Created
June 10, 2020 13:12
-
-
Save grahampugh/36b4eef803624c59e48d3b40f016ad3f to your computer and use it in GitHub Desktop.
Runs through a recipe list and verifies trust info. Creates a trusted recipe list and sends untrusted recipes to a Slack incoming web hook.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # AutoPkg verify trust of existing recipes | |
| # by Graham Pugh | |
| # server name, used as the username in Slack | |
| server="$1" | |
| # slack webhook, e.g. https://hooks.slack.com/services/ASBCDSDAD/SDFGASDF/SDFAvSDfASDFvsdfA | |
| slack_webhook_url="$2" | |
| # Idenfity server | |
| JSS_URL=$( /usr/bin/defaults read com.github.autopkg JSS_URL ) | |
| # AutoPkg Recipe List. This is the recipe list you maintain manually | |
| AUTOPKG_JSS_RECIPE_LIST="${HOME}/Library/AutoPkg/JSS_AutoPkg_Recipe_List.txt" | |
| sendSlackNotification() { | |
| echo " [sendSlackNotification] Sending Slack notification" | |
| slack_text="{'username': '${server}', 'text': '*Untrusted Recipe Alert*\nURL: $JSS_URL\nRecipe: *$AUTOPKG_RECIPE*\nFailed: $recipe_fail'}" | |
| echo "$slack_text" | |
| response=$( | |
| curl -s -o /dev/null -S -i -X POST -H "Content-Type: application/json" \ | |
| --write-out %{http_code} \ | |
| --data "$slack_text" \ | |
| "$slack_webhook_url" | |
| ) | |
| echo " [sendSlackNotification] Got response: $response" | |
| } | |
| # temporary recipe lists | |
| TRUSTED_RECIPE_LIST="${HOME}/Library/AutoPkg/AutoPkg_Trusted_Recipe_List.txt" | |
| UNTRUSTED_RECIPE_LIST="${HOME}/Library/AutoPkg/AutoPkg_Untrusted_Recipe_List.txt" | |
| # Start a fresh list for trust checks | |
| [[ -f "$TRUSTED_RECIPE_LIST" ]] && rm $TRUSTED_RECIPE_LIST | |
| touch "$TRUSTED_RECIPE_LIST" | |
| [[ -f "$UNTRUSTED_RECIPE_LIST" ]] && rm $UNTRUSTED_RECIPE_LIST | |
| touch "$UNTRUSTED_RECIPE_LIST" | |
| LIST="$( cat $AUTOPKG_JSS_RECIPE_LIST )" | |
| while read -r AUTOPKG_RECIPE ; do | |
| verify_result=$( /usr/local/bin/autopkg verify-trust-info -v "$AUTOPKG_RECIPE" 2>&1 ) | |
| if [[ "$verify_result" == "$AUTOPKG_RECIPE: OK" ]]; then | |
| echo " [autopkg-verify-trust-info] $AUTOPKG_RECIPE trusted." | |
| echo "$AUTOPKG_RECIPE" >> "$TRUSTED_RECIPE_LIST" | |
| else | |
| if [[ "$verify_result" == *"differ from expected"* ]]; then | |
| recipe_fail="Parent recipe differs from expected." | |
| elif [[ "$verify_result" == *"NOT FOUND"* ]]; then | |
| recipe_fail="Parent recipe not found." | |
| else | |
| recipe_fail="Unspecified error." | |
| fi | |
| echo " [autopkg-verify-trust-info] $AUTOPKG_RECIPE not trusted." | |
| echo "$AUTOPKG_RECIPE" >> "$UNTRUSTED_RECIPE_LIST" | |
| # send Slack alert | |
| sendSlackNotification | |
| fi | |
| done <<< "$LIST" | |
| echo | |
| echo | |
| echo " [autopkg-verify-trust-info] Trusted Recipe List:" | |
| echo | |
| cat "$TRUSTED_RECIPE_LIST" | |
| echo | |
| echo " [autopkg-verify-trust-info] Untrusted Recipe List:" | |
| echo | |
| cat "$UNTRUSTED_RECIPE_LIST" | |
| echo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment