#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### This file is meant to be sourced: when guard_sourcing (defined elsewhere) fails,
### sourcing stops here with ERR_GUARD_SOURCE as the status.
guard_sourcing || return "${ERR_GUARD_SOURCE}"

#######################################
# Post-debootstrap sanity report: appends a set of read-only probes of the freshly
# bootstrapped system (dpkg audit, essential packages, init, awk, usr-merge layout,
# architecture) to a log file below the selected target root.
# Globals:
#   RECOVERY          (read) target root used when VAR_RUN_RECOVERY is "true"
#   TARGET            (read) target root used otherwise
#   VAR_RUN_RECOVERY  (read) selects RECOVERY over TARGET
# Arguments:
#   None
# Outputs:
#   Probe results are appended to /root/.ciss/cdi/log/4005_debootstrap_checks.log,
#   a path that the script text below redirects to.
# Returns:
#   0: on success
#######################################
check_debootstrap() {
  ### Log path as written by the script text; it is prefixed with the target root
  ### only for the chroot_logger call.
  local -r var_logfile="/root/.ciss/cdi/log/4005_debootstrap_checks.log"
  local var_target="${TARGET}"

  ### A recovery run inspects RECOVERY instead of TARGET.
  if [[ "${VAR_RUN_RECOVERY}" == "true" ]]; then
    var_target="${RECOVERY}"
  fi

  ### chroot_logger is defined elsewhere; presumably it prepares the log file at the
  ### host-side path (target root + log path) - confirm against its definition.
  chroot_logger "${var_target}${var_logfile}"

  ### Notes on the script text handed to chroot_script (defined elsewhere; presumably
  ### it executes the text inside the target root - confirm):
  ###   - The text is double-quoted. '${var_logfile}' is expanded here, in the calling
  ###     shell; every '\$' and '\"' is escaped so that it is evaluated only by the shell
  ###     that runs the text.
  ###   - All external probes end in '|| true', so a failing probe never aborts the
  ###     group. The verdict has to be read from the log, not from an exit status.
  ###   - Only stdout of the group is appended to the log. 'dpkg-query' sends stderr to
  ###     /dev/null, so a package it cannot find shows up only as a missing row.
  ###     'dpkg --audit' keeps its stderr, which goes wherever chroot_script leaves it.
  ###   - The usr-merge probe tests only that /bin, /sbin, /lib and /lib64 are symlinks.
  ###     The resolved target is printed but not compared, so 'usr_merge_ok=yes' alone
  ###     does not confirm that a link points below /usr.
  chroot_script "${var_target}" "
    {
      ### Header
      echo '==[debootstrap checks]=='
      date -Is 2>/dev/null || true
      ### dpkg audit (non-fatal)
      echo '### dpkg --audit'
      dpkg --audit || true
      ### essential subset (status & version)
      echo '### dpkg-query essential subset'
      dpkg-query -W -f='\${db:Status-Abbrev} \${binary:Package} \${Version}\n' dpkg libc6 coreutils bash apt systemd 2>/dev/null || true
      ### init presence (log explicit)
      echo '### init presence'
      if [[ -x /sbin/init ]] || [[ -x /lib/systemd/systemd ]]; then
        echo 'init_present=yes'
      else
        echo 'init_present=no'
      fi
      ### awk path and alternative link (if any)
      echo '### awk'
      awk_path=\$(command -v awk || true)
      printf 'awk_path=%s\n' \"\$awk_path\"
      if [[ -L /usr/bin/awk ]]; then
        printf 'awk_link=/usr/bin/awk -> %s\n' \"\$(readlink -f /usr/bin/awk 2>/dev/null || true)\"
      fi
      ### usr-merge / tainted check
      echo '### usr-merge / taint'
      usr_merge_ok=yes
      for p in /bin /sbin /lib /lib64; do
        [[ -e \"\$p\" ]] || continue
        if [[ -L \"\$p\" ]]; then
          tgt=\$(readlink -f \"\$p\" 2>/dev/null || true)
          printf '%s -> %s\n' \"\$p\" \"\$tgt\"
        else
          usr_merge_ok=no
          printf '%s is not a symlink (tainted: unmerged-bin)\n' \"\$p\"
        fi
      done
      printf 'usr_merge_ok=%s\n' \"\$usr_merge_ok\"
      ### architecture
      echo '### architecture'
      dpkg --print-architecture 2>/dev/null || true
    } >> ${var_logfile}
  "

  ### guard_dir is defined elsewhere; its effect is not visible in this file.
  guard_dir

  return 0
}
### Mark the function read-only so that it cannot be removed by an accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f check_debootstrap
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh