mirror of
https://github.com/mongodb/mongo.git
synced 2024-12-01 01:21:03 +01:00
106 lines
3.6 KiB
Python
106 lines
3.6 KiB
Python
|
#!/usr/bin/env python
|
||
|
#
|
||
|
# Generate and upload detached gpg signatures for archive files in Amazon S3
|
||
|
#
|
||
|
# Requires standard MongoDB settings.py, like so:
|
||
|
# bucket = "downloads.mongodb.org"
|
||
|
# # downloads user
|
||
|
# id = "xxxxx"
|
||
|
# key = "xxxxx"
|
||
|
#
|
||
|
# Usage: s3sign.py [ --dry-run ] [ --bucket <overridden s3 bucket> ] [ --notary-url <notary url> ] [ --key-name <key name passed to notary service> ] [ --filter <filter> ]
|
||
|
#
|
||
|
|
||
|
|
||
|
import argparse
|
||
|
import json
|
||
|
import os
|
||
|
import requests
|
||
|
import sys
|
||
|
|
||
|
sys.path.append("." )
|
||
|
sys.path.append(".." )
|
||
|
sys.path.append("../../" )
|
||
|
sys.path.append("../../../" )
|
||
|
|
||
|
import simples3
|
||
|
import settings
|
||
|
import subprocess
|
||
|
|
||
|
# parse command line
|
||
|
#
|
||
|
parser = argparse.ArgumentParser(description='Sign MongoDB S3 Files')
|
||
|
parser.add_argument('--dry-run', action='store_true', required=False, help='Do not write anything to S3', default = False);
|
||
|
parser.add_argument('--bucket', required = False, help='Override bucket in settings.py', default = settings.bucket);
|
||
|
parser.add_argument('--notary-url', required=False, help='URL base for notary service', default = 'http://localhost:5000');
|
||
|
parser.add_argument('--key-name', required=False, help='Key parameter to notary service', default = 'test');
|
||
|
parser.add_argument('--filter', required=False,
|
||
|
help='Only sign files matching case-insensitive substring filter', default = None);
|
||
|
args = parser.parse_args()
|
||
|
|
||
|
notary_urlbase = args.notary_url
|
||
|
notary_url = notary_urlbase + '/api/sign'
|
||
|
notary_payload = { 'key': args.key_name, 'comment': 'Automatic archive signing'}
|
||
|
|
||
|
# check s3 for pgp signatures
|
||
|
|
||
|
def check_dir( bucket , prefix ):
|
||
|
|
||
|
zips = {}
|
||
|
sigs = {}
|
||
|
for ( key , modify , etag , size ) in bucket.listdir( prefix=prefix ):
|
||
|
# filtered out
|
||
|
if args.filter and args.filter.lower() not in key.lower():
|
||
|
pass
|
||
|
# sign it
|
||
|
elif key.endswith(".tgz" ) or key.endswith(".zip" ) or key.endswith(".tar.gz" ) or key.endswith("md5"):
|
||
|
# generate signature
|
||
|
files = {'file': (key, bucket.get(key))}
|
||
|
response_json = {}
|
||
|
try:
|
||
|
r = requests.post(notary_url, files=files, data=notary_payload,
|
||
|
headers = { "Accept": "application/json" })
|
||
|
# get url for signature file
|
||
|
response_json = json.loads(r.text)
|
||
|
except Exception as e:
|
||
|
print('error contacting signing service for %s:\n%s' % (key, e.message))
|
||
|
continue
|
||
|
if 'permalink' in response_json:
|
||
|
signature_url = response_json['permalink']
|
||
|
try:
|
||
|
signature = requests.get(notary_urlbase + signature_url).text
|
||
|
zips[key] = signature
|
||
|
except Exception as e:
|
||
|
print('error downloading signature from signing service for %s:\n%s' % (key, e.message))
|
||
|
else:
|
||
|
print('error from signing service for %s:\n%s' % (key, response_json.get('message')))
|
||
|
# signatures
|
||
|
elif key.endswith(".sig" ) or key.endswith(".asc" ):
|
||
|
sigs[key] = True
|
||
|
# file types we don't need to sign
|
||
|
elif key.endswith(".msi" ) or key.endswith(".deb") or key.endswith(".rpm"):
|
||
|
pass
|
||
|
else:
|
||
|
print("unknown file type: %s" % key)
|
||
|
|
||
|
for x in zips:
|
||
|
m = x + ".sig"
|
||
|
if m in sigs:
|
||
|
continue
|
||
|
|
||
|
print("need to do: " + x + " to " + m )
|
||
|
if not args.dry_run:
|
||
|
bucket.put( m , zips[x] , acl="public-read" )
|
||
|
|
||
|
|
||
|
def run():
|
||
|
|
||
|
bucket = simples3.S3Bucket( args.bucket , settings.id , settings.key )
|
||
|
|
||
|
for x in [ "osx" , "linux" , "win32" , "sunos5" , "src" ]:
|
||
|
check_dir( bucket , x )
|
||
|
|
||
|
|
||
|
if __name__ == "__main__":
|
||
|
run()
|