#!/usr/bin/env bash
set -euo pipefail

# -------------------------------------------------------------------
# dovecot-logreport.sh
#
# Zweck:
#   - Dovecot Logs parsen (imap-login/imap/pop3-login/lmtp/auth/...)
#   - Lesbare Key/Value-Ausgabe pro Event
#   - Filtermöglichkeiten:
#       * Ergebnis: --success / --fail / --error
#       * Zeit:    --since / --until (ISO8601 empfohlen)
#                 --last (bequem: "jetzt - Dauer", z.B. 10m/2h/7d)
#       * Inhalt:  --addr REGEX (match gegen "user ip message")
#                 --email STR (case-insensitive substring auf user)
#       * Typen:   --only-login / --only-lmtp / --only-imap / --only-pop3
#                 --type REGEX (match gegen Dovecot type/service Token)
#   - Input:
#       * Standard-Log: /var/log/dovecot/dovecot.log
#       * --all:        nimmt zusätzlich .0 und .*.gz
#       * --file:       eigene Logdateien (mehrfach möglich)
#                       Wichtig: Wenn kein absoluter Pfad angegeben ist,
#                       wird automatisch /var/log/dovecot/ vorangestellt.
#   - Ausgabe:
#       * Default: Key/Value Block + Leerzeile als Trenner
#       * --oneline: 1 Zeile TSV (kein Leerzeilentrenner)
#       * --stats: Statistik statt Events (inkl. Matrix/Toplisten)
#   - Live-Modus:
#       * --follow: tail -F (gz-Dateien werden dafür übersprungen)
#
# Anforderungen/Annahmen:
#   - Timestamp steht als erstes Feld in ISO-Format (z.B. 2026-01-17T12:34:56+01:00)
#     => since/until/last funktionieren als Stringvergleich.
#   - Dovecot-Zeilen enthalten "dovecot:"
#
# Beispiele:
#   - Nur Login-Fails (Default logfile):
#       ./dovecot-logreport.sh --only-login --fail
#   - Stats für letzte 6 Stunden:
#       ./dovecot-logreport.sh --all --last 6h --stats
#   - Live follow nur IMAP domain:
#       ./dovecot-logreport.sh --follow --only-imap --email '@example.org'
# -------------------------------------------------------------------

PROG="$(basename "$0")"

# --- Standard-Logverzeichnis / Default-Datei ---
LOGDIR="/var/log/dovecot"
DEFAULT_LOG="${LOGDIR}/dovecot.log"

# --- Optionen ---
FOLLOW=0
ALL=0
ONELINE=0
STATS=0

# Service-/Event-Filter (OR-verknüpft, wenn mehrere gesetzt sind)
ONLY_LOGIN=0
ONLY_LMTP=0
ONLY_IMAP=0
ONLY_POP3=0

# Regex-Filter für type/service
TYPE_RE=""

STATUS_FILTER="all"       # all|success|fail|error
SINCE=""
UNTIL=""
LAST_DUR=""
ADDR_RE=""
EMAIL_NEEDLE=""

# --file kann mehrfach gesetzt werden
declare -a FILES=()

usage() {
  cat <<USAGE
$PROG - Dovecot Log Analyzer

SYNOPSIS
  $PROG [options]

DEFAULTS
  - Default logfile: ${DEFAULT_LOG}
  - Default logdir : ${LOGDIR}
  - If you pass --file with a RELATIVE path (no leading "/"),
    it will be interpreted as: ${LOGDIR}/<yourfile>

INPUT OPTIONS
  --file PATH
      Add a log file to read (can be used multiple times).

      PATH may be:
        - Absolute:  /somewhere/dovecot.log
        - Relative:  dovecot.log.0
          => becomes ${LOGDIR}/dovecot.log.0

      Examples:
        --file dovecot.log
        --file dovecot.log.0
        --file dovecot.log.1.gz
        --file /tmp/test.log

  --all
      Include rotated logs based on the default logfile:
        ${DEFAULT_LOG}
        ${DEFAULT_LOG}.0
        ${DEFAULT_LOG}.*.gz

      Note:
        You can combine --all and --file to add extra files.

  --follow
      Follow the active logfile(s) (tail -F).
      .gz files cannot be followed and will be skipped in follow mode.

TIME FILTERS (ISO8601 recommended)
  --since TS
      Only show entries with timestamp >= TS
      Example:
        --since 2026-01-17T00:00:00

  --until TS
      Only show entries with timestamp <= TS
      Example:
        --until 2026-01-18T23:59:59

  --last DUR
      Convenience: sets --since to "now - DUR" (only if --since is not set).
      DUR format:
        Nm  (minutes)  e.g. 10m
        Nh  (hours)    e.g. 2h
        Nd  (days)     e.g. 7d
      Examples:
        --last 30m
        --last 6h
        --last 1d

CONTENT FILTERS
  --addr REGEX
      Regex match against combined "user ip message".
      Useful for filtering by IP, username, or keywords.
      Example:
        --addr 'rip=188\\.194\\.126\\.134|^188\\.194\\.126\\.134$'
        --addr 'imap-login'

  --email STR
      Case-insensitive substring match against extracted user.
      Works with full mail address, partial, or domain.
      Examples:
        --email 'sales@koma-elektronik.com'
        --email 'sales'
        --email '@koma-elektronik.com'

TYPE / SERVICE FILTERS
  --type REGEX
      Regex match against the extracted Dovecot service token (type).
      Examples:
        --type 'imap-login'
        --type '^(imap|imap-login)$'
        --type 'lmtp|auth'

  --only-login
      Show only login-related events:
        - services ending in "-login" (imap-login, pop3-login)
        - typical login/auth messages (logged in, auth failed, login aborted, ...)

  --only-imap
      Show only IMAP related services (imap + imap-login)

  --only-pop3
      Show only POP3 related services (pop3 + pop3-login)

  --only-lmtp
      Show only LMTP service

RESULT FILTERS
  --success
      Only show classified success events

  --fail
      Only show classified fail events

  --error
      Only show classified error events

OUTPUT OPTIONS
  --oneline
      One line per event (tab separated):
        TS<TAB>TYPE<TAB>RESULT<TAB>IP<TAB>USER<TAB>MESSAGE

  --stats
      Print statistics instead of individual events:
        - By result (success/fail/error/info)
        - By type (Top 20)
        - Top IPs overall + fail-only
        - Top users overall + fail-only
        - Matrix: result@type (Top 30)
        - Fail combos: IP -> user (Top 20)

HELP
  -h, --help
      Show this help

EXAMPLES
  # Default logfile, show all failed login attempts
  $PROG --only-login --fail

  # All rotated logs, stats for brute-force overview (last 6 hours)
  $PROG --all --only-login --last 6h --stats

  # Follow current log, only IMAP, only fail, only a domain
  $PROG --follow --only-imap --fail --email '@example.org'

  # Use relative --file paths (auto-prefixed with ${LOGDIR})
  $PROG --file dovecot.log --file dovecot.log.0 --file dovecot.log.1.gz --stats
USAGE
}

die() { echo "ERROR: $*" >&2; exit 1; }

# -------------------------------------------------------------------
# normalize_path():
#   - If PATH starts with "/" -> keep it (absolute path)
#   - Otherwise -> prefix with LOGDIR
# -------------------------------------------------------------------
normalize_path() {
  local p="$1"
  if [[ "$p" == /* ]]; then
    printf "%s" "$p"
  else
    printf "%s/%s" "$LOGDIR" "$p"
  fi
}

# -------------------------------------------------------------------
# Argumente parsen
# -------------------------------------------------------------------
while [[ $# -gt 0 ]]; do
  case "$1" in
    --file)
      [[ $# -ge 2 ]] || die "--file needs PATH"
      FILES+=("$(normalize_path "$2")")
      shift 2
      ;;
    --all)    ALL=1; shift;;
    --follow) FOLLOW=1; shift;;

