Skip to content

SDK-485 fix: install.sh should use TLS 1.3 if available #213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hansl merged 3 commits into from
Dec 2, 2019
Merged

SDK-485 fix: install.sh should use TLS 1.3 if available #213

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
acdb0b0
fix: install.sh should use TLS 1.3 if available
hansl Dec 1, 2019
e77b9cc
fixup
Dec 2, 2019
6adb459
fixup: add support for passing in flags too
Dec 2, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions public/install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
#!/usr/bin/env sh
. install/000_header.sh
. install/010_manifest.sh
. install/020_flags.sh
. install/100_log.sh
. install/110_assert.sh
. install/200_downloader.sh
. install/300_license.sh
. install/999_footer.sh
56 changes: 56 additions & 0 deletions public/install/020_flags.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
## 020_flags.sh

# A newline separated list of boolean flags. See the read_flags function to see how it's parsed.
DFX_BOOL_FLAGS=""

# Make a BOOLEAN flag and its description.
#
# Arguments:
# $1 - The long name of the boolean. This will be used on the command line. The name of the
# environment variable will be `flag_NAME` where NAME is this argument, capitalized.
# The value of this argument is empty string if not specified, and "1" if it is.
Copy link
Contributor

@eftychis eftychis Dec 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So if I am reading this right we have to call flag_INSECURE ./install.sh?

Copy link
Contributor Author

@hansl hansl Dec 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not quite. That will not work as the value of flag_INSECURE is reset to "", but ./install.sh --insecure will set up the internal var flag_INSECURE. So in the shell script you need to use $flag_INSECURE.

# $2 - A description of the flag. This is not currently used but will be when we have enough
# flags to implement help.
define_flag_BOOL() {
local VARNAME="flag_$(echo $1 | tr /a-z/ /A-Z)"
eval $VARNAME="\${$VARNAME:-}"
DFX_BOOL_FLAGS="${DFX_BOOL_FLAGS}--${1} $VARNAME $2"
}

# Get the flag name of a line in the flag description.
get_flag_name() {
echo $1
}

# Get the variable name of a line in the flag description.
get_var_name() {
echo $2
}

# Read all the command line flags and set the flag_XXXX environment variables.
#
# Arguments:
# $* - Flags to parse.
# Side Effects:
# Environment variables are set according to flags defined and flags.
read_flags() {
# Set values from command line.
while [[ "$@" ]]; do
local ARG=$1
shift

OLD_IFS="$IFS"
IFS=$'\n'
for line in ${DFX_BOOL_FLAGS}; do
[ "$line" ] || break

IFS="$OLD_IFS"
FLAG=$(get_flag_name $line)
VARNAME=$(get_var_name $line)

if [ "$ARG" == "$FLAG" ]; then
eval $VARNAME="1"
fi
done
done
}
8 changes: 8 additions & 0 deletions public/install/100_log.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,14 @@ say() {
printf 'dfinity-sdk: %s\n' "$1"
}

warn() {
if $_ansi_escapes_are_valid; then
printf "\33[1mwarn:\33[0m %s\n" "$1" 1>&2
else
printf '%s\n' "$1" 1>&2
fi
}

err() {
say "$1" >&2
exit 1
Expand Down
69 changes: 69 additions & 0 deletions public/install/200_downloader.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
## 200_downloader.sh

define_flag_BOOL "insecure" "Allows downloading from insecure URLs, either using HTTP or TLS 1.2 or less."

check_help_for() {
local _cmd
local _arg
local _ok
_cmd="$1"
_ok="y"
shift

# If we're running on OS-X, older than 10.13, then we always
# fail to find these options to force fallback
if check_cmd sw_vers; then
if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
# Older than 10.13
echo "Warning: Detected OS X platform older than 10.13"
_ok="n"
fi
fi

for _arg in "$@"; do
if ! "$_cmd" --help | grep -q -- "$_arg"; then
_ok="n"
fi
done

test "$_ok" = "y"
}

# This wraps curl or wget. Try curl first, if not installed, use wget instead.
# Arguments:
# $1 - URL to download.
# $2 - Path to output the download. Use - to output to stdout.
downloader() {
local _dld
if check_cmd curl; then
_dld=curl
elif check_cmd wget; then
_dld=wget
else
_dld='curl or wget' # to be used in error message of need_cmd
fi

if [ "$1" = --check ]; then
need_cmd "$_dld"
elif [ "$_dld" = curl ]; then
if check_help_for curl --proto --tlsv1.3; then
curl --proto '=https' --tls-max=1.3 --silent --show-error --fail --location "$1" --output "$2"
elif ! [ "$_flag_INSECURE" ]; then
warn "Not forcing TLS v1.3, this is potentially less secure"
curl --silent --show-error --fail --location "$1" --output "$2"
else
err "TLS 1.3 is not supported on this platform. To force using it, use the --insecure flag."
fi
elif [ "$_dld" = wget ]; then
if check_help_for wget --https-only --secure-protocol; then
wget --https-only --secure-protocol=TLSv1_3 "$1" -O "$2"
elif ! [ "$_flag_INSECURE" ]; then
warn "Not forcing TLS v1.3, this is potentially less secure"
wget "$1" -O "$2"
else
err "TLS 1.3 is not supported on this platform. To force using it, use the --insecure flag."
fi
else
err "Unknown downloader" # should not reach here
fi
}
67 changes: 4 additions & 63 deletions public/install/999_footer.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ main() {
esac
fi
fi

# Read flags.
read_flags "$@"

log "Executing DFINITY SDK install script, commit: $SCRIPT_COMMIT_DESC"

downloader --check
Expand Down Expand Up @@ -188,42 +192,6 @@ get_architecture() {
RETVAL="$_arch"
}

# This wraps curl or wget. Try curl first, if not installed,
# use wget instead.
# Arguments:
# $1 - URL to download.
# $2 - Path to output the download. Use - to output to stdout.
downloader() {
local _dld
if check_cmd curl; then
_dld=curl
elif check_cmd wget; then
_dld=wget
else
_dld='curl or wget' # to be used in error message of need_cmd
fi

if [ "$1" = --check ]; then
need_cmd "$_dld"
elif [ "$_dld" = curl ]; then
if ! check_help_for curl --proto --tlsv1.2; then
echo "Warning: Not forcing TLS v1.2, this is potentially less secure"
curl --silent --show-error --fail --location "$1" --output "$2"
else
curl --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2"
fi
elif [ "$_dld" = wget ]; then
if ! check_help_for wget --https-only --secure-protocol; then
echo "Warning: Not forcing TLS v1.2, this is potentially less secure"
wget "$1" -O "$2"
else
wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2"
fi
else
err "Unknown downloader" # should not reach here
fi
}

install_uninstall_script() {
set +u
local uninstall_file_path
Expand Down Expand Up @@ -272,31 +240,4 @@ EOF
ensure chmod u+x "${uninstall_file_path}"
}

check_help_for() {
local _cmd
local _arg
local _ok
_cmd="$1"
_ok="y"
shift

# If we're running on OS-X, older than 10.13, then we always
# fail to find these options to force fallback
if check_cmd sw_vers; then
if [ "$(sw_vers -productVersion | cut -d. -f2)" -lt 13 ]; then
# Older than 10.13
echo "Warning: Detected OS X platform older than 10.13"
_ok="n"
fi
fi

for _arg in "$@"; do
if ! "$_cmd" --help | grep -q -- "$_arg"; then
_ok="n"
fi
done

test "$_ok" = "y"
}

main "$@" || exit $?