Revert "[cipd] Check CIPD client hash against pinned SHA256 during updates."

This reverts commit eebc3d82. Reason for revert: crbug.com/874586 Original change's description: > [cipd] Check CIPD client hash against pinned SHA256 during updates. > > Linux and OSX only for now. This also rolls CIPD client to a version that > supports pinned hashes (v2.2.5). > > CIPD_CLIENT_VER and CIPD_CLIENT_SRV are no longer supported as env vars, since > it makes no sense when pinning hashes of the binaries at specific version on > the specific backend. > > Also somewhat cleanup 'cipd' script to use "${VAR}", stderr and colored output > consistently. > > R=iannucci@chromium.org, nodir@chromium.org > BUG=870166 > > Change-Id: I9e61f9f8fbdcf10985c52828b2bfbec64b4234f0 > Reviewed-on: https://chromium-review.googlesource.com/1171957 > Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> > Reviewed-by: Nodir Turakulov <nodir@chromium.org> TBR=iannucci@chromium.org,vadimsh@chromium.org,nodir@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 870166 Change-Id: I9aa8e7a7f07520aa69d366c76e4dbccae345bc00 Reviewed-on: https://chromium-review.googlesource.com/1175294Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

Revert "[cipd] Check CIPD client hash against pinned SHA256 during updates."
This reverts commit eebc3d82. Reason for revert: crbug.com/874586 Original change's description: > [cipd] Check CIPD client hash against pinned SHA256 during updates. > > Linux and OSX only for now. This also rolls CIPD client to a version that > supports pinned hashes (v2.2.5). > > CIPD_CLIENT_VER and CIPD_CLIENT_SRV are no longer supported as env vars, since > it makes no sense when pinning hashes of the binaries at specific version on > the specific backend. > > Also somewhat cleanup 'cipd' script to use "${VAR}", stderr and colored output > consistently. > > R=iannucci@chromium.org, nodir@chromium.org > BUG=870166 > > Change-Id: I9e61f9f8fbdcf10985c52828b2bfbec64b4234f0 > Reviewed-on: https://chromium-review.googlesource.com/1171957 > Commit-Queue: Vadim Shtayura <vadimsh@chromium.org> > Reviewed-by: Nodir Turakulov <nodir@chromium.org> TBR=iannucci@chromium.org,vadimsh@chromium.org,nodir@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 870166 Change-Id: I9aa8e7a7f07520aa69d366c76e4dbccae345bc00 Reviewed-on: https://chromium-review.googlesource.com/1175294Reviewed-by: Vadim Shtayura <vadimsh@chromium.org> Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
5e5c2173 · Vadim Shtayura · Commit Bot · 00657119 · 5e5c2173 · 5e5c2173
Commit 5e5c2173 authored Aug 15, 2018 by Vadim Shtayura Committed by Commit Bot Aug 15, 2018
Showing with 53 additions and 196 deletions

cipd cipd +47 -140

cipd_client_version cipd_client_version +1 -1

cipd_client_version.digests cipd_client_version.digests +0 -21

cipd_bootstrap_test.py tests/cipd_bootstrap_test.py +5 -34

No files found.
--- a/cipd
+++ b/cipd
@@ -6,31 +6,34 @@

 set -e -o pipefail

-MYPATH=$(dirname "${BASH_SOURCE[0]}")
 CYGWIN=false
+MYPATH=$(dirname "${BASH_SOURCE[0]}")
+
+: ${CIPD_CLIENT_VER:=`cat $MYPATH/cipd_client_version`}
+: ${CIPD_CLIENT_SRV:='https://chrome-infra-packages.appspot.com'}

 UNAME=`uname -s | tr '[:upper:]' '[:lower:]'`
-case "${UNAME}" in
+case $UNAME in
  linux)
-    OS=linux
+    PLAT=linux
    ;;
  cygwin*)
-    OS=windows
+    PLAT=windows
    CYGWIN=true
    ;;
  msys*|mingw*)
-    OS=windows
+    PLAT=windows
    ;;
  darwin)
-    OS=mac
+    PLAT=mac
    ;;
  *)
-    >&2 echo "CIPD not supported on ${UNAME}"
+    echo "cipd not supported on $UNAME"
    exit 1
 esac

