#!/bin/bash -eu

flavor="${1}"
mods_dir="${2}"
mods_extra_dir="${3}"

skip_checks=${4:-}
case "${skip_checks,,}" in
        1|true|yes) skip_checks=1 ;;
        *) skip_checks=0 ;;
esac

echo "II: Checking signature of staging modules for ${flavor}..."

root=$(dirname "$(realpath -e "${0}")")/../../..
. "${root}"/debian/debian.env

# Collect the signature-inclusion files
sig_incs=()
for d in debian "${DEBIAN}" ; do
	if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
		sig_incs+=("${root}"/"${d}"/signature-inclusion)
	fi
done

if [ "${#sig_incs[@]}" -gt 0 ] ; then
	echo "II: Use signature inclusion file(s):"
	printf "    %s\n" "${sig_incs[@]}"
	sig_all=0
else
	echo "WW: Signature inclusion file(s) missing"
	echo "II: All modules must be signed"
	sig_all=1
fi

if ! [ -d "${mods_dir}" ] ; then
	echo "EE: Modules directory missing:"
	echo "    ${mods_dir}"
	if [ ${skip_checks} -eq 1 ] ; then
		echo "WW: Explicitly asked to ignore failures"
		echo "II: Done"
		exit 0
	fi
	exit 1
fi

echo "II: Checking modules directory:"
echo "    ${mods_dir}"
mods_dirs=("${mods_dir}")

if [ -d "${mods_extra_dir}" ] ; then
	echo "    ${mods_extra_dir}"
	mods_dirs+=("${mods_extra_dir}")
fi

pass=0
fail=0
while IFS= read -r mod ; do
	is=0
	if /sbin/modinfo "${mod}" | grep -q "^signature:" ; then
		# Module is signed
		is=1
	fi

	must=0
	if [ ${sig_all} -eq 1 ] || grep -qFx "${mod##*/}" "${sig_incs[@]}" ; then
		# Module must be signed
		must=1
	fi

	case "${is}${must}" in
		00) echo "    PASS (unsigned) : ${mod##*/}" ; pass=$((pass + 1)) ;;
		01) echo "    FAIL (unsigned) : ${mod##*/}" ; fail=$((fail + 1)) ;;
		10) echo "    FAIL (signed)   : ${mod##*/}" ; fail=$((fail + 1)) ;;
		11) echo "    PASS (signed)   : ${mod##*/}" ; pass=$((pass + 1)) ;;
	esac
done < <(find "${mods_dirs[@]}" -path '*/drivers/staging/*.ko' | sort)

echo "II: Checked $((pass + fail)) modules : ${pass} PASS, ${fail} FAIL"

if [ ${fail} -ne 0 ] ; then
	if [ ${skip_checks} -eq 1 ] ; then
		echo "WW: Explicitly asked to ignore failures"
	else
		echo "EE: Modules signature failures"
		exit 1
	fi
fi

echo "II: Done"
exit 0
