#!/bin/sh

set -eu

trap update_failure 1 2 EXIT

# before we begin...

mb_path="$PATH"

mb_script="$0"

mb_success=no

mb_obtain=no

mb_dlopt="${1:-}"

error_msg()

{

	printf '%s\n' "$@" >&2

}

warning_msg()

{

	printf '%s\n' "$@" >&2

}

update_failure()

{

	if [ _$mb_success = _yes ]; then

		return 0

	fi

	printf 'update info: exiting due to an error.\n' >&3

	exit 2

}

update_needed()

{

	trap '' EXIT

	mb_success=yes

	exit 1

}

update_success()

{

	trap '' EXIT

	mb_success=yes

	exit 0

}

obtain_remote_file()

{

	pathname="$1"

	case "$mb_vendor" in

		/* )

			cp -p "${mb_vendor}/${pathname}" \

				"${pathname}"

			;;

		https://* )

			wget "${mb_vendor}/${pathname}"       \

				--output-document="${pathname}"  \

				--no-check-certificate            \

				2>/dev/null

			;;

		* )

			error_msg "Invalid prefix in path argument ${pathname}"

			update_failure

			;;

	esac

}

# logging

exec 3> /updates/update.log

# previous state

if [ -f /updates/update.pending ]; then

	rm /updates/update.pending

	update_needed

fi

# vendor server location

mb_vendor=$(cat /etc/vendor.host)

# obtain list of advertised updates

obtain_remote_file /updates/updates.sha256

mb_tarballs=$(cut -d' ' -f3 /updates/updates.sha256)

# simple argument parsing

if [ "${mb_dlopt}" = '--obtain-tarballs' ]; then

	mb_obtain=yes

fi

# compare against local state

for tarball in ${mb_tarballs:-}; do

	printf 'checking local status of %s...\n' $tarball >&3

	if ! [ -f /updates/$tarball ]; then

		printf '\t/updates/%s does not exist, download needed.\n' $tarball >&3

		if [ $mb_obtain = no ]; then

			update_needed

		else

			mb_needed=yes

		fi

	else

		printf '\t/updates/%s found, checking signatures...\n' $tarball >&3

		if ! [ -f /updates/$tarball.sha256 ]; then

			sha256sum /updates/$tarball > /updates/$tarball.sha256

		fi

		mb_remotesig=$(grep $tarball /updates/updates.sha256 | cut -d' ' -f1)

		mb_localsig=$(cat /updates/$tarball.sha256 | cut -d' ' -f1)

		printf '\tremote signature: %s\n' $mb_remotesig >&3

		printf '\tlocal  signature: %s\n' $mb_localsig >&3

		if [ $mb_localsig != $mb_remotesig ]; then

			printf '\tsignatures do not match, download needed.\n' >&3

			if [ $mb_obtain = no ]; then

				update_needed

			else

				mb_needed=yes

			fi

		else

			printf '\tsignatures match, local tarball is already up-to-date.\n' >&3

			mb_needed=no

		fi

	fi

	if [ $mb_needed = yes ]; then

		printf '\tattempting to download %s...\n' ${mb_vendor}/updates/$tarball >&3

		obtain_remote_file /updates/$tarball

		sha256sum /updates/$tarball > /updates/$tarball.sha256

		mb_remotesig=$(grep $tarball /updates/updates.sha256 | cut -d' ' -f1)

		mb_localsig=$(cat /updates/$tarball.sha256 | cut -d' ' -f1)

		printf '\tremote signature: %s\n' $mb_remotesig >&3

		printf '\tlocal  signature: %s\n' $mb_localsig >&3

		if [ $mb_localsig != $mb_remotesig ]; then

			printf 'signatures do not match, aborting.\n' >&3

			update_failure

		else

			printf '\t/local tarball is now up-to-date.\n' >&3

		fi

	fi

	printf '\n' >&3

done

# status

touch /updates/update.pending

# all done

update_success