 UNAME=`uname -m | tr '[:upper:]' '[:lower:]'`
-case "${UNAME}" in
+case $UNAME in
  x86_64|amd64)
    ARCH=amd64
    ;;
@@ -50,185 +53,89 @@ case "${UNAME}" in
    ARCH=armv6l
    ;;
  arm*)
-    ARCH="${UNAME}"
+    ARCH=$UNAME
    ;;
  *86)
    ARCH=386
    ;;
  mips*)
    # detect mips64le vs mips64.
-    ARCH="${UNAME}"
+    ARCH=$UNAME
    if lscpu | grep -q "Little Endian"; then
      ARCH+=le
    fi
    ;;
  *)
-    >&2 echo "UNKNOWN Machine architecture: ${UNAME}"
+    echo "UNKNOWN Machine architecture: $UNAME"
    exit 1
 esac

-# CIPD_BACKEND can be changed to ...-dev for manual testing.
-CIPD_BACKEND="https://chrome-infra-packages.appspot.com"
-VERSION_FILE="${MYPATH}/cipd_client_version"
-
-CLIENT="${MYPATH}/.cipd_client"
-VERSION=`cat "${VERSION_FILE}"`
-PLATFORM="${OS}-${ARCH}"
-
-URL="${CIPD_BACKEND}/client?platform=${PLATFORM}&version=${VERSION}"
-USER_AGENT="depot_tools/$(git -C ${MYPATH} rev-parse HEAD 2>/dev/null || echo "???")"
-
-
-# calc_sha256 is "portable" variant of sha256sum. It uses sha256sum when
-# available (most Linuxes and cygwin) and falls back to openssl otherwise
-# (mostly for OSX sake).
-#
-# Args:
-#   Path to a file.
-# Stdout:
-#   Lowercase SHA256 hex digest of the file.
-function calc_sha256() {
-  if hash sha256sum 2> /dev/null ; then
-    sha256sum "$1" | cut -d' ' -f1
-  elif hash openssl 2> /dev/null ; then
-    cat "$1" | openssl dgst -sha256
-  else
-    >&2 echo -n "[31;1m"
-    >&2 echo -n "Don't know how to calculate SHA256 on your platform. "
-    >&2 echo -n "Please use your package manager to install one before continuing:"
-    >&2 echo
-    >&2 echo "  sha256sum"
-    >&2 echo -n "  openssl"
-    >&2 echo "[0m"
-    return 1
-  fi
-}
-
-
-# expected_sha256 reads the expected SHA256 hex digest from *.digests file.
-#
-# Args:
-#   Name of the platform to get client's digest for.
-# Stdout:
-#   Lowercase SHA256 hex digest.
-function expected_sha256() {
-  local line
-  while read -r line; do
-    if [[ "${line}" =~ ^([0-9a-z\-]+)[[:blank:]]+sha256[[:blank:]]+([0-9a-f]+)$ ]] ; then
-      local plat="${BASH_REMATCH[1]}"
-      local hash="${BASH_REMATCH[2]}"
-      if [ "${plat}" ==  "$1" ]; then
-        echo "${hash}"
-        return 0
-      fi
-    fi
-  done < "${VERSION_FILE}.digests"
-
-  >&2 echo -n "[31;1m"
-  >&2 echo -n "Platform $1 is not supported by the CIPD client bootstrap: "
-  >&2 echo -n "there's no pinned SHA256 hash for it in the *.digests file."
-  >&2 echo "[0m"
-
-  return 1
-}
+URL="$CIPD_CLIENT_SRV/client?platform=${PLAT}-${ARCH}&version=$CIPD_CLIENT_VER"
+CLIENT="$MYPATH/.cipd_client"

+USER_AGENT="depot_tools/$(git -C $MYPATH rev-parse HEAD 2>/dev/null || echo "???")"

 # clean_bootstrap bootstraps the client from scratch using 'curl' or 'wget'.
-#
-# It checks that the SHA256 of the downloaded file is known. Exits the script
-# if the client can't be downloaded or its hash doesn't match the expected one.
 function clean_bootstrap() {
-  local expected_hash=$(expected_sha256 "${PLATFORM}")
-  if [ -z "${expected_hash}" ] ; then
-    exit 1
-  fi
+  echo "Bootstrapping cipd client for ${PLAT}-${ARCH} from ${URL}..."

