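#!/bin/bash
# Security scan script
# Scans the working tree for leaked credentials and for risky command usage in
# scripts/, then prints a summary report.
#
# Usage: run from the repository root with no arguments.
# Exit status: 0 when no issues were found, 1 otherwise (see generate_report).
#
# The scanner excludes its own file from every search: the pattern list below
# would otherwise match itself and be reported as a finding.

set -euo pipefail

# ANSI colour escapes; interpreted by printf '%b' in the log helpers.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Issue counters. Each check_* function increments its severity counter once
# per pattern type that produced at least one match; generate_report sums them.
TOTAL_ISSUES=0
HIGH_ISSUES=0
MEDIUM_ISSUES=0
LOW_ISSUES=0

# Basename of this script, passed to grep --exclude so the scan does not flag
# the pattern definitions below. Note: any other file with the same basename
# is skipped as well.
SELF_NAME=${0##*/}
readonly SELF_NAME

#######################################
# Logging helpers: print a coloured, tagged line to stdout.
# Arguments: $1 - message text (printed verbatim via %s)
#######################################
log_info() {
  printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$1"
}

log_success() {
  printf '%b[SUCCESS]%b %s\n' "$GREEN" "$NC" "$1"
}

log_warning() {
  printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$1"
}

log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1"
}

#######################################
# Check for leaked sensitive information.
# Searches the whole tree (minus .git, backups and this script) for lines that
# look like hard-coded passwords, tokens, API keys, secrets or private keys.
# Globals:   HIGH_ISSUES, TOTAL_ISSUES (written); SELF_NAME (read)
# Outputs:   matching lines to stdout
# Returns:   0
#######################################
check_secrets() {
  log_info "检查敏感信息泄露..."

  local patterns=(
    "password\s*=\s*['\"][^'\"]*['\"]"
    "token\s*=\s*['\"][^'\"]*['\"]"
    "api_key\s*=\s*['\"][^'\"]*['\"]"
    "secret\s*=\s*['\"][^'\"]*['\"]"
    "private_key"
    "-----BEGIN.*PRIVATE KEY-----"
  )

  local found_secrets=0
  local pattern matches
  for pattern in "${patterns[@]}"; do
    # '-e' is required: the PEM pattern starts with '-' and would otherwise be
    # parsed as grep options, silently disabling that check. '-I' skips binary
    # files. grep exits 1 on no match, so '|| true' keeps set -e quiet.
    matches=$(grep -r -i -I -E -e "$pattern" \
      --exclude-dir=.git --exclude-dir=backups --exclude="$SELF_NAME" \
      -- . 2>/dev/null || true)
    if [[ -n "$matches" ]]; then
      log_error "发现可能的敏感信息:"
      printf '%s\n' "$matches"
      # Plain assignment instead of (( x++ )): the post-increment form yields
      # the old value, returns status 1 when that value is 0, and aborts the
      # script under set -e on the very first finding.
      found_secrets=$((found_secrets + 1))
      HIGH_ISSUES=$((HIGH_ISSUES + 1))
    fi
  done

  if [[ "$found_secrets" -eq 0 ]]; then
    log_success "未发现明显的敏感信息泄露"
  else
    log_error "发现 $found_secrets 种类型的敏感信息,请检查并移除"
  fi

  # Same reasoning: (( TOTAL_ISSUES += 0 )) returns 1 and would kill the script.
  TOTAL_ISSUES=$((TOTAL_ISSUES + found_secrets))
}

#######################################
# Check scripts/ for unsafe command usage (recursive rm on /, chmod 777,
# TLS verification disabled for curl/wget).
# Globals:   MEDIUM_ISSUES, TOTAL_ISSUES (written); SELF_NAME (read)
# Outputs:   matching lines to stdout
# Returns:   0 (a missing scripts/ directory is treated as "no matches")
#######################################
check_unsafe_commands() {
  log_info "检查不安全的命令使用..."

  local unsafe_patterns=(
    "rm\s+-rf\s+/"
    "chmod\s+777"
    "curl.*-k"
    "wget.*--no-check-certificate"
  )

  local unsafe_found=0
  local pattern matches
  for pattern in "${unsafe_patterns[@]}"; do
    # '-e' / '--' guard against patterns and paths being read as options;
    # stderr is discarded so a missing scripts/ directory is not an error.
    matches=$(grep -r -I -E -e "$pattern" --exclude="$SELF_NAME" \
      -- scripts/ 2>/dev/null || true)
    if [[ -n "$matches" ]]; then
      log_warning "发现可能不安全的命令使用:"
      printf '%s\n' "$matches"
      unsafe_found=$((unsafe_found + 1))
      MEDIUM_ISSUES=$((MEDIUM_ISSUES + 1))
    fi
  done

  if [[ "$unsafe_found" -eq 0 ]]; then
    log_success "未发现明显不安全的命令使用"
  else
    log_warning "发现 $unsafe_found 个可能不安全的命令,请检查"
  fi

  TOTAL_ISSUES=$((TOTAL_ISSUES + unsafe_found))
}

#######################################
# Print the summary report.
# Globals:   TOTAL_ISSUES, HIGH_ISSUES, MEDIUM_ISSUES, LOW_ISSUES (read)
# Outputs:   report to stdout
# Returns:   0 when TOTAL_ISSUES is 0, 1 otherwise (this becomes the script's
#            exit status because it is the last command in main)
#######################################
generate_report() {
  log_info "生成安全扫描报告..."

  printf '\n'
  printf '%s\n' "=================================="
  printf '%s\n' " 安全扫描报告"
  printf '%s\n' "=================================="
  printf '%s\n' "总问题数: $TOTAL_ISSUES"
  printf '%s\n' "高危: $HIGH_ISSUES"
  printf '%s\n' "中危: $MEDIUM_ISSUES"
  printf '%s\n' "低危: $LOW_ISSUES"
  printf '%s\n' "=================================="

  if [[ "$TOTAL_ISSUES" -eq 0 ]]; then
    log_success "安全扫描通过,未发现问题!"
    return 0
  else
    log_warning "发现 $TOTAL_ISSUES 个安全问题,请检查并修复"
    return 1
  fi
}

#######################################
# Entry point: run every check, then report.
# Arguments: none are used
#######################################
main() {
  log_info "开始安全扫描..."

  check_secrets
  check_unsafe_commands
  generate_report
}

# Run the scan.
main "$@"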