#!/usr/bin/env php
<?php
// vim: :set filetype=php tabstop=4 shiftwidth=4 autoindent smartindent:

// This adds a network, or networks, to the trusted zone.
// Used by 'preconfigured'

// If the firewall hasn't started yet, don't do anything.
if (file_exists("/var/run/firewalld.safemode")) {
	print "Firewall not started. Ignoring\n";
	exit;
}

// Make sure we have a param
if (empty($argv[1])) {
	throw new \Exception("Needs a param");
}

// Underp the base64 that the param is using.
$b = str_replace('_', '/', $argv[1]);
$settings = @json_decode(gzuncompress(@base64_decode($b)), true);

if (!is_array($settings)) {
	throw new \Exception("Invalid param");
}

// ///////////////////////////////////// //
// BOILERPLATE SECURITY VALIDATION CODE: // 
// ------------------------------------- //
// Ensure this is run before including   //
// any files from the module. If you're  //
// including a file IN the module, check //
// to see if the class exists...         //
// ///////////////////////////////////// //

// Now we've passed the first checks, we can load the fake (root-owned-file) FreePBX and GPG objects
require '/usr/lib/sysadmin/includes.php';
$g = new \Sysadmin\GPG();
$sigfile = \Sysadmin\FreePBX::Config()->get('AMPWEBROOT')."/admin/modules/firewall/module.sig";
$sig = $g->checkSig($sigfile);
if (!isset($sig['config']['hash']) || $sig['config']['hash'] !== "sha256") {
	throw new \Exception("Invalid sig file.. Hash is not sha256 - check $sigfile");
}

// Check the hash of the validator, before we include it
if (empty($sig['hashes']['hooks/validator.php'])) {
	throw new \Exception("Validator not part of module.sig");
}

$vhash = hash_file('sha256', __DIR__."/validator.php");
if ($vhash !== $sig['hashes']['hooks/validator.php']) {
	throw new \Exception("Validator tampered");
} else {
	include __DIR__."/validator.php";
}

// Yay! We instantiate it now so that the Driver loader
// knows we're running as root, and we have our hashes
// preloaded.
$v = new \FreePBX\modules\Firewall\Validator($sig);

// /////////////////////////////////// //
// END BOILERPLATE SECURITY VALIDATION //
// /////////////////////////////////// //

if (!isset($settings['network'])) {
	throw new \Exception("No network");
}

if (!isset($settings['zone'])) {
	throw new \Exception("No zone");
}

$network = $settings['network'];
$zone = $settings['zone'];

$v->secureInclude('Zones.class.php');
$v->secureInclude('Driver.class.php');
$d = new \FreePBX\modules\Firewall\Driver;
$driver = $d->getDriver();

$knownnets = $driver->getKnownNetworks();

if (!isset($knownnets[$network])) {
	throw new \Exception("Unknown Network $network");
}

if ($knownnets[$network] !== $zone) {
	throw new \Exception("$network is not in $zone");
}

$driver->removeNetworkFromZone($zone, $network);
$driver->commit();


