e6bbcf847d
Fixes CVE-2023-24999. https://discuss.hashicorp.com/t/hcsec-2023-07-vault-fails-to-verify-if-approle-secretid-belongs-to-role-during-a-destroy-operation/51305 https://developer.hashicorp.com/vault/docs/release-notes/1.13.0
43 lines
1.5 KiB
Bash
Executable file
43 lines
1.5 KiB
Bash
Executable file
#!/usr/bin/env nix-shell
|
|
#!nix-shell -i bash -p curl gnused gawk nix-prefetch
|
|
|
|
set -euo pipefail
|
|
|
|
ROOT="$(dirname "$(readlink -f "$0")")"
|
|
NIX_DRV="$ROOT/vault-bin.nix"
|
|
if [ ! -f "$NIX_DRV" ]; then
|
|
echo "ERROR: cannot find vault-bin in $ROOT"
|
|
exit 1
|
|
fi
|
|
|
|
fetch_arch() {
|
|
VER="$1"; ARCH="$2"
|
|
URL="https://releases.hashicorp.com/vault/${VER}/vault_${VER}_${ARCH}.zip"
|
|
nix-prefetch "{ stdenv, fetchzip }:
|
|
stdenv.mkDerivation rec {
|
|
pname = \"vault-bin\"; version = \"${VER}\";
|
|
src = fetchzip { url = \"$URL\"; };
|
|
}
|
|
"
|
|
}
|
|
|
|
replace_sha() {
|
|
sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
|
|
}
|
|
|
|
# https://releases.hashicorp.com/vault/1.9.4/vault_1.9.4_linux_arm64.zip
|
|
VAULT_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/hashicorp/vault/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
|
|
|
|
VAULT_LINUX_X86_SHA256=$(fetch_arch "$VAULT_VER" "linux_386")
|
|
VAULT_LINUX_X64_SHA256=$(fetch_arch "$VAULT_VER" "linux_amd64")
|
|
VAULT_DARWIN_X64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_amd64")
|
|
VAULT_LINUX_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "linux_arm64")
|
|
VAULT_DARWIN_AARCH64_SHA256=$(fetch_arch "$VAULT_VER" "darwin_arm64")
|
|
|
|
sed -i "s/version = \".*\"/version = \"$VAULT_VER\"/" "$NIX_DRV"
|
|
|
|
replace_sha "i686-linux" "$VAULT_LINUX_X86_SHA256"
|
|
replace_sha "x86_64-linux" "$VAULT_LINUX_X64_SHA256"
|
|
replace_sha "x86_64-darwin" "$VAULT_DARWIN_X64_SHA256"
|
|
replace_sha "aarch64-linux" "$VAULT_LINUX_AARCH64_SHA256"
|
|
replace_sha "aarch64-darwin" "$VAULT_DARWIN_AARCH64_SHA256"
|