    --since) [[ $# -ge 2 ]] || die "--since needs TS"; SINCE="$2"; shift 2;;
    --until) [[ $# -ge 2 ]] || die "--until needs TS"; UNTIL="$2"; shift 2;;
    --last)  [[ $# -ge 2 ]] || die "--last needs DUR (e.g. 10m, 2h, 7d)"; LAST_DUR="$2"; shift 2;;

    --addr)  [[ $# -ge 2 ]] || die "--addr needs REGEX"; ADDR_RE="$2"; shift 2;;
    --email) [[ $# -ge 2 ]] || die "--email needs STR"; EMAIL_NEEDLE="$2"; shift 2;;
    --type)  [[ $# -ge 2 ]] || die "--type needs REGEX"; TYPE_RE="$2"; shift 2;;

    --success) STATUS_FILTER="success"; shift;;
    --fail)    STATUS_FILTER="fail"; shift;;
    --error)   STATUS_FILTER="error"; shift;;

    --only-login) ONLY_LOGIN=1; shift;;
    --only-lmtp)  ONLY_LMTP=1; shift;;
    --only-imap)  ONLY_IMAP=1; shift;;
    --only-pop3)  ONLY_POP3=1; shift;;

    --oneline) ONELINE=1; shift;;
    --stats)   STATS=1; shift;;

    -h|--help) usage; exit 0;;
    *) die "Unknown option: $1";;
  esac
done

# -------------------------------------------------------------------
# --last DUR:
#   If --since is NOT set, compute SINCE as ISO-like timestamp using GNU date.
#   Accepts: Nm, Nh, Nd (minutes/hours/days)
#   Example: 10m, 2h, 7d
# -------------------------------------------------------------------
if [[ -n "${LAST_DUR}" && -z "${SINCE}" ]]; then
  if [[ "${LAST_DUR}" =~ ^([0-9]+)([mhd])$ ]]; then
    n="${BASH_REMATCH[1]}"
    unit="${BASH_REMATCH[2]}"
    case "$unit" in
      m) SINCE="$(date -Is -d "${n} minutes ago")" ;;
      h) SINCE="$(date -Is -d "${n} hours ago")" ;;
      d) SINCE="$(date -Is -d "${n} days ago")" ;;
    esac
  else
    die "--last expects DUR like 10m, 2h, 7d (got: ${LAST_DUR})"
  fi
fi

# -------------------------------------------------------------------
# resolve_files():
#   Legt fest, welche Dateien gelesen werden:
#     - explizite --file(s)
#     - plus optional --all Rotationslogs
#     - sonst default
# -------------------------------------------------------------------
resolve_files() {
  local -a out=()

  # 1) explizit angegebene Dateien
  if [[ ${#FILES[@]} -gt 0 ]]; then
    out+=("${FILES[@]}")
  fi

  # 2) Rotationslogs (basierend auf DEFAULT_LOG)
  if [[ $ALL -eq 1 ]]; then
    local base="$DEFAULT_LOG"
    [[ -f "$base" ]] && out+=("$base")
    [[ -f "${base}.0" ]] && out+=("${base}.0")
    for gz in "${base}".*.gz; do
      [[ -f "$gz" ]] && out+=("$gz")
    done
  fi

  # 3) Fallback: Default
  if [[ ${#out[@]} -eq 0 ]]; then
    [[ -f "$DEFAULT_LOG" ]] || die "Default logfile $DEFAULT_LOG not found. Use --file or --all."
    out+=("$DEFAULT_LOG")
  fi

  # Duplikate entfernen (Reihenfolge bleibt erhalten)
  printf "%s\n" "${out[@]}" | awk '{ if(!seen[$0]++) print $0 }'
}

mapfile -t LOGFILES < <(resolve_files)

