Bug 1608103 - Fix dummy secrets generation (#8855)
parent
e6e2dd94c7
commit
d390baefaf
|
@ -38,8 +38,8 @@ token_file = sys.argv[2]
|
||||||
with open(token_file) as f:
|
with open(token_file) as f:
|
||||||
key = f.read()
|
key = f.read()
|
||||||
|
|
||||||
if key.rstrip() == '--':
|
if key.rstrip() == "faketoken":
|
||||||
print('Nimbledroid key "--" detected. Not uploading anything to the service.')
|
print('Nimbledroid key "faketoken" detected. Not uploading anything to the service.')
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
with open(apk_path) as apk_file:
|
with open(apk_path) as apk_file:
|
||||||
|
|
|
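Review bot: The sentinel in `if key.rstrip() == "faketoken":` has to stay identical to the `content: "faketoken"` value that the task configuration writes to `.nimbledroid_token`, and nothing in the code ties the two together. A comment above the check would make the coupling visible, e.g. `# Placeholder written via dummy-secrets in the task config; keep both values in sync`. If the two strings drift apart, this script would stop skipping and attempt an upload with the placeholder as the key. The script starts and ends outside this hunk.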
@ -25,11 +25,12 @@ job-defaults:
|
||||||
key: api_key
|
key: api_key
|
||||||
path: .nimbledroid_token
|
path: .nimbledroid_token
|
||||||
default: []
|
default: []
|
||||||
pre-commands:
|
dummy-secrets:
|
||||||
by-level:
|
by-level:
|
||||||
'3': []
|
'3': []
|
||||||
default:
|
default:
|
||||||
- [echo, '--', '>', .nimbledroid_token]
|
- content: "faketoken"
|
||||||
|
path: .nimbledroid_token
|
||||||
run-on-tasks-for: []
|
run-on-tasks-for: []
|
||||||
treeherder:
|
treeherder:
|
||||||
kind: test
|
kind: test
|
||||||
|
|
|
@ -19,6 +19,12 @@ secret_schema = {
|
||||||
Optional("json"): bool,
|
Optional("json"): bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
dummy_secret_schema = {
|
||||||
|
Required("content"): text_type,
|
||||||
|
Required("path"): text_type,
|
||||||
|
Optional("json"): bool,
|
||||||
|
}
|
||||||
|
|
||||||
gradlew_schema = Schema({
|
gradlew_schema = Schema({
|
||||||
Required("using"): "gradlew",
|
Required("using"): "gradlew",
|
||||||
Optional("pre-gradlew"): [[text_type]],
|
Optional("pre-gradlew"): [[text_type]],
|
||||||
|
@ -28,6 +34,7 @@ gradlew_schema = Schema({
|
||||||
Required("workdir"): text_type,
|
Required("workdir"): text_type,
|
||||||
Optional("use-caches"): bool,
|
Optional("use-caches"): bool,
|
||||||
Optional("secrets"): [secret_schema],
|
Optional("secrets"): [secret_schema],
|
||||||
|
Optional("dummy-secrets"): [dummy_secret_schema],
|
||||||
})
|
})
|
||||||
|
|
||||||
run_commands_schema = Schema({
|
run_commands_schema = Schema({
|
||||||
|
@ -37,6 +44,7 @@ run_commands_schema = Schema({
|
||||||
Required("workdir"): text_type,
|
Required("workdir"): text_type,
|
||||||
Optional("use-caches"): bool,
|
Optional("use-caches"): bool,
|
||||||
Optional("secrets"): [secret_schema],
|
Optional("secrets"): [secret_schema],
|
||||||
|
Optional("dummy-secrets"): [dummy_secret_schema],
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
||||||
|
@ -44,9 +52,13 @@ run_commands_schema = Schema({
|
||||||
def configure_run_commands_schema(config, job, taskdesc):
|
def configure_run_commands_schema(config, job, taskdesc):
|
||||||
run = job["run"]
|
run = job["run"]
|
||||||
pre_commands = run.pop("pre-commands", [])
|
pre_commands = run.pop("pre-commands", [])
|
||||||
|
pre_commands += [
|
||||||
|
_generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", [])
|
||||||
|
]
|
||||||
pre_commands += [
|
pre_commands += [
|
||||||
_generate_secret_command(secret) for secret in run.get("secrets", [])
|
_generate_secret_command(secret) for secret in run.get("secrets", [])
|
||||||
]
|
]
|
||||||
|
|
||||||
all_commands = pre_commands + run.pop("commands", [])
|
all_commands = pre_commands + run.pop("commands", [])
|
||||||
|
|
||||||
run["command"] = _convert_commands_to_string(all_commands)
|
run["command"] = _convert_commands_to_string(all_commands)
|
||||||
|
@ -72,6 +84,9 @@ def configure_gradlew(config, job, taskdesc):
|
||||||
|
|
||||||
def _extract_gradlew_command(run):
|
def _extract_gradlew_command(run):
|
||||||
pre_gradle_commands = run.pop("pre-gradlew", [])
|
pre_gradle_commands = run.pop("pre-gradlew", [])
|
||||||
|
pre_gradle_commands += [
|
||||||
|
_generate_dummy_secret_command(secret) for secret in run.pop("dummy-secrets", [])
|
||||||
|
]
|
||||||
pre_gradle_commands += [
|
pre_gradle_commands += [
|
||||||
_generate_secret_command(secret) for secret in run.get("secrets", [])
|
_generate_secret_command(secret) for secret in run.get("secrets", [])
|
||||||
]
|
]
|
||||||
|
@ -96,6 +111,18 @@ def _generate_secret_command(secret):
|
||||||
return secret_command
|
return secret_command
|
||||||
|
|
||||||
|
|
||||||
|
def _generate_dummy_secret_command(secret):
|
||||||
|
secret_command = [
|
||||||
|
"taskcluster/scripts/write-dummy-secret.py",
|
||||||
|
"-f", secret["path"],
|
||||||
|
"-c", secret["content"],
|
||||||
|
]
|
||||||
|
if secret.get("json"):
|
||||||
|
secret_command.append("--json")
|
||||||
|
|
||||||
|
return secret_command
|
||||||
|
|
||||||
|
|
||||||
def _convert_commands_to_string(commands):
|
def _convert_commands_to_string(commands):
|
||||||
should_artifact_reference = False
|
should_artifact_reference = False
|
||||||
should_task_reference = False
|
should_task_reference = False
|
||||||
|
|
|
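Review bot: `_generate_dummy_secret_command` puts `secret["path"]` and `secret["content"]` on the command line as bare list items, while `dummy_secret_schema` accepts any text for both. The body of `_convert_commands_to_string` is outside this view, but the removed `'"{}"'.format(fake_value)` in the shippable-secrets transform suggests arguments are not quoted when the string is built, so an empty value, or one with whitespace or shell metacharacters, would probably not reach `-c` intact. Either quote each argument where the command string is assembled or state the restriction beside the schema, e.g. `# path/content are passed unquoted on a command line: non-empty, no whitespace or shell metacharacters`. The helper also deserves a docstring saying the content ends up in the task definition and command line, so it is for placeholder values only and never for real secrets.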
@ -32,6 +32,7 @@ def add_variant_config(config, tasks):
|
||||||
def add_shippable_secrets(config, tasks):
|
def add_shippable_secrets(config, tasks):
|
||||||
for task in tasks:
|
for task in tasks:
|
||||||
secrets = task["run"].setdefault("secrets", [])
|
secrets = task["run"].setdefault("secrets", [])
|
||||||
|
dummy_secrets = task["run"].setdefault("dummy-secrets", [])
|
||||||
|
|
||||||
if task.pop("include-shippable-secrets", False) and config.params["level"] == "3":
|
if task.pop("include-shippable-secrets", False) and config.params["level"] == "3":
|
||||||
build_type = task["attributes"]["build-type"]
|
build_type = task["attributes"]["build-type"]
|
||||||
|
@ -50,15 +51,16 @@ def add_shippable_secrets(config, tasks):
|
||||||
('mls', '.mls_token'),
|
('mls', '.mls_token'),
|
||||||
)])
|
)])
|
||||||
else:
|
else:
|
||||||
task["run"]["pre-gradlew"] = [[
|
dummy_secrets.extend([{
|
||||||
"echo", '"{}"'.format(fake_value), ">", target_file
|
"content": fake_value,
|
||||||
] for fake_value, target_file in (
|
"path": target_file,
|
||||||
("--", ".adjust_token"),
|
} for fake_value, target_file in (
|
||||||
("", ".digital_asset_links_token"),
|
("faketoken", ".adjust_token"),
|
||||||
("-:-", ".leanplum_token"),
|
("faketoken", ".digital_asset_links_token"),
|
||||||
("", ".mls_token"),
|
("fake:token", ".leanplum_token"), # : is used by leanplum
|
||||||
|
("faketoken", ".mls_token"),
|
||||||
("https://fake@sentry.prod.mozaws.net/368", ".sentry_token"),
|
("https://fake@sentry.prod.mozaws.net/368", ".sentry_token"),
|
||||||
)]
|
)])
|
||||||
|
|
||||||
yield task
|
yield task
|
||||||
|
|
||||||
|
|
|
@ -18,7 +18,7 @@ transforms = TransformSequence()
|
||||||
@transforms.add
|
@transforms.add
|
||||||
def resolve_keys(config, tasks):
|
def resolve_keys(config, tasks):
|
||||||
for task in tasks:
|
for task in tasks:
|
||||||
for key in ("run.secrets", "run.pre-commands"):
|
for key in ("run.secrets", "run.dummy-secrets"):
|
||||||
resolve_keyed_by(
|
resolve_keyed_by(
|
||||||
task,
|
task,
|
||||||
key,
|
key,
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
|
||||||
|
from __future__ import absolute_import, print_function, unicode_literals
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
import errno
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
|
||||||
|
|
||||||
|
def write_secret_to_file(path, secret, key, json_secret=False):
|
||||||
|
path = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../' + path))
|
||||||
|
try:
|
||||||
|
os.makedirs(os.path.dirname(path))
|
||||||
|
except OSError as error:
|
||||||
|
if error.errno != errno.EEXIST:
|
||||||
|
raise
|
||||||
|
print("Outputting secret to: {}".format(path))
|
||||||
|
|
||||||
|
with open(path, 'w') as f:
|
||||||
|
if json_secret:
|
||||||
|
secret = json.dumps(secret)
|
||||||
|
f.write(secret)
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
parser = argparse.ArgumentParser(description="Store a dummy secret to a file")
|
||||||
|
|
||||||
|
parser.add_argument("-c", dest="content", action="store", help="content of the secret")
|
||||||
|
parser.add_argument("-f", dest="path", action="store", help="file to save secret to")
|
||||||
|
parser.add_argument("--json", dest="json", action="store_true", default=False, help="serializes the secret to JSON format")
|
||||||
|
|
||||||
|
result = parser.parse_args()
|
||||||
|
|
||||||
|
write_secret_to_file(result.path, result.content, result.json)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
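Review bot: `main()` calls `write_secret_to_file(result.path, result.content, result.json)` with three positional arguments, but the signature is `(path, secret, key, json_secret=False)`, so the `--json` flag lands in the unused `key` parameter and `json_secret` is always False; the content is never JSON-serialized. Drop the leftover parameter, `def write_secret_to_file(path, secret, json_secret=False):`, and pass the flag by keyword, `write_secret_to_file(result.path, result.content, json_secret=result.json)`. `-c` and `-f` are optional to argparse, so a missing `-f` reaches `'../../' + path` as None and fails with a TypeError; `required=True` on both gives a usable error instead. The destination built from `'../../' + path` is not checked to stay under the repository root, which is acceptable only as long as `path` always comes from in-tree task configuration.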