bin/verify_treehashes

#!/usr/bin/env bash

## This file exists just as a simple sanity check for the user, and for debugging purposes.

# Load common tools
CRYPTIC_REPO="$( dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )" )"
source "${CRYPTIC_REPO}/lib/argparse.sh"
source "${CRYPTIC_REPO}/lib/common.sh"
source "${CRYPTIC_REPO}/lib/yaml_extraction_prologue.sh"

# Get the repository root
find_repository_root

# Look for the repo key
find_repo_key

# Get paths to our yml files
find_yaml_paths "${1:-}"

for YAML_PATH in ${YAML_PATHS[@]}; do
    # Extract treehash glob patterns from the YAML
    readarray -t PIPELINE_TREEHASH_TRIPLETS < <(extract_pipeline_treehashes "${YAML_PATH}")

    vecho "Parsed out ${#PIPELINE_TREEHASH_TRIPLETS[@]} pipelines being launched."

    # Decrypt encrypted variables
    SHOULD_FAIL="false"
    for TRIPLET in "${PIPELINE_TREEHASH_TRIPLETS[@]}"; do
        PIPELINE_PATH="$(cut -d'&' -f1 <<<"${TRIPLET}" | tr -d '"')"
        PIPELINE_TREEHASH="$(cut -d'&' -f2 <<<"${TRIPLET}" | tr -d '"')"
        PIPELINE_ENCRYPTED_TREEHASH="$(cut -d'&' -f3 <<<"${TRIPLET}" | tr -d '"')"
        PIPELINE_TREEHASH_FILESOURCE="$(cut -d'&' -f4 <<<"${TRIPLET}" | tr -d '"')"

        # Compare decrypted treehash with calculated treehash
        PIPELINE_DECRYPTED_TREEHASH="$(base64dec <<<"${PIPELINE_ENCRYPTED_TREEHASH}" | decrypt_aes "${REPO_KEY_PATH}" 2>/dev/null || true)"
        if [[ "${PIPELINE_DECRYPTED_TREEHASH}" == "${PIPELINE_TREEHASH}" ]]; then
            echo "[${YAML_PATH}] -> ${PIPELINE_PATH}: ✔️"
        else
            echo "[${YAML_PATH}] -> ${PIPELINE_PATH}: ❌"
            echo "    Expected: ${PIPELINE_DECRYPTED_TREEHASH}"
            echo "  Calculated: ${PIPELINE_TREEHASH}"
            SHOULD_FAIL="true"
        fi
    done
done

if [[ ${SHOULD_FAIL} != "false" ]]; then
    exit 1
fi