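#!/bin/bash
# safeget: download a URL locally, then have every machine listed in
# ~/.multiget_machines fetch the same URL over ssh and report its SHA-256.
# The local download is moved to the destination only when every remote
# checksum is identical to the local one.
#
# Usage: safeget <url> <destination>
# Exit:  0 = verified and moved, 1 = download or verification failure,
#        2 = bad invocation.

if [ -z "$2" ]; then
  echo "invocation: safeget <url> <destination>" >&2
  exit 2
fi

url=$1
dest=$2
machine_list=~/.multiget_machines

# Fail closed: with an unreadable or empty machine list the comparison loop
# would run zero times and the file would be moved without any cross-check.
if [ ! -r "$machine_list" ]; then
  echo "cannot read $machine_list; refusing to fetch without verification" >&2
  exit 1
fi
machines=()
# Split on any whitespace, as an unquoted $(cat ...) would, but without glob
# expansion of the entries. read returns non-zero at EOF, hence the `|| true`.
read -r -d '' -a machines < "$machine_list" || true
if [ "${#machines[@]}" -eq 0 ]; then
  echo "no machines listed in $machine_list; refusing to fetch without verification" >&2
  exit 1
fi

echo "downloading locally..."
realdest="$(mktemp)" || {
  echo "mktemp failed" >&2
  exit 1
}

# pipefail inside the substitution so that a failed curl is not hidden by the
# later pipeline stages; otherwise a partial or empty download would be hashed
# and treated as the reference.
if ! checksum="$(
  set -o pipefail
  curl -- "$url" | tee -- "$realdest" | sha256sum - | cut -d' ' -f1 | tr -d '\n'
)"; then
  echo "local download failed; nothing was verified" >&2
  rm -f -- "$realdest"
  exit 1
fi
if [[ ! "$checksum" =~ ^[0-9a-f]{64}$ ]]; then
  echo "local checksum is not a SHA-256 hex digest; aborting" >&2
  rm -f -- "$realdest"
  exit 1
fi

echo "got checksum:"
echo "$checksum"
echo ""

mismatch_detected=0
echo "downloading on remote machines..."
for machine in "${machines[@]}"; do
  # printf '%s' keeps backslash sequences in the host name from being
  # interpreted, which `echo -e` would do.
  printf ' downloading from %s... \r' "$machine"

  # The URL travels base64-encoded on stdin and is decoded on the remote side
  # inside double quotes, so local and remote curl receive the same string
  # and the remote shell never parses the URL itself.
  remote_sha256_unsanitized="$(
    printf '%s' "$url" | base64 -w0 \
      | ssh -- "$machine" curl -- '"$(base64 -d)"' '|' sha256sum - 2>/dev/null
  )"

  # Keep only hex digits: whatever the remote sends cannot carry terminal
  # control sequences that would wipe earlier warnings from the screen.
  remote_sha256="$(printf '%s' "$remote_sha256_unsanitized" \
    | cut -d' ' -f1 | tr -cd '0123456789abcdef')"

  # Exact comparison. An empty result (ssh or remote curl produced nothing)
  # counts as a mismatch; a `grep -v` test on empty input would report no
  # mismatch and let an unreachable machine pass as verified.
  if [ "$remote_sha256" != "$checksum" ]; then
    printf '\033[1;33;44mDIFFERENT CHECKSUM FROM %s:\n%s\033[0m\n' \
      "$machine" "${remote_sha256:-<no checksum received>}"
    mismatch_detected=1
  fi
done
echo "done "

if [ "$mismatch_detected" -eq 0 ]; then
  echo "moving file to $dest..."
  if ! mv -- "$realdest" "$dest"; then
    echo "could not move $realdest to $dest" >&2
    exit 1
  fi
  echo "done"
else
  # The temporary download is kept on purpose so it can be inspected.
  echo "NOT moving temporary download from $realdest to $dest because verification failed"
  exit 1
fi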