Extend publishing functionality

To allow multiple publishers per build, separate the publishing function into its own space, and add sftp/cp examples. While there, make use of clean room builds in hbsd-update-build and remove the assumption that all published builds must be signed (here be dragons).
HardenedBSD · Dec 1, 2018 · 21d86e1 · 21d86e1
1 parent 4dc8dd8
commit 21d86e1
Show file tree

Hide file tree

Showing 5 changed files with 190 additions and 37 deletions.
diff --git a/lib/builder.zsh b/lib/builder.zsh
@@ -42,9 +42,7 @@ function sanitize_str() {
 
 function do_build()
 {
-	local config nbuilds i enabled tmpfile name output res
-	local dnsstr publish_user publish_host publish_path ver
-	local dnsentry apikey kernels
+	local config nbuilds i enabled tmpfile name output res kernels
 	config=${1}
 	tmpfile=$(mktemp)
 
@@ -67,10 +65,10 @@ function do_build()
 		srcconf=$(jq -r ".builds[${i}].src_conf" ${config})
 		if [ "${srcconf}" != "null" ]; then
 			srcconf=$(sanitize_str ${srcconf})
-            if [ ! -f ${srcconf} ]; then
-                echo "[-] SRCCONF ${srcconf} does not exist."
-                continue
-            fi
+			if [ ! -f ${srcconf} ]; then
+				echo "[-] SRCCONF ${srcconf} does not exist."
+				continue
+			fi
 		else
 			srcconf=""
 		fi
@@ -80,43 +78,55 @@ function do_build()
 			devmode=""
 		fi
 
-        target=$(jq -r ".builds[${i}].target" ${config})
-        if [ "${target}" = "null" ]; then
-            target=$(uname -m)
+		target=$(jq -r ".builds[${i}].target" ${config})
+		if [ "${target}" = "null" ]; then
+			target=$(uname -m)
+		fi
 
-        fi
+		target_arch=$(jq -r ".builds[${i}].target_arch" ${config})
+		if [ "${target_arch}" = "null" ]; then
+			target_arch=$(uname -p)
+		fi
 
-        target_arch=$(jq -r ".builds[${i}].target_arch" ${config})
-        if [ "${target_arch}" = "null" ]; then
-            target_arch=$(uname -p)
-        fi
+		needs_cross_utils=$(jq -r ".builds[${i}].needs_cross_utils" ${config})
+		if [ "${needs_cross_utils}" = "null" ]; then
+			needs_cross_utils="1"
+		fi
 
-        needs_cross_utils=$(jq -r ".builds[${i}].needs_cross_utils" ${config})
-        if [ "${needs_cross_utils}" = "null" ]; then
-            needs_cross_utils="1"
-        fi
+		want_chroot_build=$(jq -r ".builds[${i}].want_chroot_build" ${config})
+		if [ "${needs_cross_utils}" = "null" ]; then
+			want_chroot_build="0"
+		fi
 
-        scriptfile=$(jq -r ".builds[${i}].scriptfile" ${config})
-        if [ "${scriptfile}" = "null" ]; then
-            scriptfile=""
-        fi
+		scriptfile=$(jq -r ".builds[${i}].unsigned" ${config})
+		if [ "${unsigned}" = "null" ]; then
+			unsigned="0"
+		fi
+
+		scriptfile=$(jq -r ".builds[${i}].scriptfile" ${config})
+		if [ "${scriptfile}" = "null" ]; then
+			scriptfile=""
+		fi
 
 		cat<<EOF > ${tmpfile}
 REPO=$(jq -r ".builds[${i}].repo" ${config})
 BRANCH=$(jq -r ".builds[${i}].branch" ${config})
 DEVMODE="${devmode}"
 FULLCLEAN="yes"
+UNSIGNED="${unsigned}"
 KERNELS="${kernels}"
 SRCCONFPATH="${srcconf}"
 TARGET="${target}"
 TARGET_ARCH="${target_arch}"
 NEED_CROSS_UTILS=${needs_cross_utils}
+WANT_CHROOT_BUILD=${want_chroot_build}
 SCRIPTFILE="${scriptfile}"
 EOF
 		output=$(hbsd-update-build -c ${tmpfile})
 		res=$(echo ${output} | awk '{print $1;}')
 		echo "    [+] res: ${output}"
 
+		# TODO: improve error handling here
 		if [ ! "${res}" = "OK" ]; then
 			echo "    [-] ${name} failed"
 			continue
@@ -125,22 +135,24 @@ EOF
 		dnsstr=$(echo ${output} | awk '{print $2;}')
 		ver=$(echo ${dnsstr} | sed 's,|, ,g' | awk '{print $2;}')
 
