From 683755f95d0aacf926779a67a1c16e8ff6d10290 Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Wed, 11 Jan 2017 10:32:43 +0200
Subject: [PATCH] Add tooling to generate SRI hashes for assets

Subresource integrity allows user agents to verify that a fetched
resource has been delivered without unexpected manipulation[0]. I
put theme assets in a json configuration file and save the hashes
to a TOML file that Hugo loads via its theme data mechanism[1].

[0] https://www.w3.org/TR/SRI/
[1] https://gohugo.io/extras/datafiles/
---
 build/assets.json |  5 +++++
 build/sri.js      | 23 +++++++++++++++++++++++
 package.json      |  3 ++-
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 build/assets.json
 create mode 100644 build/sri.js

diff --git a/build/assets.json b/build/assets.json
new file mode 100644
index 0000000..c8771bd
--- /dev/null
+++ b/build/assets.json
@@ -0,0 +1,5 @@
+{
+  "style": "static/css/style.css",
+  "cookieconsentcss": "static/css/cookieconsent.min.css",
+  "cookieconsentjs": "static/js/cookieconsent.min.js"
+}
diff --git a/build/sri.js b/build/sri.js
new file mode 100644
index 0000000..dcc54e0
--- /dev/null
+++ b/build/sri.js
@@ -0,0 +1,23 @@
+// Adapted from: https://gist.github.com/jmervine/ae1bace0fe37dce75b90ec3e9592771c
+
+var crypto = require('crypto');
+var fs     = require('fs');
+var assets = require('./assets.json');
+
+var generate384 = function (file) {
+  var enc  = 'utf8';
+  var body = fs.readFileSync(file, { encoding: enc });
+  var hash = crypto.createHash('sha384').update(body, enc);
+  var sha  = hash.digest('base64');
+
+  return 'sha384-' + sha;
+}
+
+for (var asset in assets) {
+  var path = assets[asset];
+  var hash = generate384(path);
+
+  console.log(asset + ' = "' + hash + '"');
+}
+
+// vim: set ts=2 sw=2 et:
diff --git a/package.json b/package.json
index ec173b7..a437f08 100644
--- a/package.json
+++ b/package.json
@@ -10,7 +10,8 @@
     "build:css": "node-sass --output-style expanded --precision 6 source/scss/style.scss static/css/style.css.tmp && cleancss --skip-advanced static/css/style.css.tmp -o static/css/style.css",
     "build:fonts": "cp node_modules/font-awesome/fonts/* static/fonts",
     "build:cookieconsent": "cp node_modules/cookieconsent/build/cookieconsent.min.css static/css && cp node_modules/cookieconsent/build/cookieconsent.min.js static/js",
-    "build": "npm run build:css && npm run build:fonts && npm run build:cookieconsent && npm run clean",
+    "build:generatesri": "node build/sri.js > data/sri.toml",
+    "build": "npm run build:css && npm run build:fonts && npm run build:cookieconsent && npm run build:generatesri && npm run clean",
     "clean": "rm static/css/style.css.tmp"
   },
   "keywords": "hugo",