
Bug 1608103 - Fix dummy secrets generation (#8855)

master
Johan Lorenzo 2020-03-03 17:22:48 +01:00 committed by GitHub
parent e6e2dd94c7
commit d390baefaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 86 additions and 13 deletions


@ -38,8 +38,8 @@ token_file = sys.argv[2]
with open(token_file) as f:
key = f.read()
if key.rstrip() == '--':
print('Nimbledroid key "--" detected. Not uploading anything to the service.')
if key.rstrip() == "faketoken":
print('Nimbledroid key "faketoken" detected. Not uploading anything to the service.')
sys.exit(0)
with open(apk_path) as apk_file:
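Review bot: The skip check compares the token against the literal `"faketoken"`, which has to stay in step with the `content: "faketoken"` value in the task configuration, and nothing in the script says where that value comes from. A named constant with a comment, e.g. `DUMMY_TOKEN = "faketoken"  # written by the dummy-secrets task config`, would make the contract visible. An empty token file is not treated as a dummy, so it falls through to the upload path; whether that can occur is not visible here. The script continues outside the hunk.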


@ -25,11 +25,12 @@ job-defaults:
key: api_key
path: .nimbledroid_token
default: []
pre-commands:
dummy-secrets:
by-level:
'3': []
default:
- [echo, '--', '>', .nimbledroid_token]
- content: "faketoken"
path: .nimbledroid_token
run-on-tasks-for: []
treeherder:
kind: test


@ -19,6 +19,12 @@ secret_schema = {
Optional("json"): bool,
}
dummy_secret_schema = {
Required("content"): text_type,
Required("path"): text_type,
Optional("json"): bool,
}
gradlew_schema = Schema({
Required("using"): "gradlew",
Optional("pre-gradlew"): [[text_type]],
@ -28,6 +34,7 @@ gradlew_schema = Schema({
Required("workdir"): text_type,
Optional("use-caches"): bool,
Optional("secrets"): [secret_schema],
Optional("dummy-secrets"): [dummy_secret_schema],
})
run_commands_schema = Schema({
@ -37,6 +44,7 @@ run_commands_schema = Schema({
Required("workdir"): text_type,
Optional("use-caches"): bool,
Optional("secrets"): [secret_schema],
Optional("dummy-secrets"): [dummy_secret_schema],
})
@ -44,9 +52,13 @@ run_commands_schema = Schema({
def configure_run_commands_schema(config, job, taskdesc):
run = job["run"]
pre_commands = run.pop("pre-commands", [])
pre_commands += [
_generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", [])
]
pre_commands += [
_generate_secret_command(secret) for secret in run.get("secrets", [])
]
all_commands = pre_commands + run.pop("commands", [])
run["command"] = _convert_commands_to_string(all_commands)
@ -72,6 +84,9 @@ def configure_gradlew(config, job, taskdesc):
def _extract_gradlew_command(run):
pre_gradle_commands = run.pop("pre-gradlew", [])
pre_gradle_commands += [
_generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", [])
]
pre_gradle_commands += [
_generate_secret_command(secret) for secret in run.get("secrets", [])
]
@ -96,6 +111,18 @@ def _generate_secret_command(secret):
return secret_command
def _generate_dummy_secret_command(secret):
secret_command = [
"taskcluster/scripts/write-dummy-secret.py",
"-f", secret["path"],
"-c", secret["content"],
]
if secret.get("json"):
secret_command.append("--json")
return secret_command
def _convert_commands_to_string(commands):
should_artifact_reference = False
should_task_reference = False
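Review bot: `_generate_dummy_secret_command` passes `secret["content"]` as a separate argument after `-c`, so a value beginning with `-` would be read by the script's argparse parser as an option rather than as the content; the dummy values this commit replaces (`--`, `-:-`) had that shape. The list is then flattened by `_convert_commands_to_string`, whose body is outside the hunk, so whether spaces or shell metacharacters in `content` survive depends on the quoting done there. Since `dummy_secret_schema` accepts any `text_type`, I would record the constraint next to the schema, e.g. `# content is passed on a command line: must not start with '-' or contain shell metacharacters`, or reject such values in the transform.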


@ -32,6 +32,7 @@ def add_variant_config(config, tasks):
def add_shippable_secrets(config, tasks):
for task in tasks:
secrets = task["run"].setdefault("secrets", [])
dummy_secrets = task["run"].setdefault("dummy-secrets", [])
if task.pop("include-shippable-secrets", False) and config.params["level"] == "3":
build_type = task["attributes"]["build-type"]
@ -50,15 +51,16 @@ def add_shippable_secrets(config, tasks):
('mls', '.mls_token'),
)])
else:
task["run"]["pre-gradlew"] = [[
"echo", '"{}"'.format(fake_value), ">", target_file
] for fake_value, target_file in (
("--", ".adjust_token"),
("", ".digital_asset_links_token"),
("-:-", ".leanplum_token"),
("", ".mls_token"),
dummy_secrets.extend([{
"content": fake_value,
"path": target_file,
} for fake_value, target_file in (
("faketoken", ".adjust_token"),
("faketoken", ".digital_asset_links_token"),
("fake:token", ".leanplum_token"), # : is used by leanplum
("faketoken", ".mls_token"),
("https://fake@sentry.prod.mozaws.net/368", ".sentry_token"),
)]
)])
yield task
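Review bot: `.digital_asset_links_token` and `.mls_token` used to receive an empty string and now receive `"faketoken"`, so builds on the `else` branch go from "no token" to "a token that is wrong". If the code reading these files treats any non-empty value as enabling the feature, those builds would start making requests with a bogus credential; the consumers are not visible here, so this needs confirming. A short comment above the tuple stating that every consumer must recognise its dummy value (as the Nimbledroid upload script does for `faketoken`) would record that contract. The function starts outside the hunk.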


@ -18,7 +18,7 @@ transforms = TransformSequence()
@transforms.add
def resolve_keys(config, tasks):
for task in tasks:
for key in ("run.secrets", "run.pre-commands"):
for key in ("run.secrets", "run.dummy-secrets"):
resolve_keyed_by(
task,
key,
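Review bot: `run.pre-commands` is dropped from the keys passed to `resolve_keyed_by`, so any task definition that still has a `by-level` (or other keyed-by) block under `pre-commands` would now reach the later transforms unresolved. The Nimbledroid job in this commit was migrated, but other kinds are not visible in this diff. It is worth searching for remaining keyed `pre-commands` before merging, or keeping the key alongside the new one: `for key in ("run.secrets", "run.dummy-secrets", "run.pre-commands"):`. The loop body continues outside the hunk.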


@ -0,0 +1,43 @@
#!/usr/bin/env python
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
from __future__ import absolute_import, print_function, unicode_literals
import argparse
import errno
import json
import os
def write_secret_to_file(path, secret, key, json_secret=False):
path = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../' + path))
try:
os.makedirs(os.path.dirname(path))
except OSError as error:
if error.errno != errno.EEXIST:
raise
print("Outputting secret to: {}".format(path))
with open(path, 'w') as f:
if json_secret:
secret = json.dumps(secret)
f.write(secret)
def main():
parser = argparse.ArgumentParser(description="Store a dummy secret to a file")
parser.add_argument("-c", dest="content", action="store", help="content of the secret")
parser.add_argument("-f", dest="path", action="store", help="file to save secret to")
parser.add_argument("--json", dest="json", action="store_true", default=False, help="serializes the secret to JSON format")
result = parser.parse_args()
write_secret_to_file(result.path, result.content, result.json)
if __name__ == "__main__":
main()
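Review bot: `--json` has no effect: `write_secret_to_file` is declared as `(path, secret, key, json_secret=False)` but `main()` calls it with three positional arguments, so `result.json` lands in the unused `key` parameter and `json_secret` stays `False`. Dropping the unused parameter fixes it: `def write_secret_to_file(path, secret, json_secret=False):`. Separately, `-c` and `-f` are not marked `required=True`, so a missing argument surfaces as a `TypeError` from the string concatenation or `f.write` instead of a usage error. `path` is joined under the repository root with no check that the result stays inside it; a one-line comment that the value comes from trusted task configuration would be enough.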