#!/usr/bin/env python3 # # Copyright (c) 2018 Yousong Zhou <yszhou4tech@gmail.com> # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. import argparse import calendar import datetime import errno import fcntl import hashlib import json import os import os.path import re import shutil import ssl import subprocess import sys import time import urllib.request TMPDIR = os.environ.get('TMP_DIR') or '/tmp' TMPDIR_DL = os.path.join(TMPDIR, 'dl') class PathException(Exception): pass class DownloadGitHubError(Exception): pass class Path(object): """Context class for preparing and cleaning up directories. If ```preclean` is ``False``, ``path`` will NOT be removed on context enter If ``path`` ``isdir``, then it will be created on context enter. If ``keep`` is True, then ``path`` will NOT be removed on context exit """ def __init__(self, path, isdir=True, preclean=False, keep=False): self.path = path self.isdir = isdir self.preclean = preclean self.keep = keep def __enter__(self): if self.preclean: self.rm_all(self.path) if self.isdir: self.mkdir_all(self.path) return self def __exit__(self, exc_type, exc_value, traceback): if not self.keep: self.rm_all(self.path) @staticmethod def mkdir_all(path): """Same as mkdir -p.""" names = os.path.split(path) p = '' for name in names: p = os.path.join(p, name) Path._mkdir(p) @staticmethod def _rmdir_dir(dir_): names = Path._listdir(dir_) for name in names: p = os.path.join(dir_, name) Path.rm_all(p) Path._rmdir(dir_) @staticmethod def _mkdir(path): Path._os_func(os.mkdir, path, errno.EEXIST) @staticmethod def _rmdir(path): Path._os_func(os.rmdir, path, errno.ENOENT) @staticmethod def _remove(path): Path._os_func(os.remove, path, errno.ENOENT) @staticmethod def _listdir(path): return Path._os_func(os.listdir, path, errno.ENOENT, default=[]) @staticmethod def _os_func(func, path, errno, default=None): """Call func(path) in an idempotent way. On exception ``ex``, if the type is OSError and ``ex.errno == errno``, return ``default``, otherwise, re-raise """ try: return func(path) except OSError as e: if e.errno == errno: return default else: raise @staticmethod def rm_all(path): """Same as rm -r.""" if os.path.islink(path): Path._remove(path) elif os.path.isdir(path): Path._rmdir_dir(path) else: Path._remove(path) @staticmethod def untar(path, into=None): """Extract tarball at ``path`` into subdir ``into``. return subdir name if and only if there exists one, otherwise raise PathException """ args = ('tar', '-C', into, '-xzf', path, '--no-same-permissions') subprocess.check_call(args, preexec_fn=lambda: os.umask(0o22)) dirs = os.listdir(into) if len(dirs) == 1: return dirs[0] else: raise PathException('untar %s: expecting a single subdir, got %s' % (path, dirs)) @staticmethod def tar(path, subdir, into=None, ts=None): """Pack ``path`` into tarball ``into``.""" # --sort=name requires a recent build of GNU tar args = ['tar', '--numeric-owner', '--owner=0', '--group=0', '--sort=name'] args += ['-C', path, '-cf', into, subdir] envs = os.environ.copy() if ts is not None: args.append('--mtime=@%d' % ts) if into.endswith('.xz'): envs['XZ_OPT'] = '-7e' args.append('-J') elif into.endswith('.bz2'): args.append('-j') elif into.endswith('.gz'): args.append('-z') envs['GZIP'] = '-n' else: raise PathException('unknown compression type %s' % into) subprocess.check_call(args, env=envs) class GitHubCommitTsCache(object): __cachef = 'github.commit.ts.cache' __cachen = 2048 def __init__(self): Path.mkdir_all(TMPDIR_DL) self.cachef = os.path.join(TMPDIR_DL, self.