allow for beetmover and balrog restricted scopes.

When adding the beetmover and balrog restricted scopes, I noticed that we redefine the nightly and release trees several times. To avoid this, I split this into two dicts: a scope-to-level dict, and a level-to-trees dict. I also am indexing by `cot_product`, because these tree lists may likely be different for addons or servo or whatnot.
escapewindow · Dec 7, 2016 · 914e5c7 · 914e5c7
1 parent 6929330
commit 914e5c7
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 9 deletions.
diff --git a/scriptworker/constants.py b/scriptworker/constants.py
@@ -59,6 +59,7 @@
     "verify_chain_of_trust": False,  # TODO True
     "verify_cot_signature": False,
     "cot_job_type": "unknown",  # e.g., signing
+    "cot_product": "firefox",
 
     # Specify a default gpg home other than ~/.gnupg
     "gpg_home": None,
@@ -212,14 +213,25 @@
         ],
     }, ),
 
-    # Scopes, restricted by task type and repo
+    # Map scopes to restricted-level
     'cot_restricted_scopes': frozendict({
-        'signing': {
-            # Which repos can do release signing?
+        'firefox': {
+            'project:releng:beetmover:release': 'release',
+            'project:releng:balrog:release': 'release',
+            'project:releng:signing:cert:release-signing': 'release',
+            'project:releng:balrog:nightly': 'nightly',
+            'project:releng:beetmover:nightly': 'nightly',
+            'project:releng:signing:cert:nightly-signing': 'nightly',
+        }
+    }),
+    # Map restricted-level to trees
+    'cot_restricted_trees': frozendict({
+        'firefox': {
+            # Which repos can perform release actions?
             # Allow aurora for staging betas.
             # XXX remove /projects/jamun when we no longer release firefox
             #     from it
-            'project:releng:signing:cert:release-signing': (
+            'release': (
                 "/releases/mozilla-aurora",
                 "/releases/mozilla-beta",
                 "/releases/mozilla-release",
@@ -232,7 +244,7 @@
             #     tier1 and landed on mozilla-central
             # XXX remove /projects/jamun when we no longer release firefox
             #     from it
-            'project:releng:signing:cert:nightly-signing': (
+            'nightly': (
                 "/mozilla-central",
                 "/releases/mozilla-unified",
                 "/releases/mozilla-aurora",
@@ -244,7 +256,6 @@
                 "/projects/date",
             ),
         },
-        # TODO other scriptworker instance types
     }),
 })
 

diff --git a/scriptworker/cot/verify.py b/scriptworker/cot/verify.py
@@ -1122,7 +1122,15 @@ async def trace_back_to_firefox_tree(chain):
     errors = []
     repos = {}
     restricted_privs = None
-    scope_rules = chain.context.config['cot_restricted_scopes'][chain.name]
+    rules = {}
+    cot_product = chain.context.config['cot_product']
+    for my_key, config_key in {
+        'scopes': 'cot_restricted_scopes',
+        'trees': 'cot_restricted_trees'
+    }.items():
+        rules[my_key] = chain.context.config[config_key].get(cot_product)
+        if not isinstance(rules[my_key], (dict, frozendict)):
+            raise_on_errors(["{} invalid for {}: {}!".format(config_key, cot_product, rules[my_key])])
 
     def callback(match):
         path_info = match.groupdict()
@@ -1137,10 +1145,11 @@ def callback(match):
     # check for restricted scopes.
     my_repo = repos[chain]
     for scope in chain.task['scopes']:
-        if scope in scope_rules:
+        if scope in rules['scopes']:
             log.info("Found privileged scope {}".format(scope))
             restricted_privs = True
-            if my_repo not in scope_rules[scope]:
+            level = rules['scopes'][scope]
+            if my_repo not in rules['trees'][level]:
                 errors.append("{} {}: repo {} not allowlisted for scope {}!".format(
                     chain.name, chain.task_id, my_repo, scope
                 ))

diff --git a/scriptworker/test/test_cot_verify.py b/scriptworker/test/test_cot_verify.py
@@ -942,6 +942,13 @@ async def test_trace_back_to_firefox_tree_bad_repo(chain):
         await cotverify.trace_back_to_firefox_tree(chain)
 
 
+@pytest.mark.asyncio
+async def test_trace_back_to_firefox_tree_bad_cot_product(chain):
+    chain.context.config['cot_product'] = 'invalid-product!!!111'
+    with pytest.raises(CoTError):
+        await cotverify.trace_back_to_firefox_tree(chain)
+
+
 @pytest.mark.asyncio
 async def test_trace_back_to_firefox_tree_unknown_repo(chain, decision_link,
                                                        build_link, docker_image_link):