cli: add CI integration command

martonilles · martonilles · commit 19482048e58c · 2023-03-29T15:55:22.000+02:00
diff --git a/onekey_client/cli/ci.py b/onekey_client/cli/ci.py
@@ -0,0 +1,221 @@
+import sys
+import time
+from uuid import UUID
+
+import click
+import httpx
+
+from onekey_client import Client
+from onekey_client.queries import load_query
+
+FIRMWARE_STATUS_QUERY = load_query("get_firmware_latest_analysis_state.graphql")
+GET_ALL_FIRMWARES = load_query("get_same_product_firmwares.graphql")
+COMPARE_FIRMWARE = load_query("compare_firmware.graphql")
+LATEST_ISSUES_QUERY = load_query("get_firmware_latest_results.graphql")
+
+
+class ResultHandler:
+    def __init__(
+        self,
+        client: Client,
+        firmware_id: UUID,
+        retry_count=10,
+        retry_wait=60,
+        check_interval=60,
+    ):
+        self.client = client
+        self.firmware_id = str(firmware_id)
+        self.retry_count = retry_count
+        self.retry_wait = retry_wait
+        self.check_interval = check_interval
+
+    def get_result(self):
+        error_count = 1
+
+        while True:
+            try:
+                return self._get_result()
+            except httpx.HTTPError as e:
+                if error_count <= self.retry_count:
+                    click.echo(
+                        "Error communicating with ONEKEY platform, retrying; error='{}'".format(
+                            str(e)
+                        )
+                    )
+                    time.sleep(self.retry_wait * error_count)
+                    error_count += 1
+                else:
+                    click.echo(
+                        "Too many communication error with ONEKEY platform, failing"
+                    )
+                    raise
+
+    def _get_result(self):
+        self.wait_for_analysis_finish()
+
+        recent_id = self.get_recent_firmware_id()
+        if recent_id is not None:
+            click.echo(
+                f"Previous firmware results: {self.get_firmware_ui_url(recent_id)}"
+            )
+            res = self.client.query(
+                COMPARE_FIRMWARE, {"base": recent_id, "other": self.firmware_id}
+            )
+            new_issues = res["compareFirmwareAnalyses"]["issues"]["new"]
+            dropped_issues = res["compareFirmwareAnalyses"]["issues"]["dropped"]
+            new_cves = {
+                tuple(cve_entry.items())
+                for cve_entry in res["compareFirmwareAnalyses"]["cveEntries"]["new"]
+            }
+            dropped_cves = {
+                cve_entry["id"]
+                for cve_entry in res["compareFirmwareAnalyses"]["cveEntries"]["dropped"]
+            }
+        else:
+            click.echo("No previous firmware has been uploaded")
+            res = self.client.query(LATEST_ISSUES_QUERY, {"id": self.firmware_id})
+            new_issues = res["firmware"]["latestIssues"]
+            dropped_issues = []
+            new_cves = {
+                tuple(cve_match["cve"].items())
+                for cve_match in res["firmware"]["cveMatches"]
+            }
+            dropped_cves = []
+
+        click.echo("#" * 80)
+        click.echo(
+            f"New / dropped issue count: {len(new_issues)} / {len(dropped_issues)}"
+        )
+        click.echo(f"New / dropped CVE count: {len(new_cves)} / {len(dropped_cves)}")
+        if recent_id is not None and (
+            new_issues or dropped_issues or new_cves or dropped_cves
+        ):
+            click.echo(
+                f"Firmware comparison results with previous firmware: {self.get_firmware_compare_ui_url(recent_id, self.firmware_id)}"
+            )
+        else:
+            click.echo("No changes since previous firmware")
+
+        return new_issues, dropped_issues, new_cves, dropped_cves
+
+    def wait_for_analysis_finish(self):
+        click.echo(f"Waiting for analysis to finish on firmware: {self.firmware_id}")
+        while True:
+            try:
+                self.client.refresh_tenant_token()
+
+                res = self.client.query(FIRMWARE_STATUS_QUERY, {"id": self.firmware_id})
+                if res["firmware"] is None:
+                    click.echo(
+                        "Firmware is not yet available, analysis not started yet, waiting."
+                    )
+                    time.sleep(self.check_interval)
+                    continue
+
+                latest_analysis = res["firmware"]["latestAnalysis"]
+                if latest_analysis is None:
+                    click.echo("Analysis has not started yet, waiting.")
+                    time.sleep(self.check_interval)
+                    continue
+
+                if latest_analysis["state"] != "DONE":
+                    click.echo("Firmware analysis still in progress, waiting.")
+                    time.sleep(self.check_interval)
+                    continue
+
+                if latest_analysis["result"] != "COMPLETE":
+                    click.echo(
+                        f"Firmware analysis failed, check details: {self.get_firmware_ui_url(self.firmware_id)}"
+                    )
+                    sys.exit(2)
+                else:
+                    click.echo(
+                        f"Firmware analysis finished successfully, results: {self.get_firmware_ui_url(self.firmware_id)}"
+                    )
+                    break
+            except Exception as e:
+                click.echo(f"Error fetching results {str(e)}")
+                sys.exit(10)
+
+    def get_recent_firmware_id(self):
+        res = self.client.query(GET_ALL_FIRMWARES, {"id": self.firmware_id})
+
+        firmware_ids = [
+            timeline["firmware"]["id"]
+            for timeline in res["firmware"]["product"]["firmwareTimeline"]
+        ]
+
+        latest_id = firmware_ids.pop(0)
+        if latest_id != self.firmware_id:
+            click.echo(
+                f"Latest firmware upload is not the current firmware, skipping comparison with previous, latest={latest_id}"
+            )
+            return
+
+        if not firmware_ids:
+            click.echo("No previous firmware")
+            return
+
+        return firmware_ids[0]
+
+    def get_firmware_ui_url(self, firmware_id):
+        return f"https://{self.client.api_url.host}/firmwares?firmwareId={firmware_id}"
+
+    def get_firmware_compare_ui_url(self, recent_id, firmware_id):
+        return f"https://{self.client.api_url.host}/firmwares/compare-firmwares?baseFirmwareId={recent_id}&otherFirmwareId={firmware_id}"
+
+
+@click.command()
+@click.option("--firmware-id", required=True, type=UUID, help="Firmware ID")
+@click.option(
+    "--exit-code-on-new-finding",
+    "exit_code",
+    type=int,
+    default=1,
+    show_default=True,
+    help="Exit code to use when findings are identified compared to previous firmware upload",
+)
+@click.option(
+    "--check-interval",
+    type=int,
+    default=60,
+    show_default=True,
+    help="Wait time between checking for result",
+)
+@click.option(
+    "--retry-count",
+    type=int,
+    default=10,
+    show_default=True,
+    help="Number of times to retry fetching results due to communication problem",
+)
+@click.option(
+    "--retry-wait",
+    type=int,
+    default=60,
+    show_default=True,
+    help="Wait time between retries due to communication problem",
+)
+@click.pass_obj
+def ci_result(
+    client: Client,
+    firmware_id: UUID,
+    exit_code: int,
+    retry_count: int,
+    retry_wait: int,
+    check_interval: int,
+):
+    """Fetch analysis results for CI"""
+
+    handler = ResultHandler(
+        client,
+        firmware_id,
+        retry_count=retry_count,
+        retry_wait=retry_wait,
+        check_interval=check_interval,
+    )
+    new_issues, dropped_issues, new_cves, dropped_cves = handler.get_result()
+
+    exit_code = exit_code if new_issues or new_cves else 0
+
+    sys.exit(exit_code)
diff --git a/onekey_client/cli/cli.py b/onekey_client/cli/cli.py
@@ -6,6 +6,7 @@
 from onekey_client import Client
 from .firmware_upload import upload_firmware
 from .misc import list_tenants, get_tenant_token
+from .ci import ci_result
 
