#!/bin/bash
#####
#
# +===================================================+
# |                 © 2019 Privex Inc.                |
# |               https://www.privex.io               |
# +===================================================+
# |                                                   |
# |        JS File Integrity Generator                |
# |        Designed for use by CDNs                   |
# |                                                   |
# |        License: X11/MIT                           |
# |                                                   |
# |        Core Developer(s):                         |
# |                                                   |
# |          (+)  Chris (@someguy123) [Privex]        |
# |                                                   |
# +===================================================+
#
#####
# Usage:
#
#  - Place this bash file inside a folder which contains JS files (even in sub-folders)
#  - Mark it executable with `chmod +x integrity_gen.sh`
#  - Run it with `./integrity_gen.sh > integrity.txt` (saves output to integrity.txt)
#

# directory where the script is located, so we can source files regardless of where PWD is
export DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

EXCLUDE_PATHS=(
    'lib/semanticui/Semantic-UI'
    'lib/semanticui/2.4.2/components'
    'lib/eosjs/.eosjs'
    'lib/clipboard/src'
    'lib/scatter-js/.scatter-js'
    'lib/simple-jsonrpc/.src'
    'lib/simple-jsonrpc/.privex-src'
    'lib/simplemde/.simplemde'
    'lib/highlightjs/.highlightjs'
)

# Base URL (generally with https) that your CDN is located at, for generating script tag examples
# Should NOT end with a slash.
: ${CDN_URL='https://cdn.privex.io'}
export CDN_URL

echo "
#####
#
# +===================================================+
# |                 © 2019 Privex Inc.                |
# |               https://www.privex.io               |
# +===================================================+
# |                                                   |
# |        HTML Asset File Integrity Generator        |
# |        Designed for use by CDNs                   |
# |                                                   |
# |        License: X11/MIT                           |
# |                                                   |
# |        Core Developer(s):                         |
# |                                                   |
# |          (+)  Chris (@someguy123) [Privex]        |
# |                                                   |
# +===================================================+
#
#####
"

echo "This is a list of .js files found in this folder, followed by their SHA384 sum"
echo "The list has been generated by Privex Inc's (https://www.privex.io) integrity checking script, which can be found here:"
echo
echo "Integrity Checker Bash Script:     https://cdn.privex.io/integrity_gen.sh"
echo
echo "You can use these sums inside of script tags to help prevent the risk of tampering, however it will cause updates to break your site."
echo "Example usage:"
echo
echo -e "\t <script "
echo -e "\t  src=\"https://example.com/example-framework.js\" "
echo -e "\t  integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\" "
echo -e "\t  crossorigin=\"anonymous\">"
echo -e "\t </script>\n"
echo -e "To force browsers to check the integrity of all script files, set the following CSP:\n"
echo -e "\t Content-Security-Policy: require-sri-for script;\n"
echo -e "To force browsers to check the integrity of all CSS (style) files, set the following CSP:\n"
echo -e "\t Content-Security-Policy: require-sri-for style;\n"
echo -e "This integrity list was last updated at: $(date)\n"
echo "
#######################################################

Below this notice, you will find (in order):

 - sha384 base64 hashes for most JS files on this CDN (some spammy source ones generally only used for compilation may be excluded)
 - sha384 base64 hashes for most CSS files on this CDN (some spammy source ones generally only used for compilation may be excluded)
 - A list of <script> tags which link directly to each JS file on our CDN, with the 'integrity' attribute and 'crossorigin' 
   attribute already added (just copy and paste into your HTML project)
 - A list of <link> tags which link directly to each CSS file on our CDN, with the 'integrity' attribute and 'crossorigin' 
   attribute already added (just copy and paste into your HTML project)

For https://cdn.privex.io - this file is automatically updated every 5 minutes. If you're viewing this on another CDN provider, they may
run the checker script more, or less often.

#######################################################
"

echo "--- BEGIN INTEGRITY LIST ---"
echo

# Find all files ending in `.js` or `.css` within the folder this script is in (+ sub-folders)
# then output their relative path + SHA384 Base64 Sum
#export _JS_FILES=$(find . -path '*/node_modules/*' -prune -o -name '*.js' -print)

export JS_FILES=()
export CSS_FILES=()

is_excluded() {
    for ex in "${EXCLUDE_PATHS[@]}"; do
        if grep -q "$ex" <<< "$1"; then return 1; fi
    done
    return 0
}

while IFS= read -d $'\0' -r file ; do
    is_excluded "$file" || continue
    CSS_FILES=("${CSS_FILES[@]}" "$file")
done < <(find "$DIR" -path '*/node_modules/*' -prune -o -name '*.css' -print0)

while IFS= read -d $'\0' -r file ; do
    is_excluded "$file" || continue
    JS_FILES=("${JS_FILES[@]}" "$file")
done < <(find "$DIR" -path '*/node_modules/*' -prune -o -name '*.js' -print0)

declare -A JS_HASHES
declare -A CSS_HASHES

export JS_HASHES=()
export CSS_HASHES=()

hash_file() {
    local f="$1"
    cat "$f" | openssl dgst -sha384 -binary | openssl base64 -A
    return 0
}

for i in "${JS_FILES[@]}"; do
    relpath=$(realpath --relative-to="$DIR" "$i" | tr -d "\n")
    fhash=$(hash_file "$i")
    JS_HASHES[$relpath]="$fhash"
done
for i in "${CSS_FILES[@]}"; do
    relpath=$(realpath --relative-to="$DIR" "$i" | tr -d "\n")
    fhash=$(hash_file "$i")
    CSS_HASHES["$relpath"]="$fhash"
done

echo -e "\n === JS File Hashes: === \n"
{
    for i in "${!JS_HASHES[@]}"; do
        echo -e "${i}\tsha384-${JS_HASHES[$i]}"
    done
} | sort | column -t

echo -e "\n === CSS File Hashes: === \n"
{
    for i in "${!CSS_HASHES[@]}"; do
        echo -e "${i}\tsha384-${CSS_HASHES[$i]}"
    done
} | sort | column -t

echo
echo "--- END INTEGRITY LIST ---"
echo

echo "=== Easy copy <script> and <link> tags for JS / CSS ==="

echo -e "\n----------- Script Tags -----------\n"
{
    for i in "${!JS_HASHES[@]}"; do
        echo -e "<script src=\"${CDN_URL}/$i\" integrity=\"sha384-${JS_HASHES[$i]}\" crossorigin=\"anonymous\"></script>\n"
    done
} | sort | tr -s "\n"

echo -e "\n----------- Link Tags -----------\n"
{
    for i in "${!CSS_HASHES[@]}"; do
        echo -e "<link rel=\"stylesheet\" type=\"text/css\" href=\"${CDN_URL}/$i\" integrity=\"sha384-${CSS_HASHES[$i]}\" crossorigin=\"anonymous\" />\n"
    done
} | sort | tr -s "\n"

echo