cipd/client/testing/admission_plugin_demo.sh - infra/luci/luci-go - Git at Google

 #!/bin/bash
 # Copyright 2020 The LUCI Authors. All rights reserved.
 # Use of this source code is governed under the Apache License, Version 2.0
 # that can be found in the LICENSE file.

 set -e

 CIPD_DEV_BACKEND="https://chrome-infra-packages-dev.appspot.com"


 # Staging area for all produced files.
 rm -rf .tmp_dir
 mkdir .tmp_dir
 STAGING=$PWD/.tmp_dir


 # `banner title` prints a banner to make logs more exciting.
 function banner() {
   echo "======================================================================="
   echo "$1"
   echo "======================================================================="
 }


 # `calc_sha256 file` calculates SHA256 of a file.
 function calc_sha256() {
   if hash sha256sum 2> /dev/null ; then
     sha256sum "$1" | cut -d' ' -f1
   elif hash shasum 2> /dev/null ; then
     shasum -a 256 "$1" | cut -d' ' -f1
   else
     return 1
   fi
 }


 # `build_fake_package title path` builds a "unique" package file locally.
 function build_fake_package {
   banner "Building $2"

   # Generate inputs for a fake package.
   rm -rf "$STAGING/inputs"
   mkdir "$STAGING/inputs"
   echo "$1:" `date` > "$STAGING/inputs/date"

   # Build the package file locally without uploading it anywhere.
   cipd pkg-build \
     -in "$STAGING/inputs" \
     -name playground/testing \
     -out "$2"
 }


 # Use binaries from this repo.
 banner "Building go code"
 mkdir $STAGING/bin
 go build -v -o "$STAGING/bin/cipd" go.chromium.org/luci/cipd/client/cmd/cipd
 go build -v -o "$STAGING/bin/example" go.chromium.org/luci/cipd/client/cipd/plugin/plugins/admission/example
 export PATH="$STAGING/bin":$PATH


 # Build 3 different instances of the package.
 build_fake_package "a" "$STAGING/a.cipd"
 build_fake_package "b" "$STAGING/b.cipd"
 build_fake_package "c" "$STAGING/c.cipd"


 # Upload the first one attaching the "valid" metadata accepted by the example
 # admission plugin. It looks for "allowed-sha256" metadata keys with values
 # matching package's SHA256. We calculate SHA256 from scratch here, but it is
 # also possible to use -json-output from `cipd pkg-build` step to get it.
 banner "Registering a.cipd"
 cipd pkg-register "$STAGING/a.cipd" \
   -service-url "$CIPD_DEV_BACKEND" \
   -hash-algo sha256 \
   -ref latest-a \
   -metadata allowed-sha256:`calc_sha256 "$STAGING/a.cipd"` \
   -metadata allowed-sha256:also-some-bogus-one-why-not


 # Upload the second one, but attach "invalid" metadata which will be rejected
 # by the example admission plugin. We reuse metadata intended for `a` here for
 # this purpose: it is not valid for `b`.
 banner "Registering b.cipd"
 cipd pkg-register "$STAGING/b.cipd" \
   -service-url "$CIPD_DEV_BACKEND" \
   -hash-algo sha256 \
   -ref latest-b \
   -metadata allowed-sha256:`calc_sha256 "$STAGING/a.cipd"` \
   -metadata allowed-sha256:also-some-bogus-one-why-not


 # Upload the third one, but attach no metadata at all. The plugin should reject
 # it as well.
 banner "Registering c.cipd"
 cipd pkg-register "$STAGING/c.cipd" \
   -service-url "$CIPD_DEV_BACKEND" \
   -hash-algo sha256 \
   -ref latest-c


 # Disable any active plugins (if any) for the following check.
 export CIPD_ADMISSION_PLUGIN=


 # Verify all packages can be installed when *not* using admission checks.
 banner "Installing without admission checks, should succeed"
 cipd ensure -ensure-file - -root "$STAGING/0" -service-url "$CIPD_DEV_BACKEND" <<EOF
 @Subdir a
 playground/testing latest-a
 @Subdir b
 playground/testing latest-b
 @Subdir c
 playground/testing latest-c
 EOF


 # Configure the CIPD client to use the example admission plugin built above.
 # The value of CIPD_ADMISSION_PLUGIN env var should be a JSON-serialized list of
 # strings with the full command line of the plugin.
 export CIPD_ADMISSION_PLUGIN="[\"$STAGING/bin/example\"]"


 # Package `a` by itself can be installed, it has valid metadata.
 banner "Installing a valid package with admission checks, should succeed"
 cipd ensure -ensure-file - -root "$STAGING/1" -service-url "$CIPD_DEV_BACKEND" <<EOF
 @Subdir a
 playground/testing latest-a
 EOF


 # This now should fail saying that two instances (`b` and `c`) are not allowed.
 banner "Installing invalid packages with admission checks, should fail"
 cipd ensure -ensure-file - -root "$STAGING/2" -service-url "$CIPD_DEV_BACKEND" <<EOF
 @Subdir a
 playground/testing latest-a
 @Subdir b
 playground/testing latest-b
 @Subdir c
 playground/testing latest-c
 EOF
	#!/bin/bash
	# Copyright 2020 The LUCI Authors. All rights reserved.
	# Use of this source code is governed under the Apache License, Version 2.0
	# that can be found in the LICENSE file.

