#!/bin/bash
# SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: Copyright 2024-2025 SUSE LLC
# SPDX-FileCopyrightText: Copyright 2024-2025 Richard Brown

set -euo pipefail

# Setup logging
exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3
exec 1>>/var/log/aeon-check.log 2>&1

# bug fixing functions follow the following naming conventions depending on where the bug is reported
#   - booXXXXX: bug reports on bugzilla.opensuse.org (Legacy Aeon bug tracker)
#   - issueXXX: bug reports on github.com/AeonDesktop/Project (Current Aeon bug tracker)

boo1234234() {
    # Problem: boo1234234 and related bugs. TPM2 enrolments failing because PCR0 invalidated by firmware updates.
    # Solution: Stop measuring PCR0 and update-predictions with the reduced PCR list

    # Only run if fde-tools is configured
    if test -e /etc/sysconfig/fde-tools ; then
        . /etc/sysconfig/fde-tools

        if [ "${FDE_SEAL_PCR_LIST}" = "0,4,5,7,9" ]; then
            echo "boo1234234 detected - PCR0 measured for TPM FDE sealing - correcting"
            echo "FDE_SEAL_PCR_LIST=4,5,7,9" > /etc/sysconfig/fde-tools
            sdbootutil -v update-predictions
            echo "boo1234234 corrected"
        fi
    fi
}

boo1243182() {
    # Problem: Aeon should be using Zypp's single RPM transaction backend
    # Solution: Add 'techpreview.ZYPP_SINGLE_RPMTRANS=1' to zypp.conf 

    if ! grep -qxF 'techpreview.ZYPP_SINGLE_RPMTRANS=1' /etc/zypp/zypp.conf ; then
         echo 'boo1243182 detected - Not using ZYPP_SINGLE_RPMTRANS - correcting'
         echo 'techpreview.ZYPP_SINGLE_RPMTRANS=1' >> /etc/zypp/zypp.conf
         echo 'boo1243182 corrected'
    fi
}

boo1246605() {
    # Problem: Aeon should have 'ro=vfs' as a mount attribute for / in /etc/fstab
    # Solution: Add 'ro=vfs' as a mount attribute for / in /etc/fstab
    if gawk '$2 == "/" && $4 != "compress=zstd:1,ro=vfs"' /etc/fstab | grep -q / ; then
        echo 'boo1246605 detected - fstab not using ro=vfs for / - correcting'
        gawk -i inplace '$2 == "/" && $4 != "compress=zstd:1,ro=vfs" { $4 = "compress=zstd:1,ro=vfs" } { print $0 }' /etc/fstab
        echo 'boo1246605 corrected'
    fi
}

issue7() {
    # Problem: Aeon should have systemd-growfs-root.service masked as it tries to run when it shouldn't
    # Solution: Mask systemd-growfs-root.service
    if ! [ -L /etc/systemd/system/systemd-growfs-root.service ]; then
        echo 'issue7 detected - systemd-growfs-root.service not masked - correcting'
	systemctl mask systemd-growfs-root.service
	echo 'issue7 corrected'
    fi
}

issue6() {
    # Problem: Aeon should have 'tpm2-measure-pcr=yes' set in /etc/crypttab if using normal encryption mode
    # Solution: add tpm2-measure-pcr=yes if tpm2-device=auto is set
    if grep '^aeon_root' /etc/crypttab | grep -qF 'tpm2-device=auto'; then
	    # Default Mode detected, now search for missing config
	    if ! grep '^aeon_root' /etc/crypttab | grep -qF 'tpm2-measure-pcr=yes'; then
                echo 'issue6 detected  - tpm2-measure-pcr=yes not set - correcting'
                sed -i '/^aeon_root/ s/$/,tpm2-measure-pcr=yes/' /etc/crypttab
                sdbootutil mkinitrd
                echo 'issue6 corrected'
	    fi
    fi
}

# Active fixes executed in order of importance
boo1246605
boo1243182
boo1234234
issue7
issue6
