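#!/usr/bin/env bash
# shellcheck disable=SC2230
# vim:ts=4:sts=4:sw=4:et
#
# Author: Hari Sekhon
# Date: 2019-10-18 13:57:12 +0100 (Fri, 18 Oct 2019)
#
# https://github.com/harisekhon/bash-tools
#
# License: see accompanying Hari Sekhon LICENSE file
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/harisekhon
#

# Scans the Git-tracked files under a directory for lines that look like AWS
# credential assignments and exits 1 if any are found.
#
# Usage: $0 [DIRECTORY_OR_FILE]
#        defaults to the current directory; a file argument scans the
#        directory containing it
#
# Hits can be suppressed by listing regexes, one per line, in a .gitallowed
# file in the scanned directory. Those regexes are unanchored and are read from
# the repository being scanned, so a broad pattern there silences the scan -
# review that file with the same care as the findings themselves.
#
# Exit codes: 0  = nothing found
#             1  = potential credentials found
#             >1 = git grep itself failed (e.g. not inside a Git repository)

set -euo pipefail
[ -n "${DEBUG:-}" ] && set -x

srcdir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# shellcheck source=lib/utils.sh
. "$srcdir/lib/utils.sh"

section "AWS Git credentials scan"

start_time="$(start_timer)"

location="${1:-.}"

if [ "$location" = . ]; then
    :
elif [ -d "$location" ]; then
    cd "$location"
else
    # a file argument scans the directory it lives in
    cd "$(dirname "$location")"
fi

# $(pwd) more reliable than $PWD
echo "checking $(pwd)"
echo

gitallowed=/dev/null
if [ -f .gitallowed ]; then
    gitallowed=.gitallowed
fi

# Run git grep on its own rather than as the first stage of the filter pipeline
# so that a real failure (exit > 1, e.g. "not a git repository") cannot be
# mistaken for "no matches" (exit 1): under pipefail both would simply make the
# 'if' below false and the script would report OK with exit code 0
rc=0
matches="$(git grep \
    -e 'AWS_ACCESS_KEY.*=' \
    -e 'AWS_SECRET_KEY.*=' \
    -e 'AWS_SESSION_TOKEN.*=' \
    -e 'aws_access_key_id.*=' \
    -e 'aws_secret_access_key.*=' \
    -e 'aws_session_token.*=')" || rc=$?
if [ "$rc" -gt 1 ]; then
    echo "ERROR: git grep failed with exit code $rc - is $(pwd) inside a Git repository?" >&2
    exit "$rc"
fi

# Drop this script and the shell's own aws.sh from the hits, then apply the
# .gitallowed suppressions. Blank lines are stripped from the allow list first:
# an empty regex given to 'grep -f' matches every line, so a stray blank line
# would otherwise silently suppress every finding. An allow list with no usable
# lines yields zero patterns, which matches nothing and lets all hits through.
if printf '%s\n' "$matches" |
   grep -v -e '\.bash\.d/aws.sh:' \
           -e "${0##*/}:" |
   grep -v -f <(grep -v -e '^[[:space:]]*$' -- "$gitallowed") |
   grep .; then
    echo
    echo "DANGER: potential AWS credentials found in Git!!"
    exit 1
fi

time_taken "$start_time"
section2 "OK: no AWS credentials found in Git"
echo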