From a890e5f6e2f00bca29a756084b1de9d4d6a348cb Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 9 Oct 2024 10:21:33 +0200
Subject: [PATCH] firmware: add other pkg mirrors to CRL check and connectivity audit
---
 src/opnsense/scripts/firmware/hostnames.sh | 30 +++++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/scripts/firmware/hostnames.sh b/src/opnsense/scripts/firmware/hostnames.sh
index a404fb034..a14d041ab 100755
--- a/src/opnsense/scripts/firmware/hostnames.sh
+++ b/src/opnsense/scripts/firmware/hostnames.sh
@@ -27,15 +27,37 @@
 # collect HTTPS URLs related to firmware and provide the
 # deduplicated host names thereof for further processing
-# XXX add other URLs here from pkg repo configurations
 URLS=$(opnsense-update -M; opnsense-update -X)
+# Make a few assumptions about plugged pkg repositories:
+#
+# * grab the "url" key, delimited with double quotes
+# * remove the spurious "pkg+" prefix to treat it as raw HTTP(S)
+# * match config name against known enabled repos
+
+REPOS=$(opnsense-verify -l | awk '{ print $1 }')
+
+for CONF in $(find /etc/pkg /usr/local/etc/pkg/repos -name '*.conf' -type f); do
+ for REPO in ${REPOS}; do
+ if [ "${REPO}.conf" = "$(basename ${CONF})" ]; then
+ URL=$(grep 'url:.*"' ${CONF})
+ if [ -n "${URL}" ]; then
+ URL=${URL#*'"'}
+ URL=${URL#pkg+}
+ URLS="${URLS}
+${URL%%'"'*}"
+ fi
+ continue 2
+ fi
+ done
+done
+
 for HOST in $( (for URL in ${URLS}; do
 if [ -n "${URL##https://*}" ]; then
 continue
 fi
- HOST=${URL#*://}
- HOST=${HOST%%/*}
- echo ${HOST}
+ HOST=${URL#*://}
+ echo ${HOST%%/*}
+
 done) | sort -u); do echo ${HOST}; done
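Review bot: `URL=$(grep 'url:.*"' ${CONF})` can return more than one line, for example a commented-out `#url:` entry or a second repository block in the same file. The `#*'"'` and `%%'"'*` expansions that follow keep only the first quoted string, so a mirror that is actually in use can be left out of the CRL check and connectivity audit with no message. A `url` value written without double quotes is skipped silently in the same way. Skipping comment lines would narrow this, e.g. `URL=$(grep -v '^[[:space:]]*#' "${CONF}" | grep 'url:.*"')`, and covering several `url` keys per file would need a loop over the matched lines. Separately, `${CONF}` is unquoted in `basename` and `grep`, and `for CONF in $(find …)` word-splits, so a config path containing whitespace never matches; `"$(basename "${CONF}")"` fixes the comparison.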