debian-mirror-gitlab/scripts/security-harness

100 lines
2.5 KiB
Text
Raw Normal View History

2018-03-27 19:54:05 +05:30
#!/usr/bin/env ruby
2020-01-01 13:55:28 +05:30
# frozen_string_literal: true
2018-03-27 19:54:05 +05:30
require 'digest'
require 'fileutils'
2020-01-01 13:55:28 +05:30
if ENV['NO_COLOR']
SHELL_RED = ''
SHELL_GREEN = ''
SHELL_YELLOW = ''
SHELL_CLEAR = ''
else
SHELL_RED = "\e[1;31m"
SHELL_GREEN = "\e[1;32m"
SHELL_YELLOW = "\e[1;33m"
SHELL_CLEAR = "\e[0m"
end
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
HOOK_PATH = File.expand_path("../.git/hooks/pre-push", __dir__)
HOOK_DATA = <<~HOOK
#!/bin/bash
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
set -e
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
url="$2"
harness=`dirname "$0"`/../security_harness
if [ -e "$harness" ]
then
2020-04-08 14:13:33 +05:30
if [[ "$url" != *"gitlab-org/security/"* ]]
2020-01-01 13:55:28 +05:30
then
2020-04-08 14:13:33 +05:30
echo "Pushing to remotes other than gitlab.com/gitlab-org/security has been disabled!"
2020-01-01 13:55:28 +05:30
echo "Run scripts/security-harness to disable this check."
echo
exit 1
fi
fi
HOOK
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
def write_hook
FileUtils.mkdir_p(File.dirname(HOOK_PATH))
File.open(HOOK_PATH, 'w') do |file|
file.write(HOOK_DATA)
end
File.chmod(0755, HOOK_PATH)
2018-03-27 19:54:05 +05:30
end
# Toggle the harness on or off
2020-01-01 13:55:28 +05:30
def toggle
harness_path = File.expand_path('../.git/security_harness', __dir__)
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
if File.exist?(harness_path)
FileUtils.rm(harness_path)
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
puts "#{SHELL_YELLOW}Security harness removed -- you can now push to all remotes.#{SHELL_CLEAR}"
else
FileUtils.touch(harness_path)
2018-03-27 19:54:05 +05:30
2020-04-08 14:13:33 +05:30
puts "#{SHELL_GREEN}Security harness installed -- you will only be able to push to gitlab.com/gitlab-org/security!#{SHELL_CLEAR}"
2020-01-01 13:55:28 +05:30
end
end
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
# If we were to change the script and then check for a pre-existing hook before
# writing, the check would fail even if the user had an unmodified version of
# the old hook. Checking previous version hashes allows us to safely overwrite a
# script that differs from the current version, as long as it's an old one and
# not custom.
def previous_version?(dest_sum)
# SHA256 hashes of previous iterations of the script contained in `DATA`
%w[
010bf0363a911ebab2bd5728d80795ed02388da51815f0b2530d08ae8ac574f0
].include?(dest_sum)
end
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
if !File.exist?(HOOK_PATH)
write_hook
toggle
else
# Deal with a pre-existing hook
source_sum = Digest::SHA256.hexdigest(HOOK_DATA)
dest_sum = Digest::SHA256.file(HOOK_PATH).hexdigest
2018-03-27 19:54:05 +05:30
2020-01-01 13:55:28 +05:30
if previous_version?(dest_sum)
# Upgrading from a previous version, update in-place
write_hook
toggle
elsif source_sum != dest_sum
# Pre-existing hook we didn't create; do nothing
puts "#{SHELL_RED}#{HOOK_PATH} exists and is different from our hook!"
puts "Remove it and re-run this script to continue.#{SHELL_CLEAR}"
2018-03-27 19:54:05 +05:30
exit 1
2020-01-01 13:55:28 +05:30
else
# No hook update needed, just toggle
toggle
end
end