#!/bin/bash
# ============================================
# 风七六本地生活平台 - 敏感信息扫描脚本
# 用于扫描代码库中可能的敏感信息泄露
# ============================================

SCAN_DIR=${1:-$(pwd)}
REPORT_FILE="security-scan-report.txt"
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

echo "=========================================="
echo "  风七六平台 - 敏感信息扫描"
echo "=========================================="
echo "扫描目录: ${SCAN_DIR}"
echo "开始时间: $(date)"
echo "" > ${REPORT_FILE}

# ============================================
# 检测模式配置
# ============================================
declare -A patterns
patterns["AWS API Key"]="AKIA[0-9A-Z]{16}"
patterns["AWS Secret Key"]="(?i)aws.*secret.*access.*key|aws_secret_access_key"
patterns["阿里云 Access Key"]="LTAI[0-9A-Z]{12,20}"
patterns["API Key/Token"]="(?i)api[_-]?key|api[_-]?token|access[_-]?token|secret[_-]?key"
patterns["密码字段"]="(?i)password|passwd|pwd|mysql_password|db_password"
patterns["私钥"]="-----BEGIN.*PRIVATE KEY-----"
patterns["JWT Secret"]="(?i)jwt.*secret|jwt.*token.*secret"
patterns["数据库连接串"]="(?i)jdbc:|mongodb://|redis://|postgresql://"
patterns["硬编码 IP"]="(?<!\.)(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?!\.)"

# ============================================
# 执行扫描
# ============================================
total_issues=0
for pattern_name in "${!patterns[@]}"; do
    echo -e "${YELLOW}[扫描] ${pattern_name}...${NC}"
    
    # 使用grep查找匹配
    matches=$(grep -r -n -i -E "${patterns[$pattern_name]}" \
        --include="*.java" \
        --include="*.py" \
        --include="*.js" \
        --include="*.ts" \
        --include="*.xml" \
        --include="*.yml" \
        --include="*.yaml" \
        --include="*.properties" \
        --include="*.env*" \
        --exclude-dir=".git" \
        --exclude-dir="node_modules" \
        --exclude="*.min.js" \
        --exclude="*.min.css" \
        "${SCAN_DIR}" 2>/dev/null)
    
    if [ ! -z "$matches" ]; then
        echo -e "${RED}✗ 发现潜在问题: ${pattern_name}${NC}"
        echo "==========================================" >> ${REPORT_FILE}
        echo "类型: ${pattern_name}" >> ${REPORT_FILE}
        echo "${matches}" >> ${REPORT_FILE}
        echo "" >> ${REPORT_FILE}
        
        # 统计数量
        issue_count=$(echo "${matches}" | wc -l)
        total_issues=$((total_issues + issue_count))
        echo -e "  发现 ${issue_count} 个匹配项"
    else
        echo -e "${GREEN}✓ 未发现问题${NC}"
    fi
    echo ""
done

# ============================================
# 检查.gitignore配置
# ============================================
echo -e "${YELLOW}[检查] .gitignore 配置...${NC}"
if [ ! -f "${SCAN_DIR}/.gitignore" ]; then
    echo -e "${RED}✗ 未找到 .gitignore 文件!${NC}"
    echo "==========================================" >> ${REPORT_FILE}
    echo "类型: 缺少 .gitignore" >> ${REPORT_FILE}
    echo "建议: 添加 .gitignore 文件，忽略敏感配置文件" >> ${REPORT_FILE}
    echo "" >> ${REPORT_FILE}
else
    # 检查是否包含敏感文件
    sensitive_files=(".env" ".env.prod" ".env.local" "*.pem" "*.key" "*.p12" "*.jks")
    for file in "${sensitive_files[@]}"; do
        if ! grep -q "^${file}" "${SCAN_DIR}/.gitignore" 2>/dev/null; then
            echo -e "${YELLOW}⚠ 建议在 .gitignore 中添加: ${file}${NC}"
            echo "==========================================" >> ${REPORT_FILE}
            echo "类型: .gitignore 建议" >> ${REPORT_FILE}
            echo "建议: 将 ${file} 添加到 .gitignore" >> ${REPORT_FILE}
            echo "" >> ${REPORT_FILE}
        fi
    done
fi

# ============================================
# 扫描报告总结
# ============================================
echo ""
echo "=========================================="
echo "  扫描完成!"
echo "=========================================="
if [ ${total_issues} -gt 0 ]; then
    echo -e "${RED}发现 ${total_issues} 个潜在问题!${NC}"
    echo -e "详细报告请查看: ${REPORT_FILE}"
    exit 1
else
    echo -e "${GREEN}✓ 未发现明显的敏感信息泄露!${NC}"
    exit 0
fi
