The backend technology behind the websites managed by Patton Web Concepts

Verifying config file correctness with Python git patch

The git module in Python has the ability to show the difference between two commits in Linux patch format, similar to running a "git diff". This makes it possible to programmatically check for specific file content differences.

Here's some sample code to show how it's done.

In this example we start by identifying the repo we're working with in line 383, and the head (last) commit is defined in head.commit in line 384.

Getting the previous commit takes a little more work. We have to call iter_commits() on the main repo and then convert that into a Python list, eventually returning the second item since the head is in the first.

Calling the diff() method on a previous commit with the "create_patch=True" argument will create the patch.

Examining the Patch

Once we have the patch, we can examine its contents to verify that whatever changes have been made are acceptable.

The second image snippet shows the difference between two commits as seen in GitLab, but the patch contents are essentially the same. In the Linux patch format, lines that have been removed from the previous version begin with a '-' while lines that have been added since the previous version begin with a '+'.

Verifying a DNS zone file

In this example, we're looking at a snippet of a DNS zone file and we want to check that a host has been added correctly.

Zone files have a unique serial number that must be incremented every time a change is made in order for the DNS server to update its database as seen in line 3. Lines 4229 and 4230 show the last two octets of an IP address in reverse order for a host named stella.

Now we can check that our changes are OK. Line 3 shows that the old serial number 2024121701 was removed and that serial number 2024121702 was added, so this checks out. Lines 4229 and 4230 show that a commented out entry was removed as well as a line with an invalid value in the last octet (393), both for the host stella. The last line shows a new line was added for stella with valid values, so overall the last commit is valid.

Using Python

How would we check this programmatically?

To check that the serial number was updated, we used a regular expression to look for lines that begin with either a '-' or '+' and have a serial number (I realize this regex could be a lot tighter). For the lines that match, we check if the operation was an addition or subtraction. We now know the previous serial number since it was removed and we know the current serial number because it was added.

Now we can check the two values to make sure that the serial number was updated (line 443). If there was no update, no lines would have been removed or added, leaving the corresponding variables empty. If they're not empty, but in reverse order, then something got added incorrectly, line 448.
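The following sketch puts the steps above together. It is an added example, not the code from the original post: the sample patch, the `; serial` comment convention, the record layout and the function names are assumptions made for illustration, and it goes slightly beyond the serial check by also rejecting added PTR records with an octet above 255.

```python
import re

# Constructed sample patch (not from the original post), reverse-zone style.
SAMPLE_PATCH = """\
@@ -1,4 +1,4 @@
 $TTL 86400
 @ IN SOA ns1.example.com. hostmaster.example.com. (
-        2024121701 ; serial
+        2024121702 ; serial
         3600 ; refresh
@@ -4228,3 +4228,2 @@
 11.20   IN PTR  alpha.example.com.
-;12.20  IN PTR  stella.example.com.
-393.20  IN PTR  stella.example.com.
+39.20   IN PTR  stella.example.com.
"""

# Assumed conventions: a 10-digit YYYYMMDDNN serial tagged "; serial", and
# reverse records written as "<octet>.<octet> IN PTR <host>".
SERIAL_RE = re.compile(r"^([+-])\s*(\d{10})\s*;\s*serial\b", re.IGNORECASE)
PTR_RE = re.compile(r"^\+\s*(\d+)\.(\d+)\s+IN\s+PTR\s+(\S+)", re.IGNORECASE)

def patch_from_repo(path):
    """Patch text between the previous and head commits (needs GitPython)."""
    import git
    repo = git.Repo(path)
    head = repo.head.commit
    prev = list(repo.iter_commits())[1]  # index 0 is the head itself
    return "".join(d.diff.decode("utf-8", "replace")
                   for d in prev.diff(head, create_patch=True))

def check_patch(patch):
    """Return a list of problems found in the patch; empty means it passes."""
    serials, problems = {}, []
    for line in patch.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            serials[m.group(1)] = int(m.group(2))  # '-' is old, '+' is new
            continue
        m = PTR_RE.match(line)
        if m and any(int(octet) > 255 for octet in m.group(1, 2)):
            problems.append(f"invalid octet in added record: {line[1:].strip()}")
    old, new = serials.get("-"), serials.get("+")
    if old is None or new is None:
        problems.append("serial number was not updated")
    elif new <= old:
        problems.append(f"serial went from {old} to {new}")
    return problems
```

In a pipeline, a non-empty result from `check_patch(patch_from_repo("."))` would be the signal to fail the job before the zone is pushed.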

General application

Virtually all configuration files are required to follow a specific format so they can be read by their application. Because we know the format and can isolate changes into a single patch, it becomes relatively easy to verify that a configuration file is correct.

I wrote this code for DNS as part of a larger tool that verifies zone files for a couple of reasons; one is to make sure I didn't make a typo or forget something simple, but the second is to prevent the named daemon from crashing on a bad zone file. The last thing we need is a non-responsive production DNS server. We push changes to DNS using a GitLab CI/CD pipeline and this script runs before pushing changes to production. This makes changes safer and allows for rapid rollback by reverting the GitLab commit.

About Me

I'm Erik. I build and maintain websites so other people don't have to.

My expertise lies in building computing infrastructures for websites that are reliable, fast, and secure. I work primarily with Linux systems in cloud and on-premise environments.

I also do web design and development with a preference for the Astro JavaScript framework. I've also managed several websites using WordPress.

If you need a new website, an integration to your existing site, or managed hosting, please get in touch.