 
 @click.group()
@@ -67,6 +68,7 @@ def cli(ctx, api_url, disable_tls_verify, email, password, tenant_name):
 cli.add_command(list_tenants)
 cli.add_command(get_tenant_token)
 cli.add_command(upload_firmware)
+cli.add_command(ci_result)
 
 
 def main():
diff --git a/onekey_client/queries/compare_firmware.graphql b/onekey_client/queries/compare_firmware.graphql
@@ -0,0 +1,35 @@
+query CompareFirmware($base: ID!, $other: ID!){
+  compareFirmwareAnalyses (base: $base, other: $other) {
+    issues {
+      new {
+        __typename
+        id
+        severity
+        type
+        file {
+          path
+        }
+      }
+      dropped {
+        __typename
+        id
+        severity
+        type
+        file {
+          path
+        }
+      }
+    }
+
+    cveEntries {
+      new {
+        id
+        description
+        severity
+      }
+      dropped {
+        id
+      }
+    }
+  }
+}
diff --git a/onekey_client/queries/get_firmware_latest_analysis_state.graphql b/onekey_client/queries/get_firmware_latest_analysis_state.graphql
@@ -0,0 +1,9 @@
+query GetFirmwareLatestAnalysisState($id: ID!) {
+  firmware(id: $id) {
+    name
+    latestAnalysis {
+      state
+      result
+    }
+  }
+}
diff --git a/onekey_client/queries/get_firmware_latest_results.graphql b/onekey_client/queries/get_firmware_latest_results.graphql
@@ -0,0 +1,26 @@
+query GetFimrwareLatestResult($id: ID!){
+  firmware(id: $id) {
+    latestIssues (filter: {elf: false}){
+      __typename
+      id
+      severity
+      type
+      file {
+        path
+      }
+    }
+
+    cveMatches {
+      component {
+        name
+        version
+      }
+      cve {
+        id
+        description
+        severity
+      }
+    }
+
+  }
+}
diff --git a/onekey_client/queries/get_same_product_firmwares.graphql b/onekey_client/queries/get_same_product_firmwares.graphql
@@ -0,0 +1,11 @@
+query GetSameProductFirmwares($id: ID!){
+  firmware(id: $id) {
+    product {
+      firmwareTimeline {
+        firmware {
+          id
+        }
+      }
+    }
+  }
+}
