diff options
author | Caroline Tice <cmtice@google.com> | 2017-11-07 16:37:33 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2017-11-07 19:41:40 -0800 |
commit | 9c4003a995ec910718bed777efe9ecb893d71ef9 (patch) | |
tree | 2047722863f4187126402fd33e57f660b99c88c5 /cros_utils | |
parent | 51272fcb9ed2a31f998890c572bc353ab5cef519 (diff) | |
download | toolchain-utils-9c4003a995ec910718bed777efe9ecb893d71ef9.tar.gz |
[toolchain-utils] Fix security issue.
Remove the chromeos-toolchain-credentials.json file, which should
not be in a publicly visible repo. Update the buildbot_test_*
scripts to take an argument for the directory containing the
credentials file. Update the buildbot_utils.py file to use the
credentials file argument, and to default to the location in our
role account.
BUG=782452
TEST=With some code commented out, did basic testing of flag/options
to make sure they work as expected.
Change-Id: I47a98a69b9ba8d2704d25abc37fe4447fa6ba343
Reviewed-on: https://chromium-review.googlesource.com/757901
Commit-Ready: Caroline Tice <cmtice@chromium.org>
Tested-by: Caroline Tice <cmtice@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Diffstat (limited to 'cros_utils')
-rw-r--r-- | cros_utils/buildbot_utils.py | 44 | ||||
-rw-r--r-- | cros_utils/chromeos-toolchain-credentials.json | 12 |
2 files changed, 26 insertions, 30 deletions
diff --git a/cros_utils/buildbot_utils.py b/cros_utils/buildbot_utils.py index ae707eae..51841545 100644 --- a/cros_utils/buildbot_utils.py +++ b/cros_utils/buildbot_utils.py @@ -117,8 +117,12 @@ def GetBuildInfo(file_dir, waterfall_builder): builder = 'llvm_next_toolchain' sa_file = os.path.expanduser( - os.path.join(file_dir, 'cros_utils', - 'chromeos-toolchain-credentials.json')) + os.path.join(file_dir, 'chromeos-toolchain-credentials.json')) + + if not os.path.exists(sa_file): + logger.GetLogger().LogFatal('ERROR: Unable to find %s; please check ' + 'your script arguments.' % sa_file) + scopes = ['https://www.googleapis.com/auth/userinfo.email'] credentials = ServiceAccountCredentials.from_json_keyfile_name( @@ -195,13 +199,15 @@ def FindArchiveImage(chromeos_root, build, build_id): return trybot_image -def GetTrybotImage(chromeos_root, - buildbot_name, - patch_list, - build_tag, - tryjob_flags=[], - build_toolchain=False, - async=False): +def GetTrybotImage( + chromeos_root, + buildbot_name, + patch_list, + build_tag, + tryjob_flags=[], + build_toolchain=False, + credentials_dir='/usr/local/google/home/mobiletc-prebuild/sheriff_utils', + async=False): """Launch buildbot and get resulting trybot artifact name. This function launches a buildbot with the appropriate flags to @@ -221,10 +227,13 @@ def GetTrybotImage(chromeos_root, build_tag is a (unique) string to be used to look up the buildbot results from among all the build records. + tryjob_flags See cros tryjob --help for available options. + build_toolchain builds and uses the latest toolchain, rather than the prebuilt one in SDK. - tryjob_flags See cros tryjob --help for available options. + credentials_dir is the path to the chromeos-toolchain-credentials.json file, + which should be in the crostc repo. """ ce = command_executer.GetCommandExecuter() base_dir = os.getcwd() @@ -242,8 +251,7 @@ def GetTrybotImage(chromeos_root, build = buildbot_name description = build_tag command = ('cros tryjob --yes --nochromesdk --remote-description %s' - ' %s %s %s' % - (description, tryjob_flags, patch_arg, build)) + ' %s %s %s' % (description, tryjob_flags, patch_arg, build)) _, out, _ = ce.RunCommandWOutput(command) if 'Tryjob submitted!' not in out: logger.GetLogger().LogFatal('Error occurred while launching trybot job: ' @@ -269,7 +277,7 @@ def GetTrybotImage(chromeos_root, long_slept = False while not done: done = True - build_info = GetBuildInfo(base_dir, build) + build_info = GetBuildInfo(credentials_dir, build) if not build_info: if pending_time > TIME_OUT: logger.GetLogger().LogFatal( @@ -320,8 +328,8 @@ def GetTrybotImage(chromeos_root, (pending_time / 60)) pending_time += SLEEP_TIME else: - logger.GetLogger().LogOutput( - '{0} minutes passed.'