authorIvan Alejandro <ivanalejandro0@gmail.com>2015-02-26 12:17:49 -0300
committerIvan Alejandro <ivanalejandro0@gmail.com>2015-02-27 14:42:18 -0300
commit2db203ff98b947db0db9adcaa47b637a18b05a0d (patch)
treec3e68970f9fd8fe11f7bd059bc8e5ed90bbaef41 /tuf
parent5d3b5b51b1a892586b86a3f333f9beba08f49b33 (diff)
Run the TUF repo updater in a Docker container.
Diffstat (limited to 'tuf')
-rw-r--r--tuf/Dockerfile15
-rw-r--r--tuf/README.md29
-rwxr-xr-xtuf/tuf-stuff.sh190
3 files changed, 234 insertions, 0 deletions
diff --git a/tuf/Dockerfile b/tuf/Dockerfile
new file mode 100644
index 0000000..c556495
--- /dev/null
+++ b/tuf/Dockerfile
@@ -0,0 +1,15 @@
+FROM debian:8
+
+MAINTAINER Ivan Alejandro <ivanalejandro0@gmail.com>
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
+ wget python-dev python-pip libssl-dev libffi-dev
+
+RUN pip install tuf[tools] pycrypto
+
+ADD tuf-stuff.sh /
+ADD release.py /
+
+WORKDIR /code
+
+ENTRYPOINT ["/tuf-stuff.sh"]
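Review bot: `RUN pip install tuf[tools] pycrypto` installs whatever versions the index serves at build time, so the image that later has the TUF signing key mounted into `/code` is not reproducible and inherits any changed or compromised release of those packages or their dependencies. Pin the versions you have tested, e.g. `RUN pip install 'tuf[tools]==<PINNED_VERSION>' 'pycrypto==<PINNED_VERSION>'` (placeholders), ideally from a requirements file that also records hashes. The `FROM debian:8` tag is mutable too and could be pinned by digest. `ADD` is used for two plain local files where `COPY` states the intent more narrowly, and `release.py` is not among the three files in this diffstat, so confirm it is already present in the build context.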
diff --git a/tuf/README.md b/tuf/README.md
new file mode 100644
index 0000000..52b45c5
--- /dev/null
+++ b/tuf/README.md
@@ -0,0 +1,29 @@
+Using the TUF repository updater
+================================
+
+Usage example (for stable):
+
+```
+$ docker build -t test/tuf . # build the image, run this inside the Dockerfile directory
+$ mkdir bundle.stuff/
+$ cd bundle.stuff/
+$ cp /some/path/Bitmask-linux{32,64}-0.8.1.tar.bz2 .
+$ cp /some/path/tuf_private_key.pem .
+$ docker run -t -i --rm -v `pwd`:/code/ test/tuf-stuff -v 0.8.1 -a 32 -k tuf_private_key.pem -R S
+$ docker run -t -i --rm -v `pwd`:/code/ test/tuf-stuff -v 0.8.1 -a 64 -k tuf_private_key.pem -R S
+```
+
+Usage example (for unstable):
+
+```
+$ docker build -t test/tuf . # build the image, run this inside the Dockerfile directory
+$ mkdir bundle.stuff/
+$ cd bundle.stuff/
+$ cp /some/path/Bitmask-linux{32,64}-0.9.0rc1.tar.bz2 .
+$ cp /some/path/tuf_private_key_unstable.pem .
+$ docker run -t -i --rm -v `pwd`:/code/ test/tuf-stuff -v 0.9.0rc1 -a 32 -k tuf_private_key_unstable.pem -R U
+$ docker run -t -i --rm -v `pwd`:/code/ test/tuf-stuff -v 0.9.0rc1 -a 64 -k tuf_private_key_unstable.pem -R U
+```
+
+
+You'll find the output tuf repo on `./workdir/output/`.
diff --git a/tuf/tuf-stuff.sh b/tuf/tuf-stuff.sh
new file mode 100755
index 0000000..e7e4f5a
--- /dev/null
+++ b/tuf/tuf-stuff.sh
@@ -0,0 +1,190 @@
+#!/bin/bash
+
+# Needed files:
+# Bitmask-linux32-0.7.0.tar.bz2 # fresh bundled bundle
+# Bitmask-linux64-0.7.0.tar.bz2 # fresh bundled bundle
+# tuf_private_key.pem # private key
+# tuf-stuff.sh # this script
+
+# Output:
+# workdir/ <-- temporary folder: virtualenv, bundle, repo.tar.gz, key
+# └── output/ <-- here you'll find the resulting compressed repo/bundle
+
+
+# Expected directory structure for the repo after the script finishes:
+# $ tree workdir/repo/
+# repo
+# ├── metadata.staged
+# │   ├── root.json
+# │   ├── snapshot.json
+# │   ├── snapshot.json.gz
+# │   ├── targets.json
+# │   ├── targets.json.gz
+# │   └── timestamp.json
+# └── targets
+# ... Bitmask bundle files ...
+
+set -e # Exit immediately if a command exits with a non-zero status.
+
+# Set some colors variables
+esc=`echo -en "\033"`
+cc_red="${esc}[31m"
+cc_green="${esc}[32m"
+cc_yellow="${esc}[33m"
+cc_normal="${esc}[39m"
+
+show_help() {
+cat << EOF
+Usage: ${0##*/} [-h] [-r FILE] [-a (32|64)] -v VERSION -k KEY_FILE -R (S|U)
+Do stuff for version VERSION and arch ARCH.
+
+ -h display this help and exit.
+ -a ARCH do the tuf stuff for that ARCH, 32 or 64 bits. The default is '64'.
+ -k KEY_FILE use this key file to sign the release
+ -r FILE use particular repo/ file to do the tuf stuff. FILE must be a .tar.gz file.
+ -v VERSION version to work with. This is a mandatory argument.
+ -R REPO use the (S)table or (U)nstable TUF web repo.
+EOF
+}
+
+get_args() {
+ # from: http://mywiki.wooledge.org/BashFAQ/035#getopts
+ local OPTIND
+
+ ARCH="64"
+
+ while getopts "hr:v:a:k:R:" opt; do
+ case "$opt" in
+ h)
+ show_help
+ exit 0
+ ;;
+ v) VERSION=$OPTARG
+ ;;
+ r) REPO=`realpath $OPTARG`
+ ;;
+ k) KEY_FILE=`realpath $OPTARG`
+ ;;
+ a) ARCH=$OPTARG
+ ;;
+ R) WEB_REPO=$OPTARG
+ ;;
+ '?')
+ show_help >&2
+ exit 1
+ ;;
+ esac
+ done
+ shift "$((OPTIND-1))" # Shift off the options and optional --.
+
+ if [[ -z $VERSION ]]; then
+ echo 'Error: missing -v flag'
+ show_help
+ exit 1
+ fi
+ if [[ -z $KEY_FILE ]]; then
+ echo 'Error: missing -k flag'
+ show_help
+ exit 1
+ fi
+ if [[ -z $WEB_REPO ]]; then
+ echo 'Error: missing -R flag'
+ show_help
+ exit 1
+ else
+ if [[ $WEB_REPO != 'S' && $WEB_REPO != 'U' ]]; then
+ echo 'Error: invalid parameter for the -R flag'
+ show_help
+ exit 2
+ fi
+ fi
+
+ echo "---------- settings ----------"
+ echo "Arch: $ARCH"
+ echo "Key: $KEY_FILE"
+ echo "Repo: $REPO"
+ echo "Version: $VERSION"
+ echo "Web repo: $WEB_REPO"
+ echo "--------------------"
+ read -p "Press <Enter> to continue, <Ctrl>+C to exit. "
+}
+
+# ----------------------------------------
+
+do_init(){
+ # Initialize the needed variables and create the work directory.
+
+ BASE=`pwd`
+ WORKDIR=$BASE/workdir
+
+ BITMASK="Bitmask-linux$ARCH-$VERSION"
+ RELEASE=/release.py
+
+ if [[ ! -f $RELEASE ]]; then
+ echo "ERROR: you need to copy the release.py file into this directory."
+ fi
+
+ if [[ ! -f $KEY_FILE ]]; then
+ echo "ERROR: the specified key file does not exist."
+ fi
+
+ # Initialize path
+ mkdir -p $WORKDIR
+}
+
+do_tuf_stuff() {
+ cd $WORKDIR
+ cp $BASE/$BITMASK.tar.bz2 .
+
+ rm -fr repo/
+ mkdir repo && cd repo/
+
+ if [[ $ARCH == "64" ]]; then
+ TUF_ARCH='linux-x86_64'
+ else
+ TUF_ARCH='linux-i386'
+ fi
+
+ if [[ $WEB_REPO == 'S' ]]; then
+ TUF_URL=https://dl.bitmask.net/tuf/$TUF_ARCH/metadata/
+ else
+ TUF_URL=https://dl.bitmask.net/tuf-unstable/$TUF_ARCH/metadata/
+ fi
+
+ if [[ -z $REPO ]]; then
+ # Download old repo metadata
+ echo "${cc_yellow}-> Downloading metadata files from the old bundle...${cc_normal}"
+ wget --quiet --recursive --no-host-directories --cut-dirs=2 --no-parent --reject "index.html*" $TUF_URL
+ mv metadata metadata.staged
+ else
+ echo "${cc_yellow}-> Extracting metadata files from the repo file...${cc_normal}"
+ # we need that specific folder without the repo/ parent path
+ tar xzf $REPO repo/metadata.staged/ --strip-components=1
+ fi
+
+ echo "${cc_yellow}-> Uncompressing bundle and moving to its place...${cc_normal}"
+ tar xjf $BASE/$BITMASK.tar.bz2 # fresh bundled bundle
+ rm -fr $BITMASK/repo/ # We must not add that folder to the tuf repo.
+ rm -fr targets
+ mv $BITMASK targets
+
+ echo "${cc_yellow}-> Doing release magic...${cc_normal}"
+ $RELEASE $WORKDIR/repo $KEY_FILE
+
+ echo "${cc_yellow}-> Creating output file...${cc_normal}"
+ cd $WORKDIR
+ mkdir -p output
+ rm -f output/$BITMASK-tuf.tar.bz2
+ tar cjf output/$BITMASK-tuf.tar.bz2 repo/
+}
+
+get_args $@
+
+do_init
+
+do_tuf_stuff
+
+echo "${cc_green}TUF release complete.${cc_normal}"
+echo "You can find the resulting file in:"
+echo "$WORKDIR/output/$BITMASK-tuf.tar.bz2"
+sha256sum $WORKDIR/output/$BITMASK-tuf.tar.bz2
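Review bot: The two existence checks in `do_init` only print `ERROR:` and fall through, so a run with a missing `/release.py` or key file still removes `repo/`, downloads the old metadata and unpacks the bundle before failing at the signing step; each branch should write to stderr and `exit 1`. In the same path `-a` is never validated, so any value other than `64` silently selects `linux-i386` in `do_tuf_stuff`. `$OPTARG`, `$VERSION`-derived `$BITMASK`, `$WORKDIR`, `$REPO` and `$KEY_FILE` are expanded unquoted in `realpath`, `cp`, `tar` and `rm -fr`, and the script is invoked as `get_args $@`, so an argument containing whitespace or glob characters changes which paths those commands act on; quote every expansion and call `get_args "$@"`. The fence below shows the `do_init` part only.

```shell
do_init(){
  # … unchanged: BASE, WORKDIR, BITMASK, RELEASE assignments …

  case "$ARCH" in
    32|64) ;;
    *)
      echo "ERROR: -a must be 32 or 64." >&2
      exit 2
      ;;
  esac

  if [[ ! -f "$RELEASE" ]]; then
    echo "ERROR: you need to copy the release.py file into this directory." >&2
    exit 1
  fi

  if [[ ! -f "$KEY_FILE" ]]; then
    echo "ERROR: the specified key file does not exist." >&2
    exit 1
  fi

  # Initialize path
  mkdir -p "$WORKDIR"
}
```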