#!/usr/bin/env bash

# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

# detector and configuration of detect-secrets
secretsDetector(){
    PYTHON_PIP_DETECTSECRETS=$(which detect-secrets)
    if [ -z "${PYTHON_PIP_DETECTSECRETS}" ]; then
        echo -e "\n$RED ERROR!$NORMAL python library detect-secrets not found. Make sure it is installed correctly and in your \$PATH\n"
        EXITCODE=1
        exit $EXITCODE
    else
        SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
        if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
            mkdir $SECRETS_TEMP_FOLDER
        fi
        PYTHON_PIP_DETECTSECRETS_INSTALLED=1
        # Sets the entropy limit for high entropy base64 strings from
        # environment variable BASE64_LIMIT.
        # Value must be between 0.0 and 8.0, defaults is 4.5.
        # Sets the entropy limit for high entropy hex strings from
        # environment variable HEX_LIMIT.
        # Value must be between 0.0 and 8.0, defaults is 3.0.
        case $1 in
            file )
                # this is to scan a file
                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} $2 | \
                jq -r '.results[]|.[] | [.line_number, .type]|@csv' | wc -l
                #jq -r '.results[] | .[] | "\(.line_number)\t\(.type)"'
                # this command must return values in two colums:
                # line in file and type of secrets found
                ;;
            string )
                # this is to scan a given string
                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} --string $2 | \
                grep True| wc -l
            ;;
            folder )
                # this is to scan a given folder with all lambda files
                detect-secrets scan --hex-limit ${HEX_LIMIT:-3.0} --base64-limit ${BASE64_LIMIT:-4.5} --all-files $2 | \
                jq -r '.results[]|.[] | [.line_number, .type]|@csv' | wc -l
            ;;
        esac
    fi
}