	set -e

	CIPD_DEV_BACKEND="https://chrome-infra-packages-dev.appspot.com"


	# Staging area for all produced files.
	rm -rf .tmp_dir
	mkdir .tmp_dir
	STAGING=$PWD/.tmp_dir


	# `banner title` prints a banner to make logs more exciting.
	function banner() {
	echo "======================================================================="
	echo "$1"
	echo "======================================================================="
	}


	# `calc_sha256 file` calculates SHA256 of a file.
	function calc_sha256() {
	if hash sha256sum 2> /dev/null ; then
	sha256sum "$1" \| cut -d' ' -f1
	elif hash shasum 2> /dev/null ; then
	shasum -a 256 "$1" \| cut -d' ' -f1
	else
	return 1
	fi
	}


	# `build_fake_package title path` builds a "unique" package file locally.
	function build_fake_package {
	banner "Building $2"

	# Generate inputs for a fake package.
	rm -rf "$STAGING/inputs"
	mkdir "$STAGING/inputs"
	echo "$1:" `date` > "$STAGING/inputs/date"

	# Build the package file locally without uploading it anywhere.
	cipd pkg-build \
	-in "$STAGING/inputs" \
	-name playground/testing \
	-out "$2"
	}


	# Use binaries from this repo.
	banner "Building go code"
	mkdir $STAGING/bin
	go build -v -o "$STAGING/bin/cipd" go.chromium.org/luci/cipd/client/cmd/cipd
	go build -v -o "$STAGING/bin/example" go.chromium.org/luci/cipd/client/cipd/plugin/plugins/admission/example
	export PATH="$STAGING/bin":$PATH


	# Build 3 different instances of the package.
	build_fake_package "a" "$STAGING/a.cipd"
	build_fake_package "b" "$STAGING/b.cipd"
	build_fake_package "c" "$STAGING/c.cipd"


	# Upload the first one attaching the "valid" metadata accepted by the example
	# admission plugin. It looks for "allowed-sha256" metadata keys with values
	# matching package's SHA256. We calculate SHA256 from scratch here, but it is
	# also possible to use -json-output from `cipd pkg-build` step to get it.
	banner "Registering a.cipd"
	cipd pkg-register "$STAGING/a.cipd" \
	-service-url "$CIPD_DEV_BACKEND" \
	-hash-algo sha256 \
	-ref latest-a \
	-metadata allowed-sha256:`calc_sha256 "$STAGING/a.cipd"` \
	-metadata allowed-sha256:also-some-bogus-one-why-not


	# Upload the second one, but attach "invalid" metadata which will be rejected
	# by the example admission plugin. We reuse metadata intended for `a` here for
	# this purpose: it is not valid for `b`.
	banner "Registering b.cipd"
	cipd pkg-register "$STAGING/b.cipd" \
	-service-url "$CIPD_DEV_BACKEND" \
	-hash-algo sha256 \
	-ref latest-b \
	-metadata allowed-sha256:`calc_sha256 "$STAGING/a.cipd"` \
	-metadata allowed-sha256:also-some-bogus-one-why-not


	# Upload the third one, but attach no metadata at all. The plugin should reject
	# it as well.
	banner "Registering c.cipd"
	cipd pkg-register "$STAGING/c.cipd" \
	-service-url "$CIPD_DEV_BACKEND" \
	-hash-algo sha256 \
	-ref latest-c


	# Disable any active plugins (if any) for the following check.
	export CIPD_ADMISSION_PLUGIN=


	# Verify all packages can be installed when not using admission checks.
	banner "Installing without admission checks, should succeed"
	cipd ensure -ensure-file - -root "$STAGING/0" -service-url "$CIPD_DEV_BACKEND" <<EOF
	@Subdir a
	playground/testing latest-a
	@Subdir b
	playground/testing latest-b
	@Subdir c
	playground/testing latest-c
	EOF


	# Configure the CIPD client to use the example admission plugin built above.
	# The value of CIPD_ADMISSION_PLUGIN env var should be a JSON-serialized list of
	# strings with the full command line of the plugin.
	export CIPD_ADMISSION_PLUGIN="[\"$STAGING/bin/example\"]"


	# Package `a` by itself can be installed, it has valid metadata.
	banner "Installing a valid package with admission checks, should succeed"
	cipd ensure -ensure-file - -root "$STAGING/1" -service-url "$CIPD_DEV_BACKEND" <<EOF
	@Subdir a
	playground/testing latest-a
	EOF


	# This now should fail saying that two instances (`b` and `c`) are not allowed.
	banner "Installing invalid packages with admission checks, should fail"
	cipd ensure -ensure-file - -root "$STAGING/2" -service-url "$CIPD_DEV_BACKEND" <<EOF
	@Subdir a
	playground/testing latest-a
	@Subdir b
	playground/testing latest-b
	@Subdir c
	playground/testing latest-c
	EOF