#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.



CHECK_ID_extra7184="7.184"
CHECK_TITLE_extra7184="[extra7184] Directory Service Manual Snapshot Limit"
CHECK_SCORED_extra7184="NOT_SCORED"
CHECK_CIS_LEVEL_extra7184="EXTRA"
CHECK_SEVERITY_extra7184="Low"
CHECK_ASFF_RESOURCE_TYPE_extra7184="AwsDirectoryService"
CHECK_ALTERNATE_check7184="extra7184"
CHECK_SERVICENAME_extra7184="ds"
CHECK_RISK_extra7184="A limit reached can bring unwanted results. The maximum number of manual snapshots is a hard limit"
CHECK_REMEDIATION_extra7184="Monitor manual snapshots limit to ensure capacity when you need it."
CHECK_DOC_extra7184="https://docs.aws.amazon.com/general/latest/gr/ds_region.html"
CHECK_CAF_EPIC_extra7184="Infrastructure Security"

extra7184(){
    local THRESHOLD="2"
    for regx in ${REGIONS}; do
        DIRECTORY_SERVICE_IDS=$("${AWSCLI}" ds describe-directories ${PROFILE_OPT} --region "${regx}" --query 'DirectoryDescriptions[*].DirectoryId[]' --output text 2>&1)
        if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${DIRECTORY_SERVICE_IDS}"; then
            textInfo "${regx}: Access Denied trying to describe directories" "${regx}"
            continue
        fi

        if [[ ${DIRECTORY_SERVICE_IDS} ]]; then
            for DIRECTORY_ID in ${DIRECTORY_SERVICE_IDS}; do
                LIMIT_DATA=$("${AWSCLI}" ds get-snapshot-limits ${PROFILE_OPT} --region "${regx}" --directory-id "${DIRECTORY_ID}" --query 'SnapshotLimits' --output text 2>&1)
                if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIMIT_DATA}"; then
                    textInfo "${regx}: Access Denied trying to get Directiory Service snapshot limits" "${regx}"
                    continue
                fi
                echo "${LIMIT_DATA}" | while read -r CURRENT_SNAPSHOTS_COUNT SNAPSHOTS_LIMIT SNAPSHOTS_LIMIT_REACHED; do
                    if [[ ${SNAPSHOTS_LIMIT_REACHED} == "true" ]] 
                    then
                        textFail "${regx}: Directory Service ${DIRECTORY_ID} reached ${SNAPSHOTS_LIMIT} Snapshots Limit" "${regx}" "${DIRECTORY_ID}"
                    else 
                        LIMIT_REMAIN=$(("${SNAPSHOTS_LIMIT}" - "${CURRENT_SNAPSHOTS_COUNT}"))
                        if [[ "${LIMIT_REMAIN}" -le "${THRESHOLD}" ]]; then
                            textFail "${regx}: Directory Service ${DIRECTORY_ID} is about to reach ${SNAPSHOTS_LIMIT} snapshots which is the limit" "${regx}" "${DIRECTORY_ID}"
                        else
                            textPass "${regx}: Directory Service ${DIRECTORY_ID} is using ${CURRENT_SNAPSHOTS_COUNT} out of ${SNAPSHOTS_LIMIT} from the Snapshot Limit" "${regx}" "{$DIRECTORY_ID}"
                        fi
                    fi
                done
            done
        else
            textInfo "${regx}: No Directory Service found" "${regx}"
        fi
    done
}
