-
Notifications
You must be signed in to change notification settings - Fork 27
/
utils.py
419 lines (333 loc) · 14.6 KB
/
utils.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
# SPDX-License-Identifier: GPL-3.0-or-later
import functools
import hashlib
import json
import logging
import os
import shutil
from dataclasses import dataclass, field
from pathlib import Path
from subprocess import PIPE, Popen
from tarfile import ExtractError, TarFile
from typing import Any, Dict, List, Tuple
import jsonschema
import requests
import yaml
from git import Repo
log = logging.getLogger(__name__)
# use the '|' style for multiline strings
# https://github.com/yaml/pyyaml/issues/240
yaml.representer.SafeRepresenter.add_representer(
str,
lambda dumper, data: dumper.represent_scalar(
"tag:yaml.org,2002:str",
data,
style="|" if data.count("\n") > 0 else None,
),
)
CYCLONEDX_SCHEMA_URL = (
"https://raw.githubusercontent.com/CycloneDX/specification/1.4/schema/bom-1.4.schema.json"
)
@dataclass
class TestParameters:
repo: str
ref: str
packages: Tuple[Dict[str, Any], ...]
check_output: bool = True
check_deps_checksums: bool = True
check_vendor_checksums: bool = True
expected_exit_code: int = 0
expected_output: str = ""
flags: List[str] = field(default_factory=list)
class ContainerImage:
def __init__(self, repository: str):
"""Initialize ContainerImage object with associated repository."""
self.repository = repository
def __enter__(self) -> "ContainerImage":
return self
def pull_image(self) -> None:
cmd = ["podman", "pull", self.repository]
output, exit_code = run_cmd(cmd)
if exit_code != 0:
raise RuntimeError(f"Pulling {self.repository} failed. Output:{output}")
log.info("Pulled image: %s.", self.repository)
def run_cmd_on_image(self, cmd: List, tmpdir: Path) -> Tuple[str, int]:
image_cmd = ["podman", "run", "--rm", "-v", f"{tmpdir}:{tmpdir}:z", self.repository] + cmd
return run_cmd(image_cmd)
def __exit__(self, exc_type: Any, exc_value: Any, exc_traceback: Any) -> None:
image_cmd = ["podman", "rmi", "--force", self.repository]
(output, exit_code) = run_cmd(image_cmd)
if exit_code != 0:
raise RuntimeError(f"Image deletion failed. Output:{output}")
def build_image(context_dir: Path, tag: str) -> ContainerImage:
return _build_image(["podman", "build", str(context_dir)], tag=tag)
def build_image_for_test_case(tmp_path: Path, containerfile: str, test_case: str) -> ContainerImage:
cmd = [
"podman",
"build",
"-f",
containerfile,
"-v",
f"{tmp_path}:/tmp:Z",
"--no-cache",
"--network",
"none",
]
return _build_image(cmd, tag=f"localhost/{test_case}")
def _build_image(podman_cmd: list[str], *, tag: str) -> ContainerImage:
podman_cmd = [*podman_cmd, "--tag", tag]
(output, exit_code) = run_cmd(podman_cmd)
if exit_code != 0:
raise RuntimeError(f"Building image failed. Output:\n{output}")
return ContainerImage(tag)
def clone_repository(repo_url: str, ref: str, folder_name: str, tmpdir: Path) -> Path:
"""
Clone repository and checkout specific commit.
:param repo_url: Git repository URL
:param ref: Git reference
:param folder_name: Name of folder where content will be cloned
:param tmpdir: Temp directory for pytest
:return: Absolute path to cloned repository
:rtype: str
"""
folder = tmpdir / folder_name
repo = Repo.clone_from(repo_url, folder)
repo.git.checkout(ref)
log.info("Cloned repository path: %s", folder)
return folder
def run_cmd(cmd: List[str]) -> Tuple[str, int]:
"""
Run command via subprocess.
:param cmd: command to be executed
:return: Command output and exitcode
:rtype: Tuple
"""
log.info("Run command: %s.", cmd)
process = Popen(cmd, stdout=PIPE, stderr=PIPE)
out, err = process.communicate()
return (out + err).decode("utf-8"), process.returncode
def _calculate_files_checksums_in_dir(root_dir: Path) -> Dict:
"""
Calculate files sha256sum in provided directory.
Method lists all files in provided directory and calculates their checksums.
:param root_dir: path to root directory
:return: Dictionary with relative paths to files in dir and their checksums
:rtype: Dict
"""
files_checksums = {}
for dir_, _, files in os.walk(root_dir):
rel_dir = Path(dir_).relative_to(root_dir)
for file_name in files:
rel_file = rel_dir.joinpath(file_name).as_posix()
if "-external-gitcommit-" in file_name:
files_checksums[rel_file] = _get_git_commit_from_tarball(
root_dir.joinpath(rel_file)
)
elif "/sumdb/sum.golang.org/lookup/" in rel_file:
files_checksums[rel_file] = "unstable"
elif "/sumdb/sum.golang.org/tile/" in rel_file:
# drop altogether - even the filenames are unstable, not just the checksums
pass
else:
files_checksums[rel_file] = _calculate_sha256sum(root_dir.joinpath(rel_file))
return files_checksums
def _get_git_commit_from_tarball(tarball: Path) -> str:
with TarFile.open(tarball, "r:gz") as tarfile:
extract_path = str(tarball).replace(".tar.gz", "").replace(".tgz", "")
_safe_extract(tarfile, extract_path)
repo = Repo(path=f"{extract_path}/app")
commit = f"gitcommit:{repo.commit().hexsha}"
shutil.rmtree(extract_path)
return commit
def _calculate_sha256sum(file: Path) -> str:
"""
Calculate sha256sum of file.
:param file: path to file
:return: file's sha256sum
:rtype: str
"""
sha256_hash = hashlib.sha256()
with open(file, "rb") as f:
# Read and update hash string value in blocks of 4K
for byte_block in iter(lambda: f.read(4096), b""):
sha256_hash.update(byte_block)
return f"sha256:{sha256_hash.hexdigest()}"
def _load_json_or_yaml(file: Path) -> dict[str, Any]:
"""Load JSON or YAML file and return dict."""
with open(file) as f:
return yaml.safe_load(f)
def _safe_extract(tar: TarFile, path: str = ".", *, numeric_owner: bool = False) -> None:
"""
CVE-2007-4559 replacement for extract() or extractall().
By using extract() or extractall() on a tarfile object without sanitizing input,
a maliciously crafted .tar file could perform a directory path traversal attack.
The patch essentially checks to see if all tarfile members will be
extracted safely and throws an exception otherwise.
:param tarfile tar: the tarfile to be extracted.
:param str path: specifies a different directory to extract to.
:param numeric_owner: if True, only the numbers for user/group names are used and not the names.
:raise ExtractError: if there is a Traversal Path Attempt in the Tar File.
"""
abs_path = Path(path).resolve()
for member in tar.getmembers():
member_path = Path(path).joinpath(member.name)
abs_member_path = member_path.resolve()
if not abs_member_path.is_relative_to(abs_path):
raise ExtractError("Attempted Path Traversal in Tar File")
tar.extractall(path, numeric_owner=numeric_owner)
def _json_serialize(data: dict[str, Any]) -> str:
return json.dumps(data, indent=2, sort_keys=True) + "\n"
def _yaml_serialize(data: dict[str, Any]) -> str:
return yaml.safe_dump(data)
def update_test_data_if_needed(path: Path, data: dict[str, Any]) -> None:
if path.suffix == ".json":
serialize = _json_serialize
elif path.suffix == ".yaml":
serialize = _yaml_serialize
else:
raise ValueError(f"Don't know how to serialize data to {path.name} :(")
if os.getenv("CACHI2_GENERATE_TEST_DATA") == "true":
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w") as file:
file.write(serialize(data))
@functools.cache
def _fetch_cyclone_dx_schema() -> dict[str, Any]:
response = requests.get(CYCLONEDX_SCHEMA_URL)
response.raise_for_status()
return response.json()
def fetch_deps_and_check_output(
tmp_path: Path,
test_case: str,
test_params: TestParameters,
source_folder: Path,
test_data_dir: Path,
cachi2_image: ContainerImage,
) -> Path:
"""
Fetch dependencies for source repo and check expected output.