__cachef) self.cache = {} def get(self, k): """Get timestamp with key ``k``.""" fileno = os.open(self.cachef, os.O_RDONLY | os.O_CREAT) with os.fdopen(fileno) as fin: try: fcntl.lockf(fileno, fcntl.LOCK_SH) self._cache_init(fin) if k in self.cache: ts = self.cache[k][0] return ts finally: fcntl.lockf(fileno, fcntl.LOCK_UN) return None def set(self, k, v): """Update timestamp with ``k``.""" fileno = os.open(self.cachef, os.O_RDWR | os.O_CREAT) with os.fdopen(fileno, 'w+') as f: try: fcntl.lockf(fileno, fcntl.LOCK_EX) self._cache_init(f) self.cache[k] = (v, int(time.time())) self._cache_flush(f) finally: fcntl.lockf(fileno, fcntl.LOCK_UN) def _cache_init(self, fin): for line in fin: k, ts, updated = line.split() ts = int(ts) updated = int(updated) self.cache[k] = (ts, updated) def _cache_flush(self, fout): cache = sorted(self.cache.items(), key=lambda a: a[1][1]) cache = cache[:self.__cachen] self.cache = {} os.ftruncate(fout.fileno(), 0) fout.seek(0, os.SEEK_SET) for k, ent in cache: ts = ent[0] updated = ent[1] line = '{0} {1} {2}\n'.format(k, ts, updated) fout.write(line) class DownloadGitHubTarball(object): """Download and repack archive tarabll from GitHub. Compared with the method of packing after cloning the whole repo, this method is more friendly to users with fragile internet connection. However, there are limitations with this method - GitHub imposes a 60 reqs/hour limit for unauthenticated API access. This affects fetching commit date for reproducible tarballs. Download through the archive link is not affected. - GitHub archives do not contain source codes for submodules. - GitHub archives seem to respect .gitattributes and ignore pathes with export-ignore attributes. For the first two issues, the method will fail loudly to allow fallback to clone-then-pack method. As for the 3rd issue, to make sure that this method only produces identical tarballs as the fallback method, we require the expected hash value to be supplied. That means the first tarball will need to be prepared by the clone-then-pack method """ __repo_url_regex = re.compile(r'^(?:https|git)://github.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)') def __init__(self, args): self.dl_dir = args.dl_dir self.version = args.version self.subdir = args.subdir self.source = args.source self.url = args.url self._init_owner_repo() self.xhash = args.hash self._init_hasher() self.commit_ts = None # lazy load commit timestamp self.commit_ts_cache = GitHubCommitTsCache() self.name = 'github-tarball' def download(self): """Download and repack GitHub archive tarball.""" self._init_commit_ts() with Path(TMPDIR_DL, keep=True) as dir_dl: # fetch tarball from GitHub tarball_path = os.path.join(dir_dl.path, self.subdir + '.tar.gz.dl') with Path(tarball_path, isdir=False): self._fetch(tarball_path) # unpack d = os.path.join(dir_dl.path, self.subdir + '.untar') with Path(d, preclean=True) as dir_untar: tarball_prefix = Path.untar(tarball_path, into=dir_untar.path) dir0 = os.path.join(dir_untar.path, tarball_prefix) dir1 = os.path.join(dir_untar.path, self.subdir) # submodules check if self._has_submodule(dir0): raise self._error('Fetching submodules is not yet supported') # rename subdir os.rename(dir0, dir1) # repack into=os.path.join(TMPDIR_DL, self.source) Path.tar(dir_untar.path, self.subdir, into=into, ts=self.commit_ts) try: self._hash_check(into) except Exception: Path.rm_all(into) raise # move to target location file1 = os.path.join(self.dl_dir, self.source) if into != file1: shutil.move(into, file1) def _has_submodule(self, dir_): m = os.path.join(dir_, '.gitmodules') try: st = os.stat(m) return st.st_size > 0 except OSError as e: return e.errno != errno.ENOENT def _init_owner_repo(self): m = self.