extern/hishtory
1
0
Fork 0
mirror of https://github.com/ddworken/hishtory.git synced 2025-08-16 01:48:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add more thorough tests for updates

Browse Source
This commit is contained in:
David Dworken
2023-10-09 21:41:30 -07:00
parent 82a5e2fced
commit f0dbcd6e3b
7 changed files with 204 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
client/cmd/update.go
View File

@ -10,6 +10,7 @@ import (
"os/exec"
"path"
"runtime"
"strings"
"syscall"
"github.com/ddworken/hishtory/client/data"
@ -47,7 +48,7 @@ func update(ctx context.Context) error {
if runtime.GOOS == "darwin" {
slsaError = verifyBinaryMac(ctx, getTmpClientPath(), downloadData)
} else {
slsaError = lib.VerifyBinary(ctx, getTmpClientPath(), getTmpClientPath()+".intoto.jsonl", downloadData.Version)
slsaError = lib.VerifyBinary(ctx, getTmpClientPath(), getTmpClientPath()+".intoto.jsonl", getPossiblyOverriddenVersion(downloadData))
}
if slsaError != nil {
err = lib.HandleSlsaFailure(slsaError)
@ -83,7 +84,7 @@ func update(ctx context.Context) error {
if err != nil {
return fmt.Errorf("failed to install update (stderr=%#v), is %s in a noexec directory? (if so, set the TMPDIR environment variable): %w", stderr.String(), getTmpClientPath(), err)
}
fmt.Printf("Successfully updated hishtory from v0.%s to %s\n", lib.Version, downloadData.Version)
fmt.Printf("Successfully updated hishtory from v0.%s to %s\n", lib.Version, getPossiblyOverriddenVersion(downloadData))
return nil
}
@ -100,13 +101,19 @@ func verifyBinaryMac(ctx context.Context, binaryPath string, downloadData shared
// go compiler.
unsignedBinaryPath := binaryPath + "-unsigned"
var err error = nil
unsignedUrl := ""
if runtime.GOOS == "darwin" && runtime.GOARCH == "amd64" {
err = downloadFile(unsignedBinaryPath, downloadData.DarwinAmd64UnsignedUrl)
unsignedUrl = downloadData.DarwinAmd64UnsignedUrl
} else if runtime.GOOS == "darwin" && runtime.GOARCH == "arm64" {
err = downloadFile(unsignedBinaryPath, downloadData.DarwinArm64UnsignedUrl)
unsignedUrl = downloadData.DarwinArm64UnsignedUrl
} else {
err = fmt.Errorf("verifyBinaryMac() called for the unhandled branch GOOS=%s, GOARCH=%s", runtime.GOOS, runtime.GOARCH)
return fmt.Errorf("verifyBinaryMac() called for the unhandled branch GOOS=%s, GOARCH=%s", runtime.GOOS, runtime.GOARCH)
}
if forcedVersion := os.Getenv("HISHTORY_FORCE_CLIENT_VERSION"); forcedVersion != "" {
unsignedUrl = strings.ReplaceAll(unsignedUrl, downloadData.Version, forcedVersion)
}
err = downloadFile(unsignedBinaryPath, unsignedUrl)
if err != nil {
return err
}
@ -129,7 +136,7 @@ func verifyBinaryMac(ctx context.Context, binaryPath string, downloadData shared
}
// Step 4: Use SLSA to verify the unsigned binary
return lib.VerifyBinary(ctx, unsignedBinaryPath, getTmpClientPath()+".intoto.jsonl", downloadData.Version)
return lib.VerifyBinary(ctx, unsignedBinaryPath, getTmpClientPath()+".intoto.jsonl", getPossiblyOverriddenVersion(downloadData))
}
func assertIdenticalBinaries(bin1Path, bin2Path string) error {
@ -199,6 +206,10 @@ func downloadFiles(updateInfo shared.UpdateInfo) error {
} else {
return fmt.Errorf("no update info found for GOOS=%s, GOARCH=%s", runtime.GOOS, runtime.GOARCH)
}
if forcedVersion := os.Getenv("HISHTORY_FORCE_CLIENT_VERSION"); forcedVersion != "" {
clientUrl = strings.ReplaceAll(clientUrl, updateInfo.Version, forcedVersion)
clientProvenanceUrl = strings.ReplaceAll(clientProvenanceUrl, updateInfo.Version, forcedVersion)
}
err := downloadFile(getTmpClientPath(), clientUrl)
if err != nil {
return err
@ -210,6 +221,13 @@ func downloadFiles(updateInfo shared.UpdateInfo) error {
return nil
}
func getPossiblyOverriddenVersion(updateInfo shared.UpdateInfo) string {
if forcedVersion := os.Getenv("HISHTORY_FORCE_CLIENT_VERSION"); forcedVersion != "" {
return forcedVersion
}
return updateInfo.Version
}
func getTmpClientPath() string {
tmpDir := "/tmp/"
if os.Getenv("TMPDIR") != "" {