Initial commit
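--- a/scripts/bootstrap_compliance.sh
+++ b/scripts/bootstrap_compliance.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+# Clone NIST macos_security and Lynis into ./vendor (shallow). Requires git and network.
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+exec python3 -m applepy.bootstrap_compliance "$@"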
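Review bot: The `exec python3 -m applepy.bootstrap_compliance "$@"` line runs whichever python3 is first on PATH, whereas build_bundle.sh and verify.sh in this same commit first source `.venv/bin/activate` when it exists, so this wrapper can silently pick a different interpreter and package set than the other scripts. Either add the same `if [[ -f .venv/bin/activate ]]; then source .venv/bin/activate; fi` block after `cd "$ROOT"`, or state in the header comment that the caller is expected to have the project environment active. The header also says the clones land in `./vendor`, while the sibling vendor_compliance_assets.sh writes under applepy/data; the python module is not in this commit, so if both are correct a one-line comment distinguishing the two destinations would help the next reader.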
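--- a/scripts/build_bundle.sh
+++ b/scripts/build_bundle.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Build one-folder PyInstaller distribution (see applepy.spec). Requires: pip install -e ".[bundle]"
+# By default fetches NIST macos_security + Lynis into applepy/data/ (git + network). Offline:
+# SKIP_VENDOR_COMPLIANCE=1 ./scripts/build_bundle.sh
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+if [[ -f .venv/bin/activate ]]; then
+# shellcheck source=/dev/null
+source .venv/bin/activate
+fi
+if [[ "${SKIP_VENDOR_COMPLIANCE:-0}" != "1" ]]; then
+"${ROOT}/scripts/vendor_compliance_assets.sh" all
+else
+echo "SKIP_VENDOR_COMPLIANCE=1: skipping scripts/vendor_compliance_assets.sh"
+fi
+python -m pip install -q -e ".[bundle]"
+DIST_OUT="${ROOT}/dist/applepy"
+if [[ -e "${DIST_OUT}" ]]; then
+echo "Removing previous bundle: ${DIST_OUT}"
+if ! rm -rf "${DIST_OUT}"; then
+echo "ERROR: Could not remove ${DIST_OUT}." >&2
+echo "This usually means root-owned files under .../macos_security/build from a prior sudo run of the bundle." >&2
+echo "Fix: sudo rm -rf \"${DIST_OUT}\"" >&2
+echo "Then re-run this script. The spec omits mSCP build/ from the bundle to avoid shipping host output." >&2
+exit 1
+fi
+fi
+python -m PyInstaller --noconfirm "${ROOT}/applepy.spec"
+echo "Output: ${ROOT}/dist/applepy/ → run: dist/applepy/applepy --help"
+echo "Note: build/applepy/ is PyInstaller’s work dir only (no _internal/). Do not run that copy."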
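Review bot: The `rm -rf "${DIST_OUT}"` line deletes a path assembled from `ROOT`, and if the venv block above did not run or `ROOT` were ever empty the target degrades to a relative `dist/applepy`; spelling it `rm -rf -- "${DIST_OUT:?}"` makes the script abort rather than delete the wrong tree. The pip and PyInstaller lines invoke `python` while bootstrap_compliance.sh in this commit uses `python3`, so outside the venv case the two scripts may resolve to different interpreters; pick one name for all scripts. The error text about root-owned files under macos_security/build is useful and could be shortened to point at the spec comment rather than repeating the explanation here.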
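--- a/scripts/vendor_compliance_assets.sh
+++ b/scripts/vendor_compliance_assets.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Shallow-clone NIST macos_security and Lynis into applepy/data/ for bundled / PyInstaller builds.
+# Preserves applepy/data/{macos_security,lynis}/README.md and .gitignore (excluded from rsync).
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+MACP="${ROOT}/applepy/data/macos_security"
+LYNP="${ROOT}/applepy/data/lynis"
+TMP="${TMPDIR:-/tmp}/applepy-vendor-$$"
+cleanup() { rm -rf "${TMP}"; }
+trap cleanup EXIT
+mkdir -p "${TMP}"
+
+refresh="${REFRESH:-0}"
+
+clone_mscp() {
+if [[ -f "${MACP}/scripts/generate_guidance.py" ]] && [[ "${refresh}" != "1" ]]; then
+echo "macos_security already present under applepy/data/macos_security (set REFRESH=1 to re-fetch)"
+return 0
+fi
+mkdir -p "${MACP}"
+git clone --depth 1 "https://github.com/usnistgov/macos_security.git" "${TMP}/macos_security"
+rsync -a --delete \
+--exclude README.md --exclude .gitignore \
+"${TMP}/macos_security/" "${MACP}/"
+echo "Vendored macos_security -> ${MACP}"
+}
+
+clone_lynis() {
+if [[ -f "${LYNP}/lynis" ]] && [[ "${refresh}" != "1" ]]; then
+echo "Lynis already present under applepy/data/lynis (set REFRESH=1 to re-fetch)"
+return 0
+fi
+mkdir -p "${LYNP}"
+git clone --depth 1 "https://github.com/cisofy/lynis.git" "${TMP}/lynis"
+rsync -a --delete \
+--exclude README.md --exclude .gitignore \
+"${TMP}/lynis/" "${LYNP}/"
+echo "Vendored Lynis -> ${LYNP}"
+}
+
+case "${1:-all}" in
+mscp|macos_security) clone_mscp ;;
+lynis) clone_lynis ;;
+all)
+clone_mscp
+clone_lynis
+;;
+*)
+echo "Usage: $0 [all|mscp|lynis]" >&2
+exit 2
+;;
+esac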
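Review bot: Both `git clone --depth 1` lines in clone_mscp and clone_lynis fetch whatever the upstream default branch points at when the build runs, with no ref, tag or commit pinned and nothing recorded afterwards, so two builds can ship different compliance content and a reader of the bundle cannot tell which upstream revision it carries. Consider taking the ref from the environment and persisting the resolved commit, e.g. `git clone --depth 1 --branch "${LYNIS_REF}" "https://github.com/cisofy/lynis.git" "${TMP}/lynis"` followed by `git -C "${TMP}/lynis" rev-parse HEAD > "${LYNP}/VENDORED_COMMIT"` (variable and file name constructed here), and doing the same for macos_security. The two rsync invocations exclude only README.md and .gitignore, so each clone's `.git/` directory is copied into applepy/data and then into the bundle; add `--exclude .git` to both. The `TMP="${TMPDIR:-/tmp}/applepy-vendor-$$"` line uses a predictable name in a shared directory, and `TMP="$(mktemp -d "${TMPDIR:-/tmp}/applepy-vendor.XXXXXX")"` avoids that while keeping the existing cleanup trap unchanged.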
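--- a/scripts/verify.sh
+++ b/scripts/verify.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+if [[ -f .venv/bin/activate ]]; then
+# shellcheck source=/dev/null
+source .venv/bin/activate
+fi
+ruff check applepy tests
+pytest -q
+if command -v ty >/dev/null 2>&1; then
+ty check applepy
+fi
+if command -v semgrep >/dev/null 2>&1; then
+# Exclude vendored upstream trees under applepy/data/ (not project-owned source).
+_applepy_py=()
+while IFS= read -r _f; do
+_applepy_py+=("$_f")
+done < <(
+find "${ROOT}/applepy" \( -path "${ROOT}/applepy/data/macos_security" -o -path "${ROOT}/applepy/data/lynis" \) \
+-prune -o -name "*.py" -print
+)
+semgrep --config="${ROOT}/semgrep.yml" --error "${_applepy_py[@]}"
+semgrep --config=p/python --error "${_applepy_py[@]}"
+fi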
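Review bot: The `if command -v ty` and `if command -v semgrep` guards make the type check and both semgrep passes silently optional, so verify.sh exits 0 on a machine where neither tool is installed and the caller cannot tell that the security rules never ran. At minimum each guard should report the skip on stderr, e.g. `else echo "semgrep not found: skipping semgrep checks" >&2`, and a `REQUIRE_ALL_CHECKS=1`-style switch (name constructed) that turns the skip into a failure would let CI enforce them. The file list is also built with `read -r` over newline-separated `find -print` output; `find ... -print0` with `read -r -d ''` is the safe form if any path under applepy ever contains a newline, and if the find matches nothing, `"${_applepy_py[@]}"` under `set -u` is an error on bash older than 4.4, so guard with `(( ${#_applepy_py[@]} ))` before invoking semgrep.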