authorJimmy Hu <jim2212001@gmail.com>2019-10-02 00:50:47 +0800
committerJimmy Hu <jim2212001@gmail.com>2019-10-02 12:42:48 +0800
commit0077d18735570da89c0b22a14ec1195ce8caa4a2 (patch)
tree0fab49eca962d2ecd517856b28cd1bdf6d7139e4
parent8e9e878ad201d4cd2a01d134ecae561db0046d09 (diff)
scripts: only upgrade with verified commit
-rwxr-xr-xscripts/run_bp.py53
-rw-r--r--scripts/run_bp.py.sha12
2 files changed, 46 insertions, 9 deletions
diff --git a/scripts/run_bp.py b/scripts/run_bp.py
index b5212aff9..30e4833d1 100755
--- a/scripts/run_bp.py
+++ b/scripts/run_bp.py
@@ -38,9 +38,14 @@ except Exception:
print('Please run `pip3 install ntplib\'')
sys.exit(1)
-
+_SCRIPT_ORG = 'tangerine-network'
+_SCRIPT_REPO = 'go-tangerine'
+_SCRIPT_BRANCH = 'master'
+_SCRIPT_PATH = 'scripts/run_bp.py'
_SCRIPT_SRC = ('https://raw.githubusercontent.com/'
- 'tangerine-network/go-tangerine/master/scripts/run_bp.py')
+ '%s/%s/%s/%s' % (_SCRIPT_ORG, _SCRIPT_REPO, _SCRIPT_BRANCH, _SCRIPT_PATH))
+
+_GITHUB_API = 'https://api.github.com'
_REQUEST_TIMEOUT = 5
_CONTAINER_NAME_BASE = 'tangerine'
@@ -155,20 +160,50 @@ def check_environment():
'system time')
+def github_get_commits(path):
+ return '%s/repos/%s/%s/commits?path=%s&sha=%s' % (_GITHUB_API, _SCRIPT_ORG, _SCRIPT_REPO, path, _SCRIPT_BRANCH)
+
+
def check_for_update():
"""Check for script update."""
script_path = os.path.abspath(sys.argv[0])
global sha1sum
if sha1sum is None:
- with open(script_path, 'r') as f:
- sha1sum = hashlib.sha1(f.read().encode('utf-8')).hexdigest()
-
- with urllib.request.urlopen(_SCRIPT_SRC + '.sha1',
+ with open(script_path, 'rb') as f:
+ data = f.read()
+ size = len(data)
+ sha1sum = hashlib.sha1(
+ ('blob ' + str(size) + "\0" + data.decode('utf-8')).encode('utf-8')).hexdigest()
+
+ found = False
+ with urllib.request.urlopen(github_get_commits(_SCRIPT_PATH),
timeout=_REQUEST_TIMEOUT) as f:
if f.getcode() != 200:
raise RuntimeError('unable to get upgrade metadata')
- update_sha1sum = f.read().strip().decode('utf-8')
+ for item in json.loads(f.read()):
+ if not item['commit']['verification']['verified']:
+ continue
+ tree_url = item['commit']['tree']['url']
+ for segment in _SCRIPT_PATH.split('/'):
+ with urllib.request.urlopen(tree_url,
+ timeout=_REQUEST_TIMEOUT) as furl:
+ if f.getcode() != 200:
+ raise RuntimeError('error finding upgrade metadata')
+ found_segment = False
+ for item in json.loads(furl.read())['tree']:
+ if item['path'] == segment:
+ tree_url = item['url']
+ update_sha1sum = item['sha']
+ found_segment = True
+ break
+ if not found_segment:
+ raise RuntimeError('unable to find upgrade metadata')
+ found = True
+ break
+
+ if not found:
+ raise RuntimeError('unable to find a valid upgrade metadata')
if sha1sum != update_sha1sum:
print('Script upgrade found, performing upgrade ...')
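Review bot: The status check inside the tree walk tests the wrong response: under `with urllib.request.urlopen(tree_url, ...) as furl` the code reads `if f.getcode() != 200:`, which is the outer commits response, so a non-200 tree response is not detected; it should be `if furl.getcode() != 200:`. The `verified` flag is GitHub's own assessment of the commit signature, and as far as this hunk shows no signer identity or key is checked locally, so the trust boundary is the API response itself; I would state that next to the check, e.g. `# NOTE: 'verified' is GitHub's verdict on the signature; no signing key is pinned in this script.` The blob hash is also built through a decode/encode round trip (`data.decode('utf-8')`), which raises UnicodeDecodeError on non-UTF-8 content; hashing the bytes directly, `hashlib.sha1(b'blob %d\0' % size + data).hexdigest()`, avoids that, and the same applies to `new_sha1sum` in the next hunk. check_for_update continues outside this hunk.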
@@ -177,7 +212,9 @@ def check_for_update():
with urllib.request.urlopen(_SCRIPT_SRC, timeout=_REQUEST_TIMEOUT) as f:
script_data = f.read()
- new_sha1sum = hashlib.sha1(script_data).hexdigest()
+ size = len(script_data)
+ new_sha1sum = hashlib.sha1(
+ ('blob ' + str(size) + "\0" + script_data.decode('utf-8')).encode('utf-8')).hexdigest()
if new_sha1sum != update_sha1sum:
raise RuntimeError('failed to verify upgrade payload, aborted')
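Review bot: The payload is still downloaded from `_SCRIPT_SRC`, which points at the head of `_SCRIPT_BRANCH`, while `update_sha1sum` comes from the newest verified commit that touched the path. The hash comparison fails closed, so an unverified head is rejected, but in that case (or while the raw endpoint serves stale content) every upgrade attempt ends in 'failed to verify upgrade payload' even though a verified version exists. Keeping the commit's `item['sha']` from the commits listing and building the download URL with it in place of the branch name would fetch exactly the revision whose blob hash was selected. The surrounding part of check_for_update lies outside this hunk.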
diff --git a/scripts/run_bp.py.sha1 b/scripts/run_bp.py.sha1
index 7f2576cc1..c9c63ea10 100644
--- a/scripts/run_bp.py.sha1
+++ b/scripts/run_bp.py.sha1
@@ -1 +1 @@
-aaa8256dee8030ef876b996c6c4e4e91136ff9a0
+d9ee67615fa6de9cb8bb1d492a4689ea74005bbd