.format(running_time / 60)) + logger.GetLogger().LogOutput('{0} minutes passed.'.format( + running_time / 60)) logger.GetLogger().LogOutput('Sleeping {0} seconds.'.format(SLEEP_TIME)) running_time += SLEEP_TIME @@ -402,6 +410,6 @@ def GetLatestImage(chromeos_root, path): candidates = [[int(r) for r in m.group(1, 2, 3, 4)] for m in candidates if m] candidates.sort(reverse=True) for c in candidates: - build = '%s/R%d-%d.%d.%d' % (path, c[0], c[1], c[2], c[3]) - if DoesImageExist(chromeos_root, build): - return build + build = '%s/R%d-%d.%d.%d' % (path, c[0], c[1], c[2], c[3]) + if DoesImageExist(chromeos_root, build): + return build diff --git a/cros_utils/chromeos-toolchain-credentials.json b/cros_utils/chromeos-toolchain-credentials.json deleted file mode 100644 index aed9a527..00000000 --- a/cros_utils/chromeos-toolchain-credentials.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "type": "service_account", - "project_id": "chromeos-toolchain-u", - "private_key_id": "d0efe593ad39aad4c685273ee80e4c24bb3f2e92", - "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5Rm6aqSjMNrRp\ntYNc++ec79L3QZ2MxLMYKyhlgGhppVt6p/wiSvLdI19nS5TAkKMjKv71rb9DbQlG\nfQVckiY+MlADJKi29lJrwqqNDCcRgB7CL6hgDfmhWMKonZn2MwvBVROD0gi7sY+A\nipIe92jVeqG8Gvp5kOgsBxCRV5YQok8j1FxE5fIsS2sg93VS1YAzH8uPYadWb/Z5\n9uwc8U7SL0mEPjXjsLEm8Y70zovGVjv7kOLqYBMUmROLvSouG/HrZWy9uTgxFOb5\njOhxKhDcDMPVM3g8lfc0EwPUB1NxXztoST9qBJVqdzQmHpPjeDxgru0A+zaQMkWA\ne8Sn5EQrAgMBAAECggEAUnhbe1SY6G3hWLyHQLiQnHbUPWNjselMnxF25deGoqAM\nXEiyHsGl4XGBYgVurVi0hU76NnmkjWrXmhzEajRT+ZODsiJ7RxXWEkmQiUBDk7Kn\n/mAgXsFZwMw1ucCNa93E+cXY7fBsGsAq1FjaOhZ+/6eanpSTsdEix5ZNdaS7E6Op\n9zIba9EjLIvSl435+eWq0C3aU9nd1RbbRwD6vGpgG8L/r957s+AAALTqdSZGWxJX\nEC9OKT07e76qvwAsq2BoBx5vW0xmeQdZgKrA10LLDWa7UjFbwSDJIBESYtd4rYMj\nAqg5eND0bC1RrgzI+RD/10l6Vj8bBFo/403s0P5LYQKBgQDiVGVFkrw5LSy82CGC\nvSraxPriivEweMfpkp6buMbD2Je0RMR4glc1vW5m0QUJmy+ymiIHVMCmE9xNBwbS\nRyCBnrs2+3FtdnruNdcaGh6sbTlY+qJI0rEZUdbb5OhlHZF47KW66hI6sWJ1YF8O\niLQTokW8ejybprCtl1HvEHhEbwKBgQDRkD/acZrvmcnqqmorqW6mgJEkrRF/i5Th\npDo3WegXA4irX0tNqh5w+wms8r41vUZSCZYvyi0Of9LMObVdB/gA/qVzETE0p5he\ns3Skp/VK8nF53pAUd+4dKlnCvD3TOEkIq+kxuEOs2iHJcvSjmKtMgqfMK/UtieB4\n7+MaOcbyBQKBgHOUndMVyEF6rGoUBaj6abQm++hNBDa4t360fYMQrZC+P1qz85GH\nHno3LvYar/Pj6EvRIqeTxH4LjmlXuUgRQqxvHzRI2/gGlWio3hxaUmfDr5GdDNsb\nnY1MmejZ0UQyAWQ7lbcKahzHEXzXpjOJ5ExShkJmOiVSzs8Xg6QOSRzJAoGAemYs\nRWQxQFysqJlcZaASdsGFBMzo+XwHOzt2nTmv6zEvNBj2nKgOG6MkZZVqL20bk3Lx\n+3u0kVFrR8k0+t9apQoWjHywJrb0setS55EKHfo4+RtbP/lEZFiGEM1ttt6bGat/\nCoE7VcwaC9VOufbDpm5xnzjVfQGY0EocdQbmAhkCgYB/isdqeDyafawr+38fcU1r\nX2+cK5JCrEzHIwg2QN3Z56cRrqrb+kK1H3w/F7ZfrlPSmS8XMwZV73QwieoGNIYL\nie9UZqRoZSG73FzIw5mXhWWA1adFz8HpGG5wRNshnPI2liOPwhnblfadJUfXb2br\n021vPgpsxamLjHSDSmSf6Q==\n-----END PRIVATE KEY-----\n", - "client_email": "mobiletc-prebuild-2@chromeos-toolchain-u.iam.gserviceaccount.com", - "client_id": "114495086044042319417", - "auth_uri": "https://accounts.google.com/o/oauth2/auth", - "token_uri": "https://accounts.google.com/o/oauth2/token", - "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", - "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/mobiletc-prebuild-2%40chromeos-toolchain-u.iam.gserviceaccount.com" -} |