#!/usr/bin/env python3

#from ruamel.yaml import YAML
#from ruamel.yaml.comments import CommentedMap
import os
import sys
from typing import Tuple
import hashlib
from urllib.parse import urlparse
import json
from collections import OrderedDict

# Return a structured list of all environment variables, with sensitive ones hashed.

# Switched to json as it needs no librarires
# yaml = YAML()

if len(sys.argv) > 1:
    whitelist = sys.argv[1:]
else:
    whitelist = None


def filter_sensitive_vars(env_var: Tuple[str, str]):
    """
    If env var name contains a sensitive pattern like 'SECRET' or 'KEY',
    then just return the hash of the value.
    Input is a env var tuple, e.g. ('SHELL','/bin/bash')
    """
    (key, value) = env_var

    # Test if value is super long
    MAX_VALUE_LEN = 256
    if len(value) > MAX_VALUE_LEN:
        return (key + '(HASHED)', hashlib.md5(str(value).encode("utf-8")).hexdigest() + '(HASH)')

    # Test if Value is url with password: http://username:password@example.com/
    parts = urlparse(value)
    if parts.password:
        return (key + '(HASHED)', hashlib.md5(str(value).encode("utf-8")).hexdigest() + '(HASH)')

    # Test if Key appears to be "sensitive"
    SENSITIVE_PATTERN_LIST = ['KEY', 'SECRET', 'PASSWORD', 'PASS']
    if any(pattern.upper() in key.upper() for pattern in SENSITIVE_PATTERN_LIST):
        return (key + '(HASHED)', hashlib.md5(str(value).encode("utf-8")).hexdigest() + '(HASH)')

    return env_var


env_vars = os.environ.items()
# if whitelist is given only print vars in whitelist
filtered_env_vars = [(k, v) for k, v in map(filter_sensitive_vars, env_vars)
                     if whitelist is None or k in whitelist]

json.dump(OrderedDict(sorted(filtered_env_vars)), sys.stdout)
