From c0616cf2881dd7d13a87d54cd5af81c0a31dd289 Mon Sep 17 00:00:00 2001
From: Oguz Kocer <oguz.kocer@automattic.com>
Date: Wed, 16 Nov 2022 03:52:17 -0500
Subject: [PATCH] Adds validate_gradle_wrapper script

---
 bin/validate_gradle_wrapper | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100755 bin/validate_gradle_wrapper

diff --git a/bin/validate_gradle_wrapper b/bin/validate_gradle_wrapper
new file mode 100755
index 0000000..52151fd
--- /dev/null
+++ b/bin/validate_gradle_wrapper
@@ -0,0 +1,37 @@
+#!/bin/bash -eu
+
+CHECKSUM_URLS=$(curl -s https://services.gradle.org/versions/all | jq -r ".[].wrapperChecksumUrl? | select(.)")
+
+function validate_checksum() {
+    wrapper_location="$1"
+    validated_with_checksum_from_url=""
+
+    wrapper_checksum=$(shasum --algorithm=256 "$wrapper_location")
+    # Remove the file location from the "wrapper_checksum" result
+    sha256_checksum_to_be_validated="${wrapper_checksum%% *}"
+
+    while IFS= read -r checksum_url; do
+        downloaded_checksum=$(curl -s --location "$checksum_url")
+        if [[ "$sha256_checksum_to_be_validated" == "$downloaded_checksum" ]]; then
+            validated_with_checksum_from_url="$checksum_url"
+            break;
+        fi
+    done <<< "$CHECKSUM_URLS"
+
+    if [[ -z "$validated_with_checksum_from_url" ]]; then
+        echo "Failed to validate '$wrapper_location'"
+        exit 1
+    else
+        echo "'$wrapper_location' is validated with sha256 checksum from '$validated_with_checksum_from_url'"
+    fi
+}
+
+WRAPPER_JARS=$(find . -type f -name "gradle-wrapper.jar")
+if [ -z "${WRAPPER_JARS}" ]; then
+    echo "No gradle-wrapper.jar files found."
+    exit 1
+else
+    while IFS= read -r wrapper_location; do
+        validate_checksum "$wrapper_location"
+    done <<< "$WRAPPER_JARS"
+fi