autoupdate: backport changes from 23.05

Author: pktpls

packages/falter-berlin-autoupdate/LICENSE

@@ -1,7 +1,10 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=falter-berlin-autoupdate
-PKG_VERSION:=0.1
+PKG_VERSION:=2022.08.29
+
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_LICENSE_FILES:=LICENSE
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -10,6 +13,8 @@ define Package/falter-berlin-autoupdate/default
   CATEGORY:=falter-berlin
   URL:=https://github.com/freifunk-berlin/falter-packages
   PKGARCH:=all
+  # falter-berlin-migration holds the semver-library needed by the autoupdater
+  EXTRA_DEPENDS:=uci, jshn, falter-berlin-migration
 endef
 
 define Package/falter-berlin-autoupdate

packages/falter-berlin-autoupdate/Makefile

@@ -1,10 +1,22 @@
-#! /bin/sh
+#!/bin/sh
+
+# This software originates from Freifunk Berlin and implements a basic autoupdate mechanism
+# by using OpenWrts built-in sysupgrade.
+# It is licensed under GNU General Public License v3.0 or later
+# Copyright (C) 2022   Martin Hübner and Tobias Schwarz
+
+# shellcheck shell=dash
 
 # except than noted, this script is not posix-compliant in one way: we use "local"
 # variables definition. As nearly all shells out there implement local, this should
 # work anyway. This is a little reminder to you, if you use some rare shell without
 # a builtin "local" statement.
 
+# We don't need the return values and check the correct execution in other ways.
+# shellcheck disable=SC2155
+
+# we can't check those dependencies at the CI
+# shellcheck source=/dev/null
 . /lib/functions.sh
 . /lib/config/uci.sh
 . /etc/freifunk_release
@@ -54,14 +66,14 @@ Example call:
 #   Load Configuration   #
 ##########################
 
-SELECTOR_URL=$(uci_get autoupdate cfg selector_fqdn)
+export SELECTOR_URL=$(uci_get autoupdate cfg selector_fqdn)
 FW_SERVER_URL=$(uci_get autoupdate cfg fw_server_fqdn)
 MIN_CERTS=$(uci_get autoupdate cfg minimum_certs)
 DISABLED=$(uci_get autoupdate cfg disabled)
 
 PATH_DIR="/tmp/autoupdate"
 PATH_BIN="$PATH_DIR/freifunk_syupgrade.bin"
-KEY_DIR="/etc/autoupdate/keys/"
+export KEY_DIR="/etc/autoupdate/keys/"
 
 MIN_RAM_FREE=1536 # amount of kiB that must be free in RAM after firmware-download
 
@@ -107,19 +119,19 @@ log "starting autoupdate..."
 #  Checks and Checks again
 
 is_stable_release=$(echo "$FREIFUNK_RELEASE" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$')
-if [ -z $OPT_FORCE ] && [ -z "$is_stable_release" ]; then
+if [ -z "$OPT_FORCE" ] && [ -z "$is_stable_release" ]; then
     log "automatic updates aren't supported for development-firmwares. Please update manually or use the force update option '-f' or new-install option '-n'."
     exit 2
 fi
 
-if [ -z $OPT_FORCE ] && { [ "$DISABLED" = "1" ] || [ "$DISABLED" = "yes" ] || [ "$DISABLED" = "true" ]; }; then
+if [ -z "$OPT_FORCE" ] && { [ "$DISABLED" = "1" ] || [ "$DISABLED" = "yes" ] || [ "$DISABLED" = "true" ]; }; then
     log "autoupdate is disabled. Change the configs at /et/config/autoupdate to enable it."
     exit 2
 fi
 
 UPTIME=$(cut -d'.' -f1 </proc/uptime)
 # only update, if router runs for at least two hours (so the update probably won't get disrupted)
-if [ -z $OPT_FORCE ] && [ "$UPTIME" -lt 7200 ]; then
+if [ -z "$OPT_FORCE" ] && [ "$UPTIME" -lt 7200 ]; then
     log "Router didn't run for two hours. It might be just plugged in for testing. Aborting..."
     exit 2
 fi
@@ -129,15 +141,14 @@ rm -rf "$PATH_DIR"
 mkdir -p "$PATH_DIR"
 
 log "fetch autoupdate.json from $FW_SERVER_URL ..."
-load_overview_and_certs "$FW_SERVER_URL"
-if [ $? != 0 ]; then
+if load_overview_and_certs "$FW_SERVER_URL"; then
     log "fetching autoupdate.json failed. Probably no internet connection."
     exit 2
 fi
 log "done."
 
