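#!/bin/bash
# shellcheck disable=2181
#
# Build an offline pnpm store for bash-language-server and pack it as a
# vendor tarball next to the RPM spec.
#
# Usage:    run from the package directory that contains the .spec file.
# Requires: rpmspec, wget, tar (with --zstd), pnpm, nproc, GNU find/xargs/grep.
# Outputs:  ./<name>-<version>-vendor.tar.zst in the package directory, plus
#           the upstream source tarball if it was not already present.
set -euo pipefail

# Source0 and Version are taken from the expanded spec so the vendor tarball
# always corresponds to the exact upstream release the RPM build will use.
BASHLS_URL="$(rpmspec -P ./*.spec | grep Source0 | sed -e 's/Source0:[ ]*//g')"
BASHLS_TARBALL="$(basename "${BASHLS_URL}")"
BASHLS_PKGVERSION="$(rpmspec -P ./*.spec | grep ^Version | sed -e 's/Version:[ ]*//g')"
BASHLS_PKGNAME="bash-language-server"
BASHLS_PKGDIR="$(pwd)"
BASHLS_TMPDIR="$(mktemp --tmpdir -d bashls-XXXXXXXX)"
BASHLS_PATH="${BASHLS_TMPDIR}/${BASHLS_PKGNAME}-server-${BASHLS_PKGVERSION}"
readonly BASHLS_URL BASHLS_TARBALL BASHLS_PKGVERSION BASHLS_PKGNAME
readonly BASHLS_PKGDIR BASHLS_TMPDIR BASHLS_PATH

# 1 while the script is inside BASHLS_PATH, so cleanup can popd before
# removing the directory it is standing in.
PUSHED=0
# Set once the extracted tree has been entered (see extract_source).
PNPM_STORE_DIR=""

#######################################
# Leave the work tree (if entered) and remove the temporary directory.
# Globals:  PUSHED (read/written), BASHLS_TMPDIR (read)
# Outputs:  progress message to stdout
#######################################
cleanup() {
  if [ "${PUSHED}" -eq 1 ]; then
    popd 2>/dev/null || true
    PUSHED=0
  fi
  if [ -n "${BASHLS_TMPDIR}" ] && [ -d "${BASHLS_TMPDIR}" ]; then
    echo "Cleaning up temporary directory..."
    rm -rf -- "${BASHLS_TMPDIR}"
  fi
}

# EXIT covers every exit path, including the explicit exits below. A plain
# INT handler would return and let the script carry on after Ctrl-C, so the
# INT trap exits (with the conventional 128+SIGINT status) and thereby
# triggers the EXIT cleanup exactly once.
trap cleanup EXIT
trap 'exit 130' INT

#######################################
# Terminate the script; the EXIT trap performs the cleanup.
# Arguments: $1 - exit status (default 0)
#######################################
cleanup_and_exit() {
  exit "${1:-0}"
}

#######################################
# Ask the operator for an explicit "yes"; anything else aborts with status 1.
# Arguments: $1 - prompt text
#            $2 - message printed when aborting
# Globals:   REPLY (written by read)
#######################################
confirm_or_abort() {
  local prompt=$1
  local abort_msg=$2
  read -p "${prompt}" -r
  if [[ ! $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
    echo "${abort_msg}"
    cleanup_and_exit 1
  fi
}

#######################################
# Download the upstream tarball unless it already exists in the package dir.
# Globals:  BASHLS_TARBALL, BASHLS_URL (read)
#######################################
fetch_source_tarball() {
  # Existence is what matters here; a read-only but complete tarball must
  # not trigger a second download.
  if [ -f "${BASHLS_TARBALL}" ]; then
    return 0
  fi
  echo ">>>>>> Downloading source tarball"
  # Download to a .part name so a failed transfer never leaves a truncated
  # file that the next run would mistake for a complete tarball.
  # NOTE(review): nothing here verifies the tarball against a checksum or
  # signature; the integrity of the build input rests on the Source0 URL
  # alone. Confirm that the packaging workflow verifies it elsewhere.
  if ! wget -O "${BASHLS_TARBALL}.part" "${BASHLS_URL}"; then
    rm -f -- "${BASHLS_TARBALL}.part"
    echo "ERROR: Failed to download source tarball"
    cleanup_and_exit 1
  fi
  mv -- "${BASHLS_TARBALL}.part" "${BASHLS_TARBALL}"
}

#######################################
# Unpack the tarball into the temp dir and enter the extracted tree.
# Globals:  BASHLS_TARBALL, BASHLS_TMPDIR, BASHLS_PATH (read)
#           PUSHED, PNPM_STORE_DIR (written)
#######################################
extract_source() {
  echo ">>>>>> Extracting source tarball"
  if ! tar -xf "${BASHLS_TARBALL}" -C "${BASHLS_TMPDIR}"; then
    echo "ERROR: Failed to extract tarball"
    cleanup_and_exit 1
  fi
  if ! pushd "${BASHLS_PATH}"; then
    echo "ERROR: Failed to change to directory ${BASHLS_PATH}"
    cleanup_and_exit 1
  fi
  PUSHED=1
  # The store lives inside the extracted tree; it is what gets packaged.
  PNPM_STORE_DIR="$(pwd)/.pnpm-store"
}

#######################################
# Populate the pnpm store from the lockfile and link it offline.
# Globals:  PNPM_STORE_DIR (read)
#######################################
install_node_modules() {
  echo ">>>>>> Fetching node modules"
  if ! pnpm fetch --frozen-lockfile --store-dir "${PNPM_STORE_DIR}"; then
    echo "ERROR: pnpm fetch failed"
    cleanup_and_exit 1
  fi
  echo ">>>>>> Installing node modules"
  # We don't want to run postinstall script for vscode
  if ! pnpm install --frozen-lockfile --offline --ignore-scripts --store-dir "${PNPM_STORE_DIR}"; then
    echo "ERROR: pnpm install failed"
    cleanup_and_exit 1
  fi
}

#######################################
# Run pnpm audit; high/critical findings require operator confirmation.
# Globals:  BASHLS_PATH (read)
#######################################
run_audit() {
  echo ">>>>>> Running security audit"
  if pnpm audit --audit-level=high; then
    return 0
  fi
  echo ""
  echo "WARNING: Security vulnerabilities found (high or critical severity)"
  echo "Run 'pnpm audit' manually in ${BASHLS_PATH} for details"
  echo ""
  confirm_or_abort "Continue despite vulnerabilities? (yes/no): " \
    "Aborting due to security vulnerabilities"
}

#######################################
# Heuristic scan of the store for indicators of compromised packages.
# Each indicator only increments a counter; the decision stays with the
# operator. Heuristics of this kind produce false positives and miss
# anything not matching the literal patterns.
# Globals:  PNPM_STORE_DIR (read)
#######################################
scan_for_malicious_patterns() {
  local issues=0
  local hit
  echo ">>>>>> Running security checks for malicious patterns"
  # Check for Shai-Hulud worm patterns
  # - Self-replicating code that modifies package.json
  # - Suspicious preinstall/postinstall hooks
  # - Hidden Unicode characters
  # - Obfuscated code patterns
  #
  # NOTE(review): the --include / -name filters below select files by their
  # original names (*.js, package.json). If the pnpm store keeps files under
  # content hashes without those names, every grep here matches nothing and
  # the checks pass vacuously — confirm against the actual store layout.

  echo " - Checking for suspicious install hooks..."
  if grep -r "preinstall\|postinstall\|preuninstall" "${PNPM_STORE_DIR}" --include="package.json" | grep -i "curl\|wget\|eval\|exec\|child_process" > /dev/null 2>&1; then
    echo " WARNING: Found suspicious install hooks with network/exec calls"
    issues=$((issues + 1))
  fi

  echo " - Checking for obfuscated code..."
  # Stop at the first matching file. Under pipefail the former
  # "find ... | head -5 | grep -q ." form could report the pipeline as
  # failed (SIGPIPE in an earlier stage) even when a match existed.
  hit="$(find "${PNPM_STORE_DIR}" -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.cjs" \) \
    -exec grep -q "eval(\|Function(\|atob(\|\\x[0-9a-f][0-9a-f]" {} \; -print -quit)"
  if [ -n "${hit}" ]; then
    echo " WARNING: Found potentially obfuscated code (eval, Function constructor, hex encoding)"
    issues=$((issues + 1))
  fi

  echo " - Checking for hidden Unicode characters..."
  # UTF-8 byte sequences of zero-width characters (U+200B..U+200D, U+2060)
  # and bidirectional controls (U+202A..U+202E, U+2066..U+2069), which can
  # hide or reorder source text in a reviewer's editor. LC_ALL=C makes grep
  # match raw bytes regardless of the caller's locale.
  hit="$(find "${PNPM_STORE_DIR}" -type f \( -name "*.js" -o -name "*.mjs" -o -name "*.cjs" \) \
    -exec env LC_ALL=C grep -qP '\xE2\x80[\x8B-\x8D\xAA-\xAE]|\xE2\x81[\xA0\xA6-\xA9]' {} \; -print -quit)"
  if [ -n "${hit}" ]; then
    echo " WARNING: Found zero-width or bidirectional control characters in source files"
    issues=$((issues + 1))
  fi

  echo " - Checking for suspicious network activity..."
  # The grep -v filter sees "path:line", so a file whose path contains
  # "test", "spec" or "example" is skipped entirely, not just its test code.
  if grep -r "http://\|https://" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -v "node_modules\|\.git\|test\|spec\|example" | grep -i "pastebin\|discord\.com/api/webhooks\|raw\.githubusercontent" > /dev/null 2>&1; then
    echo " WARNING: Found suspicious external URLs (pastebin, discord webhooks, raw github)"
    issues=$((issues + 1))
  fi

  echo " - Checking for filesystem tampering..."
  if grep -r "writeFileSync\|appendFileSync" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -i "package\.json\|\.npmrc\|\.bashrc\|\.zshrc\|\.profile" > /dev/null 2>&1; then
    echo " WARNING: Found code that modifies sensitive files"
    issues=$((issues + 1))
  fi

  echo " - Checking for credential harvesting..."
  # Both keywords must appear on the same source line to count as a hit.
  if grep -r "password\|token\|secret\|api[_-]key\|npm_token" "${PNPM_STORE_DIR}" --include="*.js" --include="*.mjs" --include="*.cjs" | grep -i "process\.env\|fs\.read" | grep -v "test\|spec\|example\|\.d\.ts" > /dev/null 2>&1; then
    echo " WARNING: Found code accessing credentials from environment"
    issues=$((issues + 1))
  fi

  if [ "${issues}" -gt 0 ]; then
    echo ""
    echo "!!! SECURITY WARNING: Found ${issues} potential security issue(s) !!!"
    echo "!!! Please review the warnings above carefully before proceeding !!!"
    echo ""
    confirm_or_abort "Continue anyway? (yes/no): " "Aborting due to security concerns"
  else
    echo " ✓ No obvious malicious patterns detected"
  fi
}

#######################################
# Remove compiled objects and build metadata that must not ship in the
# vendor tarball, and scrub the temp path from package.json files.
# Globals:  PNPM_STORE_DIR, BASHLS_PATH (read)
#######################################
prune_build_artifacts() {
  # :? aborts rather than letting "find /" run if the store path is unset.
  local store="${PNPM_STORE_DIR:?}"
  echo ">>>>>> Cleanup object dirs"
  # xargs -r skips running rm when find produced nothing.
  find "${store}/" -type d -name "__pycache__" -print0 | xargs -0 -r rm -rf || true
  find "${store}/" -type d -name "*.o.d" -print0 | xargs -0 -r rm -rf || true

  echo ">>>>>> Cleanup object files"
  find "${store}/" -name "*.node" -print0 | xargs -0 -r rm -rf || true
  # signal-client's .dll files are kept; grep -z keeps the NUL framing intact
  # so paths with whitespace survive the filter.
  find "${store}/" -name "*.dll" -print0 | grep -z -v signal-client | xargs -0 -r rm -f || true
  local ext
  for ext in "*.dylib" "*.so" "*.o" "*.a" "*.snyk-*.flag" "builderror.log"; do
    find "${store}/" -name "${ext}" -delete || true
  done
  find "${store}/" -name ".deps" -type d -print0 | xargs -0 -r rm -rf || true

  echo ">>>>>> Cleanup build info"
  for ext in "Makefile" "*.target.mk" "config.gypi"; do
    find "${store}/" -name "${ext}" -delete || true
  done
  # Absolute temp paths recorded by the install would otherwise leak into
  # the shipped package metadata and differ between runs.
  find "${store}/" -name "package.json" -exec sed -i "s#${BASHLS_PATH}#/tmp#g" {} \; || true
}

#######################################
# Create the vendor tarball in the package directory.
# Globals:  BASHLS_PKGDIR, BASHLS_PKGNAME, BASHLS_PKGVERSION (read)
#######################################
package_vendor_tarball() {
  local vendor="${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst"
  echo ">>>>>> Packaging vendor files"
  rm -f -- "${BASHLS_PKGDIR}/${vendor}"
  if ! ZSTD_NBTHREADS=$(nproc) tar --zstd -cf "${BASHLS_PKGDIR}/${vendor}" .pnpm-store; then
    echo "ERROR: Failed to create tarball"
    cleanup_and_exit 1
  fi
  echo ">>>>>> Successfully created ${vendor}"
}

main() {
  echo "URL: ${BASHLS_URL}"
  echo "TARBALL: ${BASHLS_TARBALL}"
  echo "NAME: ${BASHLS_PKGNAME}"
  echo "VERSION: ${BASHLS_PKGVERSION}"
  echo "PATH: ${BASHLS_PATH}"

  fetch_source_tarball
  extract_source
  install_node_modules
  run_audit
  scan_for_malicious_patterns
  prune_build_artifacts
  package_vendor_tarball

  popd
  PUSHED=0
  echo ""
  echo ">>>>>> Next step: Add sources with the following command:"
  echo ""
  echo "osc add ${BASHLS_TARBALL} ${BASHLS_PKGNAME}-${BASHLS_PKGVERSION}-vendor.tar.zst"
  echo ""
  cleanup_and_exit 0
}

main "$@"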