pkgs/tools/system/osquery/update.py

   1 import base64
   2 import json
   3 import re
   4 import subprocess
   5 import sys
   6 import urllib.request
   7
   8 OWNER = 'osquery'
   9 REPO = 'osquery'
  10 OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
  11 OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
  12 INFO_PATH = 'pkgs/tools/system/osquery/info.json'
  13
  14
  15 def download_str(url):
  16     return urllib.request.urlopen(url).read().decode('utf-8')
  17
  18
  19 def get_latest_tag():
  20     latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
  21     return json.loads(download_str(latest_url))['tag_name']
  22
  23
  24 def read_info():
  25     with open(INFO_PATH, 'r') as f:
  26         return json.load(f)
  27
  28
  29 def write_info(info):
  30     with open(INFO_PATH, 'w') as f:
  31         json.dump(info, f, indent=4, sort_keys=True)
  32         f.write('\n')
  33
  34
  35 def sha256_hex_to_sri(hex):
  36     return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
  37
  38
  39 def openssl_info_from_cmake(cmake):
  40     version = None
  41     sha256 = None
  42     for line in cmake.splitlines():
  43         if version is None:
  44             m = OPENSSL_VERSION_PAT.match(line)
  45             if m is not None:
  46                 version = m.group(1)
  47         if sha256 is None:
  48             m = OPENSSL_SHA256_PAT.match(line)
  49             if m is not None:
  50                 sha256 = m.group(1)
  51         if version is not None and sha256 is not None:
  52             break
  53
  54     if version is None or sha256 is None:
  55         raise Exception('Failed to extract openssl fetch info')
  56
  57     return {
  58         'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
  59         'hash': sha256_hex_to_sri(sha256)
  60     }
  61
  62
  63 def openssl_info_for_rev(rev):
  64     url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt'  # noqa: E501
  65     return openssl_info_from_cmake(download_str(url))
  66
  67
  68 force = len(sys.argv) == 2 and sys.argv[1] == '--force'
  69
  70 latest_tag = get_latest_tag()
  71 print(f'osquery_latest_tag: {latest_tag}')
  72
  73 if not force:
  74     old_info = read_info()
  75     if latest_tag == old_info['osquery']['rev']:
  76         print('latest tag matches existing rev. exiting')
  77         sys.exit(0)
  78
  79 openssl_fetch_info = openssl_info_for_rev(latest_tag)
  80 print(f'openssl_info: {openssl_fetch_info}')
  81
  82 prefetch = json.loads(subprocess.check_output([
  83     'nix-prefetch-git',
  84     '--fetch-submodules',
  85     '--quiet',
  86     f'https://github.com/{OWNER}/{REPO}',
  87     latest_tag
  88 ]))
  89
  90 prefetch_hash = prefetch['hash']
  91
  92 github_fetch_info = {
  93     'owner': OWNER,
  94     'repo': REPO,
  95     'rev': latest_tag,
  96     'hash': prefetch_hash,
  97     'fetchSubmodules': True
  98 }
  99
 100 print(f'osquery_hash: {prefetch_hash}')
 101
 102 new_info = {
 103     'osquery': github_fetch_info,
 104     'openssl': openssl_fetch_info
 105 }
 106
 107 print(f'osquery_info: {new_info}')
 108
 109 write_info(new_info)