From 21d86e193dbe33314fe726632f050c909d391fe4 Mon Sep 17 00:00:00 2001
From: Johannes Meixner
Date: Sat, 1 Dec 2018 08:01:26 +0000
Subject: [PATCH] Extend publishing functionality
To allow multiple publishers per build, separate the publishing function into its own space, and add sftp/cp examples. While there, make use of clean room builds in hbsd-update-build and remove the assumption that all published builds must be signed (here be dragons).
---
lib/builder.zsh | 86 +++++++++++++++++++++++------------------
lib/publish.zsh | 49 +++++++++++++++++++++++
lib/publishers/cp.zsh | 43 +++++++++++++++++++++
lib/publishers/sftp.zsh | 48 +++++++++++++++++++++++
run.zsh | 1 +
5 files changed, 190 insertions(+), 37 deletions(-)
create mode 100644 lib/publish.zsh
create mode 100644 lib/publishers/cp.zsh
create mode 100644 lib/publishers/sftp.zsh
diff --git a/lib/builder.zsh b/lib/builder.zsh
index 0f2bdb8..cfd0512 100644
--- a/lib/builder.zsh
+++ b/lib/builder.zsh
@@ -42,9 +42,7 @@ function sanitize_str() {
function do_build() {
- local config nbuilds i enabled tmpfile name output res
- local dnsstr publish_user publish_host publish_path ver
- local dnsentry apikey kernels
+ local config nbuilds i enabled tmpfile name output res kernels config=${1} tmpfile=$(mktemp)
@@ -67,10 +65,10 @@ function do_build()
srcconf=$(jq -r ".builds[${i}].src_conf" ${config}) if [ "${srcconf}" != "null" ]; then srcconf=$(sanitize_str ${srcconf})
- if [ ! -f ${srcconf} ]; then
- echo "[-] SRCCONF ${srcconf} does not exist."
- continue
- fi
+ if [ ! -f ${srcconf} ]; then
+ echo "[-] SRCCONF ${srcconf} does not exist."
+ continue
+ fi
else srcconf="" fi
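Review bot: The shortened `local` line drops `dnsstr` and `ver`, which do_build still assigns later in the hunk at `@@ -125,22 +135,24 @@`, and the `publish`, `sign`, `unsigned` and `want_chroot_build` variables this commit introduces are never declared `local` either; they become globals that outlive the call and are visible to every sourced publisher. Suggest `local config nbuilds i enabled tmpfile name output res kernels dnsstr ver publish sign unsigned want_chroot_build`. The second hunk in this file section is a re-indent only. do_build's body continues well past this hunk.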
@@ -80,43 +78,55 @@ function do_build()
devmode="" fi
- target=$(jq -r ".builds[${i}].target" ${config})
- if [ "${target}" = "null" ]; then
- target=$(uname -m)
+ target=$(jq -r ".builds[${i}].target" ${config})
+ if [ "${target}" = "null" ]; then
+ target=$(uname -m)
+ fi
- fi
+ target_arch=$(jq -r ".builds[${i}].target_arch" ${config})
+ if [ "${target_arch}" = "null" ]; then
+ target_arch=$(uname -p)
+ fi
- target_arch=$(jq -r ".builds[${i}].target_arch" ${config})
- if [ "${target_arch}" = "null" ]; then
- target_arch=$(uname -p)
- fi
+ needs_cross_utils=$(jq -r ".builds[${i}].needs_cross_utils" ${config})
+ if [ "${needs_cross_utils}" = "null" ]; then
+ needs_cross_utils="1"
+ fi
- needs_cross_utils=$(jq -r ".builds[${i}].needs_cross_utils" ${config})
- if [ "${needs_cross_utils}" = "null" ]; then
- needs_cross_utils="1"
- fi
+ want_chroot_build=$(jq -r ".builds[${i}].want_chroot_build" ${config})
+ if [ "${needs_cross_utils}" = "null" ]; then
+ want_chroot_build="0"
+ fi
- scriptfile=$(jq -r ".builds[${i}].scriptfile" ${config})
- if [ "${scriptfile}" = "null" ]; then
- scriptfile=""
- fi
+ scriptfile=$(jq -r ".builds[${i}].unsigned" ${config})
+ if [ "${unsigned}" = "null" ]; then
+ unsigned="0"
+ fi
+
+ scriptfile=$(jq -r ".builds[${i}].scriptfile" ${config})
+ if [ "${scriptfile}" = "null" ]; then
+ scriptfile=""
+ fi
cat< ${tmpfile} REPO=$(jq -r ".builds[${i}].repo" ${config}) BRANCH=$(jq -r ".builds[${i}].branch" ${config}) DEVMODE="${devmode}" FULLCLEAN="yes"
+UNSIGNED="${unsigned}"
KERNELS="${kernels}" SRCCONFPATH="${srcconf}" TARGET="${target}" TARGET_ARCH="${target_arch}" NEED_CROSS_UTILS=${needs_cross_utils}
+WANT_CHROOT_BUILD=${want_chroot_build}
SCRIPTFILE="${scriptfile}" EOF output=$(hbsd-update-build -c ${tmpfile}) res=$(echo ${output} | awk '{print $1;}') echo " [+] res: ${output}"
+ # TODO: improve error handling here
if [ ! "${res}" = "OK" ]; then echo " [-] ${name} failed" continue
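Review bot: Two of the new defaulting blocks test the wrong variable. `if [ "${needs_cross_utils}" = "null" ]` guards `want_chroot_build="0"`, so a config without a `want_chroot_build` key writes the literal string `null` into `WANT_CHROOT_BUILD`; the line should read `if [ "${want_chroot_build}" = "null" ]; then`. Likewise `scriptfile=$(jq -r ".builds[${i}].unsigned" ${config})` stores the `unsigned` field into `scriptfile` (overwritten a few lines down) and then tests `${unsigned}`, which nothing sets, so `UNSIGNED=""` is emitted whatever the config says and the field that decides whether a build may go out unsigned has no effect; the assignment should be `unsigned=$(jq -r ".builds[${i}].unsigned" ${config})`. The `# TODO: improve error handling here` comment would be more useful if it named what is missing, e.g. that `res` is the first word of hbsd-update-build's stdout rather than its exit status. The enclosing function starts and ends outside this hunk.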
@@ -125,22 +135,24 @@ EOF
dnsstr=$(echo ${output} | awk '{print $2;}') ver=$(echo ${dnsstr} | sed 's,|, ,g' | awk '{print $2;}')
- echo ${dnsstr} > ${tmpfile}
- chmod 744 ${tmpfile}
-
- publish_user=$(jq -r ".builds[${i}].publish.user" ${config})
- publish_host=$(jq -r ".builds[${i}].publish.host" ${config})
- publish_path=$(jq -r ".builds[${i}].publish.directory" ${config})
- dnsentry=$(jq -r ".builds[${i}].dns" ${config})
- apikey=$(jq -r ".apikey" ${config})
-
- sudo -u ${publish_user} scp /builds/updater/output/update-${ver}.tar \
- ${publish_host}:${publish_path}/
- sudo -u ${publish_user} scp ${tmpfile} \
- ${publish_host}:${publish_path}/update-latest.txt
+ publish=$(jq -r ".builds[${i}].publish" ${config})
+ if [ "${publish}" != "null" ]; then
+ do_publish ${config} ${i} ${dnsstr} ${ver}
+ fi
- ${TOPDIR}/updatedns.zsh ${apikey} hardenedbsd.org ${dnsentry} ${dnsstr}
+ sign=$(jq -r ".builds[${i}].sign" ${config})
+ if [ "${sign}" != "null" ]; then
+ do_sign ${config} ${i} ${dnsstr}
+ fi
done rm -f ${tmpfile} }
+
+function do_sign() {
+ local dnsentry apikey dnsstr
+ local config=$1 i=$2 dnsstr=$3
+ dnsentry=$(jq -r ".builds[${i}].sign.dns" ${config})
+ apikey=$(jq -r ".signing.apikey" ${config})
+ ${TOPDIR}/updatedns.zsh ${apikey} hardenedbsd.org ${dnsentry} ${dnsstr}
+}
diff --git a/lib/publish.zsh b/lib/publish.zsh
new file mode 100644
index 0000000..45c810b
--- /dev/null
+++ b/lib/publish.zsh
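Review bot: do_sign runs whether or not do_publish succeeded: `do_publish ${config} ${i} ${dnsstr} ${ver}` is called without looking at its status (and the publishers do not check their copy commands), so a failed upload still gets its DNS record updated to advertise `${ver}`, pointing clients at a version the mirror does not hold. Once do_publish propagates a status, gate the DNS step on it: `if ! do_publish ${config} ${i} ${dnsstr} ${ver}; then echo " [-] ${name} publish failed"; continue; fi`. The new function's name is misleading — do_sign signs nothing, it publishes the version string to DNS through `updatedns.zsh` — so either rename it or give it a header comment stating that. Note also that the API key now comes from `.signing.apikey` instead of `.apikey`, so an unmigrated config silently passes the literal string `null` as the key. do_build's body starts before this hunk.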
@@ -0,0 +1,49 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Johannes Meixner
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+
+function do_publish() {
+ local dnsstr publish_user publish_host publish_path ver build dnsstr ver
+ local config=$1 i=$2 dnsstr=$3 ver=$4
+
+ # foreach publish[i]
+ # method = jq .build[i][publish]j
+ npublish=$(jq -r ".builds[$i].publish | length" ${config})
+ for ((j=0; j<${npublish}; j++)); do
+ method=$(jq -r ".builds[$i].publish[$j].method" ${config})
+ if [ ! -f lib/publishers/${method}.zsh ]; then
+ echo "[-] Publisher for ${method} does not exist."
+ continue
+ else
+ . "lib/publishers/${method}.zsh"
+ fi
+ if [ ! "$(whence -w publish_${method})" = "publish_${method}: function" ]; then
+ echo "[-] Publisher method for ${method} does not exist."
+ continue
+ fi
+ echo "[*] Publishing ${name} via ${method}"
+ publish_${method} ${config} ${i} ${j} ${dnsstr} ${ver}
+ done
+}
diff --git a/lib/publishers/cp.zsh b/lib/publishers/cp.zsh
new file mode 100644
index 0000000..15a1d04
--- /dev/null
+++ b/lib/publishers/cp.zsh
@@ -0,0 +1,43 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Johannes Meixner
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+function publish_cp() {
+ local publish_path
+ local config=$1 i=$2 j=$3 dnsstr=$4 ver=$5
+
+ echo ${dnsstr} > ${tmpfile}
+ chmod 744 ${tmpfile}
+
+
+ publish_path=$(jq -r ".builds[${i}].publish[$j].directory" ${config})
+
+ mkdir -p ${publish_path}
+
+ cp -a /builds/updater/output/update-${ver}.tar \
+ ${publish_path}/
+ cp -a ${tmpfile} ${publish_path}/update-latest.txt
+
+
+}
diff --git a/lib/publishers/sftp.zsh b/lib/publishers/sftp.zsh
new file mode 100644
index 0000000..b8e8b50
--- /dev/null
+++ b/lib/publishers/sftp.zsh
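Review bot: `echo ${dnsstr} > ${tmpfile}` writes to a variable publish_cp never sets: `tmpfile` is absent from its `local` list, so through zsh's dynamic scoping it reaches do_build's `tmpfile`, the file holding the hbsd-update-build configuration, and overwrites it with the version string; it only works because do_build rewrites that file on the next iteration. For a local copy the temp file is unnecessary anyway: `echo ${dnsstr} > ${publish_path}/update-latest.txt` followed by `chmod 744 ${publish_path}/update-latest.txt` replaces the tmpfile lines and the second `cp -a`. `publish_path` is used unvalidated — a build without a `directory` key yields the string `null`, so `mkdir -p` creates a directory literally named null under the cwd; guard with `[ "${publish_path}" != "null" ] || return 1`. Neither `cp` result is checked, so the caller cannot tell a failed publish from a successful one; append `|| return 1` to each.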
@@ -0,0 +1,48 @@
+#-
+# Copyright (c) 2018 HardenedBSD
+# Author: Shawn Webb
+#
+# This work originally sponsored by G2, Inc
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+function publish_sftp() {
+ local publish_user publish_host publish_path tmpfile
+ local config=$1 i=$2 j=$3 dnsstr=$4 ver=$5
+ tmpfile=$(mktemp)
+
+
+ publish_user=$(jq -r ".builds[${i}].publish[$j].user" ${config})
+ publish_host=$(jq -r ".builds[${i}].publish[$j].host" ${config})
+ publish_path=$(jq -r ".builds[${i}].publish[$j].directory" ${config})
+
+ echo ${dnsstr} > ${tmpfile}
+ chmod 744 ${tmpfile}
+
+
+ sudo -u ${publish_user} scp /builds/updater/output/update-${ver}.tar \
+ ${publish_host}:${publish_path}/
+ sudo -u ${publish_user} scp ${tmpfile} \
+ ${publish_host}:${publish_path}/update-latest.txt
+
+
+}
diff --git a/run.zsh b/run.zsh
index 0d023e4..3d84dbc 100755
--- a/run.zsh
+++ b/run.zsh
@@ -51,6 +51,7 @@ function main()
{ cd ${TOPDIR} source ./lib/builder.zsh
+ source ./lib/publish.zsh
while getopts 'hc:' opt; do case "${opt}" in
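Review bot: `tmpfile=$(mktemp)` is never removed, so every publish leaves a file holding the version string in the temp directory; add `rm -f ${tmpfile}` after the second scp and on the failure path. Both `sudo -u ${publish_user} scp ...` calls run unchecked, so a rejected key, unreachable host or full disk is invisible to do_publish and the build is reported as published; `|| { rm -f ${tmpfile}; return 1; }` on each would surface it. The `chmod 744` exists because the file is created by the invoking user but read by `${publish_user}` under sudo — a one-line comment saying so would stop someone tightening it to 600 later. `user`, `host` and `directory` are not checked for `null`, which turns a missing key into a destination of `null:null/`. The file is named sftp but the transport is scp, and `sftp` is the `method` value users will put in the config, so either name the file for what it does or document that it uses scp.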