laster 0.0.1

2026-05-25 15:49:42 +07:00
parent 14d3a3152a
commit e2c4881bb7
22 changed files with 1139 additions and 158 deletions
--- a/agent/app/core/downloader.py
+++ b/agent/app/core/downloader.py
@@ -33,6 +33,7 @@ class Downloader:
        self.repository.add_log(self.task_id, "info", f"Downloading {url}")
        with httpx.stream("GET", url, follow_redirects=True, timeout=120) as response:
            response.raise_for_status()
+            self._validate_response(url, response)
            with destination.open("wb") as handle:
                for chunk in response.iter_bytes():
                    handle.write(chunk)
@@ -40,3 +41,13 @@ class Downloader:
        self.repository.add_log(self.task_id, "info", f"Downloaded to {destination}")
        return destination

+    def _validate_response(self, requested_url: str, response: httpx.Response) -> None:
+        final_url = str(response.url)
+        validate_url_host(final_url, settings.allowed_download_hosts)
+
+        content_type = response.headers.get("content-type", "").split(";", 1)[0].strip().lower()
+        if content_type in {"text/html", "text/plain"}:
+            raise ValueError(
+                "download did not return a package file "
+                f"(requested {requested_url}, final {final_url}, content-type {content_type or 'unknown'})"
+            )
--- a/agent/app/core/task_runner.py
+++ b/agent/app/core/task_runner.py
@@ -6,7 +6,7 @@ import traceback
 from typing import Any

 from app.config import settings
-from app.core.checksum import verify_sha256
+from app.core.checksum import sha256_file
 from app.core.command_runner import CommandRunner
 from app.core.downloader import Downloader
 from app.core.installer import DebInstaller
@@ -197,8 +197,12 @@ class TaskRunner:

        package_path = downloader.download(component["downloadUrl"])
        self.repository.update_task_component(task_id, component_id, progress=35, current_step="verifying checksum")
-        if not verify_sha256(package_path, component["sha256"]):
-            raise ValueError(f"Checksum mismatch for {component_id}")
+        actual_sha256 = sha256_file(package_path)
+        expected_sha256 = component["sha256"].lower()
+        if actual_sha256.lower() != expected_sha256:
+            raise ValueError(
+                f"Checksum mismatch for {component_id}: expected {expected_sha256}, got {actual_sha256}"
+            )
        self.repository.add_log(task_id, "info", f"Checksum verified for {component_id}")

        self.repository.update_task_component(task_id, component_id, progress=60, current_step="installing package")
@@ -245,4 +249,3 @@ class TaskRunner:
        geteuid = getattr(os, "geteuid", None)
        if callable(geteuid) and geteuid() != 0:
            raise PermissionError("Agent must run as root to call apt and systemctl")
-
--- a/agent/packaging/DEBIAN/control
+++ b/agent/packaging/DEBIAN/control
@@ -1,5 +1,5 @@
 Package: local-installer-agent
-Version: 0.1.0
+Version: 0.1.3
 Section: utils
 Priority: optional
 Architecture: amd64
--- a/agent/scripts/build-deb.sh
+++ b/agent/scripts/build-deb.sh
@@ -1,11 +1,22 @@
 #!/usr/bin/env bash
 set -euo pipefail

-VERSION="${VERSION:-0.1.0}"
+VERSION="${VERSION:-0.1.3}"
 ARCH="${ARCH:-amd64}"
 PKG_NAME="local-installer-agent"
-BUILD_ROOT="build"
+BUILD_ROOT="${BUILD_ROOT:-build}"
 BUILD_DIR="${BUILD_ROOT}/${PKG_NAME}_${VERSION}_${ARCH}"
+OUTPUT_PACKAGE="${BUILD_DIR}.deb"
+
+if [[ ! "$VERSION" =~ ^[a-zA-Z0-9][a-zA-Z0-9._:+~=-]*$ ]]; then
+  echo "Invalid VERSION: ${VERSION}" >&2
+  exit 1
+fi
+
+if [[ ! "$ARCH" =~ ^[a-z0-9][a-z0-9._-]*$ ]]; then
+  echo "Invalid ARCH: ${ARCH}" >&2
+  exit 1
+fi

 rm -rf "${BUILD_ROOT}"

@@ -25,9 +36,15 @@ cp packaging/DEBIAN/postinst "${BUILD_DIR}/DEBIAN/postinst"
 cp packaging/DEBIAN/prerm "${BUILD_DIR}/DEBIAN/prerm"
 cp packaging/DEBIAN/postrm "${BUILD_DIR}/DEBIAN/postrm"

+sed -i \
+  -e "s/^Version:.*/Version: ${VERSION}/" \
+  -e "s/^Architecture:.*/Architecture: ${ARCH}/" \
+  "${BUILD_DIR}/DEBIAN/control"
+
 chmod 755 "${BUILD_DIR}/DEBIAN/postinst"
 chmod 755 "${BUILD_DIR}/DEBIAN/prerm"
 chmod 755 "${BUILD_DIR}/DEBIAN/postrm"
+chmod 755 "${BUILD_DIR}/DEBIAN"

 cat > "${BUILD_DIR}/etc/local-installer-agent/agent.env" <<EOF
 AGENT_VERSION=${VERSION}
@@ -47,7 +64,14 @@ ALLOW_DOCKER=false
 ALLOW_DOCKER_COMPOSE=false
 EOF

-dpkg-deb --build "${BUILD_DIR}"
+dpkg-deb --root-owner-group --build "${BUILD_DIR}"

 echo "Built package:"
-echo "${BUILD_DIR}.deb"
+echo "${OUTPUT_PACKAGE}"
+
+if [ -n "${PUBLISH_DIR:-}" ]; then
+  mkdir -p "${PUBLISH_DIR}"
+  cp "${OUTPUT_PACKAGE}" "${PUBLISH_DIR}/"
+  echo "Published package:"
+  echo "${PUBLISH_DIR}/$(basename "${OUTPUT_PACKAGE}")"
+fi