|
| 1 | +#!/usr/bin/env bash |
| 2 | +# Validate allowlist YAML expiry dates (minimal parser, no PyYAML). |
| 3 | +# Usage: check-allowlist-expiry.sh <allowlist-file> [id-field...] |
| 4 | +set -euo pipefail |
| 5 | + |
| 6 | +if [[ $# -lt 1 || -z "${1:-}" ]]; then |
| 7 | + echo "usage: check-allowlist-expiry.sh <allowlist-file> [id-field...]" >&2 |
| 8 | + exit 1 |
| 9 | +fi |
| 10 | + |
| 11 | +ALLOWLIST_FILE="$1" |
| 12 | +shift |
| 13 | +ID_FIELDS=("$@") |
| 14 | +if ((${#ID_FIELDS[@]} == 0)); then |
| 15 | + ID_FIELDS=(rule_id) |
| 16 | +fi |
| 17 | + |
| 18 | +if [[ ! -f "$ALLOWLIST_FILE" ]]; then |
| 19 | + echo "No allowlist file at $ALLOWLIST_FILE; skipping expiry check." |
| 20 | + exit 0 |
| 21 | +fi |
| 22 | + |
| 23 | +if ! command -v python3 >/dev/null 2>&1; then |
| 24 | + echo "python3 is required to validate $ALLOWLIST_FILE" >&2 |
| 25 | + exit 1 |
| 26 | +fi |
| 27 | + |
| 28 | +python3 - "$ALLOWLIST_FILE" "${ID_FIELDS[*]}" <<'PY' |
| 29 | +import datetime |
| 30 | +import re |
| 31 | +import sys |
| 32 | +
|
| 33 | +path = sys.argv[1] |
| 34 | +id_fields = sys.argv[2].split() |
| 35 | +patterns = { |
| 36 | + "rule_id": re.compile(r"rule_id:\s*(\S+)"), |
| 37 | + "cve_id": re.compile(r"cve_id:\s*(\S+)"), |
| 38 | + "id": re.compile(r"(?:^|\s)id:\s*(\S+)"), |
| 39 | +} |
| 40 | +
|
| 41 | +
|
| 42 | +def extract_id(text, anchored=False): |
| 43 | + for field in id_fields: |
| 44 | + pattern = patterns.get(field) |
| 45 | + if pattern is None: |
| 46 | + continue |
| 47 | + match = pattern.match(text) if anchored else pattern.search(text) |
| 48 | + if match: |
| 49 | + return match.group(1) |
| 50 | + return None |
| 51 | +
|
| 52 | +
|
| 53 | +text = open(path, encoding="utf-8").read() |
| 54 | +entries = [] |
| 55 | +current = None |
| 56 | +for line in text.splitlines(): |
| 57 | + stripped = line.strip() |
| 58 | + if stripped.startswith("- "): |
| 59 | + if current is not None: |
| 60 | + entries.append(current) |
| 61 | + current = {} |
| 62 | + item = stripped[2:].strip() |
| 63 | + entry_id = extract_id(item, anchored=False) |
| 64 | + if entry_id: |
| 65 | + current["id"] = entry_id |
| 66 | + match = re.search(r"expires:\s*(\S+)", item) |
| 67 | + if match: |
| 68 | + current["expires"] = match.group(1) |
| 69 | + continue |
| 70 | + if current is None: |
| 71 | + continue |
| 72 | + match = re.match(r"expires:\s*(\S+)", stripped) |
| 73 | + if match: |
| 74 | + current["expires"] = match.group(1) |
| 75 | + entry_id = extract_id(stripped, anchored=True) |
| 76 | + if entry_id: |
| 77 | + current["id"] = entry_id |
| 78 | +if current is not None: |
| 79 | + entries.append(current) |
| 80 | +
|
| 81 | +today = datetime.date.today() |
| 82 | +expired = [] |
| 83 | +for idx, entry in enumerate(entries): |
| 84 | + expires_raw = entry.get("expires") |
| 85 | + if not expires_raw: |
| 86 | + print( |
| 87 | + f"{path}: allowlist[{idx}] missing expires date " |
| 88 | + "(required for security on-call approval model)", |
| 89 | + file=sys.stderr, |
| 90 | + ) |
| 91 | + sys.exit(1) |
| 92 | + try: |
| 93 | + expires = datetime.date.fromisoformat(str(expires_raw)) |
| 94 | + except ValueError: |
| 95 | + print( |
| 96 | + f"{path}: allowlist[{idx}] has invalid expires date: {expires_raw!r}", |
| 97 | + file=sys.stderr, |
| 98 | + ) |
| 99 | + sys.exit(1) |
| 100 | + if expires < today: |
| 101 | + entry_id = entry.get("id", "<unknown>") |
| 102 | + expired.append(f"{entry_id} (expired {expires.isoformat()})") |
| 103 | +
|
| 104 | +if expired: |
| 105 | + print("Allowlist expired; contact security on-call to extend or remove:", file=sys.stderr) |
| 106 | + for item in expired: |
| 107 | + print(f" - {item}", file=sys.stderr) |
| 108 | + sys.exit(1) |
| 109 | +
|
| 110 | +print(f"PASS: {len(entries)} allowlist entries are current.") |
| 111 | +PY |
0 commit comments