[toolchain-utils] Fix security issue.

Remove the chromeos-toolchain-credentials.json file, which should not be in a publicly visible repo. Update the buildbot_test_* scripts to take an argument for the directory containing the credentials file. Update the buildbot_utils.py file to use the credentials file argument, and to default to the location in our role account. BUG=782452 TEST=With some code commented out, did basic testing of flag/options to make sure they work as expected. Change-Id: I47a98a69b9ba8d2704d25abc37fe4447fa6ba343 Reviewed-on: https://chromium-review.googlesource.com/757901 Commit-Ready: Caroline Tice <cmtice@chromium.org> Tested-by: Caroline Tice <cmtice@chromium.org> Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
author: Caroline Tice <cmtice@google.com> 2017-11-07 16:37:33 -0800
committer: chrome-bot <chrome-bot@chromium.org> 2017-11-07 19:41:40 -0800
commit: 9c4003a995ec910718bed777efe9ecb893d71ef9 (patch)
tree: 2047722863f4187126402fd33e57f660b99c88c5 /cros_utils
parent: 51272fcb9ed2a31f998890c572bc353ab5cef519 (diff)
download: toolchain-utils-9c4003a995ec910718bed777efe9ecb893d71ef9.tar.gz
2 files changed, 26 insertions, 30 deletions
diff --git a/cros_utils/buildbot_utils.py b/cros_utils/buildbot_utils.py
index ae707eae..51841545 100644
--- a/cros_utils/buildbot_utils.py
+++ b/cros_utils/buildbot_utils.py
@@ -117,8 +117,12 @@ def GetBuildInfo(file_dir, waterfall_builder):
     builder = 'llvm_next_toolchain'
 
   sa_file = os.path.expanduser(
-      os.path.join(file_dir, 'cros_utils',
-                   'chromeos-toolchain-credentials.json'))
+      os.path.join(file_dir, 'chromeos-toolchain-credentials.json'))
+
+  if not os.path.exists(sa_file):
+    logger.GetLogger().LogFatal('ERROR:  Unable to find %s; please check '
+                                'your script arguments.' % sa_file)
+
   scopes = ['https://www.googleapis.com/auth/userinfo.email']
 
   credentials = ServiceAccountCredentials.from_json_keyfile_name(
@@ -195,13 +199,15 @@ def FindArchiveImage(chromeos_root, build, build_id):
   return trybot_image
 
 
-def GetTrybotImage(chromeos_root,
-                   buildbot_name,
-                   patch_list,
-                   build_tag,
-                   tryjob_flags=[],
-                   build_toolchain=False,
-                   async=False):
+def GetTrybotImage(
+    chromeos_root,
+    buildbot_name,
+    patch_list,
+    build_tag,
+    tryjob_flags=[],
+    build_toolchain=False,
+    credentials_dir='/usr/local/google/home/mobiletc-prebuild/sheriff_utils',
+    async=False):
   """Launch buildbot and get resulting trybot artifact name.
 
   This function launches a buildbot with the appropriate flags to
@@ -221,10 +227,13 @@ def GetTrybotImage(chromeos_root,
   build_tag is a (unique) string to be used to look up the buildbot results
   from among all the build records.
 
+  tryjob_flags See cros tryjob --help for available options.
+
   build_toolchain builds and uses the latest toolchain, rather than the
   prebuilt one in SDK.
 
-  tryjob_flags See cros tryjob --help for available options.
+  credentials_dir is the path to the chromeos-toolchain-credentials.json file,
+  which should be in the crostc repo.
   """
   ce = command_executer.GetCommandExecuter()
   base_dir = os.getcwd()
@@ -242,8 +251,7 @@ def GetTrybotImage(chromeos_root,
   build = buildbot_name
   description = build_tag
   command = ('cros tryjob --yes --nochromesdk --remote-description %s'
-             ' %s %s %s' %
-             (description, tryjob_flags, patch_arg, build))
+             ' %s %s %s' % (description, tryjob_flags, patch_arg, build))
   _, out, _ = ce.RunCommandWOutput(command)
   if 'Tryjob submitted!' not in out:
     logger.GetLogger().LogFatal('Error occurred while launching trybot job: '
@@ -269,7 +277,7 @@ def GetTrybotImage(chromeos_root,
   long_slept = False
   while not done:
     done = True
-    build_info = GetBuildInfo(base_dir, build)
+    build_info = GetBuildInfo(credentials_dir, build)
     if not build_info:
       if pending_time > TIME_OUT:
         logger.GetLogger().LogFatal(
@@ -320,8 +328,8 @@ def GetTrybotImage(chromeos_root,
                                      (pending_time / 60))
         pending_time += SLEEP_TIME
       else:
-        logger.GetLogger().LogOutput(
-            '{0} minutes passed.'.format(running_time / 60))
+        logger.GetLogger().LogOutput('{0} minutes passed.'.format(
+            running_time / 60))
         logger.GetLogger().LogOutput('Sleeping {0} seconds.'.format(SLEEP_TIME))
         running_time += SLEEP_TIME
 
