verify asdfa

Author: anthony-nhs

src/base/.devcontainer/.tool-versions.asdf

@@ -9,16 +9,18 @@ ARG CONTAINER_NAME
 ARG IMAGE_TAG
 ARG TARGETARCH
 ARG SAM_VERSION="v1.158.0"
+ARG ASDF_VERSION="v0.18.1"
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
 ENV TARGETARCH=${TARGETARCH}
 ENV SAM_VERSION=${SAM_VERSION}
+ENV ASDF_VERSION=${ASDF_VERSION}
 
-COPY .tool-versions.asdf ${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf
 COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
 COPY --chmod=755 scripts/install_aws_sam_cli.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.sh
+COPY --chmod=755 scripts/install_asdf.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
@@ -30,7 +32,6 @@ COPY --from=grant-build /grant /usr/local/bin/grant
 COPY --from=zizmor-build /zizmor /usr/local/bin/zizmor
 COPY --chmod=755 scripts/vscode_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/vscode_install.sh
 USER vscode
-COPY --chown=vscode:vscode .tool-versions.asdf /home/vscode/.tool-versions.asdf
 COPY --chown=vscode:vscode .tool-versions /home/vscode/.tool-versions
 COPY --chown=vscode:vscode .grant.yaml /home/vscode/.grant.yaml
 

src/base/.devcontainer/Dockerfile

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+VERSION=${VERSION:-"v0.18.1"}
+# Expected SHA256 checksums taken from https://github.com/asdf-vm/asdf/releases/tag/v0.18.1
+# When we change asdf versions, these must be changed
+sha256sum_expected_arm="sha256:1850faf576cab7acb321e99dd98d3fe0d4665e1331086ad9ed991aeec1dc9d36"
+sha256sum_expected_amd64="sha256:56141dc99eab75c140dcdd85cf73f3b82fed2485a8dccd4f11a4dc5cbcb6ea5c"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        apt_get_update
+        apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+check_packages curl ca-certificates tar sha256sum
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    download_file="${tmp_dir}/asdf.tar.gz"
+
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+        download_url="https://github.com/asdf-vm/asdf/releases/download/${VERSION}/asdf-${VERSION}-linux-arm64.tar.gz"
+        sha256sum_expected="${sha256sum_expected_arm}"
+    else
+        download_url="https://github.com/asdf-vm/asdf/releases/download/${VERSION}/asdf-${VERSION}-linux-amd64.tar.gz"
+        sha256sum_expected="${sha256sum_expected_amd64}"
+    fi
+    curl -fsSL "${download_url}" -o "${download_file}"
+
+    download_file_sha256sum=$(sha256sum "${download_file}" | awk '{print $1}')
+    if [ "${download_file_sha256sum}" != "${sha256sum_expected#sha256:}" ]; then
+        echo "SHA256 checksum mismatch for downloaded asdf archive"
+        echo "Expected: ${sha256sum_expected}"
+        echo "Actual:   sha256:${download_file_sha256sum}"
+        exit 1
+    fi
+
+    tar -xzf "${download_file}" -C "${tmp_dir}"
+    mkdir -p /usr/bin
+    mv "${tmp_dir}/asdf" /usr/bin/asdf
+    chmod +x /usr/bin/asdf
+}
+echo "(*) Installing asdf..."
+
+install
+
+echo "Done!"

src/base/.devcontainer/scripts/install_asdf.sh

@@ -36,17 +36,7 @@ apt-get -y install --no-install-recommends htop vim curl git build-essential \
 VERSION="${SAM_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.sh"
 # Install ASDF
 echo "Installing asdf"
-ASDF_VERSION=$(awk '!/^#/ && NF {print $1; exit}' "${SCRIPTS_DIR}/${CONTAINER_NAME}/.tool-versions.asdf")
-if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
-    wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-arm64.tar.gz"
-else
-    wget -O /tmp/asdf.tar.gz --no-verbose "https://github.com/asdf-vm/asdf/releases/download/v${ASDF_VERSION}/asdf-v${ASDF_VERSION}-linux-amd64.tar.gz"
-fi
-tar -xzf /tmp/asdf.tar.gz -C /tmp
-mkdir -p /usr/bin
-mv /tmp/asdf /usr/bin/asdf
-chmod +x /usr/bin/asdf
-rm -rf /tmp/asdf.tar.gz 
+VERSION="${ASDF_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh"
 
 # install gitsecrets
 git clone https://github.com/awslabs/git-secrets.git /tmp/git-secrets