puppet: Pin with sha256sum verification.
committed by
Alex Vandiver
parent
c3bcbfb484
commit
e7fabb45f2
@@ -1,2 +1,6 @@
|
|||||||
puppetlabs-stdlib: 8.5.0
|
puppetlabs-stdlib:
|
||||||
puppetlabs-concat: 7.3.0
|
version: 8.5.0
|
||||||
|
sha256sum: 6ec37b310d76dc2ecf3b6b553c39466583d519652a058e12a0986843e350898f
|
||||||
|
puppetlabs-concat:
|
||||||
|
version: 7.3.0
|
||||||
|
sha256sum: d8076f45d33769647ba5f4d10bbb9a8343cc70097f6957c2c84377d8ce4ed8d4
|
||||||
|
|||||||
@@ -3,6 +3,8 @@ import json
|
|||||||
import os
|
import os
|
||||||
import shutil
|
import shutil
|
||||||
import subprocess
|
import subprocess
|
||||||
|
import tempfile
|
||||||
|
from urllib.request import urlopen
|
||||||
|
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
@@ -50,16 +52,48 @@ def do_puppet_module_install(
|
|||||||
target_path: str,
|
target_path: str,
|
||||||
success_stamp: str,
|
success_stamp: str,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
os.makedirs(target_path, exist_ok=True)
|
||||||
|
with open(PUPPET_DEPS_FILE_PATH) as yaml_file:
|
||||||
|
deps = yaml.safe_load(yaml_file)
|
||||||
|
for module, metadata in deps.items():
|
||||||
|
install_puppet_module(target_path, module, metadata["version"], metadata["sha256sum"])
|
||||||
|
with open(success_stamp, "w"):
|
||||||
|
pass
|
||||||
|
|
||||||
|
|
||||||
|
def install_puppet_module(
|
||||||
|
target_path: str, module: str, version: str, expected_sha256sum: str
|
||||||
|
) -> None:
|
||||||
|
with urlopen(f"https://forgeapi.puppet.com/v3/releases/{module}-{version}") as forge_resp:
|
||||||
|
forge_data = json.load(forge_resp)
|
||||||
|
|
||||||
|
forge_sha256sum = forge_data["file_sha256"]
|
||||||
|
if forge_sha256sum != expected_sha256sum:
|
||||||
|
raise Exception(
|
||||||
|
f"Forge API returned unexpected SHA256 sum for {module}-{version}: "
|
||||||
|
f"expected {expected_sha256sum}, got {forge_sha256sum}"
|
||||||
|
)
|
||||||
|
|
||||||
|
with tempfile.NamedTemporaryFile(
|
||||||
|
prefix=f"zulip-puppet-{module}-{version}-",
|
||||||
|
suffix=".tar.gz",
|
||||||
|
) as tarball:
|
||||||
|
with urlopen("https://forgeapi.puppet.com" + forge_data["file_uri"]) as tarball_resp:
|
||||||
|
tarball_content = tarball_resp.read()
|
||||||
|
local_sha256sum = hashlib.sha256(tarball_content).hexdigest()
|
||||||
|
if local_sha256sum != expected_sha256sum:
|
||||||
|
raise Exception(
|
||||||
|
f"Downloaded file had unexpected SHA256 sum for {module}-{version}: "
|
||||||
|
f"expected {expected_sha256sum}, got {forge_sha256sum}"
|
||||||
|
)
|
||||||
|
tarball.write(tarball_content)
|
||||||
|
tarball.flush()
|
||||||
|
|
||||||
# This is to suppress Puppet warnings with ruby 2.7.
|
# This is to suppress Puppet warnings with ruby 2.7.
|
||||||
distro_info = parse_os_release()
|
distro_info = parse_os_release()
|
||||||
puppet_env = os.environ.copy()
|
puppet_env = os.environ.copy()
|
||||||
if (distro_info["ID"], distro_info["VERSION_ID"]) in [("ubuntu", "20.04")]:
|
if (distro_info["ID"], distro_info["VERSION_ID"]) in [("ubuntu", "20.04")]:
|
||||||
puppet_env["RUBYOPT"] = "-W0"
|
puppet_env["RUBYOPT"] = "-W0"
|
||||||
|
|
||||||
os.makedirs(target_path, exist_ok=True)
|
|
||||||
with open(PUPPET_DEPS_FILE_PATH) as yaml_file:
|
|
||||||
deps = yaml.safe_load(yaml_file)
|
|
||||||
for module, version in deps.items():
|
|
||||||
run(
|
run(
|
||||||
[
|
[
|
||||||
"puppet",
|
"puppet",
|
||||||
@@ -67,11 +101,8 @@ def do_puppet_module_install(
|
|||||||
"--modulepath",
|
"--modulepath",
|
||||||
target_path,
|
target_path,
|
||||||
"install",
|
"install",
|
||||||
module,
|
tarball.name,
|
||||||
"--version",
|
"--ignore-dependencies",
|
||||||
version,
|
|
||||||
],
|
],
|
||||||
env=puppet_env,
|
env=puppet_env,
|
||||||
)
|
)
|
||||||
with open(success_stamp, "w"):
|
|
||||||
pass
|
|
||||||
|
|||||||
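Review bot: In `install_puppet_module`, the second mismatch error (the "Downloaded file had unexpected SHA256 sum" branch) interpolates `forge_sha256sum` where it should report `local_sha256sum`. By that point the first check has already established that `forge_sha256sum` equals `expected_sha256sum`, so the message prints the expected digest twice and never shows the hash computed over the downloaded bytes. That computed hash is the value an operator needs when working out whether the tarball was corrupted or substituted in transit. The last line of that message should read `f"expected {expected_sha256sum}, got {local_sha256sum}"`. Separately, both `urlopen(...)` calls are made without a `timeout=` argument, so a stalled Forge response would block provisioning indefinitely; passing an explicit timeout would bound that.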