-  # Download the client into a temporary file, check its hash, then move it into
-  # the final location.
+  # Download the client into a temporary file, then move it into the final
+  # location atomically.
  #
  # This wonky tempdir method works on Linux and Mac.
  local CIPD_CLIENT_TMP=$(\
-    mktemp -p "${MYPATH}" 2>/dev/null || \
-    mktemp "${MYPATH}/.cipd_client.XXXXXXX")
+    mktemp -p "$MYPATH" 2>/dev/null || \
+    mktemp "$MYPATH/.cipd_client.XXXXXXX")

  if hash curl 2> /dev/null ; then
-    curl "${URL}" -s --show-error -f -A "${USER_AGENT}" -L -o "${CIPD_CLIENT_TMP}"
+    curl "$URL" -s --show-error -f -A "$USER_AGENT"  -L -o "$CIPD_CLIENT_TMP"
  elif hash wget 2> /dev/null ; then
-    wget "${URL}" -q -U "${USER_AGENT}" -O "${CIPD_CLIENT_TMP}"
+    wget "$URL" -q -U "${USER_AGENT}" -O "${CIPD_CLIENT_TMP}"
  else
-    >&2 echo -n "[31;1m"
-    >&2 echo -n "Your platform is missing a supported fetch command. "
-    >&2 echo "Please use your package manager to install one before continuing:"
-    >&2 echo
-    >&2 echo "  curl"
-    >&2 echo "  wget"
-    >&2 echo
-    >&2 echo "Alternately, manually download:"
-    >&2 echo "  ${URL}"
-    >&2 echo -n "To ${CLIENT}, and then re-run this command."
-    >&2 echo "[0m"
-    rm "${CIPD_CLIENT_TMP}"
-    exit 1
-  fi
-
-  local actual_hash=$(calc_sha256 "${CIPD_CLIENT_TMP}")
-  if [ -z "${actual_hash}" ] ; then
+    echo Your platform is missing a supported fetch command. Please use your package
+    echo manager to install one before continuing:
+    echo
+    echo  curl
+    echo  wget
+    echo
+    echo Alternately, manually download:
+    echo   "$URL"
+    echo To $CLIENT, and then re-run this command.
    rm "${CIPD_CLIENT_TMP}"
    exit 1
  fi

-  if [ "${actual_hash}" != "${expected_hash}" ]; then
-    >&2 echo -n "[31;1m"
-    >&2 echo "SHA256 digest of the downloaded CIPD client is incorrect:"
-    >&2 echo "  Expecting ${expected_hash}"
-    >&2 echo "  Got       ${actual_hash}"
-    >&2 echo -n "Refusing to run it. Check that *.digests file is up-to-date."
-    >&2 echo "[0m"
-    rm "${CIPD_CLIENT_TMP}"
-    exit 1
-  fi
+  chmod +x "$CIPD_CLIENT_TMP"

  set +e
-  chmod +x "${CIPD_CLIENT_TMP}"
-  mv "${CIPD_CLIENT_TMP}" "${CLIENT}"
+  mv "$CIPD_CLIENT_TMP" "$CLIENT"
  set -e
 }

-
-# self_update launches CIPD client's built-in selfupdate mechanism.
-#
-# It is more efficient that redownloading the binary all the time.
 function self_update() {
-  "${CLIENT}" selfupdate -version-file "${VERSION_FILE}" -service-url "${CIPD_BACKEND}"
+  "$CLIENT" selfupdate -version "$CIPD_CLIENT_VER" -service-url "$CIPD_CLIENT_SRV"
 }

-
-if [ ! -x "${CLIENT}" ]; then
+if [ ! -x "$CLIENT" ]; then
  clean_bootstrap
 fi

-export CIPD_HTTP_USER_AGENT_PREFIX="${USER_AGENT}"
-if ! self_update 2> /dev/null ; then
-  >&2 echo -n "[31;1m"
-  >&2 echo -n "CIPD selfupdate failed. "
-  >&2 echo -n "Trying to bootstrap the CIPD client from scratch..."
-  >&2 echo "[0m"
+export CIPD_HTTP_USER_AGENT_PREFIX=$USER_AGENT
+if ! self_update ; then
+  echo -n "[31;1mCIPD selfupdate failed. " 1>&2
+  echo "Trying to bootstrap the CIPD client from scratch... [0m" 1>&2
  clean_bootstrap
  if ! self_update ; then  # need to run it again to setup .cipd_version file
-    >&2 echo -n "[31;1m"
-    >&2 echo -n "Bootstrap from scratch failed, something is seriously broken. "
-    >&2 echo "Run the following commands to diagnose if this is repeating:"
-    >&2 echo "  export CIPD_HTTP_USER_AGENT_PREFIX=${USER_AGENT}/manual"
-    >&2 echo -n "  ${CLIENT} selfupdate -version-file ${VERSION_FILE}"
-    >&2 echo "[0m"
-    exit 1
+    echo -n "[31;1mBootstrap from scratch failed, something is seriously broken[0m " 1>&2
+    echo "run \`CIPD_HTTP_USER_AGENT_PREFIX=$USER_AGENT/manual $CLIENT selfupdate -version '$CIPD_CLIENT_VER'\` to diagnose if this is repeating." 1>&2
+    echo "[0m" 1>&2
  fi
 fi

 # CygWin requires changing absolute paths to Windows form. Relative paths
 # are typically okay as Windows generally accepts both forward and back
 # slashes. This could possibly be constrained to only /tmp/ and /cygdrive/.
-if ${CYGWIN}; then
+if $CYGWIN; then
  args=("$@")
  for i in `seq 2 $#`; do
    arg="${@:$i:1}"
@@ -238,7 +145,7 @@ if ${CYGWIN}; then
      set -- "${@:1:$last}" `cygpath -w "$arg"` "${@:$next}"
    fi
  done
-  echo "${CLIENT}" "${@}"
+  echo "$CLIENT" "${@}"
 fi

-exec "${CLIENT}" "${@}"
+exec "$CLIENT" "${@}"
--- a/cipd_client_version
+++ b/cipd_client_version
-git_revision:ea6c07cfcb596be6b63a1e6deb95bba79524b0c8
+git_revision:9a931a5307c46b16b1c12e01e8239d4a73830b89
--- a/cipd_client_version.digests
+++ b/cipd_client_version.digests
-# This file was generated by
-#
-#  cipd selfupdate-roll -version-file cipd_client_version \
-#      -version git_revision:ea6c07cfcb596be6b63a1e6deb95bba79524b0c8
-#
-# Do not modify manually. All changes will be overwritten.
-# Use 'cipd selfupdate-roll ...' to modify.
-
-linux-386       sha256  ee90bd655b90baf7586ab80c289c00233b96bfac3fa70e64cc5c48feb1998971
-linux-amd64     sha256  73bd62cb72cde6f12d9b42cda12941c53e1e21686f6f2b1cd98db5c6718b7bed
-linux-arm64     sha256  1f2619f3e7f5f6876d0a446bacc6cc61eb32ca1464315d7230034a832500ed64
-linux-armv6l    sha256  98c873097c460fe8f6b4311f6e00b4df41ca50e9bd2d26f06995913a9d647d3a
-linux-mips64    sha256  05e37c85502eb2b72abd8a51ff13a4914c5e071e25326c9c8fc257290749138a
-linux-mips64le  sha256  5b3af8be6ea8a62662006f1a86fdc387dc765edace9f530acbeca77c0850a32d
-linux-mipsle    sha256  cfa6539af00db69b7da00d46316f1aaaa90b38a5e6b33ce4823be17533e71810
-linux-ppc64     sha256  faa49f2b59a25134e8a13b68f5addb00c434c7feeee03940413917eca1d333e6
-linux-ppc64le   sha256  6fa51348e6039b864171426b02cfbfa1d533b9f86e3c72875e0ed116994a2fec
-linux-s390x     sha256  6cd4bfff7e2025f2d3da55013036e39eea4e8f631060a5e2b32b9975fab08b0e
-mac-amd64       sha256  6427b87fdaa1615a229d45c2fab1ba7fdb748ce785f2c09cd6e10adc48c58a66
-windows-386     sha256  809c727a31e5f8c34656061b96839fbca63833140b90cab8e2491137d6e4fc4c
-windows-amd64   sha256  3e21561b45acb2845c309a04cbedb2ce1e0567b7b24bf89857e7673607b09216
--- a/tests/cipd_bootstrap_test.py
+++ b/tests/cipd_bootstrap_test.py
@@ -15,26 +15,8 @@ ROOT_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