:param tmp_path: Temp directory for pytest
:param test_case: Test case name retrieved from pytest id
:param test_params: Test case arguments
:param source_folder: Folder path to source repository content
:param test_data_dir: Relative path to expected output test data
:param cachi2_image: ContainerImage instance with Cachi2 image
:return: Path to output folder with fetched dependencies and output.json
"""
output_folder = tmp_path.joinpath(f"{test_case}-output")
cmd = [
"fetch-deps",
"--source",
source_folder,
"--output",
output_folder,
]
if test_params.flags:
cmd += test_params.flags
cmd.append(json.dumps(test_params.packages).encode("utf-8"))
(output, exit_code) = cachi2_image.run_cmd_on_image(cmd, tmp_path)
assert exit_code == test_params.expected_exit_code, (
f"Fetching deps ended with unexpected exitcode: {exit_code} != "
f"{test_params.expected_exit_code}, output-cmd: {output}"
)
assert test_params.expected_output in str(
output
), f"Expected msg {test_params.expected_output} was not found in cmd output: {output}"
if test_params.check_output:
build_config = _load_json_or_yaml(output_folder.joinpath(".build-config.json"))
sbom = _load_json_or_yaml(output_folder.joinpath("bom.json"))
if "project_files" in build_config:
_replace_tmp_path_with_placeholder(build_config["project_files"], tmp_path)
# store .build_config as yaml for more readable test data
expected_build_config_path = test_data_dir.joinpath(test_case, ".build-config.yaml")
expected_sbom_path = test_data_dir.joinpath(test_case, "bom.json")
update_test_data_if_needed(expected_build_config_path, build_config)
update_test_data_if_needed(expected_sbom_path, sbom)
expected_build_config = _load_json_or_yaml(expected_build_config_path)
expected_sbom = _load_json_or_yaml(expected_sbom_path)
log.info("Compare output files")
assert build_config == expected_build_config
assert sbom == expected_sbom
log.info("Validate SBOM schema")
schema = _fetch_cyclone_dx_schema()
jsonschema.validate(instance=sbom, schema=schema)
deps_content_file = Path(test_data_dir, test_case, "fetch_deps_file_contents.yaml")
if deps_content_file.exists():
_validate_expected_dep_file_contents(deps_content_file, Path(output_folder))
if test_params.check_deps_checksums:
files_checksums = _calculate_files_checksums_in_dir(output_folder.joinpath("deps"))
expected_files_checksums_path = test_data_dir.joinpath(
test_data_dir, test_case, "fetch_deps_sha256sums.json"
)
update_test_data_if_needed(expected_files_checksums_path, files_checksums)
expected_files_checksums = _load_json_or_yaml(expected_files_checksums_path)
log.info("Compare checksums of fetched deps files")
assert files_checksums == expected_files_checksums
if test_params.check_vendor_checksums:
files_checksums = _calculate_files_checksums_in_dir(source_folder.joinpath("vendor"))
expected_files_checksums_path = test_data_dir.joinpath(test_case, "vendor_sha256sums.json")
update_test_data_if_needed(expected_files_checksums_path, files_checksums)
expected_files_checksums = _load_json_or_yaml(expected_files_checksums_path)
log.info("Compare checksums of files in source vendor folder")
assert files_checksums == expected_files_checksums
return output_folder
def build_image_and_check_cmd(
tmp_path: Path,
output_folder: Path,
test_data_dir: Path,
test_case: str,
check_cmd: List,
expected_cmd_output: str,
cachi2_image: ContainerImage,
) -> None:
"""
Build image and check that Cachi2 provided sources properly.
:param tmp_path: Temp directory for pytest
:param output_folder: Path to output folder with fetched dependencies and output.json
:param test_case: Test case name retrieved from pytest id
:param test_data_dir: Relative path to expected output test data
:param check_cmd: Command to be run on image to check provided sources
:param expected_cmd_output: Expected output of check_cmd
:param cachi2_image: ContainerImage instance with Cachi2 image
"""
log.info("Create cachi2.env file")
env_vars_file = tmp_path.joinpath("cachi2.env")
cmd = [
"generate-env",
output_folder,
"--output",
env_vars_file,
"--for-output-dir",
Path("/tmp").joinpath(f"{test_case}-output"),
]
(output, exit_code) = cachi2_image.run_cmd_on_image(cmd, tmp_path)
assert exit_code == 0, f"Env var file creation failed. output-cmd: {output}"
log.info("Inject project files")
cmd = [
"inject-files",
output_folder,
"--for-output-dir",
Path("/tmp").joinpath(f"{test_case}-output"),
]
(output, exit_code) = cachi2_image.run_cmd_on_image(cmd, tmp_path)
assert exit_code == 0, f"Injecting project files failed. output-cmd: {output}"
log.info("Build container image with all prerequisites retrieved in previous steps")
container_folder = test_data_dir.joinpath(test_case, "container")
with build_image_for_test_case(
tmp_path, str(container_folder.joinpath("Containerfile")), test_case
) as test_image:
log.info(f"Run command {check_cmd} on built image {test_image.repository}")
(output, exit_code) = test_image.run_cmd_on_image(check_cmd, tmp_path)
assert exit_code == 0, f"{check_cmd} command failed, Output: {output}"
for expected_output in expected_cmd_output:
assert expected_output in output, f"{expected_output} is missing in {output}"
def _replace_tmp_path_with_placeholder(project_files: list[dict[str, str]], tmp_path: Path) -> None:
for item in project_files:
relative_path = item["abspath"].replace(str(tmp_path), "")
item["abspath"] = "${test_case_tmpdir}" + str(relative_path)
def _validate_expected_dep_file_contents(dep_contents_file: Path, output_dir: Path) -> None:
expected_deps_content = yaml.safe_load(dep_contents_file.read_text())
for path, expected_content in expected_deps_content.items():
log.info("Compare text content of deps/%s", path)
dep_file = output_dir / "deps" / path
assert dep_file.exists()
assert dep_file.read_text() == expected_content