# -------------------------------------------------------------------
# Follow: nur nicht-gz Dateien (tail -F kann gz nicht live verfolgen)
# -------------------------------------------------------------------
if [[ $FOLLOW -eq 1 ]]; then
  mapfile -t FOLLOW_FILES < <(printf "%s\n" "${LOGFILES[@]}" | awk '!/\.gz$/')
  [[ ${#FOLLOW_FILES[@]} -gt 0 ]] || die "--follow requested, but only .gz files selected. Add an active log with --file."
fi

# -------------------------------------------------------------------
# POSIX-AWK Parser
#   - kompatibel zu mawk/nawk/busybox awk
# -------------------------------------------------------------------
AWK_SCRIPT='
function tolow(s,   i,c,r) {
  r=""
  for (i=1; i<=length(s); i++) {
    c=substr(s,i,1)
    r=r "" tolower(c)
  }
  return r
}

# classify():
#   Versucht einen Dovecot-Logeintrag grob zu klassifizieren:
#     success / fail / error / info
function classify(msg, m) {
  m=tolower(msg)

  # typische Fail-Muster (Auth/Login)
  if (m ~ /(auth failed|authentication failed|login aborted|password mismatch|unknown user|invalid password|disconnected: auth failed)/) return "fail"

  # typische Error-Muster
  if (m ~ /(fatal|panic|error|critical|internal error|temporary failure)/) return "error"

  # typische Success-Muster
  if (m ~ /(logged in:|stored mail into mailbox|sieve:.*stored mail|connect from)/) return "success"
  if (m ~ /(disconnected: logged out|disconnect .*logged out)/) return "success"

  return "info"
}

# extract_type():
#   Extracts the dovecot service token after "dovecot: ".
#   Examples:
#     "dovecot: imap-login: ..." -> imap-login
#     "dovecot: imap(user@dom):" -> imap
#     "dovecot: lmtp(123):" -> lmtp
function extract_type(line, arr, t) {
  t="-"
  if (match(line, /dovecot: [^: ]+/, arr)) {
    t=substr(arr[0], length("dovecot: ")+1)
    sub(/\(.*/, "", t)
  }
  return t
}

# extract_user():
#   Tries to extract a user/mailbox from common patterns.
function extract_user(line, arr, u) {
  if (match(line, /user=<[^>]+>/, arr)) {
    return substr(arr[0], 7, length(arr[0])-7-1)
  }

  if (match(line, /: (imap|pop3|lmtp)\([^)]*\)/, arr)) {
    u=arr[0]
    sub(/^: (imap|pop3|lmtp)\(/, "", u)
    sub(/\)$/, "", u)
    return u
  }

  if (match(line, /: lmtp\([^)]*\)</, arr)) {
    u=arr[0]
    sub(/^: lmtp\(/, "", u)
    sub(/<$/, "", u)
    return u
  }

  if (match(line, /: auth\([^,]+,/, arr)) {
    u=arr[0]
    sub(/^: auth\(/, "", u)
    sub(/,$/, "", u)
    return u
  }

  return "-"
}

# extract_ip():
#   Extracts remote IP from patterns like "rip=1.2.3.4"
#   or auth(user,IP,sasl:...)
function extract_ip(line, arr, s) {
  if (match(line, /rip=[^ ,]+/, arr)) {
    return substr(arr[0], 5)
  }

  if (match(line, /: auth\([^,]+,[^,]+,/, arr)) {
    s=arr[0]
    sub(/^: auth\([^,]+,/, "", s)
    sub(/,.*/, "", s)
    return s
  }

  return "-"
}

# is_login_event():
#   Heuristik: identifiziert Login/Auth Events
function is_login_event(type, msg, m) {
  if (type ~ /-login$/) return 1
  m=tolower(msg)
  if (m ~ /(logged in:|auth failed|authentication failed|login aborted|invalid password|unknown user)/) return 1
  return 0
}