 # CIPD client version to use for self-update from an "old" checkout to the tip.
 #
-# This version is from Aug 2018. Digests were generated using:
-#   cipd selfupdate-roll -version-file tmp \
-#        -version git_revision:ea6c07cfcb596be6b63a1e6deb95bba79524b0c8
-#   cat tmp.cat
-OLD_VERSION = 'git_revision:ea6c07cfcb596be6b63a1e6deb95bba79524b0c8'
-OLD_DIGESTS = """
-linux-386       sha256  ee90bd655b90baf7586ab80c289c00233b96bfac3fa70e64cc5c48feb1998971
-linux-amd64     sha256  73bd62cb72cde6f12d9b42cda12941c53e1e21686f6f2b1cd98db5c6718b7bed
-linux-arm64     sha256  1f2619f3e7f5f6876d0a446bacc6cc61eb32ca1464315d7230034a832500ed64
-linux-armv6l    sha256  98c873097c460fe8f6b4311f6e00b4df41ca50e9bd2d26f06995913a9d647d3a
-linux-mips64    sha256  05e37c85502eb2b72abd8a51ff13a4914c5e071e25326c9c8fc257290749138a
-linux-mips64le  sha256  5b3af8be6ea8a62662006f1a86fdc387dc765edace9f530acbeca77c0850a32d
-linux-mipsle    sha256  cfa6539af00db69b7da00d46316f1aaaa90b38a5e6b33ce4823be17533e71810
-linux-ppc64     sha256  faa49f2b59a25134e8a13b68f5addb00c434c7feeee03940413917eca1d333e6
-linux-ppc64le   sha256  6fa51348e6039b864171426b02cfbfa1d533b9f86e3c72875e0ed116994a2fec
-linux-s390x     sha256  6cd4bfff7e2025f2d3da55013036e39eea4e8f631060a5e2b32b9975fab08b0e
-mac-amd64       sha256  6427b87fdaa1615a229d45c2fab1ba7fdb748ce785f2c09cd6e10adc48c58a66
-windows-386     sha256  809c727a31e5f8c34656061b96839fbca63833140b90cab8e2491137d6e4fc4c
-windows-amd64   sha256  3e21561b45acb2845c309a04cbedb2ce1e0567b7b24bf89857e7673607b09216
-"""
+# This version is from Jan 2018.
+OLD_VERSION = 'git_revision:a1f61935faa60feb73e37556fdf791262c2dedce'


 class CipdBootstrapTest(unittest.TestCase):
@@ -51,28 +33,17 @@ class CipdBootstrapTest(unittest.TestCase):
  def tearDown(self):
    shutil.rmtree(self.tempdir)

-  def stage_files(self, cipd_version=None, digests=None):
+  def stage_files(self, cipd_version=None):
    """Copies files needed for cipd bootstrap into the temp dir.

    Args:
      cipd_version: if not None, a value to put into cipd_client_version file.
    """
-    names = (
-      'cipd',
-      'cipd.bat',
-      'cipd.ps1',
-      'cipd_client_version',
-      'cipd_client_version.digests',
-    )
-    for f in names:
+    for f in ('cipd', 'cipd.bat', 'cipd.ps1', 'cipd_client_version'):
      shutil.copy2(os.path.join(ROOT_DIR, f), os.path.join(self.tempdir, f))
    if cipd_version is not None:
      with open(os.path.join(self.tempdir, 'cipd_client_version'), 'wt') as f:
        f.write(cipd_version+'\n')
-    if digests is not None:
-      p = os.path.join(self.tempdir, 'cipd_client_version.digests')
-      with open(p, 'wt') as f:
-        f.write(digests+'\n')

  def call_cipd_help(self):
    """Calls 'cipd help' bootstrapping the client in tempdir.
@@ -95,7 +66,7 @@ class CipdBootstrapTest(unittest.TestCase):

  def test_self_update(self):
    """Updating the existing client in-place."""
-    self.stage_files(cipd_version=OLD_VERSION, digests=OLD_DIGESTS)
+    self.stage_files(cipd_version=OLD_VERSION)
    ret, out = self.call_cipd_help()
    if ret:
      self.fail('Update to %s fails:\n%s' % (OLD_VERSION, out))