#!/bin/bash
# Site settings (SYSMNT is read below) come from the init variables file.
# NOTE(review): it is sourced before PATH is pinned, so commands it runs resolve
# through the inherited PATH — confirm that is intended.
. /etc/initvars

# ANSI colour sequences; stored literally and expanded later by `echo -e`.
red='\033[0;31m'
green='\033[1;32m'
default='\033[0m'

# Only system directories from here on.
PATH='/bin:/usr/bin:/sbin:/usr/sbin'

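setfingerprint () {
    #######################################
    # Create the fingerprint file: boot partition id and checksum, kernel
    # cmdline and per-module checksums, then clearsign it with gpg.
    # Globals:   fprint (written), SYSMNT (read)
    # Outputs:   progress messages on stdout, errors on stderr
    # Returns:   exits 1 when the boot partition cannot be identified
    #######################################

    # Record PARTUUID and md5 of the EFI partition.
    # NOTE(review): MD5 is kept because check() parses the BOOTPARTMD5 line;
    # it detects accidental change, not a deliberately crafted collision.
    setbootloader () {
	local part uuid sum
	part=$(realpath /dev/disk/by-label/BARIUM_EFI)
	# Fall back to asking when the label is missing or not a block device;
	# -b also rejects a mistyped answer before blkid/md5sum touch it.
	if [ ! -b "$part" ] ; then
	    echo "Please enter boot partition device name ( aka /dev/sda1)"
	    read -r part
	fi
	uuid=$(blkid "$part" -s PARTUUID -o value)
	if [ -z "$uuid" ] ; then
	    echo "Unknown device $part" >&2
	    exit 1
	fi
	# Reads the whole partition.
	sum=$(md5sum -- "$part" | cut -f1 -d ' ')
	printf 'BOOTPARTUUID=%s\n' "$uuid" >> "$fprint"
	printf 'BOOTPARTMD5=%s\n' "$sum" >> "$fprint"
    }

    # Record an md5 line for every module not covered by the base layer.
    setmodules () {
	local module key
	# The single quotes are intentional: barium expands these placeholders
	# itself. Module paths are assumed to contain no whitespace — TODO confirm.
	# shellcheck disable=SC2046
	for module in $(barium ls --hidetop --raw '$dname_source/$bname_source') ; do
	    echo "$module processing..."
	    key=$(echo "$module" | cut -f 5,6 -d '/')
	    # NOTE(review): this matches path components 5-6 against the
	    # _REPOLIST *path string*, not the file's contents, whereas check()
	    # greps the file for the module basename — confirm which is meant.
	    if ! echo "$SYSMNT/layer-base/0/_REPOLIST" | grep -q -- "$key" ; then
		printf 'md5sum %s#%s\n' "$module" "$(md5sum -- "$module" | cut -f1 -d ' ')" >> "$fprint"
	    fi
	done
    }

    # Clearsign $fprint; on success only the .signed copy is kept.
    sign () {
	local pts
	# Presumably so gpg's pinentry can open the terminal when the script
	# runs with a different effective user — confirm.
	if pts=$(tty) ; then
	    chown "$(id -un)" "$pts"
	fi
	if gpg --output "${fprint}.signed" --clearsign "$fprint" ; then
	    rm -f -- "$fprint"
	else
	    echo "Error. $fprint not signed." >&2
	    echo "Try creating gpg keys and try again" >&2
	    echo "gpg --full-generate-key" >&2
	fi
    }

    # Record the kernel command line the system booted with.
    cmdline () {
	printf 'CMDLINE=%s\n' "$(cat /proc/cmdline)" >> "$fprint"
    }

    setbootloader
    cmdline
    setmodules
    sign
}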

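check () {
    #######################################
    # Compare the running system with the recorded fingerprint.
    # Globals:   fprint, SYSMNT (read); EXITCODE, WARNINGS, NONTRUSTED (written)
    # Outputs:   one "-- OK" / "-- Warning!" line per check, then a report of
    #            executables in untrusted layers
    # Returns:   number of failed checks (0 when everything matched)
    #######################################
    local fdata
    EXITCODE=0

    # Prefer the clearsigned copy. An unsigned file is accepted with a warning
    # and a bad signature only pauses for confirmation: the script is
    # informational and deliberately fails open here.
    if ! [ -f "${fprint}.signed" ] ; then
	echo "Warning! Fingerprint file not signed!"
	fdata=$(cat -- "$fprint" 2>/dev/null)
    else
	# --verify succeeds for a good signature from any key in the keyring;
	# it does not pin the key the fingerprint was signed with.
	if ! gpg --verify "${fprint}.signed" ; then
	    echo "Error! Fingerprint file compromised!"
	    echo "ENTER to continue, ctrl-c to abort"
	    read -r _
	fi
	# Decrypt once; the helpers grep the in-memory copy.
	fdata=$(gpg -q --decrypt "${fprint}.signed" 2>/dev/null)
    fi

    _check_bootpart "$fdata"
    _check_cmdline "$fdata"
    _check_modules "$fdata"
    _report_nontrusted
    return "$EXITCODE"
}

# Compare the recorded boot partition md5 with the live partition.
# Arguments: $1 - fingerprint contents
_check_bootpart () {
    local fdata=$1 uuid recorded actual=''
    uuid=$(sed -n 's/^BOOTPARTUUID=//p' <<<"$fdata")
    recorded=$(sed -n 's/^BOOTPARTMD5=//p' <<<"$fdata")
    if [ -n "$uuid" ] ; then
	actual=$(md5sum -- "/dev/disk/by-partuuid/$uuid" | cut -f1 -d ' ')
    fi
    # An empty value on either side is a failure. The previous unquoted test
    # produced a syntax error for an empty value and fell through to "OK".
    if [ -z "$recorded" ] || [ -z "$actual" ] || [ "$recorded" != "$actual" ] ; then
	echo_exit "Boot partition compromised!"
	EXITCODE=$(( EXITCODE + 1 ))
    else
	checked "Bootloaders partition"
    fi
}

# Compare the recorded kernel cmdline with /proc/cmdline.
# Arguments: $1 - fingerprint contents
_check_cmdline () {
    local fdata=$1 recorded actual
    recorded=$(sed -n 's/^CMDLINE=//p' <<<"$fdata")
    actual=$(cat /proc/cmdline)
    if [ "$recorded" != "$actual" ] ; then
	echo_exit "kernel cmdline modified"
	EXITCODE=$(( EXITCODE + 1 ))
    else
	checked "Kernel cmdline"
    fi
}

# Check every module: flagged by `barium update -cl`, listed in the base
# layer repo list, or compared against its recorded md5.
# Arguments: $1 - fingerprint contents
_check_modules () {
    local fdata=$1 module name recorded actual
    WARNINGS=$(barium update -cl 2>&1 | grep 'not equal')
    NONTRUSTED=''
    # The single quotes are intentional: barium expands these placeholders
    # itself. Module paths are assumed to contain no whitespace — TODO confirm.
    # shellcheck disable=SC2046
    for module in $(barium ls --hidetop --raw '$dname_source/$bname_source') ; do
	name=$(basename -- "$module")
	# A module barium already reports as "not equal" is untrusted; it is
	# counted like an md5 mismatch (the previous `&& continue` after
	# echo_exit never ran, so it silently fell through to the md5 check).
	if grep -qF -- "$name" <<<"$WARNINGS" ; then
	    EXITCODE=$(( EXITCODE + 1 ))
	    echo_exit "Check $module"
	    NONTRUSTED="$module $NONTRUSTED"
	    continue
	fi
	if grep -qw -- "$name" "${SYSMNT}/layer-base/0/_REPOLIST" ; then
	    checked "Check $module"
	    continue
	fi
	# Exact-line lookup: the trailing '#' stops /a/b from matching /a/bc.
	recorded=$(grep -F -- "md5sum ${module}#" <<<"$fdata")
	recorded=${recorded##*#}
	if [ -z "$recorded" ] ; then
	    EXITCODE=$(( EXITCODE + 1 ))
	    echo_exit "Unknown $module"
	    NONTRUSTED="$module $NONTRUSTED"
	    continue
	fi
	actual=$(md5sum -- "$module" | cut -f1 -d ' ')
	# A missing/unreadable module yields an empty md5 and must not pass.
	if [ -z "$actual" ] || [ "$recorded" != "$actual" ] ; then
	    EXITCODE=$(( EXITCODE + 1 ))
	    echo_exit "Check $module"
	    NONTRUSTED="$module $NONTRUSTED"
	else
	    checked "Check $module"
	fi
    done
}

# Print the barium warnings and the executable files found in the changes
# layer and in each untrusted module's bundle (first 20 per bundle).
_report_nontrusted () {
    local a bundle f str_n
    local rewrite='\e[25D\e[1A\e[K'
    local rule='============================================================================='
    echo -e "\nBarium update -cl warnings:\n$rule"
    # Quoted so each warning stays on its own line.
    echo "$WARNINGS"
    echo -e "\nExecutable files in non trusted layers:"
    echo -e "\nChanges:\n$rule"
    find "$SYSMNT/changes" -executable -type f
    for a in $NONTRUSTED ; do
	bundle=$(barium ls --raw '$bundle $dname_source/$bname_source' | grep -F -- "$a")
	echo -e "\n${a}:\n$rule"
	str_n=0
	# Process substitution keeps str_n in this shell; reset per bundle.
	# $bundle is left unquoted on purpose: barium prints two fields that
	# find receives as separate arguments — TODO confirm.
	# shellcheck disable=SC2086
	while IFS= read -r f ; do
	    str_n=$(( str_n + 1 ))
	    if [ "$str_n" -gt 20 ] ; then
		# Overwrite the previous line; "other" counts files beyond the 20 shown.
		echo -e "${rewrite}And $(( str_n - 20 )) other non trusted executable files..."
	    else
		echo "$f"
	    fi
	done < <(find $bundle -executable -type f)
    done
}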

#######################################
# Print a green "OK" result line.
# Globals:   green, default (read)
# Arguments: message words, joined by single spaces
# Outputs:   "<message> -- OK" on stdout (escapes in the message are expanded)
#######################################
checked () {
    local msg="$*"
    printf '%b\n' "${msg} -- ${green}OK${default}"
}

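#######################################
# Print a red "Warning!" result line and optionally terminate the script.
# Globals:   red, default (read)
# Arguments: $1 - message; $2 - optional exit status; when given, exit with it
# Outputs:   "<message> -- Warning!" on stdout
# Returns:   0 when no exit status is given, so `echo_exit "..." && continue`
#            chains work (the previous `[ $2 ] && exit $2` returned 1 here)
#######################################
echo_exit () {
    printf '%b\n' "$1 -- ${red}Warning!${default}"
    if [ -n "${2:-}" ] ; then
	exit "$2"
    fi
    return 0
}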

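# The fingerprint lives on layer-base/1; warn when that filesystem is not a
# device-mapper (dm-crypt) volume, since an unencrypted fingerprint can be
# rewritten by whoever tampers with the system. Heuristic: df source column.
if ! df -- "$SYSMNT/layer-base/1/" | grep -q '/dev/mapper/' ; then
    echo "Warning, partition for fingerprint file not encrypted,"
    echo "this use cannot be considered protection."
    echo ''
fi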

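# Entry point: verify against an existing fingerprint (plain or clearsigned),
# otherwise create one.
fprint="$SYSMNT/layer-base/1/fingerprint"
if [ -f "$fprint" ] || [ -f "${fprint}.signed" ] ; then
    echo "fingerprint found"
    check
else
    echo "fingerprint not found"
    setfingerprint
fi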
