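#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: GRUB Kernel Parameter Linter
#
# Usage: <this script> [GRUB_FILE]      (default: /etc/default/grub)
#
# Reads GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT from GRUB_FILE and
# reports
#   * conflicts  - the same key given with different values, and
#   * duplicates - the exact same parameter given more than once.
# A conflicting pair is worth a manual look when the key is a hardening
# switch: only one of the two values can take effect, so the configured
# hardening may not be the one that is actually booted.
#
# The file is only parsed as text, never sourced or evaluated.

set -Ceuo pipefail

GRUB_FILE="${1:-/etc/default/grub}"

# Fail early with a clear message instead of relying on grep's own error.
# Exit status 2 matches what the failing grep pipeline produced before.
if [[ ! -r "${GRUB_FILE}" ]]; then
  printf 'error: cannot read %s\n' "${GRUB_FILE}" >&2
  exit 2
fi

#######################################
# Split a GRUB_CMDLINE value into one parameter per output line.
# Arguments: $1 - raw right-hand side of the assignment, e.g. "quiet splash"
# Outputs:   each whitespace-separated parameter on its own line; nothing at
#            all for an empty value
# Notes:     only one pair of surrounding double quotes is removed; single
#            quotes and quoted values containing spaces are not interpreted.
#######################################
parse_cmdline() {
  local input="${1}"
  local -a ary=()

  # Remove outer double quotes if present.
  input="${input%\"}"
  input="${input#\"}"

  # Split on whitespace; read -r keeps backslashes literal.
  read -r -a ary <<< "${input}"

  # An empty value (the stock GRUB_CMDLINE_LINUX="") must yield no output.
  # Printing a blank line here would later become an empty associative-array
  # key, which bash rejects as a bad subscript.
  if (( ${#ary[@]} > 0 )); then
    printf '%s\n' "${ary[@]}"
  fi
}

#######################################
# Key extractor: for console=tty0 -> console; a bare flag is its own key.
# Arguments: $1 - a single kernel parameter
# Outputs:   the text before the first '=' (or the whole parameter)
#######################################
extract_key() {
  local param="${1}"
  printf '%s\n' "${param%%=*}"
}

#######################################
# Print the right-hand side of the first "NAME=..." line in a file.
# Arguments: $1 - variable name, $2 - file to search
# Outputs:   the value including its quotes, or an empty line when the
#            variable is not assigned in the file
# Returns:   0 when found or absent, grep's status (>1) on a read error
# NOTE(review): only the first matching line is inspected. If the file is
# consumed as a shell fragment, a later assignment would win - confirm
# whether the last match should be linted instead.
#######################################
read_grub_var() {
  local name="${1}" file="${2}"
  local line="" rc=0

  line=$(grep -E -m 1 -- "^${name}=" "${file}") || rc=$?

  # grep exits 1 for "no match"; that is a valid state (variable not set),
  # not an error. Under 'set -e' with pipefail it used to abort the linter
  # silently.
  if (( rc > 1 )); then
    return "${rc}"
  fi

  printf '%s\n' "${line#"${name}="}"
}

# Extract lines
GRUB_LINUX_LINE=$(read_grub_var "GRUB_CMDLINE_LINUX" "${GRUB_FILE}")
GRUB_DEFAULT_LINE=$(read_grub_var "GRUB_CMDLINE_LINUX_DEFAULT" "${GRUB_FILE}")

# Parse both lines (linux_params / default_params are read via nameref below).
# shellcheck disable=SC2034
mapfile -t linux_params < <(parse_cmdline "${GRUB_LINUX_LINE}")
# shellcheck disable=SC2034
mapfile -t default_params < <(parse_cmdline "${GRUB_DEFAULT_LINE}")

# Combine for conflict analysis
declare -A param_values=()     # key -> first full parameter seen for that key
declare -A param_sources=()    # key -> "linux" or "default" (where first seen)
declare -A duplicate_params=() # full parameter -> 1 when seen more than once

# Loop over all parameters of both variables.
for origin in "linux" "default"; do
  declare -n params="${origin}_params"
  for p in "${params[@]}"; do
    # Defensive: never use an empty string as an associative-array key.
    [[ -n "${p}" ]] || continue

    key=$(extract_key "${p}")

    # Existence test via ${var+x} rather than [[ -v arr[key] ]]: the -v form
    # hands the subscript to a second round of expansion on some bash
    # versions, which is undesirable for a key that comes from a file.
    if [[ -n "${param_values[${key}]+x}" ]]; then
      if [[ "${param_values[${key}]}" != "${p}" ]]; then
        printf '%s\n' "⚠️ Conflict: Parameter '${key}' has multiple values:"
        printf '%s\n' " - ${param_values[${key}]} (from ${param_sources[${key}]})"
        printf '%s\n' " - ${p} (from ${origin})"
      else
        duplicate_params["${p}"]=1
      fi
    else
      param_values["${key}"]="${p}"
      param_sources["${key}"]="${origin}"
    fi
  done
done

# Report duplicates
if (( ${#duplicate_params[@]} > 0 )); then
  printf '%s\n' "ℹ️ Duplicate parameters found:"
  for dup in "${!duplicate_params[@]}"; do
    printf '%s\n' " - ${dup}"
  done
fi

printf '%s\n' "✅ GRUB_CMDLINE check complete."

# NOTE(review): the linter exits 0 even when conflicts were reported, so it
# cannot gate an installer stage or CI job by exit status alone; callers have
# to inspect the output. Kept as-is so existing callers are not broken.
exit 0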