
#!/bin/bash
# AIMDS Security Verification Script
#
# Run this after applying security fixes to verify compliance. Each check
# prints PASS / FAIL / WARN and bumps a counter; the FINAL SCORE section turns
# the counters into a 0-100 score and exits 1 if anything FAILed.
#
# NOTE: `set -e` stays in force for the whole run, so any command outside an
# `if` / `||` context that returns non-zero aborts the script before the
# summary is printed.
set -e
RULE="================================================================================"
echo "$RULE"
echo "AIMDS Security Verification"
echo "$RULE"
echo ""
# Resolve the project root from the script's own location so the relative
# paths used by the checks (.env, src/, crates/, package.json) work from any
# working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
cd "$PROJECT_DIR"
# Result counters, updated by check_pass / check_fail / check_warn.
PASSED=0
FAILED=0
WARNINGS=0
# ANSI colour codes for the PASS / FAIL / WARN markers.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
check_pass() {
echo -e "${GREEN}✅ PASS${NC}: $1"
((PASSED++))
}
check_fail() {
echo -e "${RED}❌ FAIL${NC}: $1"
((FAILED++))
}
check_warn() {
echo -e "${YELLOW}⚠️ WARN${NC}: $1"
((WARNINGS++))
}
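echo "================================================================================"
echo "1. CHECKING FOR HARDCODED SECRETS"
echo "================================================================================"
echo ""
# Token prefixes treated as "obviously a credential" (OpenAI, AWS access key,
# GitHub PAT, Slack, Google API). This is an extended-regex alternation and
# MUST be used with `grep -E`: as a basic regex the '|' is a literal character,
# so the scan matches nothing and silently reports PASS every time.
# `sk-` has no word boundary and will also hit identifiers like "task-"; that
# is a false positive (a FAIL to eyeball), not a missed secret.
SECRET_PATTERNS="sk-|AKIA|ghp_|xox[baprs]-|AIza"
# A local .env is tolerated (WARN) but must not hold live credentials.
if [ -f ".env" ]; then
  check_warn ".env file exists (should not be in git)"
  if grep -qE "$SECRET_PATTERNS" .env 2>/dev/null; then
    check_fail "Found API keys in .env file"
  else
    check_pass "No obvious API keys in .env"
  fi
else
  check_pass ".env file not found (good)"
fi
# A tracked .env is the real leak: the value stays in history even after the
# file is deleted. stdout is silenced because --error-unmatch echoes the path
# on success. Outside a git checkout this reports "not tracked".
if git ls-files --error-unmatch .env >/dev/null 2>&1; then
  check_fail ".env is tracked in git - MUST REMOVE"
else
  check_pass ".env is not tracked in git"
fi
# Ask git whether .env is ignored (honours /.env, .env*, nested .gitignore
# files); fall back to a literal scan of .gitignore when git cannot answer.
if git check-ignore -q .env 2>/dev/null || grep -q "^\.env$" .gitignore 2>/dev/null; then
  check_pass ".env is in .gitignore"
else
  check_fail ".env NOT in .gitignore"
fi
echo ""
echo "Checking source code for hardcoded secrets..."
# Exclusions are applied to *paths* (test/example files and dirs, markdown)
# rather than to line content: the old `grep -v test` dropped any line whose
# text contained "test", e.g. a key sitting next to the word "latest".
# Only file:line is printed so a real credential never lands in the CI log.
SECRET_HITS=$(grep -rnE --exclude='*.md' --exclude='*test*' --exclude='*example*' \
  --exclude-dir='test' --exclude-dir='tests' --exclude-dir='examples' \
  "$SECRET_PATTERNS" src/ crates/ 2>/dev/null | cut -d: -f1,2 || true)
if [ -n "$SECRET_HITS" ]; then
  echo "$SECRET_HITS"
  check_fail "Found potential secrets in source code"
else
  check_pass "No obvious secrets in source code"
fi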
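echo ""
echo "================================================================================"
echo "2. CHECKING COMPILATION"
echo "================================================================================"
echo ""
echo "Compiling Rust crates..."
# Judge the build by its exit status, not by grepping for "error": a missing
# cargo binary or a failure that never prints that word was counted as a
# pass. Output is kept so the first errors can be shown without a rebuild.
if BUILD_OUTPUT=$(cargo build --release --quiet 2>&1); then
  check_pass "Rust compilation successful"
else
  check_fail "Rust compilation failed"
  echo "$BUILD_OUTPUT" | grep "error" | head -5
fi
echo ""
echo "Running clippy..."
# Capture the status explicitly. A bare VAR=$(cmd) under `set -e` aborts the
# whole script the moment `-D warnings` makes clippy exit non-zero, so the
# lint failure was never reported.
CLIPPY_RC=0
CLIPPY_OUTPUT=$(cargo clippy --all-targets --all-features -- -D warnings 2>&1) || CLIPPY_RC=$?
if [ "$CLIPPY_RC" -ne 0 ]; then
  check_fail "Clippy found errors"
  echo "$CLIPPY_OUTPUT" | grep "error" | head -5
else
  check_pass "Clippy check passed"
fi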
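echo ""
echo "================================================================================"
echo "3. CHECKING DEPENDENCIES"
echo "================================================================================"
echo ""
echo "Running npm audit..."
if [ -f "package.json" ]; then
  # `npm audit` exits non-zero exactly when it finds vulnerabilities, so the
  # old `|| echo "{}"` appended a second JSON document to the real report;
  # jq then emitted two numbers per field, `[ -gt ]` rejected the multi-line
  # value, and a vulnerable tree was reported as PASS. Capture stdout
  # regardless of status and validate the report before trusting it.
  NPM_AUDIT=$(npm audit --json 2>/dev/null) || true
  if [ -z "$NPM_AUDIT" ] || ! echo "$NPM_AUDIT" | jq -e '.metadata.vulnerabilities' >/dev/null 2>&1; then
    # No usable report (npm/jq missing, no lockfile, offline): say so rather
    # than claiming the dependencies are clean.
    check_warn "npm audit produced no usable report - npm dependencies NOT verified"
  else
    VULNERABILITIES=$(echo "$NPM_AUDIT" | jq -r '.metadata.vulnerabilities.total // 0')
    CRITICAL=$(echo "$NPM_AUDIT" | jq -r '.metadata.vulnerabilities.critical // 0')
    HIGH=$(echo "$NPM_AUDIT" | jq -r '.metadata.vulnerabilities.high // 0')
    if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
      check_fail "Found $CRITICAL critical, $HIGH high vulnerabilities"
    elif [ "$VULNERABILITIES" -gt 0 ]; then
      check_warn "Found $VULNERABILITIES moderate/low vulnerabilities"
    else
      check_pass "No npm vulnerabilities found"
    fi
  fi
fi
echo ""
echo "Checking cargo dependencies..."
if command -v cargo-audit >/dev/null 2>&1; then
  # cargo-audit exits non-zero when an advisory matches and also when it
  # cannot fetch the advisory database; in both cases the tree is unverified,
  # so both are a FAIL. The first error/vulnerability lines are shown.
  if AUDIT_OUTPUT=$(cargo audit 2>&1); then
    check_pass "No cargo vulnerabilities found"
  else
    check_fail "Cargo audit found vulnerabilities"
    echo "$AUDIT_OUTPUT" | grep -iE "error|vulnerab" | head -5
  fi
else
  check_warn "cargo-audit not installed (run: cargo install cargo-audit)"
fi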
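echo ""
echo "================================================================================"
echo "4. CHECKING SECURITY CONFIGURATION"
echo "================================================================================"
echo ""
# These checks grep the gateway entry point for identifiers. A hit proves a
# control is *referenced* (even in a comment), not that it is applied to every
# route or configured safely. Read them as a smoke test, not an audit result.
GATEWAY_SRC="src/gateway/server.ts"
if [ ! -f "$GATEWAY_SRC" ]; then
  # Without the file every grep below would error and fail noisily; report
  # the missing file once instead.
  check_fail "$GATEWAY_SRC not found - cannot verify TLS, auth, CORS, rate limiting or helmet"
else
  # TLS terminated in-process. If TLS is terminated at a reverse proxy this
  # may legitimately be absent - confirm the deployment topology before
  # waiving a FAIL here.
  if grep -q "https.createServer" "$GATEWAY_SRC"; then
    check_pass "HTTPS configuration found"
  else
    check_fail "No HTTPS configuration found"
  fi
  # Authentication middleware
  if grep -qE "authMiddleware|authenticate|verifyApiKey" "$GATEWAY_SRC"; then
    check_pass "Authentication middleware found"
  else
    check_fail "No authentication middleware found"
  fi
  # CORS: an explicit cors({...}) call, plus a WARN when it allows any origin,
  # since a wildcard origin makes the explicit config no stricter than none.
  if grep -q "cors({" "$GATEWAY_SRC"; then
    check_pass "CORS configuration found"
    if grep -qE "origin:[[:space:]]*['\"]\*['\"]" "$GATEWAY_SRC"; then
      check_warn "CORS origin is '*' - restrict to known origins"
    fi
  else
    check_warn "CORS not configured (using defaults)"
  fi
  # Rate limiting
  if grep -q "rateLimit" "$GATEWAY_SRC"; then
    check_pass "Rate limiting configured"
  else
    check_fail "Rate limiting not found"
  fi
  # Helmet security headers
  if grep -q "helmet" "$GATEWAY_SRC"; then
    check_pass "Helmet security headers enabled"
  else
    check_fail "Helmet not configured"
  fi
fi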
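echo ""
echo "================================================================================"
echo "5. RUNNING TESTS"
echo "================================================================================"
echo ""
echo "Running Rust tests..."
# Use the exit status. Grepping the output for "FAILED" counted as a pass any
# run that never got to the tests (a compile error in a test target prints
# "error", not "FAILED") and a missing cargo binary.
if RUST_TEST_OUTPUT=$(cargo test --quiet 2>&1); then
  check_pass "Rust tests passed"
else
  check_fail "Rust tests failed"
  echo "$RUST_TEST_OUTPUT" | tail -20
fi
echo ""
echo "Running TypeScript tests..."
if [ -f "package.json" ]; then
  # Same reasoning: `npm test` with no "test" script exits non-zero without
  # ever printing "FAIL", which the old grep counted as a pass.
  if TS_TEST_OUTPUT=$(npm test 2>&1); then
    check_pass "TypeScript tests passed"
  else
    check_fail "TypeScript tests failed"
    echo "$TS_TEST_OUTPUT" | tail -20
  fi
fi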
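echo ""
echo "================================================================================"
echo "6. CHECKING CODE QUALITY"
echo "================================================================================"
echo ""
# Placeholder / mock markers. Matching lines are printed before the WARN so
# the reviewer sees what tripped it; markdown is excluded by path.
if grep -rnE --exclude='*.md' "Hash-based embedding for demo|TODO:|FIXME:|HACK:" src/ crates/ 2>/dev/null; then
  check_warn "Found TODOs/FIXMEs or mock implementations"
else
  check_pass "No obvious mock implementations or TODOs"
fi
# .expect()/.unwrap() in any Rust source. Recursive with --include so nested
# modules (crates/x/src/a/b.rs) are covered; the old crates/*/src/*.rs glob
# only saw top-level files and, with no crates/ present, errored out and
# reported "No .expect()/.unwrap() calls found".
if grep -rqE --include='*.rs' '\.(expect|unwrap)\(' crates/ 2>/dev/null; then
  check_warn "Found .expect()/.unwrap() calls (consider proper error handling)"
else
  check_pass "No .expect()/.unwrap() calls found"
fi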
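echo ""
echo "================================================================================"
echo "FINAL SCORE"
echo "================================================================================"
echo ""
# Score = percentage of recorded checks that PASSed; WARNs count against the
# score but never block on their own. The division is guarded so a run that
# recorded nothing prints 0 instead of dying on a divide-by-zero.
TOTAL=$((PASSED + FAILED + WARNINGS))
if [ "$TOTAL" -gt 0 ]; then
  SCORE=$(( (PASSED * 100) / TOTAL ))
else
  SCORE=0
fi
echo -e "Passed: ${GREEN}$PASSED${NC}"
echo -e "Failed: ${RED}$FAILED${NC}"
echo -e "Warnings: ${YELLOW}$WARNINGS${NC}"
echo ""
echo -e "Security Score: ${SCORE}/100"
echo ""
# The exit status is what CI should gate on: 0 only when nothing FAILed.
# No failures and a score >= 80 is "ready"; no failures but a lower score
# (warnings only) is "acceptable"; any FAIL is a hard stop with exit 1.
if [ "$FAILED" -eq 0 ] && [ "$SCORE" -ge 80 ]; then
  echo -e "${GREEN}✅ READY FOR PRODUCTION DEPLOYMENT${NC}"
  exit 0
elif [ "$FAILED" -eq 0 ]; then
  echo -e "${YELLOW}⚠️ ACCEPTABLE - Some improvements needed${NC}"
  exit 0
else
  echo -e "${RED}❌ NOT READY - Critical issues must be fixed${NC}"
  echo ""
  echo "See SECURITY_AUDIT_REPORT.md for detailed findings"
  echo "See CRITICAL_FIXES_REQUIRED.md for fix instructions"
  exit 1
fi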