 # prove to be signed by minimum amount of certs
-if [ -z $OPT_IGNORE_CERTS ]; then
+if [ -z "$OPT_IGNORE_CERTS" ]; then
     log "Verifying image-signatures..."
     min_valid_certificates "$PATH_DIR/autoupdate.json" "$MIN_CERTS"
     ret_code=$?
@@ -151,8 +162,7 @@ else
     log "ignoring certificates as requested."
 fi
 
-latest_release=$(read_latest_stable "$PATH_DIR/autoupdate.json")
-if [ $? != 0 ]; then
+if latest_release=$(read_latest_stable "$PATH_DIR/autoupdate.json"); then
     log "wasn't able to read latest stable version from autoupdate.json"
     exit 2
 else
@@ -182,7 +192,7 @@ if semverLT "$FREIFUNK_RELEASE" "$latest_release"; then
     log "download link is: $link."
 
     # delete json and signatures to save space in RAM
-    if [ -z $OPT_TESTRUN ]; then
+    if [ -z "$OPT_TESTRUN" ]; then
         json_sig_files=$(find "$PATH_DIR" -name "autoupdate.json*")
         for f in $json_sig_files; do
             rm "$f"
@@ -222,12 +232,12 @@ if semverLT "$FREIFUNK_RELEASE" "$latest_release"; then
     fi
 
     # flash image
-    if [ -z $OPT_TESTRUN ]; then
+    if [ -z "$OPT_TESTRUN" ]; then
         log "start flashing the image..."
         if [ -n "$OPT_N" ]; then
-            sysupgrade -n --ignore-minor-compat-version "$PATH_BIN"
+            sysupgrade -n "$PATH_BIN"
         else
-            sysupgrade --ignore-minor-compat-version "$PATH_BIN"
+            sysupgrade "$PATH_BIN"
         fi
         log "done."
     fi

packages/falter-berlin-autoupdate/files/autoupdate.sh

@@ -1,5 +1,23 @@
 #!/bin/sh
 
+# This software originates from Freifunk Berlin and implements a basic autoupdate mechanism
+# by using OpenWrts built-in sysupgrade.
+# It is licensed under GNU General Public License v3.0 or later
+# Copyright (C) 2022   Martin Hübner and Tobias Schwarz
+
+# shellcheck shell=dash
+
+# jshn assigns the variables for us, but shellcheck doesn't get it.
+# shellcheck disable=SC2154
+# We don't need the return values and check the correct execution in other ways.
+# shellcheck disable=SC2155
+# using printf with variables and nc didn't work correctly. Thus this hack
+# shellcheck disable=SC2059
+# FW_SERVER_URL isn't mispelled, but a global variable defined in autoupdate.sh
+# shellcheck disable=SC2153
+
+# Those dependencies aren't available for CI checking.
+# shellcheck source=/dev/null
 . /lib/functions.sh
 . /lib/functions/semver.sh
 . /lib/config/uci.sh
@@ -142,6 +160,11 @@ get_download_link_and_hash() {
     # load board-specific json with image-name from selector
     board_json=$(wget -qO - "https://${SELECTOR_URL}/${version}/${flavour}/${curr_target}/${BOARD}.json")
 
+    if [ -z "$board_json" ]; then
+        log "Failed to download board-specific JSON-File from firmware selector. Exiting..."
+        exit 2
+    fi
+
     json_init
     json_load "$board_json"
     json_for_each_item "iter_images" "images"
@@ -215,7 +238,7 @@ min_valid_certificates() {
                 #pop key from list. Thus one key cannot validate multiple certs.
                 key_list=$(pop_element "$key_list" "$key")
             fi
-            if [ $cert_cnt = $min_cnt ]; then
+            if [ $cert_cnt = "$min_cnt" ]; then
                 return 255
             fi
         done

packages/falter-berlin-autoupdate/files/lib_autoupdate.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
 
-[ -z $IPKG_INSTROOT ] || exit 0
+# I can remember, that this script was fairly horrible to get it working as
+# intended. You better shouldn't touch anything here.
+# shellcheck disable=all
 
 # if autoupdate is not present in crontab, include it.
 crontab -l | grep /usr/bin/autoupdate >>/dev/null