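#!/bin/bash
#
# Blacklist import for a Check Point management server.
#
# Downloads the FireHOL level3 IPv4 netset, mirrors it into the network group
# "$v_grp" (one "network" object per CIDR, named "$v_objprefix<ip>-<bits>"),
# publishes the session and installs the access policy.  Meant to run from
# cron; stdout doubles as the notification mail body, which is why the very
# first line printed is a "Subject:" header.
#
# Required on the host: the Check Point shell environment (.CPprofile.sh, which
# provides mgmt_cli and curl_cli), GNU grep (-P), sort, comm.
# Optional environment: CP_USER / CP_PASSWORD override the credentials below.
#
# The previous shebang was "#!/bin/bash -f": -f (noglob) silently disabled the
# "blacklist_helper*" cleanup, and shebang options are dropped anyway when the
# script is started as "bash script.sh".  Shell options are set with "set"
# below, after the profile is sourced (the profile is not written for -u).
#
#If this machine version R80.30, uncomment the line below
source /opt/CPshrd-R80.30/tmp/.CPprofile.sh
#If this machine version R80.20, uncomment the next line
#source /opt/CPshrd-R80.20/tmp/.CPprofile.sh
#If this machine version R80.10, uncomment the line below
#source /opt/CPshrd-R80/tmp/.CPprofile.sh
set -u      # every path below is derived from variables; an unset one is a bug
umask 077   # helper files hold the API session id; keep them private to the user
#------------------------------------------------------------------------------------
#Define Environment
#Define Scripts Path (all helper files live here)
v_spath="/scripts/firehol"
#Feed URL (IPv4 only)
v_feedurl='https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset'
#Policy Name
v_polpack="Frontiera"
#Policy Target Name
v_poltarget="lntfw-pVSX1_Frontiera"
#Name of group object
v_grp="Blacklist_API-FireHOL"
#Naming prefix for elements
v_objprefix="Net-FireHOL_"
#comment for objects
v_objcomment="Do NOT use this object. Automatically created and deleted!"
#color of objects
v_objcolor="red"
#Login User (CP_USER in the environment overrides the placeholder)
v_cpuser="${CP_USER:-<youruser>}"
#Login Password (CP_PASSWORD in the environment overrides the placeholder).
#mgmt_cli receives the password as a command-line argument, so it is visible
#in "ps" while the login call runs; when the script runs on the management
#server itself, "mgmt_cli login -r true" needs no stored password at all.
v_cpuserpw="${CP_PASSWORD:-<yourpassword>}"
#Publish after every N created objects so a long import is saved step by step
v_publish_every=500
#Time (renamed from "time", which is a bash reserved word)
v_time=$(date "+%Y.%m.%d-%H.%M.%S")

#(if needed) define mail subject for notification
echo "Subject: Activity Report - Blacklist Import Script"


#define helper_files and vars
v_sidfile="$v_spath/id.txt"                                              # API session id (JSON from login)
v_helper_blacklist_ipv4cidr="$v_spath/blacklist_helper_cidr.tmp"        # feed, one "a.b.c.d/NN" per line
v_helper_currobj="$v_spath/blacklist_helper_currentobjects.tmp"         # current group members as "a.b.c.d/NN"
v_helper_objlist_msblacklistsorted="$v_spath/blacklist_helper_ms-objsorted.tmp"
v_helper_objlist_instsorted="$v_spath/blacklist_helper_inst-objsorted.tmp"
v_diff_add="$v_spath/blacklist_helper_diff_add.tmp"                     # "a.b.c.d-NN" to create
v_diff_rm="$v_spath/blacklist_helper_diff_rm.tmp"                       # "a.b.c.d-NN" to delete
#------------------------------------------------------------------------------------

#######################################
# Remove the helper files of this or a previous (possibly aborted) run.
# Globals:   v_spath, v_sidfile (read)
#######################################
cleanup_helpers() {
  # -f: a clean directory is not an error; the glob works again without noglob
  rm -f -- "$v_spath"/blacklist_helper*.tmp "$v_sidfile"
}

#######################################
# Fetch the feed and normalise it to one "a.b.c.d/NN" per line.
# Globals:   v_feedurl (read), v_helper_blacklist_ipv4cidr (written)
# The grep is an allow-list: only a dotted-quad IPv4 address with an optional
# /8../32 prefix survives, anything else in the download is dropped.  Every
# object name and mgmt_cli argument below is built from these lines, so this
# regex is what keeps feed content from reaching the API as anything but an
# address.  Bare addresses get "/32" appended.
# TLS verification stays on: the feed decides what the firewall blocks, so a
# tampered download would be written straight into the policy.  If the curl
# CA bundle on the host does not know the issuing CA, add --cacert rather
# than --insecure.  --fail turns an HTTP error page into an empty file, which
# main() treats as "could not get feed" and discards the session.
#######################################
download_feed() {
  curl_cli --silent --show-error --fail "$v_feedurl" \
    | grep -Po '^(([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\/([89]|[12][0-9]|3[0-2]))?)$' \
    | sed -re 's|^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$|&\/32|g' > "$v_helper_blacklist_ipv4cidr"
}

#######################################
# Open the management API session.
# Globals:   v_cpuser, v_cpuserpw (read), v_sidfile (written)
# Returns:   0 on success, 1 when the login is rejected
# NOTE(review): relies on mgmt_cli exiting non-zero when the login fails --
# confirm on this release; the API response is printed for the mail either way.
#######################################
cp_login() {
  # Session of 3600 seconds (1 hour)
  if ! mgmt_cli login user "$v_cpuser" password "$v_cpuserpw" session-timeout 3600 --format json > "$v_sidfile"; then
    echo "PROBLEM! Login to the management API failed:"
    cat -- "$v_sidfile"
    return 1
  fi
  return 0
}

#######################################
# Run one mgmt_cli call on the script's session, preceded by a keepalive so a
# long import does not outlive the session timeout.
# Globals:   v_sidfile (read)
# Arguments: mgmt_cli command and its parameters, passed through unchanged
# stdin is redirected from /dev/null so the call can never consume the input
# of a "while read" loop that invokes it.
#######################################
cp_api() {
  mgmt_cli keepalive -s "$v_sidfile" > /dev/null 2>&1
  mgmt_cli -s "$v_sidfile" "$@" < /dev/null
}

#######################################
# Create the group object if it does not exist yet (not published here).
# Globals:   v_grp, v_objcolor, v_objcomment, v_sidfile (read)
#######################################
ensure_group() {
  if mgmt_cli show group name "$v_grp" --format json -s "$v_sidfile" | grep -q 'generic_err_object_not_found'; then
    echo "Group $v_grp does not exist. Creating ..."
    mgmt_cli add group name "$v_grp" color "$v_objcolor" comments "$v_objcomment" -s "$v_sidfile"
  else
    echo "Group $v_grp already exists"
  fi
}

#######################################
# Work out what has to be created and deleted.
# Reads the current members back as CIDRs (object names end in "<ip>-<bits>"),
# deduplicates and sorts both lists with the same collation (comm requires
# identical ordering) and writes the two set differences as "ip-bits" lines.
# Globals:   v_grp, v_objprefix, v_sidfile, v_helper_* (read),
#            v_diff_add, v_diff_rm (written)
# Returns:   0 when there is at least one change, 1 when the lists are identical
#######################################
compute_changes() {
  mgmt_cli show group name "$v_grp" -s "$v_sidfile" \
    | grep -F -- "$v_objprefix" \
    | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\-[0-9]\{1,\}' \
    | sed -e 's|-|\/|g' > "$v_helper_currobj"
  #check for duplicates on Blacklist and sort; same for the existing members
  LC_ALL=C sort -u -- "$v_helper_blacklist_ipv4cidr" > "$v_helper_objlist_msblacklistsorted"
  LC_ALL=C sort -u -- "$v_helper_currobj" > "$v_helper_objlist_instsorted"
  #in the feed but not in the group -> create; in the group but not in the feed -> delete
  LC_ALL=C comm -23 "$v_helper_objlist_msblacklistsorted" "$v_helper_objlist_instsorted" | sed -e 's|/|-|g' > "$v_diff_add"
  LC_ALL=C comm -13 "$v_helper_objlist_msblacklistsorted" "$v_helper_objlist_instsorted" | sed -e 's|/|-|g' > "$v_diff_rm"
  [[ -s "$v_diff_add" || -s "$v_diff_rm" ]]
}

#######################################
# Convert a prefix length to a dotted-decimal netmask.
# Arguments: $1 - prefix length, 0..32
# Outputs:   the mask on stdout, e.g. 24 -> 255.255.255.0
# Returns:   1 (no output) when the argument is not a prefix length
#######################################
prefix_to_netmask() {
  local bits=$1 m
  [[ "$bits" =~ ^[0-9]+$ ]] && (( bits <= 32 )) || return 1
  # 32 one-bits with the low (32-bits) bits cleared; bash arithmetic is 64-bit,
  # so 1<<32 for bits=0 does not overflow
  m=$(( 0xffffffff ^ ((1 << (32 - bits)) - 1) ))
  printf '%d.%d.%d.%d\n' $(( (m >> 24) & 0xff )) $(( (m >> 16) & 0xff )) $(( (m >> 8) & 0xff )) $(( m & 0xff ))
}

#######################################
# Take every entry of $v_diff_rm out of the group, then delete its object.
# Globals:   v_grp, v_objprefix, v_diff_rm (read)
#######################################
remove_objects() {
  local entry
  if [[ ! -s "$v_diff_rm" ]]; then
    echo "No objects to remove found."
    return 0
  fi
  echo "Found objects to remove."
  #all group removals first, then the deletes, as before
  while IFS= read -r entry; do
    cp_api set group name "$v_grp" members.remove "$v_objprefix$entry" ignore-warnings "true"
  done < "$v_diff_rm"
  while IFS= read -r entry; do
    cp_api delete network name "$v_objprefix$entry" ignore-warnings "true"
  done < "$v_diff_rm"
}

#######################################
# Create one network object per entry of $v_diff_add and add it to the group.
# Globals:   v_grp, v_objprefix, v_objcolor, v_objcomment, v_publish_every,
#            v_diff_add (read)
# Values are passed to mgmt_cli as arguments; nothing is re-parsed by a shell.
#######################################
add_objects() {
  local ip bits mask count=0
  if [[ ! -s "$v_diff_add" ]]; then
    echo "Nothing to add."
    return 0
  fi
  echo "Found new objects! Creating..."
  while IFS="-" read -r ip bits; do
    if ! mask=$(prefix_to_netmask "$bits"); then
      echo "Skipping malformed entry: $ip-$bits"
      continue
    fi
    cp_api add network name "$v_objprefix$ip-$bits" subnet "$ip" subnet-mask "$mask" color "$v_objcolor" groups.1 "$v_grp" comments "$v_objcomment"
    count=$((count + 1))
    # publish in batches so that a long import is saved step by step
    if (( count % v_publish_every == 0 )); then
      cp_api publish
    fi
  done < "$v_diff_add"
}

#######################################
# Publish the session and install the access policy on the target.
# Globals:   v_polpack, v_poltarget (read)
#######################################
publish_and_install() {
  echo "Publishing changes..."
  cp_api publish
  echo "Publishing done! Installing Policy..."
  cp_api install-policy policy-package "$v_polpack" access true threat-prevention false targets.1 "$v_poltarget"
}

#######################################
# Entry point: feed download, login, diff, apply, publish, logout, cleanup.
# An empty or missing feed file never changes the policy; the session is
# discarded instead, so a feed outage cannot wipe the group.
#######################################
main() {
  echo "################## Script starts : $v_time ##################"
  #cleaning up directory from helper files
  cleanup_helpers

  #Download of Feed
  download_feed

  if ! cp_login; then
    # no session to discard or log out of; helpers are left for inspection
    echo "################## Script ends : $v_time ##################"
    return 1
  fi

  ensure_group

  if [[ ! -e "$v_helper_blacklist_ipv4cidr" ]]; then
    echo "PROBLEM! Feed could not process! File $v_helper_blacklist_ipv4cidr not found"
    mgmt_cli discard -s "$v_sidfile" --format json
  elif [[ ! -s "$v_helper_blacklist_ipv4cidr" ]]; then
    echo "PROBLEM! Could not get feed!"
    mgmt_cli discard -s "$v_sidfile" --format json
  elif compute_changes; then
    remove_objects
    add_objects
    publish_and_install
  else
    echo "No Changes!"
    mgmt_cli discard -s "$v_sidfile" --format json
  fi

  #cleaning up
  mgmt_cli logout -s "$v_sidfile"
  cleanup_helpers

  echo "DONE"
  echo "################## Script ends : $v_time ##################"
}

# called without "$@": bash releases before 4.4 report an empty "$@" as unbound under set -u
main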
