"
is_object_valid 'web' 'DOMAIN' "$domain"
is_object_unsuspended 'web' 'DOMAIN' "$domain"

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

#----------------------------------------------------------#
#                       Action                             #
#----------------------------------------------------------#

# Load domain data
parse_object_kv_list $(grep "DOMAIN='$domain'" $USER_DATA/web.conf)

# Check if SSL is enabled
if [ "$SSL" != 'yes' ]; then
	echo "Error: SSL is not enabled"
	exit "$E_NOTEXIST"
fi

# Check for Apache/Nginx or Nginx/PHP-FPM configuration
if [ -z "$PROXY_SYSTEM" ]; then
	hstsconf="$HOMEDIR/$user/conf/web/$domain/$WEB_SYSTEM.hsts.conf"
else
	hstsconf="$HOMEDIR/$user/conf/web/$domain/$PROXY_SYSTEM.hsts.conf"
fi

echo 'add_header Strict-Transport-Security "max-age=31536000;" always;' > $hstsconf

chown root:$user $hstsconf
chmod 640 $hstsconf

#----------------------------------------------------------#
#                       Hestia                             #
#----------------------------------------------------------#

if [ -z "$SSL_HSTS" ]; then
	add_object_key "web" 'DOMAIN' "$domain" 'SSL_HSTS' 'SSL_FORCE'
fi

# Set forcessl flag to enabled
update_object_value 'web' 'DOMAIN' "$domain" '$SSL_HSTS' 'yes'

# Restart web server
$BIN/v-restart-web "$restart"
check_result $? "Web restart failed" > /dev/null

# Restart proxy
$BIN/v-restart-proxy "$restart"
check_result $? "Proxy restart failed" > /dev/null

# Logging
if [ "$quiet" != "yes" ]; then
	$BIN/v-log-action "$user" "Info" "Web" "HTTP Strict Transport Security (HSTS) enabled (Domain: $domain)."
fi
log_event "$OK" "$ARGUMENTS"

exit