Commit ef7100c2 authored by squalus's avatar squalus

osquery: add update script

- add update script
- remove the build-time openssl version/hash cross-check, since the update
  script now extracts the hash from osquery's CMakeLists automatically
parent ba0c72ce
+12 −52
@@ -9,48 +9,20 @@
, stdenv
, stdenvNoCC
, ninja
, nix-prefetch-git
, autoPatchelfHook
, writeShellApplication
, jq
, removeReferencesTo
, nixosTests
, file
, writers
}:

let

  version = "5.12.2";
  info = builtins.fromJSON (builtins.readFile ./info.json);

  opensslVersion = "3.2.1";

  opensslSha256 = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39";

  src = fetchFromGitHub {
    owner = "osquery";
    repo = "osquery";
    rev = version;
    fetchSubmodules = true;
    hash = "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=";
  };

  extractOpensslInfo = writeShellApplication {
    name = "extractOpensslInfo";
    text = ''
      if [ $# -ne 1 ]; then
        echo "Usage: $0 <osquery-source-directory>"
        exit 1
      fi
      opensslCmake="$1"/libraries/cmake/formula/openssl/CMakeLists.txt
      version=$(gawk 'match($0, /OPENSSL_VERSION "(.*)"/, a) {print a[1]}' < "$opensslCmake")
      sha256=$(gawk 'match($0, /OPENSSL_ARCHIVE_SHA256 "(.*)"/, a) {print a[1]}' < "$opensslCmake")
      echo "{\"version\": \"$version\", \"sha256\": \"$sha256\"}"
    '';
  };

  opensslSrc = fetchurl {
    url = "https://www.openssl.org/source/openssl-${opensslVersion}.tar.gz";
    sha256 = opensslSha256;
  };
  opensslSrc = fetchurl info.openssl;

  toolchain = import ./toolchain-bin.nix { inherit stdenv lib fetchzip file; };

@@ -60,7 +32,9 @@ stdenvNoCC.mkDerivation rec {

  pname = "osquery";

  inherit src version;
  version = info.osquery.rev;

  src = fetchFromGitHub info.osquery;

  patches = [
    ./Remove-git-reset.patch
@@ -73,7 +47,6 @@ stdenvNoCC.mkDerivation rec {
    python3
    ninja
    autoPatchelfHook
    extractOpensslInfo
    jq
    removeReferencesTo
  ];
@@ -83,23 +56,6 @@ stdenvNoCC.mkDerivation rec {
  '';

  configurePhase = ''
    expectedOpensslVersion=$(extractOpensslInfo . | jq -r .version)
    expectedOpensslSha256=$(extractOpensslInfo . | jq -r .sha256)

    if [ "$expectedOpensslVersion" != "${opensslVersion}" ]; then
      echo "openssl version mismatch: expected=$expectedOpensslVersion actual=${opensslVersion}"
      opensslMismatch=1
    fi

    if [ "$expectedOpensslSha256" != "${opensslSha256}" ]; then
      echo "openssl sha256 mismatch: expected=$expectedOpensslSha256 actual=${opensslSha256}"
      opensslMismatch=1
    fi

    if [ -n "$opensslMismatch" ]; then
      exit 1
    fi

    mkdir build
    cd build
    cmake .. \
@@ -120,10 +76,14 @@ stdenvNoCC.mkDerivation rec {
  '';

  passthru = {
    inherit extractOpensslInfo opensslSrc toolchain;
    inherit opensslSrc toolchain;
    tests = {
      inherit (nixosTests) osquery;
    };
    updateScript = writers.writePython3
      "osquery-update"
      { makeWrapperArgs = "--prefix PATH : ${lib.makeBinPath [ nix-prefetch-git ]}"; }
      (builtins.readFile ./update.py);
  };

  meta = with lib; {
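Review bot: With the configurePhase cross-check gone, nothing in the derivation ties `info.openssl` to the OpenSSL version and SHA256 declared in the checked-out source's `libraries/cmake/formula/openssl/CMakeLists.txt`; the pairing is now only as correct as the last run of `update.py`, and a hand-edited or stale `info.json` would not be caught here. If osquery's own CMake formula verifies the pre-seeded tarball against `OPENSSL_ARCHIVE_SHA256`, a mismatch would presumably still fail the build, but later and with a less obvious error — the part of the build that places `opensslSrc` is outside this hunk, so I cannot confirm that from here. A comment on the `info` binding would make the contract explicit: `# Generated by update.py (passthru.updateScript): openssl's url/hash are taken from osquery's CMakeLists at the pinned rev. Regenerate, do not hand-edit.`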
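--- /dev/null
+++ b/pkgs/tools/system/osquery/info.json
@@ -0,0 +1,13 @@
+{
+    "openssl": {
+        "hash": "sha256-g8cyn+UshQZ3115dCwyiRTCbl+jsvP3B39xKufrDWzk=",
+        "url": "https://www.openssl.org/source/openssl-3.2.1.tar.gz"
+    },
+    "osquery": {
+        "fetchSubmodules": true,
+        "hash": "sha256-PJrGAqDxo5l6jtQdpTqraR195G6kaLQ2ik08WtlWEmk=",
+        "owner": "osquery",
+        "repo": "osquery",
+        "rev": "5.12.2"
+    }
+}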
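--- /dev/null
+++ b/pkgs/tools/system/osquery/update.py
@@ -0,0 +1,109 @@
+import base64
+import json
+import re
+import subprocess
+import sys
+import urllib.request
+
+OWNER = 'osquery'
+REPO = 'osquery'
+OPENSSL_VERSION_PAT = re.compile(r'^set\(OPENSSL_VERSION "(.*)"\)')
+OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "(.*)"\)')
+INFO_PATH = 'pkgs/tools/system/osquery/info.json'
+
+
+def download_str(url):
+    return urllib.request.urlopen(url).read().decode('utf-8')
+
+
+def get_latest_tag():
+    latest_url = f'https://api.github.com/repos/{OWNER}/{REPO}/releases/latest'
+    return json.loads(download_str(latest_url))['tag_name']
+
+
+def read_info():
+    with open(INFO_PATH, 'r') as f:
+        return json.load(f)
+
+
+def write_info(info):
+    with open(INFO_PATH, 'w') as f:
+        json.dump(info, f, indent=4, sort_keys=True)
+        f.write('\n')
+
+
+def sha256_hex_to_sri(hex):
+    return 'sha256-' + base64.b64encode(bytes.fromhex(hex)).decode()
+
+
+def openssl_info_from_cmake(cmake):
+    version = None
+    sha256 = None
+    for line in cmake.splitlines():
+        if version is None:
+            m = OPENSSL_VERSION_PAT.match(line)
+            if m is not None:
+                version = m.group(1)
+        if sha256 is None:
+            m = OPENSSL_SHA256_PAT.match(line)
+            if m is not None:
+                sha256 = m.group(1)
+        if version is not None and sha256 is not None:
+            break
+
+    if version is None or sha256 is None:
+        raise Exception('Failed to extract openssl fetch info')
+
+    return {
+        'url': f'https://www.openssl.org/source/openssl-{version}.tar.gz',
+        'hash': sha256_hex_to_sri(sha256)
+    }
+
+
+def openssl_info_for_rev(rev):
+    url = f'https://raw.githubusercontent.com/{OWNER}/{REPO}/{rev}/libraries/cmake/formula/openssl/CMakeLists.txt'  # noqa: E501
+    return openssl_info_from_cmake(download_str(url))
+
+
+force = len(sys.argv) == 2 and sys.argv[1] == '--force'
+
+latest_tag = get_latest_tag()
+print(f'osquery_latest_tag: {latest_tag}')
+
+if not force:
+    old_info = read_info()
+    if latest_tag == old_info['osquery']['rev']:
+        print('latest tag matches existing rev. exiting')
+        sys.exit(0)
+
+openssl_fetch_info = openssl_info_for_rev(latest_tag)
+print(f'openssl_info: {openssl_fetch_info}')
+
+prefetch = json.loads(subprocess.check_output([
+    'nix-prefetch-git',
+    '--fetch-submodules',
+    '--quiet',
+    f'https://github.com/{OWNER}/{REPO}',
+    latest_tag
+]))
+
+prefetch_hash = prefetch['hash']
+
+github_fetch_info = {
+    'owner': OWNER,
+    'repo': REPO,
+    'rev': latest_tag,
+    'hash': prefetch_hash,
+    'fetchSubmodules': True
+}
+
+print(f'osquery_hash: {prefetch_hash}')
+
+new_info = {
+    'osquery': github_fetch_info,
+    'openssl': openssl_fetch_info
+}
+
+print(f'osquery_info: {new_info}')
+
+write_info(new_info)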
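Review bot: `sha256_hex_to_sri` accepts any even-length hex string, and `OPENSSL_SHA256_PAT` captures `(.*)`, so a truncated or otherwise malformed `OPENSSL_ARCHIVE_SHA256` line upstream would be silently encoded into a short SRI string and written to `info.json`; the failure would only surface later when Nix rejects the hash. Since this value is what pins the OpenSSL tarball, it should be validated where it is extracted: tighten the pattern to `OPENSSL_SHA256_PAT = re.compile(r'^set\(OPENSSL_ARCHIVE_SHA256 "([0-9a-fA-F]{64})"\)')` and guard the conversion with `if len(hex) != 64: raise ValueError(f'expected 64 hex chars, got {len(hex)}')`. Renaming the parameter from `hex` (which shadows the builtin) to `hex_digest` would also help. Separately, `download_str` calls `urlopen` without a timeout, so a stalled GitHub or raw.githubusercontent.com response hangs the updater indefinitely; `urllib.request.urlopen(url, timeout=60)` is a cheap fix.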