DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (93bdbca5399c)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79
#!/usr/bin/env python
# ***** BEGIN LICENSE BLOCK *****
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this file,
# You can obtain one at http://mozilla.org/MPL/2.0/.
# ***** END LICENSE BLOCK *****
"""Support for fetching secrets from the secrets API
"""

import os
from six.moves import urllib
import json


class SecretsMixin(object):

    def _fetch_secret(self, secret_name):
        self.info("fetching secret {} from API".format(secret_name))
        # fetch from http://taskcluster, which points to the taskcluster proxy
        # within a taskcluster task.  Outside of that environment, do not
        # use this action.
        url = "http://taskcluster/secrets/v1/secret/" + secret_name
        res = urllib.request.urlopen(url)
        if res.getcode() != 200:
            self.fatal("Error fetching from secrets API:" + res.read())

        return json.load(res)['secret']['content']

    def get_secrets(self):
        """
        Get the secrets specified by the `secret_files` configuration.  This is
        a list of dictionaries, one for each secret.  The `secret_name` key
        names the key in the TaskCluster secrets API to fetch (see
        http://docs.taskcluster.net/services/secrets/).  It can contain
        %-substitutions based on the `subst` dictionary below.

        Since secrets must be JSON objects, the `content` property of the
        secret is used as the value to be written to disk.

        The `filename` key in the dictionary gives the filename to which the
        secret should be written.

        The optional `min_scm_level` key gives a minimum SCM level at which
        this secret is required.  For lower levels, the value of the 'default`
        key or the contents of the file specified by `default-file` is used, or
        no secret is written.

        The optional 'mode' key allows a mode change (chmod) after the file is written
        """
        dirs = self.query_abs_dirs()
        secret_files = self.config.get('secret_files', [])

        scm_level = int(os.environ.get('MOZ_SCM_LEVEL', '1'))
        subst = {
            'scm-level': scm_level,
        }

        for sf in secret_files:
            filename = os.path.abspath(sf['filename'])
            secret_name = sf['secret_name'] % subst
            min_scm_level = sf.get('min_scm_level', 0)
            if scm_level < min_scm_level:
                if 'default' in sf:
                    self.info("Using default value for " + filename)
                    secret = sf['default']
                elif 'default-file' in sf:
                    default_path = sf['default-file'].format(**dirs)
                    with open(default_path, 'r') as f:
                        secret = f.read()
                else:
                    self.info("No default for secret; not writing " + filename)
                    continue
            else:
                secret = self._fetch_secret(secret_name)

            open(filename, "w").write(secret)

            if sf.get('mode'):
                os.chmod(filename, sf['mode'])