From 6eb266d3f3a8adec2491ec081935302d4d6c27bb Mon Sep 17 00:00:00 2001 From: William Beuil Date: Fri, 5 Feb 2021 17:08:20 +0100 Subject: [PATCH] Add checksum and PGP sig validation while installing new driftctl version --- libexec/dctlenv-install | 40 ++++++++++++++++++++++++-- test/dctlenv-install.bats | 59 ++++++++++++++++++++++++++++++++++++--- 2 files changed, 93 insertions(+), 6 deletions(-) diff --git a/libexec/dctlenv-install b/libexec/dctlenv-install index 46f055c..9568867 100755 --- a/libexec/dctlenv-install +++ b/libexec/dctlenv-install @@ -39,9 +39,45 @@ driftctl_url="https://github.com/cloudskiff/driftctl/releases/download" echo "Installing driftctl v$version" echo "Downloading release tarball from $driftctl_url/v$version/driftctl_$os" -$(curlw -# -f -L -o "$dst_path/driftctl" --create-dirs "$driftctl_url/v$version/driftctl_$os") || log_error 'Tarball download failed' +$(curlw -# -f -L -o "$dst_path/driftctl_$os" --create-dirs "$driftctl_url/v$version/driftctl_$os") || log_error 'Tarball download failed' -echo "Making the $dst_path/driftctl binary executable" +echo "Downloading SHA256 hashes file from $driftctl_url/v$version/driftctl_SHA256SUMS" +$(curlw -s -f -L -o "$dst_path/driftctl_SHA256SUMS" "$driftctl_url/v$version/driftctl_SHA256SUMS") || log_debug 'SHA256 hashes download failed' + +if [[ -f "$dst_path/driftctl_SHA256SUMS" ]]; then + sha256sum_bin="$(command -v sha256sum 2>/dev/null)" + if [[ -n "$sha256sum_bin" && -x "$sha256sum_bin" ]]; then + (cd "$dst_path"; grep "driftctl_$os" "driftctl_SHA256SUMS" | "$sha256sum_bin" -c) &>/dev/null \ + && echo "SHA256 hash matched!" \ + || log_error 'SHA256 hash does not match!' + else + echo 'No sha256sum tool available. Skipping SHA256 hash validation' + fi + $(rm "$dst_path/driftctl_SHA256SUMS") +else + echo 'No SHA256 hashes file available. Skipping SHA256 hash validation' +fi + +if [ "${DCTLENV_PGP:-0}" -gt 0 ]; then + echo "Downloading SHA256 hashes signature file from $driftctl_url/v$version/driftctl_SHA256SUMS.gpg" + $(curlw -s -f -L -o "$dst_path/driftctl_SHA256SUMS.gpg" "$driftctl_url/v$version/driftctl_SHA256SUMS.gpg") || log_debug 'SHA256 hashes signature download failed' + + if [[ -f "$dst_path/driftctl_SHA256SUMS.gpg" ]]; then + gpg_bin="$(command -v gpg 2>/dev/null)" + if [[ -n "$gpg_bin" && -x "$gpg_bin" ]]; then + "$gpg_bin" --verify "$dst_path/driftctl_SHA256SUMS.gpg" \ + && echo "PGP signature matched!" \ + || log_error 'PGP signature rejected!' + else + echo 'No gpg tool available. Skipping signature validation' + fi + $(rm "$dst_path/driftctl_SHA256SUMS.gpg") + else + echo 'No SHA256 hashes signature file available. Skipping signature validation' + fi +fi + +$(mv "$dst_path/driftctl_$os" "$dst_path/driftctl") $(chmod +x "$dst_path/driftctl") || log_error "Fail to make the binary executable" echo "Installation of driftctl v${version} successful. To make this your default version, run 'dctlenv use ${version}'" diff --git a/test/dctlenv-install.bats b/test/dctlenv-install.bats index 803d473..b0b7432 100644 --- a/test/dctlenv-install.bats +++ b/test/dctlenv-install.bats @@ -67,8 +67,12 @@ OUT @test "dctlenv install []: prints an error message if it failed to make the binary executable" { chmod() { exit 1; }; export -f chmod; - curlw() { exit 0; }; export -f curlw; uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + exit 0 + }; export -f curlw; run dctlenv install 0.3.1 @@ -76,15 +80,20 @@ OUT assert_output <]: prints a success message at the end of the install" { chmod() { exit 0; }; export -f chmod; - curlw() { exit 0; }; export -f curlw; uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + exit 0 + }; export -f curlw; run dctlenv install 0.3.1 @@ -92,7 +101,49 @@ OUT assert_output <]: prints an error message if it failed to check SHA256" { + uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + echo "test driftctl_linux_amd64" > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS" + exit 0 + }; export -f curlw; + + run dctlenv install 0.3.1 + + assert_failure + assert_output <]: prints a success message if it can install and check for SHA256" { + uname() { echo "Linux"; }; export -f uname; + curlw() { + mkdir -p "$DCTLENV_TMPDIR/versions/0.3.1" + touch "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_linux_amd64" + (cd "$DCTLENV_TMPDIR/versions/0.3.1"; sha256sum * > "$DCTLENV_TMPDIR/versions/0.3.1/driftctl_SHA256SUMS") + exit 0 + }; export -f curlw; + + run dctlenv install 0.3.1 + + assert_success + assert_output <