-		echo ${dnsstr} > ${tmpfile}
-		chmod 744 ${tmpfile}
-
-		publish_user=$(jq -r ".builds[${i}].publish.user" ${config})
-		publish_host=$(jq -r ".builds[${i}].publish.host" ${config})
-		publish_path=$(jq -r ".builds[${i}].publish.directory" ${config})
-		dnsentry=$(jq -r ".builds[${i}].dns" ${config})
-		apikey=$(jq -r ".apikey" ${config})
-
-		sudo -u ${publish_user} scp /builds/updater/output/update-${ver}.tar \
-		    ${publish_host}:${publish_path}/
-		sudo -u ${publish_user} scp ${tmpfile} \
-		    ${publish_host}:${publish_path}/update-latest.txt
+		publish=$(jq -r ".builds[${i}].publish" ${config})
+		if [ "${publish}" != "null" ]; then
+			do_publish ${config} ${i} ${dnsstr} ${ver}
+		fi
 
-		${TOPDIR}/updatedns.zsh ${apikey} hardenedbsd.org ${dnsentry} ${dnsstr}
+		sign=$(jq -r ".builds[${i}].sign" ${config})
+		if [ "${sign}" != "null" ]; then
+			do_sign ${config} ${i} ${dnsstr}
+		fi
 	done
 
 	rm -f ${tmpfile}
 }
+
+function do_sign() {
+	local dnsentry apikey dnsstr
+	local config=$1 i=$2 dnsstr=$3
+	dnsentry=$(jq -r ".builds[${i}].sign.dns" ${config})
+	apikey=$(jq -r ".signing.apikey" ${config})
+	${TOPDIR}/updatedns.zsh ${apikey} hardenedbsd.org ${dnsentry} ${dnsstr}
+}
diff --git a/lib/publish.zsh b/lib/publish.zsh
@@ -0,0 +1,49 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Johannes Meixner <[email protected]>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+
+function do_publish() {
+	local dnsstr publish_user publish_host publish_path ver build dnsstr ver
+	local config=$1 i=$2 dnsstr=$3 ver=$4
+
+	# foreach publish[i]
+	# method = jq .build[i][publish]j
+	npublish=$(jq -r ".builds[$i].publish | length" ${config})
+	for ((j=0; j<${npublish}; j++)); do
+		method=$(jq -r ".builds[$i].publish[$j].method" ${config})
+		if [ ! -f lib/publishers/${method}.zsh ]; then
+			echo "[-] Publisher for ${method} does not exist."
+			continue
+		else
+			. "lib/publishers/${method}.zsh"
+		fi
+		if [ ! "$(whence -w publish_${method})" = "publish_${method}: function" ]; then
+			echo "[-] Publisher method for ${method} does not exist."
+			continue
+		fi
+		echo "[*] Publishing ${name} via ${method}"
+		publish_${method} ${config} ${i} ${j} ${dnsstr} ${ver}
+	done
+}
diff --git a/lib/publishers/cp.zsh b/lib/publishers/cp.zsh
@@ -0,0 +1,43 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Johannes Meixner <[email protected]>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+function publish_cp() {
+	local publish_path
+	local config=$1 i=$2 j=$3 dnsstr=$4 ver=$5
+
+	echo ${dnsstr} > ${tmpfile}
+	chmod 744 ${tmpfile}
+
+
+	publish_path=$(jq -r ".builds[${i}].publish[$j].directory" ${config})
+
+	mkdir -p ${publish_path}
+
+	cp -a /builds/updater/output/update-${ver}.tar \
+	    ${publish_path}/
+	cp -a ${tmpfile} ${publish_path}/update-latest.txt
+
+
+}
diff --git a/lib/publishers/sftp.zsh b/lib/publishers/sftp.zsh
@@ -0,0 +1,48 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Shawn Webb <[email protected]>
+#
+# This work originally sponsored by G2, Inc
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+function publish_sftp() {
+	local publish_user publish_host publish_path tmpfile
+	local config=$1 i=$2 j=$3 dnsstr=$4 ver=$5
+	tmpfile=$(mktemp)
+
+
+	publish_user=$(jq -r ".builds[${i}].publish[$j].user" ${config})
+	publish_host=$(jq -r ".builds[${i}].publish[$j].host" ${config})
+	publish_path=$(jq -r ".builds[${i}].publish[$j].directory" ${config})
+
+	echo ${dnsstr} > ${tmpfile}
+	chmod 744 ${tmpfile}
+
+
+	sudo -u ${publish_user} scp /builds/updater/output/update-${ver}.tar \
+	    ${publish_host}:${publish_path}/
+	sudo -u ${publish_user} scp ${tmpfile} \
+	    ${publish_host}:${publish_path}/update-latest.txt
+
+
+}
diff --git a/run.zsh b/run.zsh
@@ -51,6 +51,7 @@ function main() {
 	cd ${TOPDIR}
 
 	source ./lib/builder.zsh
+	source ./lib/publish.zsh
 
 	while getopts 'hc:' opt; do
 		case "${opt}" in