__repo_url_regex.search(self.url) if m is None: raise self._error('Invalid github url: {}'.format(self.url)) owner = m.group('owner') repo = m.group('repo') if repo.endswith('.git'): repo = repo[:-4] self.owner = owner self.repo = repo def _init_hasher(self): xhash = self.xhash if len(xhash) == 64: self.hasher = hashlib.sha256() elif len(xhash) == 32: self.hasher = hashlib.md5() else: raise self._error('Requires sha256sum for verification') self.xhash = xhash def _hash_check(self, f): with open(f, 'rb') as fin: while True: d = fin.read(4096) if not d: break self.hasher.update(d) xhash = self.hasher.hexdigest() if xhash != self.xhash: raise self._error('Wrong hash (probably caused by .gitattributes), expecting {}, got {}'.format(self.xhash, xhash)) def _init_commit_ts(self): if self.commit_ts is not None: return # GitHub provides 2 APIs[1,2] for fetching commit data. API[1] is more # terse while API[2] provides more verbose info such as commit diff # etc. That's the main reason why API[1] is preferred: the response # size is predictable. # # However, API[1] only accepts complete commit sha1sum as the parameter # while API[2] is more liberal accepting also partial commit id and # tags, etc. # # [1] Get a single commit, Repositories, https://developer.github.com/v3/repos/commits/#get-a-single-commit # [2] Git Commits, Git Data, https://developer.github.com/v3/git/commits/#get-a-commit apis = [ { 'url': self._make_repo_url_path('git', 'commits', self.version), 'attr_path': ('committer', 'date'), }, { 'url': self._make_repo_url_path('commits', self.version), 'attr_path': ('commit', 'committer', 'date'), }, ] version_is_sha1sum = len(self.version) == 40 if not version_is_sha1sum: apis.insert(0, apis.pop()) reasons = '' for api in apis: url = api['url'] attr_path = api['attr_path'] try: ct = self.commit_ts_cache.get(url) if ct is not None: self.commit_ts = ct return ct = self._init_commit_ts_remote_get(url, attr_path) self.commit_ts = ct self.commit_ts_cache.set(url, ct) return except Exception as e: reasons += '\n' + (" {}: {}".format(url, e)) raise self._error('Cannot fetch commit ts:{}'.format(reasons)) def _init_commit_ts_remote_get(self, url, attrpath): resp = self._make_request(url) data = resp.read() date = json.loads(data) for attr in attrpath: date = date[attr] date = datetime.datetime.strptime(date, '%Y-%m-%dT%H:%M:%SZ') date = date.timetuple() ct = calendar.timegm(date) return ct def _fetch(self, path): """Fetch tarball of the specified version ref.""" ref = self.version url = self._make_repo_url_path('tarball', ref) resp = self._make_request(url) with open(path, 'wb') as fout: while True: d = resp.read(4096) if not d: break fout.write(d) def _make_repo_url_path(self, *args): url = '/repos/{0}/{1}'.format(self.owner, self.repo) if args: url += '/' + '/'.join(args) return url def _make_request(self, path): """Request GitHub API endpoint on ``path``.""" url = 'https://api.github.com' + path headers = { 'Accept': 'application/vnd.github.v3+json', 'User-Agent': 'OpenWrt', } req = urllib.request.Request(url, headers=headers) sslcontext = ssl._create_unverified_context() fileobj = urllib.request.urlopen(req, context=sslcontext) return fileobj def _error(self, msg): return DownloadGitHubError('{}: {}'.format(self.source, msg)) def main(): parser = argparse.ArgumentParser() parser.add_argument('--dl-dir', default=os.getcwd(), help='Download dir') parser.add_argument('--url', help='Download URL') parser.add_argument('--subdir', help='Source code subdir name') parser.add_argument('--version', help='Source code version') parser.add_argument('--source', help='Source tarball filename') parser.add_argument('--hash', help='Source tarball\'s expected sha256sum') args = parser.parse_args() try: method = DownloadGitHubTarball(args) method.download() except Exception as ex: sys.stderr.write('{}: Download from {} failed\n'.format(args.source, args.url)) sys.stderr.write('{}\n'.format(ex)) sys.exit(1) if __name__ == '__main__': main()