-rw-r--r--pkgs/tools/system/osquery/default.nix64
-rw-r--r--pkgs/tools/system/osquery/info.json13
-rw-r--r--pkgs/tools/system/osquery/update.py109
3 files changed, 134 insertions, 52 deletions
diff --git a/pkgs/tools/system/osquery/default.nix b/pkgs/tools/system/osquery/default.nix
index 8413c2e9f33ad..e97e03180d32a 100644
--- a/pkgs/tools/system/osquery/default.nix
+++ b/pkgs/tools/system/osquery/default.nix
@@ -9,48 +9,20 @@
 , stdenv
 , stdenvNoCC
 , ninja
+, nix-prefetch-git
 , autoPatchelfHook
-, writeShellApplication
 , jq
 , removeReferencesTo
 , nixosTests
 , file
+, writers
 }:
 
 let
 
-  version = "5.12.2";
+  info = builtins.fromJSON (builtins.readFile ./info.json);
 
-  opensslVersion = "3.2.1";
-
-  opensslSha256 = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39";
-
-  src = fetchFromGitHub {
-    owner = "osquery";
-    repo = "osquery";
-    rev = version;
-    fetchSubmodules = true;
-    hash = "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=";
-  };
-
-  extractOpensslInfo = writeShellApplication {
-    name = "extractOpensslInfo";
-    text = ''
-      if [ $# -ne 1 ]; then
-        echo "Usage: $0 <osquery-source-directory>"
-        exit 1
-      fi
-      opensslCmake="$1"/libraries/cmake/formula/openssl/CMakeLists.txt
-      version=$(gawk 'match($0, /OPENSSL_VERSION "(.*)"/, a) {print a[1]}' < "$opensslCmake")
-      sha256=$(gawk 'match($0, /OPENSSL_ARCHIVE_SHA256 "(.*)"/, a) {print a[1]}' < "$opensslCmake")
-      echo "{\"version\": \"$version\", \"sha256\": \"$sha256\"}"
-    '';
-  };
-
-  opensslSrc = fetchurl {
-    url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
-    sha256 = opensslSha256;
-  };
+  opensslSrc = fetchurl info.openssl;
 
   toolchain = import ./toolchain-bin.nix { inherit stdenv lib fetchzip file; };
 
@@ -60,7 +32,9 @@ stdenvNoCC.mkDerivation rec {
 
   pname = "osquery";
 
-  inherit src version;
+  version = info.osquery.rev;
+
+  src = fetchFromGitHub info.osquery;
 
   patches = [
     ./Remove-git-reset.patch
@@ -73,7 +47,6 @@ stdenvNoCC.mkDerivation rec {
     python3
     ninja
     autoPatchelfHook
-    extractOpensslInfo
     jq
     removeReferencesTo
   ];
@@ -83,23 +56,6 @@ stdenvNoCC.mkDerivation rec {
   '';
 
   configurePhase = ''
-    expectedOpensslVersion=$(extractOpensslInfo . | jq -r .version)
-    expectedOpensslSha256=$(extractOpensslInfo . | jq -r .sha256)
-
-    if [ "$expectedOpensslVersion" != "${opensslVersion}" ]; then
-      echo "openssl version mismatch: expected=$expectedOpensslVersion actual=${opensslVersion}"
-      opensslMismatch=1
-    fi
-
-    if [ "$expectedOpensslSha256" != "${opensslSha256}" ]; then
-      echo "openssl sha256 mismatch: expected=$expectedOpensslSha256 actual=${opensslSha256}"
-      opensslMismatch=1
-    fi
-
-    if [ -n "$opensslMismatch" ]; then
-      exit 1
-    fi
-
     mkdir build
     cd build
     cmake .. \
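Review bot: Removing the OpenSSL version/sha256 comparison from configurePhase leaves nothing at build time that checks the OpenSSL pinned in info.json is the one the osquery tree at this rev expects; that consistency now rests entirely on info.json having been produced by update.py, so a hand edit of info.json or a later change to the vendored CMakeLists would only surface as a link or runtime problem. The tarball hash itself is still verified by fetchurl, so the cheap guard worth keeping is the version canary, derived from the URL the expression already has: `v=$(basename '${info.openssl.url}' .tar.gz); v=''${v#openssl-}` followed by `grep -Fq "OPENSSL_VERSION \"$v\"" libraries/cmake/formula/openssl/CMakeLists.txt` before `mkdir build`. If the intent is to rely on the update script alone, a one-line comment above `mkdir build` saying that the former in-tree check moved to update.py would save the next reader from wondering why the pin is unverified. configurePhase's body continues outside the hunk.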
@@ -120,10 +76,14 @@ stdenvNoCC.mkDerivation rec {
   '';
 
   passthru = {
-    inherit extractOpensslInfo opensslSrc toolchain;
+    inherit opensslSrc toolchain;
     tests = {
       inherit (nixosTests) osquery;
     };
+    updateScript = writers.writePython3
+      "osquery-update"
+      { makeWrapperArgs = "--prefix PATH : ${lib.makeBinPath [ nix-prefetch-git ]}"; }
+      (builtins.readFile ./update.py);
   };
 
   meta = with lib; {
diff --git a/pkgs/tools/system/osquery/info.json b/pkgs/tools/system/osquery/info.json
new file mode 100644
index 0000000000000..c9a20c1e0f03f
--- /dev/null
+++ b/pkgs/tools/system/osquery/info.json
@@ -0,0 +1,13 @@
+{
+    "openssl": {
+        "hash": "sha256-g8cyn+UshQZ3115dCwyiRTCbl+jsvP3B39xKufrDWzk=",
+        "url": "https://www.openssl.org/source/openssl-3.2.1.tar.gz"
+    },
+    "osquery": {
+        "fetchSubmodules": true,
+        "hash": "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=",
+        "owner": "osquery",
+        "repo": "osquery",
+        "rev": "5.12.2"
+    }
+}
diff --git a/pkgs/tools/system/osquery/update.py b/pkgs/tools/system/osquery/update.py
new file mode 100644
index 0000000000000..d593154e78a81
--- /dev/null
+++ b/pkgs/tools/system/osquery/update.py
@@ -0,0 +1,109 @@
+import base64
+import json
+import re
+import subprocess
+import sys
+import urllib.request
+
+OWNER = 'osquery'
+REPO = 'osquery'
+OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
+OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
+INFO_PATH = 'pkgs/tools/system/osquery/info.json'
+
+
+def download_str(url):
+    return urllib.request.urlopen(url).read().decode('utf-8')
+
+
+def get_latest_tag():
+    latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
+    return json.loads(download_str(latest_url))['tag_name']
+
+
+def read_info():
+    with open(INFO_PATH, 'r') as f:
+        return json.load(f)
+
+
+def write_info(info):
+    with open(INFO_PATH, 'w') as f:
+        json.dump(info, f, indent=4, sort_keys=True)
+        f.write('\n')
+
+
+def sha256_hex_to_sri(hex):
+    return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
+
+
+def openssl_info_from_cmake(cmake):
+    version = None
+    sha256 = None
+    for line in cmake.splitlines():
+        if version is None:
+            m = OPENSSL_VERSION_PAT.match(line)
+            if m is not None:
+                version = m.group(1)
+        if sha256 is None:
+            m = OPENSSL_SHA256_PAT.match(line)
+            if m is not None:
+                sha256 = m.group(1)
+        if version is not None and sha256 is not None:
+            break
+
+    if version is None or sha256 is None:
+        raise Exception('Failed to extract openssl fetch info')
+
+    return {
+        'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
+        'hash': sha256_hex_to_sri(sha256)
+    }
+
+
+def openssl_info_for_rev(rev):
+    url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt'  # noqa: E501
+    return openssl_info_from_cmake(download_str(url))
+
+
+force = len(sys.argv) == 2 and sys.argv[1] == '--force'
+
+latest_tag = get_latest_tag()
+print(f'osquery_latest_tag: {latest_tag}')
+
+if not force:
+    old_info = read_info()
+    if latest_tag == old_info['osquery']['rev']:
+        print('latest tag matches existing rev. exiting')
+        sys.exit(0)
+
+openssl_fetch_info = openssl_info_for_rev(latest_tag)
+print(f'openssl_info: {openssl_fetch_info}')
+
+prefetch = json.loads(subprocess.check_output([
+    'nix-prefetch-git',
+    '--fetch-submodules',
+    '--quiet',
+    f'https://github.com/{OWNER}/{REPO}',
+    latest_tag
+]))
+
+prefetch_hash = prefetch['hash']
+
+github_fetch_info = {
+    'owner': OWNER,
+    'repo': REPO,
+    'rev': latest_tag,
+    'hash': prefetch_hash,
+    'fetchSubmodules': True
+}
+
+print(f'osquery_hash: {prefetch_hash}')
+
+new_info = {
+    'osquery': github_fetch_info,
+    'openssl': openssl_fetch_info
+}
+
+print(f'osquery_info: {new_info}')
+
+write_info(new_info)
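Review bot: `download_str` calls `urllib.request.urlopen(url)` with no timeout and never closes the response, so a stalled GitHub endpoint hangs the update run indefinitely; `with urllib.request.urlopen(url, timeout=60) as resp:` / `return resp.read().decode('utf-8')` fixes both. `sha256_hex_to_sri` also accepts any even-length hex string, so a truncated or garbled `OPENSSL_ARCHIVE_SHA256` match would be written into info.json as a well-formed-looking but wrong SRI that only fails at the next build; a guard such as `if len(hex) != 64: raise ValueError(f'expected 32-byte sha256 hex, got {hex!r}')` catches it at update time, and renaming the parameter avoids shadowing the `hex` builtin. The `raise Exception(...)` in `openssl_info_from_cmake` should be a specific type (`RuntimeError` or `ValueError`) so callers cannot accidentally swallow it with a broad except. Note too that the anchored `^set\(` patterns are stricter than the unanchored gawk match they replace and will not match an indented `set(` line if upstream ever reformats the file; a short comment on the two constants stating that the file is expected to have them at column 0 would make that assumption visible.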