# service_match():
#   only_* Filter: Wenn keiner gesetzt -> alles ok.
#   Wenn mind. einer gesetzt -> OR-Verknüpfung:
#     - only_lmtp: type == lmtp
#     - only_imap: imap oder imap-login
#     - only_pop3: pop3 oder pop3-login
#     - only_login: is_login_event() true
function service_match(type, msg, only_login, only_lmtp, only_imap, only_pop3) {
  if (only_login==0 && only_lmtp==0 && only_imap==0 && only_pop3==0) return 1

  if (only_lmtp==1 && type=="lmtp") return 1
  if (only_imap==1 && (type=="imap" || type=="imap-login")) return 1
  if (only_pop3==1 && (type=="pop3" || type=="pop3-login")) return 1
  if (only_login==1 && is_login_event(type, msg)==1) return 1

  return 0
}

# type_regex_match():
#   Optionaler --type Filter (regex gegen type token)
function type_regex_match(type, typere) {
  if (typere == "") return 1
  if (type ~ typere) return 1
  return 0
}

# ---- STATS helper: sort and print top N ----
function print_top_sorted(title, arr, n,   k,i,j,keys,tmp) {
  print title
  i=0
  for (k in arr) { i++; keys[i]=k }

  for (i=1; i<=length(keys); i++) {
    for (j=i+1; j<=length(keys); j++) {
      if (arr[keys[j]] > arr[keys[i]]) {
        tmp=keys[i]; keys[i]=keys[j]; keys[j]=tmp
      }
    }
  }

  for (i=1; i<=length(keys) && i<=n; i++) {
    printf "  %7d  %s\n", arr[keys[i]], keys[i]
  }
  print ""
}

# ---- STATS helper: sort and print top N for matrix-like keys ----
function print_matrix(title, arr, n,   k,i,j,keys,tmp) {
  print title
  i=0
  for (k in arr) { i++; keys[i]=k }

  for (i=1; i<=length(keys); i++) {
    for (j=i+1; j<=length(keys); j++) {
      if (arr[keys[j]] > arr[keys[i]]) {
        tmp=keys[i]; keys[i]=keys[j]; keys[j]=tmp
      }
    }
  }

  for (i=1; i<=length(keys) && i<=n; i++) {
    printf "  %7d  %s\n", arr[keys[i]], keys[i]
  }
  print ""
}

BEGIN {
  since = ENVIRON["SINCE"]
  until = ENVIRON["UNTIL"]
  addrre = ENVIRON["ADDR_RE"]
  want = ENVIRON["STATUS_FILTER"]
  oneline = ENVIRON["ONELINE"] + 0
  stats = ENVIRON["STATS"] + 0

  emailneedle = tolower(ENVIRON["EMAIL_NEEDLE"])

  onlylogin = ENVIRON["ONLY_LOGIN"] + 0
  onlylmtp  = ENVIRON["ONLY_LMTP"] + 0
  onlyimap  = ENVIRON["ONLY_IMAP"] + 0
  onlypop3  = ENVIRON["ONLY_POP3"] + 0

  typere = ENVIRON["TYPE_RE"]
  total=0
}

{
  line=$0
  if (line !~ /dovecot:/) next

  # Timestamp (ISO) steht am Anfang
  ts=$1
  if (since != "" && ts < since) next
  if (until != "" && ts > until) next

  type = extract_type(line)

  # --type Filter
  if (type_regex_match(type, typere) == 0) next

  # Message: alles nach "dovecot: "
  msg=line
  sub(/^.*dovecot: /, "", msg)

  # only_* Filter
  if (service_match(type, msg, onlylogin, onlylmtp, onlyimap, onlypop3) == 0) next

  user = extract_user(line)
  ip   = extract_ip(line)

  res = classify(msg)

  # Ergebnisfilter
  if (want == "success" && res != "success") next
  if (want == "fail"    && res != "fail") next
  if (want == "error"   && res != "error") next

