2018-03-27 19:54:05 +05:30
|
|
|
#!/usr/bin/env ruby
|
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2018-03-27 19:54:05 +05:30
|
|
|
require 'digest'
|
|
|
|
require 'fileutils'
|
2021-09-04 01:27:46 +05:30
|
|
|
require 'open3'
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
if ENV['NO_COLOR']
|
|
|
|
SHELL_RED = ''
|
|
|
|
SHELL_GREEN = ''
|
|
|
|
SHELL_YELLOW = ''
|
|
|
|
SHELL_CLEAR = ''
|
|
|
|
else
|
|
|
|
SHELL_RED = "\e[1;31m"
|
|
|
|
SHELL_GREEN = "\e[1;32m"
|
|
|
|
SHELL_YELLOW = "\e[1;33m"
|
|
|
|
SHELL_CLEAR = "\e[0m"
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
LEFTHOOK_GLOBAL_CONFIG_PATH = File.expand_path("../lefthook.yml", __dir__)
|
2021-09-04 01:27:46 +05:30
|
|
|
HOOK_PATH = Open3.capture3("git rev-parse --path-format=absolute --git-path hooks/pre-push")[0].strip
|
2020-01-01 13:55:28 +05:30
|
|
|
HOOK_DATA = <<~HOOK
|
2020-05-24 23:13:21 +05:30
|
|
|
#!/usr/bin/env bash
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
set -e
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
url="$2"
|
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
if [[ "$url" != *"gitlab-org/security/"* ]]
|
2020-01-01 13:55:28 +05:30
|
|
|
then
|
2021-03-11 19:13:27 +05:30
|
|
|
echo "Pushing to remotes other than gitlab.com/gitlab-org/security has been disabled!"
|
|
|
|
echo "Run scripts/security-harness to disable this check."
|
|
|
|
echo
|
|
|
|
|
|
|
|
exit 1
|
2020-01-01 13:55:28 +05:30
|
|
|
fi
|
|
|
|
HOOK
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
def hook_exist?
|
|
|
|
File.exist?(HOOK_PATH)
|
|
|
|
end
|
|
|
|
|
|
|
|
def lefthook_hook_in_place?
|
|
|
|
hook_exist? && File.foreach(HOOK_PATH).grep(/lefthook/i).any?
|
|
|
|
end
|
|
|
|
|
|
|
|
def lefthook_available?
|
|
|
|
system('bundle exec lefthook run prepare-commit-msg &>/dev/null') # rubocop:disable GitlabSecurity/SystemCommandInjection
|
|
|
|
end
|
|
|
|
|
|
|
|
def uninstall_lefthook
|
|
|
|
return unless lefthook_available?
|
|
|
|
|
|
|
|
system('bundle exec lefthook uninstall') # rubocop:disable GitlabSecurity/SystemCommandInjection
|
|
|
|
# `bundle exec lefthook uninstall` removes the `lefthook.yml` file so we checkout it again
|
|
|
|
system("git checkout -- #{LEFTHOOK_GLOBAL_CONFIG_PATH}") # rubocop:disable GitlabSecurity/SystemCommandInjection
|
|
|
|
puts "#{SHELL_YELLOW}Lefthook was uninstalled to let the security harness work properly.#{SHELL_CLEAR}"
|
|
|
|
end
|
|
|
|
|
|
|
|
def install_lefthook
|
|
|
|
return unless lefthook_available?
|
|
|
|
|
|
|
|
system('bundle exec lefthook install') # rubocop:disable GitlabSecurity/SystemCommandInjection
|
|
|
|
puts "#{SHELL_GREEN}Lefthook was re-installed.#{SHELL_CLEAR}"
|
|
|
|
end
|
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
def write_hook
|
|
|
|
FileUtils.mkdir_p(File.dirname(HOOK_PATH))
|
|
|
|
File.open(HOOK_PATH, 'w') do |file|
|
|
|
|
file.write(HOOK_DATA)
|
|
|
|
end
|
|
|
|
File.chmod(0755, HOOK_PATH)
|
2021-03-11 19:13:27 +05:30
|
|
|
puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
|
2018-03-27 19:54:05 +05:30
|
|
|
end
|
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
def delete_hook
|
|
|
|
FileUtils.rm(HOOK_PATH)
|
|
|
|
puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
def hook_file_sum
|
|
|
|
Digest::SHA256.file(HOOK_PATH).hexdigest
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
def hook_data_sum
|
|
|
|
Digest::SHA256.hexdigest(HOOK_DATA)
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2020-01-01 13:55:28 +05:30
|
|
|
# If we were to change the script and then check for a pre-existing hook before
|
|
|
|
# writing, the check would fail even if the user had an unmodified version of
|
|
|
|
# the old hook. Checking previous version hashes allows us to safely overwrite a
|
|
|
|
# script that differs from the current version, as long as it's an old one and
|
|
|
|
# not custom.
|
2021-03-11 19:13:27 +05:30
|
|
|
def upgrade_available?
|
|
|
|
# SHA256 hashes of previous iterations of the script contained in `HOOK_DATA`
|
2020-01-01 13:55:28 +05:30
|
|
|
%w[
|
|
|
|
010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
|
2021-03-11 19:13:27 +05:30
|
|
|
d9866fc672f373d631eed9cd8dc9c920fa3d36ff26d956fb96a4082a0931b371
|
|
|
|
].include?(hook_file_sum)
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
def current_version?
|
|
|
|
hook_data_sum == hook_file_sum
|
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
# Uninstall Lefthook if it's in place
|
|
|
|
uninstall_lefthook if lefthook_hook_in_place?
|
|
|
|
|
|
|
|
if hook_exist?
|
|
|
|
# Deal with a pre-existing hook
|
|
|
|
if upgrade_available?
|
2020-01-01 13:55:28 +05:30
|
|
|
# Upgrading from a previous version, update in-place
|
|
|
|
write_hook
|
2021-03-11 19:13:27 +05:30
|
|
|
elsif current_version?
|
|
|
|
# Delete the hook if we're already using the current version
|
|
|
|
delete_hook
|
|
|
|
|
|
|
|
# Re-install Lefthook pre-push hook
|
|
|
|
install_lefthook
|
|
|
|
else
|
2020-01-01 13:55:28 +05:30
|
|
|
# Pre-existing hook we didn't create; do nothing
|
|
|
|
puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
|
|
|
|
puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
exit 1
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
else
|
|
|
|
write_hook
|
2020-01-01 13:55:28 +05:30
|
|
|
end
|