nixpkgs/pkgs/tools/system/osquery/update.py
squalus ef7100c21e osquery: add update script
- add update script
- remove openssl hash verification logic since the hash is computed
  automatically now in the update script
2024-08-24 21:28:30 -07:00

110 lines
2.7 KiB
Python

import base64
import json
import re
import subprocess
import sys
import urllib.request
OWNER = 'osquery'
REPO = 'osquery'
OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
INFO_PATH = 'pkgs/tools/system/osquery/info.json'
def download_str(url):
return urllib.request.urlopen(url).read().decode('utf-8')
def get_latest_tag():
latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
return json.loads(download_str(latest_url))['tag_name']
def read_info():
with open(INFO_PATH, 'r') as f:
return json.load(f)
def write_info(info):
with open(INFO_PATH, 'w') as f:
json.dump(info, f, indent=4, sort_keys=True)
f.write('\n')
def sha256_hex_to_sri(hex):
return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
def openssl_info_from_cmake(cmake):
version = None
sha256 = None
for line in cmake.splitlines():
if version is None:
m = OPENSSL_VERSION_PAT.match(line)
if m is not None:
version = m.group(1)
if sha256 is None:
m = OPENSSL_SHA256_PAT.match(line)
if m is not None:
sha256 = m.group(1)
if version is not None and sha256 is not None:
break
if version is None or sha256 is None:
raise Exception('Failed to extract openssl fetch info')
return {
'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
'hash': sha256_hex_to_sri(sha256)
}
def openssl_info_for_rev(rev):
url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt' # noqa: E501
return openssl_info_from_cmake(download_str(url))
force = len(sys.argv) == 2 and sys.argv[1] == '--force'
latest_tag = get_latest_tag()
print(f'osquery_latest_tag: {latest_tag}')
if not force:
old_info = read_info()
if latest_tag == old_info['osquery']['rev']:
print('latest tag matches existing rev. exiting')
sys.exit(0)
openssl_fetch_info = openssl_info_for_rev(latest_tag)
print(f'openssl_info: {openssl_fetch_info}')
prefetch = json.loads(subprocess.check_output([
'nix-prefetch-git',
'--fetch-submodules',
'--quiet',
f'https://github.com/{OWNER}/{REPO}',
latest_tag
]))
prefetch_hash = prefetch['hash']
github_fetch_info = {
'owner': OWNER,
'repo': REPO,
'rev': latest_tag,
'hash': prefetch_hash,
'fetchSubmodules': True
}
print(f'osquery_hash: {prefetch_hash}')
new_info = {
'osquery': github_fetch_info,
'openssl': openssl_fetch_info
}
print(f'osquery_info: {new_info}')
write_info(new_info)