changeset 27: |
529419ac94f3 |
author: |
ellis <ellis@rwest.io> |
date: |
Tue, 06 Jun 2023 18:55:17 -0400 |
permissions: |
-rw-r--r-- |
description: |
refactor 2 (wip) |
2 # install demo build dependencies 4 PKG_URL_ROOT="${PKG_URL_ROOT:-https://rwest.io/otom8/packy/bundle}" 5 PKG_NAME="demo_build_deps" 6 say
() {printf 'babel-installer: %s\n' "$1"} 7 err
() {say
"$1" >
&2; exit 1} 9 if !
check_cmd
"$1"; then 10 err
"need '$1' (command not found)" 12 check_cmd
() {command -v
"$1" >
/dev/null
2>
&1} 13 ensure
() {if !
"$@"; then err
"command failed: $*"; fi} 21 get_architecture
|| return 1 23 assert_nz
"$_arch" "arch" 25 # no extension unless on windows 33 local _url="${PKG_URL_ROOT}/bin/dist/${_arch}/${PKG_NAME}${_ext}" 36 _dir="$(ensure
mktemp
-d
)" 37 local _file="${_dir}/${PKG_NAME}${_ext}" 39 local _ansi_escapes_are_valid=false 41 if [ "${TERM+set}" = 'set' ]; then 43 xterm*
|rxvt*
|urxvt*
|linux*
|vt*
) 44 _ansi_escapes_are_valid=true 50 # check if we have to use /dev/tty to prompt the user 55 # user wants to skip the prompt -- 56 # we don't need /dev/tty 64 if $_ansi_escapes_are_valid; then 65 printf "\33[1minfo:\33[0m downloading $PKG_NAME\n" 1>
&2 67 printf '%s\n' 'info: downloading $PKG_NAME' 1>
&2 70 ensure
mkdir
-p
"$_dir" 71 ensure
downloader
"$_url" "$_file" "$_arch" 72 ensure
chmod
u+x
"$_file" 73 if [ !
-x
"$_file" ]; then 74 printf '%s\n' "Cannot execute $_file (likely because of mounting /tmp as noexec)." 1>
&2 75 printf '%s\n' "Please copy the file to a location where you can execute binaries and run ./${PKG_NAME}${_ext}." 1>
&2 79 if [ "$need_tty" = "yes" ]; then 80 # The installer is going to want to ask for confirmation by 81 # reading stdin. This script was piped into `sh` though and 82 # doesn't have stdin to pass to its children. Instead we're going 83 # to explicitly connect /dev/tty to the installer's stdin. 85 err
"Unable to run interactively. Run with -y to accept defaults" 88 ignore
"$_file" "$@" <
/dev/tty
101 dl
() { # curl || wget 106 if check_cmd
curl
; then 108 elif check_cmd
wget
; then 111 _dld='curl or wget' # to be used in error message of need_cmd 114 if [ "$1" = --check
]; then 116 elif [ "$_dld" = curl
]; then 117 get_ciphersuites_for_curl
118 _ciphersuites="$RETVAL" 119 if [ -n
"$_ciphersuites" ]; then 120 _err=$(curl
--proto
'=https' --tlsv1.2
--ciphers
"$_ciphersuites" --silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 123 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 124 if !
check_help_for
"$3" curl
--proto
--tlsv1.2
; then 125 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 126 _err=$(curl
--silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 129 _err=$(curl
--proto
'=https' --tlsv1.2
--silent
--show-error
--fail
--location
"$1" --output
"$2" 2>
&1) 133 if [ -n
"$_err" ]; then 135 if echo "$_err" | grep
-q
404$
; then 136 err
"installer for platform '$3' not found 8^C - ask ellis to support your platform" 140 elif [ "$_dld" = wget
]; then 141 get_ciphersuites_for_wget
142 _ciphersuites="$RETVAL" 143 if [ -n
"$_ciphersuites" ]; then 144 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
--ciphers
"$_ciphersuites" "$1" -O
"$2" 2>
&1) 147 echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" 148 if !
check_help_for
"$3" wget
--https-only
--secure-protocol
; then 149 echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" 150 _err=$(wget
"$1" -O
"$2" 2>
&1) 153 _err=$(wget
--https-only
--secure-protocol
=TLSv1_2
"$1" -O
"$2" 2>
&1) 157 if [ -n
"$_err" ]; then 159 if echo "$_err" | grep
-q
' 404 Not Found$'; then 160 err
"installer for platform '$3' not found!" 165 err
"Unknown downloader" # should not reach here 179 if "$_cmd" --help
| grep
-q
'For all options use the manual or "--help all".'; then 188 if check_cmd
sw_vers
; then 189 case $(sw_vers
-productVersion
) in 191 # If we're running on macOS, older than 10.13, then we always 192 # fail to find these options to force fallback 193 if [ "$(sw_vers
-productVersion
| cut
-d.
-f2
)" -lt
13 ]; then 195 echo "Warning: Detected macOS platform older than 10.13" 200 # We assume Big Sur will be OK for now 203 # Unknown product version, warn and continue 204 echo "Warning: Detected unknown macOS major version: $(sw_vers
-productVersion
)" 205 echo "Warning TLS capabilities detection may fail" 214 if !
"$_cmd" --help
$_category | grep
-q
--
"$_arg"; then 219 true # not strictly needed 222 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 223 # if support by local tools is detected. Detection currently supports these curl backends: 224 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 225 get_ciphersuites_for_curl
() { 226 if [ -n
"${BABEL_TLS_CIPHERSUITES-}" ]; then 227 # user specified custom cipher suites, assume they know what they're doing 228 RETVAL="$BABEL_TLS_CIPHERSUITES" 232 local _openssl_syntax="no" 233 local _gnutls_syntax="no" 234 local _backend_supported="yes" 235 if curl
-V
| grep
-q
' OpenSSL/'; then 236 _openssl_syntax="yes" 237 elif curl
-V
| grep
-iq
' LibreSSL/'; then 238 _openssl_syntax="yes" 239 elif curl
-V
| grep
-iq
' BoringSSL/'; then 240 _openssl_syntax="yes" 241 elif curl
-V
| grep
-iq
' GnuTLS/'; then 244 _backend_supported="no" 247 local _args_supported="no" 248 if [ "$_backend_supported" = "yes" ]; then 249 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 250 if check_help_for
"notspecified" "curl" "--tlsv1.2" "--ciphers" "--proto"; then 251 _args_supported="yes" 256 if [ "$_args_supported" = "yes" ]; then 257 if [ "$_openssl_syntax" = "yes" ]; then 258 _cs=$(get_strong_ciphersuites_for
"openssl") 259 elif [ "$_gnutls_syntax" = "yes" ]; then 260 _cs=$(get_strong_ciphersuites_for
"gnutls") 267 # Return cipher suite string specified by user, otherwise return strong TLS 1.2-1.3 cipher suites 268 # if support by local tools is detected. Detection currently supports these wget backends: 269 # GnuTLS and OpenSSL (possibly also LibreSSL and BoringSSL). Return value can be empty. 270 get_ciphersuites_for_wget
() { 271 if [ -n
"${BABEL_TLS_CIPHERSUITES-}" ]; then 272 # user specified custom cipher suites, assume they know what they're doing 273 RETVAL="$BABEL_TLS_CIPHERSUITES" 278 if wget
-V
| grep
-q
'\-DHAVE_LIBSSL'; then 279 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 280 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 281 _cs=$(get_strong_ciphersuites_for
"openssl") 283 elif wget
-V
| grep
-q
'\-DHAVE_LIBGNUTLS'; then 284 # "unspecified" is for arch, allows for possibility old OS using macports, homebrew, etc. 285 if check_help_for
"notspecified" "wget" "TLSv1_2" "--ciphers" "--https-only" "--secure-protocol"; then 286 _cs=$(get_strong_ciphersuites_for
"gnutls") 293 # Return strong TLS 1.2-1.3 cipher suites in OpenSSL or GnuTLS syntax. TLS 1.2 294 # excludes non-ECDHE and non-AEAD cipher suites. DHE is excluded due to bad 295 # DH params often found on servers (see RFC 7919). Sequence matches or is 296 # similar to Firefox 68 ESR with weak cipher suites disabled via about:config. 297 # $1 must be openssl or gnutls. 298 get_strong_ciphersuites_for
() { 299 if [ "$1" = "openssl" ]; then 300 # OpenSSL is forgiving of unknown values, no problems with TLS 1.3 values on versions that don't support it yet. 301 echo "TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384" 302 elif [ "$1" = "gnutls" ]; then 303 # GnuTLS isn't forgiving of unknown values, so this may require a GnuTLS version that supports TLS 1.3 even if wget doesn't. 304 # Begin with SECURE128 (and higher) then remove/add to build cipher suites. Produces same 9 cipher suites as OpenSSL but in slightly different order. 305 echo "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS-ALL:-CIPHER-ALL:-MAC-ALL:-KX-ALL:+AEAD:+ECDHE-ECDSA:+ECDHE-RSA:+AES-128-GCM:+CHACHA20-POLY1305:+AES-256-GCM"
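Review bot: Nothing shown between `ensure downloader "$_url" "$_file" "$_arch"` (file line 71) and `ensure chmod u+x "$_file"` (line 72) verifies the downloaded file before it is made executable and run at line 88; the page skips some lines, so confirm no digest or signature check sits on one of them. This matters because `PKG_URL_ROOT` can be overridden from the environment (line 4), and the fallback calls at lines 126 and 150 drop `--proto '=https'` and `--https-only` while curl still follows redirects with `--location`, so the transport alone does not authenticate the binary. I would compare a SHA-256 digest against a pinned value before the chmod, as sketched below, where `PKG_SHA256` is a placeholder name for a digest that has to come from a trusted source. Separately, line 71 still calls `downloader` while line 101 now defines `dl` (unless `downloader` survives on a line not shown), and the single-quoted `'info: downloading $PKG_NAME'` at line 67 prints the variable name literally; the enclosing function bodies are only partly visible here.

```shell
ensure downloader "$_url" "$_file" "$_arch"
# PKG_SHA256 is a placeholder name: pin the expected digest in this script or
# obtain it over a channel that is trusted independently of the download.
if check_cmd sha256sum; then
    _sum="$(sha256sum "$_file")"
elif check_cmd shasum; then
    _sum="$(shasum -a 256 "$_file")"
else
    err "need 'sha256sum' or 'shasum' to verify the download"
fi
# keep only the hex digest, dropping the trailing file name
if [ "${_sum%% *}" != "$PKG_SHA256" ]; then
    err "checksum mismatch for $_file"
fi
ensure chmod u+x "$_file"
```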