verify_wheel_contents.py 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. #!/usr/bin/env python3
  2. """Verify a built wheel ships the required bundled data and only the intended configuration templates.
  3. The wheel must contain the tracked configuration templates and must NOT contain a
  4. live configuration.py (which holds SECRET_KEY and database credentials), any other
  5. local configuration*.py variant, or any ldap_config*.py (which holds LDAP bind
  6. credentials). This guards against a dirty or manual build leaking secrets into a
  7. published artifact. The wheel must also ship the runtime-critical bundled data
  8. (release metadata, templates, translations, static assets, documentation sources,
  9. deployment examples), so a broken build fails here with a precise message instead of
  10. at smoke-test time. main() also cross-checks pyproject.toml's wheel force-include
  11. table against REQUIRED_FILES/REQUIRED_PREFIXES/ALLOWED, so an addition there without
  12. matching verifier coverage fails too.
  13. """
  14. import sys
  15. import tomllib
  16. import zipfile
  17. from pathlib import Path, PurePosixPath
  18. # The scan covers the entire wheel; only these two tracked templates (at netbox/<name> after the
  19. # wheel `sources = ["netbox"]` strip) are allowed to ship.
  20. ALLOWED = {
  21. 'netbox/configuration_example.py',
  22. 'netbox/configuration_testing.py',
  23. }
  24. # Runtime-critical bundled data; mirrors the force-include table in pyproject.toml.
  25. # Hand-maintained, not derived: main() cross-checks pyproject.toml's wheel
  26. # force-include table against these sets (plus ALLOWED) in the other direction, so a
  27. # force-include added there without matching coverage here also fails.
  28. REQUIRED_FILES = {
  29. 'netbox/_data/contrib/apache.conf',
  30. 'netbox/_data/contrib/gunicorn.py',
  31. 'netbox/_data/contrib/netbox-rq.service',
  32. 'netbox/_data/contrib/netbox.env',
  33. 'netbox/_data/contrib/netbox.service',
  34. 'netbox/_data/contrib/nginx.conf',
  35. 'netbox/_data/contrib/uwsgi.ini',
  36. 'netbox/_data/mkdocs.yml',
  37. 'netbox/_data/release.yaml',
  38. }
  39. REQUIRED_PREFIXES = (
  40. 'netbox/_data/docs/',
  41. 'netbox/_data/project-static/dist/',
  42. 'netbox/_data/project-static/img/',
  43. 'netbox/_data/project-static/js/',
  44. 'netbox/_data/templates/',
  45. 'netbox/_data/translations/',
  46. )
  47. def configuration_members(names):
  48. """Return the set of configuration*.py members anywhere inside the wheel."""
  49. members = set()
  50. for name in names:
  51. path = PurePosixPath(name)
  52. # Scan the whole wheel: any configuration*.py outside the two tracked templates, or any
  53. # ldap_config*.py at all, is a leak, wherever it sits in the archive.
  54. if path.suffix == '.py' and (path.name.startswith('configuration') or path.name.startswith('ldap_config')):
  55. members.add(name)
  56. return members
  57. def missing_runtime_data(names):
  58. """Return the sorted list of required bundled files and prefixes absent from the wheel."""
  59. missing = sorted(REQUIRED_FILES - names)
  60. missing += [prefix for prefix in REQUIRED_PREFIXES if not any(name.startswith(prefix) for name in names)]
  61. return missing
  62. def uncovered_force_includes(pyproject_path):
  63. """Return wheel force-include destinations in pyproject.toml not covered by this verifier.
  64. REQUIRED_FILES/REQUIRED_PREFIXES/ALLOWED stay hand-owned and independent of pyproject.toml
  65. (a full derivation would let a deleted force-include line shrink the expectations with it
  66. and go silently green), so this only catches drift in one direction: a force-include added
  67. to pyproject.toml without matching verifier coverage. A deleted force-include line still
  68. fails the REQUIRED_FILES/REQUIRED_PREFIXES checks in missing_runtime_data().
  69. """
  70. with open(pyproject_path, 'rb') as handle:
  71. pyproject = tomllib.load(handle)
  72. force_include = pyproject['tool']['hatch']['build']['targets']['wheel']['force-include']
  73. uncovered = []
  74. for destination in force_include.values():
  75. # The wheel's `sources = ["netbox"]` setting strips one leading "netbox/" segment from
  76. # every path, including these force-include destinations.
  77. stripped = destination.removeprefix('netbox/')
  78. if stripped in REQUIRED_FILES or stripped in ALLOWED or f'{stripped}/' in REQUIRED_PREFIXES:
  79. continue
  80. uncovered.append(destination)
  81. return sorted(uncovered)
  82. def main(argv):
  83. if len(argv) != 2:
  84. print('usage: verify_wheel_contents.py <wheel>')
  85. return 2
  86. with zipfile.ZipFile(argv[1]) as archive:
  87. names = set(archive.namelist())
  88. found = configuration_members(names)
  89. missing = sorted(ALLOWED - found)
  90. unexpected = sorted(found - ALLOWED)
  91. missing_data = missing_runtime_data(names)
  92. pyproject_path = Path(__file__).resolve().parents[1] / 'pyproject.toml'
  93. uncovered = uncovered_force_includes(pyproject_path)
  94. if missing or unexpected or missing_data or uncovered:
  95. print('Wheel contents are not as expected:')
  96. if missing:
  97. print(f' - missing templates: {missing}')
  98. if unexpected:
  99. print(f' - unexpected (possible secret leak): {unexpected}')
  100. if missing_data:
  101. print(f' - missing runtime data: {missing_data}')
  102. if uncovered:
  103. print(f' - pyproject.toml force-includes not covered by this verifier: {uncovered}')
  104. return 1
  105. print(f'OK: wheel ships the required bundled data and only the {len(ALLOWED)} configuration templates')
  106. return 0
  107. if __name__ == '__main__':
  108. sys.exit(main(sys.argv))