
  1. #!/usr/bin/env python3
  2. """Verify a built sdist ships only the intended configuration templates.
  3. The sdist is a published artifact in its own right. It must contain the two tracked
  4. configuration templates and must NOT contain a live configuration.py (which holds
  5. SECRET_KEY and database credentials), any other local configuration*.py variant, or
  6. any ldap_config*.py (which holds LDAP bind credentials). The wheel guard alone is not
  7. enough: a wheel rebuilt from the sdist re-applies the wheel excludes, so it can come
  8. out clean even when the sdist itself leaks a file.
  9. """
  10. import sys
  11. import tarfile
  12. from pathlib import PurePosixPath
# Members the sdist is expected to carry, as paths below its netbox-<version>/
# root. The sdist keeps the full repository tree (the wheel strips `sources`),
# so the templates sit under netbox/netbox/ exactly as in the checkout.
_TEMPLATE_DIR = 'netbox/netbox'
ALLOWED = {
    f'{_TEMPLATE_DIR}/configuration_example.py',
    f'{_TEMPLATE_DIR}/configuration_testing.py',
}
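def configuration_members(sdist_path):
    """Return the configuration*.py / ldap_config*.py members found anywhere in the sdist.

    Only the archive index is read (``getnames``); nothing is extracted, so a
    hostile member path cannot write outside the working directory.

    Args:
        sdist_path: Path to the sdist tarball (any compression ``tarfile`` autodetects).

    Returns:
        A set of member paths relative to the top-level ``netbox-<version>/``
        directory, e.g. ``'netbox/netbox/configuration_example.py'``. A member
        with no leading directory at all is reported under its raw name, so the
        caller sees which file leaked instead of a meaningless ``'.'``.

    Raises:
        FileNotFoundError / tarfile.ReadError: if ``sdist_path`` is missing or is
        not a readable tar archive.
    """
    # Basenames that can carry live credentials (SECRET_KEY, DB and LDAP bind secrets).
    sensitive_prefixes = ('configuration', 'ldap_config')
    members = set()
    with tarfile.open(sdist_path) as archive:
        for name in archive.getnames():
            path = PurePosixPath(name)
            # NOTE: only *.py is inspected, so a stray configuration.py.bak or a
            # compiled configuration.pyc is not flagged here; widen the suffix
            # test if the packaging step could ever ship such files.
            if path.suffix != '.py' or not path.name.startswith(sensitive_prefixes):
                continue
            if len(path.parts) > 1:
                # Drop the netbox-<version>/ wrapper so the result compares against
                # ALLOWED regardless of which release is being built.
                members.add(str(PurePosixPath(*path.parts[1:])))
            else:
                # No wrapper directory (mis-built sdist or tarbomb): keep the raw
                # name rather than collapsing it to '.' as parts[1:] would.
                members.add(str(path))
    return members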
def main(argv):
    """Command-line entry point.

    Args:
        argv: Full argument vector; ``argv[1]`` is the path of the sdist to inspect.

    Returns:
        Process exit status: 0 when the sdist ships exactly the allowed templates,
        1 when a template is missing or an unexpected configuration file is present,
        2 on bad usage.
    """
    if len(argv) != 2:
        print('usage: verify_sdist_contents.py <sdist>')
        return 2
    found = configuration_members(argv[1])
    # Both directions are failures: a missing template breaks fresh installs, an
    # extra configuration file is a potential credential leak into a public artifact.
    problems = []
    missing = sorted(ALLOWED - found)
    if missing:
        problems.append(f' - missing templates: {missing}')
    unexpected = sorted(found - ALLOWED)
    if unexpected:
        problems.append(f' - unexpected (possible secret leak): {unexpected}')
    if problems:
        print('Sdist configuration files are not as expected:')
        for line in problems:
            print(line)
        return 1
    print(f'OK: sdist ships only the {len(ALLOWED)} configuration templates')
    return 0
if __name__ == '__main__':
    # Propagate main()'s status to the shell (0 ok, 1 mismatch, 2 usage error).
    raise SystemExit(main(sys.argv))