55import re
66import git
77
8+ FIPS_PROTECTED_DIRECOTRIES = [b'arch/x86/crypto/' , b'cypto/aysmmetric_keys/' , b'crypto/' , b'drivers/crypto/' ,
9+ b'drivers/char/random.c' , b'include/cyrpto' ]
10+
811def find_common_tag (old_tags , new_tags ):
912 for tag in old_tags :
1013 if tag in new_tags :
@@ -28,11 +31,60 @@ def get_branch_tag_sha_list(repo, branch):
2831 tags .append (line .split (b' ' )[0 ])
2932 return tags
3033
34+ def check_for_fips_protected_changes (repo , branch , common_tag ):
35+ print ('[rolling release update] Checking for FIPS protected changes' )
36+ repo .git .checkout (branch )
37+ print (f'[rolling release update] Getting SHAS { common_tag .decode ()} ..HEAD' )
38+ results = subprocess .run (['git' , 'log' , '--pretty=%H' , f'{ common_tag .decode ()} ..HEAD' ], stderr = subprocess .PIPE ,
39+ stdout = subprocess .PIPE , cwd = repo .working_dir )
40+ if results .returncode != 0 :
41+ print (results .stderr )
42+ exit (1 )
43+
44+ num_commits = len (results .stdout .split (b'\n ' ))
45+ print ('[rolling release update] Number of commits to check: ' , num_commits )
46+ shas_to_check = []
47+ commits_checked = 0
48+
49+ print ('[rolling release update] Checkking modifications of shas' )
50+ for sha in results .stdout .split (b'\n ' ):
51+ commits_checked += 1
52+ if commits_checked % (num_commits // 10 ) == 0 :
53+ print (f'[rolling release update] Checked { commits_checked } of { num_commits } commits' )
54+ if sha == b'' :
55+ continue
56+ res = subprocess .run (['git' , 'show' , '--name-only' , '--pretty=%H %s' , f'{ sha .decode ()} ' ], stderr = subprocess .PIPE , stdout = subprocess .PIPE ,
57+ cwd = repo .working_dir )
58+ if res .returncode != 0 :
59+ print (res )
60+ print (res .stderr )
61+ exit (1 )
62+
63+ sha_hash_and_subject = b''
64+ for line in res .stdout .split (b'\n ' ):
65+ if sha_hash_and_subject == b'' :
66+ sha_hash_and_subject = line
67+ continue
68+ if line == b'' :
69+ continue
70+
71+ for dir in FIPS_PROTECTED_DIRECOTRIES :
72+ if line .startswith (dir ):
73+ print (f'FIPS protected directory change found in commit { sha } ' )
74+ print (sha_hash_and_subject )
75+ shas_to_check .append (sha_hash_and_subject .split (b' ' )[0 ])
76+ sha_hash_and_subject = b''
77+ print (f'[rolling release update] { len (shas_to_check )} of { num_commits } commits have FIPS protected changes' )
78+
79+ return shas_to_check
80+
81+
3182if __name__ == '__main__' :
3283 parser = argparse .ArgumentParser (description = 'Rolling release update' )
3384 parser .add_argument ('--repo' , help = 'Repository path' , required = True )
3485 parser .add_argument ('--new-base-branch' , help = 'Branch name' , required = True )
3586 parser .add_argument ('--old-rolling-branch' , help = 'Branch name for old rolling release: ex: sig-cloud-8/4.18.0-553.33.1.el8_10' , required = True )
87+ parser .add_argument ('--fips-override' , help = 'Override FIPS check abort' , action = 'store_true' )
3688 args = parser .parse_args ()
3789
3890 repo = git .Repo (args .repo )
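Review bot: The prefix loop `for dir in FIPS_PROTECTED_DIRECOTRIES` at the bottom of check_for_fips_protected_changes can never match header changes, because the list added at the top of the file spells the entry `b'include/cyrpto'` (and `b'cypto/aysmmetric_keys/'`, which is at least still covered by `b'crypto/'`); a commit touching only include/crypto passes the gate silently, so the entry should read `b'include/crypto'` and the list deserves a test with a known-matching path. Two smaller defects sit in the same function: `commits_checked % (num_commits // 10)` raises ZeroDivisionError whenever the range holds fewer than 10 commits, and a commit that touches several protected files is appended to `shas_to_check` once per file, which inflates the "N of M commits" summary and repeats the later `git show` output. I would compute `step = max(1, num_commits // 10)` before the loop and test `if commits_checked % step == 0:`, and put `break` directly after the `shas_to_check.append(...)` line. Whether only x86 crypto belongs in the list (other `arch/*/crypto/` trees are not covered) is a question for whoever owns the FIPS boundary; I cannot tell from here.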
@@ -50,6 +102,17 @@ def get_branch_tag_sha_list(repo, branch):
50102 print ('[rolling release update] Latest RESF tag sha: ' , latest_resf_sha )
51103 print (repo .git .show ('--pretty="%H %s"' , '-s' , latest_resf_sha .decode ()))
52104
105+ if 'fips' in rolling_product :
106+ print ('[rolling release update] Checking for FIPS protected changes between the common tag and HEAD' )
107+ shas_to_check = check_for_fips_protected_changes (repo , args .new_base_branch , latest_resf_sha )
108+ if shas_to_check and args .fips_override is False :
109+ for sha in shas_to_check :
110+ print (repo .git .show (sha .decode ()))
111+ print ('[rolling release update] FIPS protected changes found between the common tag and HEAD' )
112+ print ('[rolling release update] Please Contact the CIQ FIPS / Security team for further instructions' )
113+ print ('[rolling release update] Exiting' )
114+ exit (1 )
115+
53116
54117 print ('[rolling release update] Checking out old rolling branch: ' , args .old_rolling_branch )
55118 repo .git .checkout (args .old_rolling_branch )
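Review bot: When `--fips-override` is given, the branch `if shas_to_check and args.fips_override is False` skips not only the abort but also the `git show` listing, so a bypassed gate leaves no record in the log of which commits were waved through. I would print the offending commits whenever any are found and make only the exit depend on the flag, with an explicit line saying the override is in effect; `args.fips_override is False` also reads better as `not args.fips_override`. The `'fips' in rolling_product` guard depends on `rolling_product`, which is assigned outside this hunk, so I cannot confirm from here that it is always a string at this point.
```python
if 'fips' in rolling_product:
    print('[rolling release update] Checking for FIPS protected changes between the common tag and HEAD')
    shas_to_check = check_for_fips_protected_changes(repo, args.new_base_branch, latest_resf_sha)
    if shas_to_check:
        # Always show what was found so an override still leaves an audit trail.
        for sha in shas_to_check:
            print(repo.git.show(sha.decode()))
        print('[rolling release update] FIPS protected changes found between the common tag and HEAD')
        if not args.fips_override:
            print('[rolling release update] Please Contact the CIQ FIPS / Security team for further instructions')
            print('[rolling release update] Exiting')
            exit(1)
        print('[rolling release update] --fips-override set, continuing despite FIPS protected changes')
```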
@@ -68,8 +131,14 @@ def get_branch_tag_sha_list(repo, branch):
68131
69132 print ('[rolling release update] Last RESF tag sha: ' , latest_resf_sha )
70133
134+ print ('[rolling release update] Total Commit in old branch: ' , len (rolling_commit_map ))
71135 print ('{ "CIQ COMMMIT" : "UPSTREAM COMMMIT" }' )
72- print (json .dumps (rolling_commit_map , indent = 2 ))
136+ if len (rolling_commit_map ) > 10 :
137+ print ('Printing first 5 and last 5 commits' )
138+ print (json .dumps ({k : rolling_commit_map [k ] for k in list (rolling_commit_map )[:5 ]}, indent = 2 ))
139+ print (json .dumps ({k : rolling_commit_map [k ] for k in list (rolling_commit_map )[- 5 :]}, indent = 2 ))
140+ else :
141+ print (json .dumps (rolling_commit_map , indent = 2 ))
73142
74143 print ('[rolling release update] Checking out new base branch: ' , args .new_base_branch )
75144 repo .git .checkout (args .new_base_branch )
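Review bot: The first-5/last-5 preview added here (`if len(rolling_commit_map) > 10: ...`) is repeated verbatim for `new_base_commit_map` in the next hunk, and the `> 10` threshold and the `[:5]`/`[-5:]` slices are unrelated literals, so the two copies can drift apart when one is tuned. A small helper holding the preview logic, called from both places with the respective map, would keep them in step and give the threshold and edge size a single home.
```python
def print_commit_map_preview(commit_map, limit=10, edge=5):
    """Dump a commit map as JSON, abbreviating to the first/last `edge` entries past `limit`."""
    if len(commit_map) > limit:
        print(f'Printing first {edge} and last {edge} commits')
        keys = list(commit_map)
        print(json.dumps({k: commit_map[k] for k in keys[:edge]}, indent=2))
        print(json.dumps({k: commit_map[k] for k in keys[-edge:]}, indent=2))
    else:
        print(json.dumps(commit_map, indent=2))
```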
@@ -118,8 +187,14 @@ def get_branch_tag_sha_list(repo, branch):
118187 new_base_commit_map [ciq_commit ] = upstream_commit
119188 new_base_commit_map_rev [upstream_commit ] = ciq_commit
120189
190+ print ('[rolling release update] Total Commit in new branch: ' , len (new_base_commit_map ))
121191 print ('{ "CIQ COMMMIT" : "UPSTREAM COMMMIT" }' )
122- print (json .dumps (new_base_commit_map , indent = 2 ))
192+ if len (new_base_commit_map ) > 10 :
193+ print ('Printing first 5 and last 5 commits' )
194+ print (json .dumps ({k : new_base_commit_map [k ] for k in list (new_base_commit_map )[:5 ]}, indent = 2 ))
195+ print (json .dumps ({k : new_base_commit_map [k ] for k in list (new_base_commit_map )[- 5 :]}, indent = 2 ))
196+ else :
197+ print (json .dumps (new_base_commit_map , indent = 2 ))
123198
124199 print ('[rolling release update] Checking if any of the commits from the old rolling release are already present in the new base branch' )
125200 commits_to_remove = {}