From ef7100c21eba426273595862149aaffc2be8e55a Mon Sep 17 00:00:00 2001
From: squalus
Date: Sun, 14 Jul 2024 14:33:46 -0700
Subject: osquery: add update script

- add update script
- remove openssl hash verification logic since the hash is computed automatically now in the update script
---
 pkgs/tools/system/osquery/default.nix | 64 ++++----------------
 pkgs/tools/system/osquery/info.json | 13 ++++
 pkgs/tools/system/osquery/update.py | 109 ++++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+), 52 deletions(-)
 create mode 100644 pkgs/tools/system/osquery/info.json
 create mode 100644 pkgs/tools/system/osquery/update.py
(limited to 'pkgs/tools/system/osquery')
diff --git a/pkgs/tools/system/osquery/default.nix b/pkgs/tools/system/osquery/default.nix
index 8413c2e9f33ad..e97e03180d32a 100644
--- a/pkgs/tools/system/osquery/default.nix
+++ b/pkgs/tools/system/osquery/default.nix
@@ -9,48 +9,20 @@ , stdenv , stdenvNoCC , ninja +, nix-prefetch-git , autoPatchelfHook -, writeShellApplication , jq , removeReferencesTo , nixosTests , file +, writers }: let - version = "5.12.2"; + info = builtins.fromJSON (builtins.readFile ./info.json); - opensslVersion = "3.2.1"; - - opensslSha256 = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39"; - - src = fetchFromGitHub { - owner = "osquery"; - repo = "osquery"; - rev = version; - fetchSubmodules = true; - hash = "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk="; - }; - - extractOpensslInfo = writeShellApplication { - name = "extractOpensslInfo"; - text = '' - if [ $# -ne 1 ]; then - echo "Usage: $0 " - exit 1 - fi - opensslCmake="$1"/libraries/cmake/formula/openssl/CMakeLists.txt - version=$(gawk 'match($0, /OPENSSL_VERSION "(.*)"/, a) {print a[1]}' < "$opensslCmake") - sha256=$(gawk 'match($0, /OPENSSL_ARCHIVE_SHA256 "(.*)"/, a) {print a[1]}' < "$opensslCmake") - echo "{\"version\": \"$version\", \"sha256\": \"$sha256\"}" - ''; - }; - - opensslSrc = fetchurl { - url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz"; - sha256 = opensslSha256; - }; + opensslSrc = fetchurl info.openssl; toolchain = import ./toolchain-bin.nix { inherit stdenv lib fetchzip file; }; @@ -60,7 +32,9 @@ stdenvNoCC.mkDerivation rec { pname = "osquery"; - inherit src version; + version = info.osquery.rev; + + src = fetchFromGitHub info.osquery; patches = [ ./Remove-git-reset.patch @@ -73,7 +47,6 @@ stdenvNoCC.mkDerivation rec { python3 ninja autoPatchelfHook - extractOpensslInfo jq removeReferencesTo ]; 
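Review bot: `fetchurl info.openssl` and `fetchFromGitHub info.osquery` hand the JSON objects to the fetchers unchanged, so every key in info.json becomes a fetcher argument and the file's schema is really the two fetchers' signatures; that contract is visible only in update.py, which writes exactly `url`/`hash` and `owner`/`repo`/`rev`/`hash`/`fetchSubmodules`. It is worth stating next to the `info =` binding so nobody adds a convenience key by hand: `# info.json is generated by update.py; its two objects are passed verbatim as fetchurl / fetchFromGitHub arguments, so do not add keys the fetchers do not accept`.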
@@ -83,23 +56,6 @@ stdenvNoCC.mkDerivation rec { ''; configurePhase = '' - expectedOpensslVersion=$(extractOpensslInfo . | jq -r .version) - expectedOpensslSha256=$(extractOpensslInfo . | jq -r .sha256) - - if [ "$expectedOpensslVersion" != "${opensslVersion}" ]; then - echo "openssl version mismatch: expected=$expectedOpensslVersion actual=${opensslVersion}" - opensslMismatch=1 - fi - - if [ "$expectedOpensslSha256" != "${opensslSha256}" ]; then - echo "openssl sha256 mismatch: expected=$expectedOpensslSha256 actual=${opensslSha256}" - opensslMismatch=1 - fi - - if [ -n "$opensslMismatch" ]; then - exit 1 - fi - mkdir build cd build cmake .. \ @@ -120,10 +76,14 @@ stdenvNoCC.mkDerivation rec { ''; passthru = { - inherit extractOpensslInfo opensslSrc toolchain; + inherit opensslSrc toolchain; tests = { inherit (nixosTests) osquery; }; + updateScript = writers.writePython3 + "osquery-update" + { makeWrapperArgs = "--prefix PATH : ${lib.makeBinPath [ nix-prefetch-git ]}"; } + (builtins.readFile ./update.py); }; meta = with lib; { diff --git a/pkgs/tools/system/osquery/info.json b/pkgs/tools/system/osquery/info.json new file mode 100644 index 0000000000000..c9a20c1e0f03f --- /dev/null +++ b/pkgs/tools/system/osquery/info.json @@ -0,0 +1,13 @@ +{ + "openssl": { + "hash": "sha256-g8cyn+UshQZ3115dCwyiRTCbl+jsvP3B39xKufrDWzk=", + "url": "https://www.openssl.org/source/openssl-3.2.1.tar.gz" + }, + "osquery": { + "fetchSubmodules": true, + "hash": "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=", + "owner": "osquery", + "repo": "osquery", + "rev": "5.12.2" + } +} diff --git a/pkgs/tools/system/osquery/update.py b/pkgs/tools/system/osquery/update.py new file mode 100644 index 0000000000000..d593154e78a81 --- /dev/null +++ b/pkgs/tools/system/osquery/update.py 
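Review bot: With the `expectedOpensslVersion`/`expectedOpensslSha256` checks gone, nothing at build time ties the OpenSSL tarball pinned in info.json to the osquery revision being built; fetchurl still verifies the tarball's hash, but whether that tarball is the one upstream declares for this release now rests entirely on update.py having been run for that exact tag, so a hand edit or a partially applied update would silently build against a different OpenSSL. The update script already parses `set(OPENSSL_VERSION "...")` out of `libraries/cmake/formula/openssl/CMakeLists.txt`, so a single assertion keeps the invariant cheaply: have update.py also record the version outside the attrset handed to fetchurl (say `info.opensslVersion`) and open configurePhase with `grep -qF 'set(OPENSSL_VERSION "${info.opensslVersion}")' libraries/cmake/formula/openssl/CMakeLists.txt || { echo "openssl version mismatch against info.json"; exit 1; }`. configurePhase continues past the end of the hunk.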
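Review bot: The wrapped script locates info.json only through the cwd-relative `INFO_PATH = 'pkgs/tools/system/osquery/info.json'`, and because writePython3 copies update.py into the store the working directory is the one thing that can find the file, yet the `updateScript` attribute gives no hint of that requirement. A comment on the attribute would spare the next maintainer an opaque FileNotFoundError from `read_info()`: `# update.py reads and writes info.json via a path relative to the nixpkgs root; run it from there`. I believe maintainers/scripts/update.nix already runs update scripts from the nixpkgs root, but confirm that before relying on it.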
@@ -0,0 +1,109 @@
+import base64
+import json
+import re
+import subprocess
+import sys
+import urllib.request
+
+OWNER = 'osquery'
+REPO = 'osquery'
+OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
+OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
+INFO_PATH = 'pkgs/tools/system/osquery/info.json'
+
+
+def download_str(url):
+ return urllib.request.urlopen(url).read().decode('utf-8')
+
+
+def get_latest_tag():
+ latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
+ return json.loads(download_str(latest_url))['tag_name']
+
+
+def read_info():
+ with open(INFO_PATH, 'r') as f:
+ return json.load(f)
+
+
+def write_info(info):
+ with open(INFO_PATH, 'w') as f:
+ json.dump(info, f, indent=4, sort_keys=True)
+ f.write('\n')
+
+
+def sha256_hex_to_sri(hex):
+ return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
+
+
+def openssl_info_from_cmake(cmake):
+ version = None
+ sha256 = None
+ for line in cmake.splitlines():
+ if version is None:
+ m = OPENSSL_VERSION_PAT.match(line)
+ if m is not None:
+ version = m.group(1)
+ if sha256 is None:
+ m = OPENSSL_SHA256_PAT.match(line)
+ if m is not None:
+ sha256 = m.group(1)
+ if version is not None and sha256 is not None:
+ break
+
+ if version is None or sha256 is None:
+ raise Exception('Failed to extract openssl fetch info')
+
+ return {
+ 'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
+ 'hash': sha256_hex_to_sri(sha256)
+ }
+
+
+def openssl_info_for_rev(rev):
+ url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt' # noqa: E501
+ return openssl_info_from_cmake(download_str(url))
+
+
+force = len(sys.argv) == 2 and sys.argv[1] == '--force'
+
+latest_tag = get_latest_tag()
+print(f'osquery_latest_tag: {latest_tag}')
+
+if not force:
+ old_info = read_info()
+ if latest_tag == old_info['osquery']['rev']:
+ print('latest tag matches existing rev. 
 exiting')
+ sys.exit(0)
+
+openssl_fetch_info = openssl_info_for_rev(latest_tag)
+print(f'openssl_info: {openssl_fetch_info}')
+
+prefetch = json.loads(subprocess.check_output([
+ 'nix-prefetch-git',
+ '--fetch-submodules',
+ '--quiet',
+ f'https://github.com/{OWNER}/{REPO}',
+ latest_tag
+]))
+
+prefetch_hash = prefetch['hash']
+
+github_fetch_info = {
+ 'owner': OWNER,
+ 'repo': REPO,
+ 'rev': latest_tag,
+ 'hash': prefetch_hash,
+ 'fetchSubmodules': True
+}
+
+print(f'osquery_hash: {prefetch_hash}')
+
+new_info = {
+ 'osquery': github_fetch_info,
+ 'openssl': openssl_fetch_info
+}
+
+print(f'osquery_info: {new_info}')
+
+write_info(new_info)
-- cgit 1.4.1
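Review bot: `openssl_info_for_rev(latest_tag)` and the `nix-prefetch-git ... latest_tag` call are two independent network fetches of a mutable tag, so the OpenSSL pin can be read from a different tree than the one whose hash is written to info.json if the tag moves between them or the raw.githubusercontent endpoint serves a stale object, and since the build-time cross-check is removed in this same commit nothing downstream would notice. nix-prefetch-git's JSON output includes the store `path` of the checkout (as far as I recall; confirm against the version pinned here), so reading `libraries/cmake/formula/openssl/CMakeLists.txt` from that path after the prefetch ties both info.json entries to a single hashed tree and drops one unauthenticated-by-hash download. Separately, `sha256_hex_to_sri` accepts any even-length hex string, so a mangled upstream pin only surfaces later as a fetchurl hash-format error; checking for a 32-byte digest reports it here. The rewritten lines follow; the rest of the module-level script body is unchanged apart from the prefetch moving ahead of the OpenSSL lookup.
```python
def sha256_hex_to_sri(hex):
    digest = bytes.fromhex(hex)
    if len(digest) != 32:
        raise ValueError(f'OPENSSL_ARCHIVE_SHA256 is not a sha256 digest: {hex!r}')
    return 'sha256-' + base64.b64encode(digest).decode()


def openssl_info_for_checkout(path):
    # Read the pin from the exact tree whose hash is being recorded.
    with open(f'{path}/libraries/cmake/formula/openssl/CMakeLists.txt') as f:
        return openssl_info_from_cmake(f.read())

# … unchanged: --force handling, latest_tag lookup …
# … unchanged: nix-prefetch-git call (now runs before the openssl lookup) …

openssl_fetch_info = openssl_info_for_checkout(prefetch['path'])
print(f'openssl_info: {openssl_fetch_info}')
# … unchanged: github_fetch_info, new_info, write_info …
```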