155 lines
5.8 KiB
Python
155 lines
5.8 KiB
Python
#!/usr/bin/env python3
|
|
"""Automate mirror bundle manifest + checksums with dual-control approvals.
|
|
|
|
Implements DEVOPS-AIRGAP-57-001.
|
|
|
|
Features:
|
|
- Deterministic manifest (`mirror-bundle-manifest.json`) with sha256/size per file.
|
|
- `checksums.sha256` for quick verification.
|
|
- Dual-control approvals recorded via `--approver` (min 2 required to mark approved).
|
|
- Optional cosign signing of the manifest via `--cosign-key` (sign-blob); writes
|
|
`mirror-bundle-manifest.sig` and `mirror-bundle-manifest.pem` when available.
|
|
- Offline-friendly: purely local file reads; no network access.
|
|
|
|
Usage:
|
|
build_mirror_bundle.py --root /path/to/bundles --output out/mirror \
|
|
--approver alice@example.com --approver bob@example.com
|
|
|
|
build_mirror_bundle.py --self-test
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import argparse
|
|
import hashlib
|
|
import json
|
|
import os
|
|
import shutil
|
|
import subprocess
|
|
import sys
|
|
from datetime import datetime, timezone
|
|
from pathlib import Path
|
|
from typing import Dict, List, Optional
|
|
|
|
|
|
def sha256_file(path: Path) -> Dict[str, int | str]:
|
|
h = hashlib.sha256()
|
|
size = 0
|
|
with path.open("rb") as f:
|
|
for chunk in iter(lambda: f.read(1024 * 1024), b""):
|
|
h.update(chunk)
|
|
size += len(chunk)
|
|
return {"sha256": h.hexdigest(), "size": size}
|
|
|
|
|
|
def find_files(root: Path) -> List[Path]:
|
|
files: List[Path] = []
|
|
for p in sorted(root.rglob("*")):
|
|
if p.is_file():
|
|
files.append(p)
|
|
return files
|
|
|
|
|
|
def write_checksums(items: List[Dict], output_dir: Path) -> None:
|
|
lines = [f"{item['sha256']} {item['path']}" for item in items]
|
|
(output_dir / "checksums.sha256").write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
|
|
|
|
|
|
def maybe_sign(manifest_path: Path, key: Optional[str]) -> Dict[str, str]:
|
|
if not key:
|
|
return {"status": "skipped", "reason": "no key provided"}
|
|
if shutil.which("cosign") is None:
|
|
return {"status": "skipped", "reason": "cosign not found"}
|
|
sig = manifest_path.with_suffix(manifest_path.suffix + ".sig")
|
|
pem = manifest_path.with_suffix(manifest_path.suffix + ".pem")
|
|
try:
|
|
subprocess.run(
|
|
["cosign", "sign-blob", "--key", key, "--output-signature", str(sig), "--output-certificate", str(pem), str(manifest_path)],
|
|
check=True,
|
|
capture_output=True,
|
|
text=True,
|
|
)
|
|
return {
|
|
"status": "signed",
|
|
"signature": sig.name,
|
|
"certificate": pem.name,
|
|
}
|
|
except subprocess.CalledProcessError as exc: # pragma: no cover
|
|
return {"status": "failed", "reason": exc.stderr or str(exc)}
|
|
|
|
|
|
def build_manifest(root: Path, output_dir: Path, approvers: List[str], cosign_key: Optional[str]) -> Dict:
|
|
files = find_files(root)
|
|
items: List[Dict] = []
|
|
for p in files:
|
|
rel = p.relative_to(root).as_posix()
|
|
info = sha256_file(p)
|
|
items.append({"path": rel, **info})
|
|
manifest = {
|
|
"created": datetime.now(timezone.utc).isoformat(),
|
|
"root": str(root),
|
|
"total": len(items),
|
|
"items": items,
|
|
"approvals": sorted(set(approvers)),
|
|
"approvalStatus": "approved" if len(set(approvers)) >= 2 else "pending",
|
|
}
|
|
output_dir.mkdir(parents=True, exist_ok=True)
|
|
manifest_path = output_dir / "mirror-bundle-manifest.json"
|
|
manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
|
|
write_checksums(items, output_dir)
|
|
signing = maybe_sign(manifest_path, cosign_key)
|
|
manifest["signing"] = signing
|
|
# Persist signing status in manifest for traceability
|
|
manifest_path.write_text(json.dumps(manifest, ensure_ascii=False, indent=2) + "\n", encoding="utf-8")
|
|
return manifest
|
|
|
|
|
|
def parse_args(argv: List[str]) -> argparse.Namespace:
|
|
parser = argparse.ArgumentParser(description=__doc__)
|
|
parser.add_argument("--root", type=Path, help="Root directory containing bundle files")
|
|
parser.add_argument("--output", type=Path, help="Output directory for manifest + checksums")
|
|
parser.add_argument("--approver", action="append", default=[], help="Approver identity (email or handle); provide twice for dual-control")
|
|
parser.add_argument("--cosign-key", help="Path or KMS URI for cosign signing key (optional)")
|
|
parser.add_argument("--self-test", action="store_true", help="Run internal self-test and exit")
|
|
return parser.parse_args(argv)
|
|
|
|
|
|
def self_test() -> int:
|
|
import tempfile
|
|
|
|
with tempfile.TemporaryDirectory() as tmp:
|
|
tmpdir = Path(tmp)
|
|
root = tmpdir / "bundles"
|
|
root.mkdir()
|
|
(root / "a.txt").write_text("hello", encoding="utf-8")
|
|
(root / "b.bin").write_bytes(b"world")
|
|
out = tmpdir / "out"
|
|
manifest = build_manifest(root, out, ["alice", "bob"], cosign_key=None)
|
|
assert manifest["approvalStatus"] == "approved"
|
|
assert (out / "mirror-bundle-manifest.json").exists()
|
|
assert (out / "checksums.sha256").exists()
|
|
print("self-test passed")
|
|
return 0
|
|
|
|
|
|
def main(argv: List[str]) -> int:
|
|
args = parse_args(argv)
|
|
if args.self_test:
|
|
return self_test()
|
|
if not (args.root and args.output):
|
|
print("--root and --output are required unless --self-test", file=sys.stderr)
|
|
return 2
|
|
manifest = build_manifest(args.root.resolve(), args.output.resolve(), args.approver, args.cosign_key)
|
|
if manifest["approvalStatus"] != "approved":
|
|
print("Manifest generated but approvalStatus=pending (need >=2 distinct approvers).", file=sys.stderr)
|
|
return 1
|
|
missing = [i for i in manifest["items"] if not (args.root / i["path"]).exists()]
|
|
if missing:
|
|
print(f"Missing files in manifest: {missing}", file=sys.stderr)
|
|
return 1
|
|
print(f"Mirror bundle manifest written to {args.output}")
|
|
return 0
|
|
|
|
|
|
if __name__ == "__main__": # pragma: no cover
|
|
sys.exit(main(sys.argv[1:]))
|