@@ -402,6 +410,6 @@ def GetLatestImage(chromeos_root, path):
   candidates = [[int(r) for r in m.group(1, 2, 3, 4)] for m in candidates if m]
   candidates.sort(reverse=True)
   for c in candidates:
-      build = '%s/R%d-%d.%d.%d' % (path, c[0], c[1], c[2], c[3])
-      if DoesImageExist(chromeos_root, build):
-          return build
+    build = '%s/R%d-%d.%d.%d' % (path, c[0], c[1], c[2], c[3])
+    if DoesImageExist(chromeos_root, build):
+      return build
diff --git a/cros_utils/chromeos-toolchain-credentials.json b/cros_utils/chromeos-toolchain-credentials.json
deleted file mode 100644
index aed9a527..00000000
--- a/cros_utils/chromeos-toolchain-credentials.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-  "type": "service_account",
-  "project_id": "chromeos-toolchain-u",
-  "private_key_id": "d0efe593ad39aad4c685273ee80e4c24bb3f2e92",
-  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC5Rm6aqSjMNrRp\ntYNc++ec79L3QZ2MxLMYKyhlgGhppVt6p/wiSvLdI19nS5TAkKMjKv71rb9DbQlG\nfQVckiY+MlADJKi29lJrwqqNDCcRgB7CL6hgDfmhWMKonZn2MwvBVROD0gi7sY+A\nipIe92jVeqG8Gvp5kOgsBxCRV5YQok8j1FxE5fIsS2sg93VS1YAzH8uPYadWb/Z5\n9uwc8U7SL0mEPjXjsLEm8Y70zovGVjv7kOLqYBMUmROLvSouG/HrZWy9uTgxFOb5\njOhxKhDcDMPVM3g8lfc0EwPUB1NxXztoST9qBJVqdzQmHpPjeDxgru0A+zaQMkWA\ne8Sn5EQrAgMBAAECggEAUnhbe1SY6G3hWLyHQLiQnHbUPWNjselMnxF25deGoqAM\nXEiyHsGl4XGBYgVurVi0hU76NnmkjWrXmhzEajRT+ZODsiJ7RxXWEkmQiUBDk7Kn\n/mAgXsFZwMw1ucCNa93E+cXY7fBsGsAq1FjaOhZ+/6eanpSTsdEix5ZNdaS7E6Op\n9zIba9EjLIvSl435+eWq0C3aU9nd1RbbRwD6vGpgG8L/r957s+AAALTqdSZGWxJX\nEC9OKT07e76qvwAsq2BoBx5vW0xmeQdZgKrA10LLDWa7UjFbwSDJIBESYtd4rYMj\nAqg5eND0bC1RrgzI+RD/10l6Vj8bBFo/403s0P5LYQKBgQDiVGVFkrw5LSy82CGC\nvSraxPriivEweMfpkp6buMbD2Je0RMR4glc1vW5m0QUJmy+ymiIHVMCmE9xNBwbS\nRyCBnrs2+3FtdnruNdcaGh6sbTlY+qJI0rEZUdbb5OhlHZF47KW66hI6sWJ1YF8O\niLQTokW8ejybprCtl1HvEHhEbwKBgQDRkD/acZrvmcnqqmorqW6mgJEkrRF/i5Th\npDo3WegXA4irX0tNqh5w+wms8r41vUZSCZYvyi0Of9LMObVdB/gA/qVzETE0p5he\ns3Skp/VK8nF53pAUd+4dKlnCvD3TOEkIq+kxuEOs2iHJcvSjmKtMgqfMK/UtieB4\n7+MaOcbyBQKBgHOUndMVyEF6rGoUBaj6abQm++hNBDa4t360fYMQrZC+P1qz85GH\nHno3LvYar/Pj6EvRIqeTxH4LjmlXuUgRQqxvHzRI2/gGlWio3hxaUmfDr5GdDNsb\nnY1MmejZ0UQyAWQ7lbcKahzHEXzXpjOJ5ExShkJmOiVSzs8Xg6QOSRzJAoGAemYs\nRWQxQFysqJlcZaASdsGFBMzo+XwHOzt2nTmv6zEvNBj2nKgOG6MkZZVqL20bk3Lx\n+3u0kVFrR8k0+t9apQoWjHywJrb0setS55EKHfo4+RtbP/lEZFiGEM1ttt6bGat/\nCoE7VcwaC9VOufbDpm5xnzjVfQGY0EocdQbmAhkCgYB/isdqeDyafawr+38fcU1r\nX2+cK5JCrEzHIwg2QN3Z56cRrqrb+kK1H3w/F7ZfrlPSmS8XMwZV73QwieoGNIYL\nie9UZqRoZSG73FzIw5mXhWWA1adFz8HpGG5wRNshnPI2liOPwhnblfadJUfXb2br\n021vPgpsxamLjHSDSmSf6Q==\n-----END PRIVATE KEY-----\n",
-  "client_email": "mobiletc-prebuild-2@chromeos-toolchain-u.iam.gserviceaccount.com",
-  "client_id": "114495086044042319417",
-  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
-  "token_uri": "https://accounts.google.com/o/oauth2/token",
-  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
-  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/mobiletc-prebuild-2%40chromeos-toolchain-u.iam.gserviceaccount.com"
-}
author	Caroline Tice <cmtice@google.com>	2017-11-07 16:37:33 -0800
committer	chrome-bot <chrome-bot@chromium.org>	2017-11-07 19:41:40 -0800
commit	9c4003a995ec910718bed777efe9ecb893d71ef9 (patch)
tree	2047722863f4187126402fd33e57f660b99c88c5 /cros_utils
parent	51272fcb9ed2a31f998890c572bc353ab5cef519 (diff)
download	toolchain-utils-9c4003a995ec910718bed777efe9ecb893d71ef9.tar.gz