  # addr filter: regex gegen "user ip msg"
  hay = user " " ip " " msg
  if (addrre != "" && hay !~ addrre) next

  # email filter: substring nur gegen user
  if (emailneedle != "" && index(tolower(user), emailneedle) == 0) next

  total++

  # Stats sammeln
  if (stats == 1) {
    c_res[res]++
    c_type[type]++
    c_res_type[res "@" type]++

    if (ip != "-") {
      c_ip[ip]++
      if (res == "fail") c_ip_fail[ip]++
    }

    if (user != "-") {
      c_user[user]++
      if (res == "fail") c_user_fail[user]++
    }

    if (res == "fail" && ip != "-" && user != "-") {
      c_fail_ip_user[ip " -> " user]++
    }

    next
  }

  # Eventausgabe
  if (oneline == 1) {
    printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, type, res, ip, user, msg
    next
  }

  print "time:      " ts
  print "type:      " type
  print "client-ip: " ip
  print "user:      " user
  print "result:    " res
  print "message:   " msg
  print ""
}

END {
  if (stats != 1) exit

  print "Events: " total
  print ""

  print "By result"
  printf "  %7d  success\n", c_res["success"]+0
  printf "  %7d  fail\n",    c_res["fail"]+0
  printf "  %7d  error\n",   c_res["error"]+0
  printf "  %7d  info\n",    c_res["info"]+0
  print ""

  print_top_sorted("By type (Top 20)", c_type, 20)

  print_top_sorted("Top client IPs (overall, Top 10)", c_ip, 10)
  print_top_sorted("Top client IPs (fail only, Top 10)", c_ip_fail, 10)

  print_top_sorted("Top users (overall, Top 10)", c_user, 10)
  print_top_sorted("Top users (fail only, Top 10)", c_user_fail, 10)

  print_matrix("Matrix result@type (Top 30)", c_res_type, 30)

  print_top_sorted("Fail combos IP -> user (Top 20)", c_fail_ip_user, 20)
}
'

# -------------------------------------------------------------------
# run_pipeline():
#   Liest die ausgewählten Files (inkl. .gz über zcat -f) und pipe't
#   in awk. In --follow Mode: tail -F auf nicht-gz Dateien.
# -------------------------------------------------------------------
run_pipeline() {
  local f

  if [[ $FOLLOW -eq 1 ]]; then
    tail -F "${FOLLOW_FILES[@]}" | \
      env SINCE="$SINCE" UNTIL="$UNTIL" ADDR_RE="$ADDR_RE" EMAIL_NEEDLE="$EMAIL_NEEDLE" TYPE_RE="$TYPE_RE" \
          ONLY_LOGIN="$ONLY_LOGIN" ONLY_LMTP="$ONLY_LMTP" ONLY_IMAP="$ONLY_IMAP" ONLY_POP3="$ONLY_POP3" \
          STATUS_FILTER="$STATUS_FILTER" ONELINE="$ONELINE" STATS="$STATS" \
      awk "$AWK_SCRIPT"
    return
  fi

  {
    for f in "${LOGFILES[@]}"; do
      if [[ "$f" =~ \.gz$ ]]; then
        zcat -f -- "$f" 2>/dev/null || true
      else
        cat -- "$f" 2>/dev/null || true
      fi
    done
  } | env SINCE="$SINCE" UNTIL="$UNTIL" ADDR_RE="$ADDR_RE" EMAIL_NEEDLE="$EMAIL_NEEDLE" TYPE_RE="$TYPE_RE" \
          ONLY_LOGIN="$ONLY_LOGIN" ONLY_LMTP="$ONLY_LMTP" ONLY_IMAP="$ONLY_IMAP" ONLY_POP3="$ONLY_POP3" \
          STATUS_FILTER="$STATUS_FILTER" ONELINE="$ONELINE" STATS="$STATS" \
      awk "$AWK_SCRIPT"
}

run_pipeline