#! /bin/sh
#
# osh-seal-banner: The Bastion SSH banner seal service
#
### BEGIN INIT INFO
# Provides:          osh-seal-banner
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Sets SSH banner to sealed state at boot time
# Description:       Script to set SSH banner to indicate the node is sealed
### END INIT INFO

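PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

# Files handled by this service. The script only repoints the symlink; it
# does not itself seal or unseal anything, so the banner is an indicator
# of state and not an enforcement mechanism.
BANNER_LINK=/etc/ssh/banner
BANNER_SEALED=/etc/ssh/banner.sealed
BANNER_OK=/etc/ssh/banner.ok

# point_banner_at FILE
#   Repoint $BANNER_LINK at FILE and print the outcome on stdout.
#   Returns 0 when the link was updated or when FILE is missing (the
#   original best-effort "skipping" behaviour), 1 when ln itself failed.
point_banner_at() {
	if [ ! -f "$1" ]; then
		# NOTE(review): the existing link is left untouched here, so the
		# banner keeps advertising whatever state it showed before.
		echo "${1##*/} not found, skipping."
		return 0
	fi
	# -n: replace the link itself even if it currently resolves to a
	# directory, instead of creating a new link inside that directory.
	# Report the real result of ln so a read-only or full filesystem is
	# not announced as "done." while the banner still shows the old state.
	if ln -sfn "$1" "$BANNER_LINK"; then
		echo "done."
	else
		echo "failed."
		return 1
	fi
}

case "$1" in
    start)
	printf "Setting SSH banner to sealed state... "
	point_banner_at "$BANNER_SEALED" || exit 1
	;;
    stop)
	printf "Setting SSH banner to unsealed state... "
	point_banner_at "$BANNER_OK" || exit 1
	;;
    force-reload|restart)
	# Restart only re-applies the sealed banner; it never unseals.
	printf "Restarting SSH banner seal service... "
	point_banner_at "$BANNER_SEALED" || exit 1
	;;
    status)
	if [ -L "$BANNER_LINK" ]; then
		# readlink returns the literal link text, so a relative link
		# (or one reaching the same file by another path) is reported
		# as "unknown" rather than matched.
		target=$(readlink "$BANNER_LINK")
		case "$target" in
		    "$BANNER_SEALED")
			echo "SSH banner is in sealed state"
			exit 0
			;;
		    "$BANNER_OK")
			echo "SSH banner is in unsealed state"
			exit 0
			;;
		    *)
			echo "SSH banner state unknown (points to $target)"
			exit 1
			;;
		esac
	else
		# A regular file or a missing banner was not put there by this
		# service, so no state can be inferred from it.
		echo "SSH banner is not managed by seal service"
		exit 1
	fi
	;;
    *)
	echo "Usage: $0 {start|stop|restart|force-reload|status}"
	exit 1
	;;
esac

exit 0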