This repository has been archived by the owner on Oct 19, 2023. It is now read-only.

Bug 1406354 - sha pinning (#214)
* Bug 1504971 - Set-ChainOfTrustKeyAndShutdown
* Bug 1504971 - Wait-GenericWorkerStart
* Bug 1504971 - Initialize-NativeImageCache
* Bug 1504971 - Mozilla Public License
* Bug 1504971 - move functions to module
* Bug 1406354 - use pinned revision
* Bug 1406354 - create registry path
* Bug 1406354 - handle missing SchUseStrongCrypto reg key
* Bug 1406354 - correction to manifest replacement syntax
* Bug 1406354 - correction to manifest replacement syntax
* Bug 1406354 - correction to registry read
* Bug 1406354 - prevent ec2config drive letter change
* Bug 1406354 - prevent ec2config drive letter change
* Bug 1406354 - prevent ec2config drive letter change
* Bug 1406354 - modify ec2config settings before reboot
* Bug 1406354 - let ec2config assign drive letters
* Bug 1459660 - rename earlier
* debugging: log drive mapping attempt count
* debugging: corrections to setting of Ec2HandleUserData
to prevent running more than one occ process at the same time (one run by userdata, another by the scheduled task)
- enable when running on an ami creation instance (-not ) and when rebooting before the RunDesiredStateConfigurationAtStartup scheduled task has been created
- disable when the task has been created
* debugging: restructure drive map reattempt logic
* debugging: loop until manual debug completes
* debugging: restructure drive map reattempt logic
for no reason i can fathom 'Test-Path -Path Z:\' is returning false when the path exists
* debugging: restructure drive map reattempt logic
* debugging: remove references to unused log file
* debugging: take ownership of ec2config settings
* debugging: handle missing Get-ScheduledTask on win 7
* debugging: handle missing Get-Volume on win 7
* debugging: ensure that an up to date nxlog configuration is used as early as possible
* remove another failing 'Test-Path' call
* path correction
* remove more failing 'Test-Path' calls
* debugging: resolve missing dsc module
deploy: beta
* debugging: quote path with spaces
deploy: beta
* debugging: use approved verbs for all bootstrap functions
* debugging: temporarily disable restart/shutdown
* debugging: revert disable restart/shutdown
* debugging: correction to std out/err file read
deploy: beta
grenade committed Nov 25, 2018
1 parent 02f8fe1 commit 9d74a89
Showing 8 changed files with 2,008 additions and 1,730 deletions.
6 changes: 6 additions & 0 deletions userdata/HaltOnIdle.ps1
@@ -1,3 +1,9 @@
<#
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
#>

function Write-Log {
param (
[string] $message,
6 changes: 6 additions & 0 deletions userdata/MaintainSystem.ps1
@@ -1,3 +1,9 @@
<#
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
#>

function Write-Log {
param (
[string] $message,
6 changes: 6 additions & 0 deletions userdata/OCC-Archive.psm1
@@ -1,3 +1,9 @@
<#
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
#>

Add-Type -As System.IO.Compression.FileSystem

function New-ZipFile {
1,894 changes: 1,894 additions & 0 deletions userdata/OCC-Bootstrap.psm1

Large diffs are not rendered by default.

6 changes: 6 additions & 0 deletions userdata/OCC-User.psm1
@@ -1,3 +1,9 @@
<#
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
#>

<#
.SYNOPSIS
Set a known folder path using SHSetKnownFolderPath.
6 changes: 6 additions & 0 deletions userdata/hw-startup-check.ps1
@@ -1,3 +1,9 @@
<#
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
#>

# This script is called by a schedule task that is implemented during the initial deployment

[string[]] $flags = @(
1,783 changes: 67 additions & 1,716 deletions userdata/rundsc.ps1

Large diffs are not rendered by default.

31 changes: 17 additions & 14 deletions userdata/xDynamicConfig.ps1
Expand Up @@ -6,8 +6,11 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/.

Configuration xDynamicConfig {
Import-DscResource -ModuleName PSDesiredStateConfiguration,xPSDesiredStateConfiguration,xWindowsUpdate
# sourceRepo is in place to toggle between production and testing environments
$sourceRepo = 'mozilla-releng'

$sourceOrg = $(if ((Test-Path -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -ErrorAction SilentlyContinue) -and (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Organisation' -ErrorAction SilentlyContinue)) { (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Organisation').Organisation } else { 'mozilla-releng' })
$sourceRepo = $(if ((Test-Path -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -ErrorAction SilentlyContinue) -and (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Repository' -ErrorAction SilentlyContinue)) { (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Repository').Repository } else { 'OpenCloudConfig' })
$sourceRev = $(if ((Test-Path -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -ErrorAction SilentlyContinue) -and (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Revision' -ErrorAction SilentlyContinue)) { (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source' -Name 'Revision').Revision } else { 'master' })

if ((Get-Service 'Ec2Config' -ErrorAction SilentlyContinue) -or (Get-Service 'AmazonSSMAgent' -ErrorAction SilentlyContinue)) {
$locationType = 'AWS'
} else {
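Review bot: The fallback for `$sourceRev` is still `'master'`, so on any host where `HKLM:\SOFTWARE\Mozilla\OpenCloudConfig\Source` or its `Revision` value is absent the configuration silently tracks a mutable branch instead of a pinned sha. Consider failing, or at least logging, when no revision is set, and checking that the value read is a full 40-character hex commit id before it is formatted into URLs. The three assignments also repeat the same `Test-Path` / `Get-ItemProperty` probe; a small helper taking the value name and its default would make them readable and keep the lookups consistent. The old comment about toggling between production and testing environments appears to be dropped here without a replacement documenting the three registry values.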
Expand Down Expand Up @@ -56,21 +59,21 @@ Configuration xDynamicConfig {
} else{
$gpg = ('{0}\GNU\GnuPG\pub\gpg.exe' -f $env:ProgramFiles)
}
$files = Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mozilla-releng/OpenCloudConfig/master/userdata/Manifest/releng-secrets.json' -UseBasicParsing | ConvertFrom-Json
$files = Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/releng-secrets.json' -f $using:sourceOrg, $using:sourceRepo, $using:sourceRev) -UseBasicParsing | ConvertFrom-Json
foreach ($file in $files) {
(New-Object Net.WebClient).DownloadFile(('https://s3.amazonaws.com/windows-opencloudconfig-packages/FirefoxBuildResources/{0}.gpg?raw=true' -f $file), ('{0}\builds\{1}.gpg' -f $env:SystemDrive, $file))
Start-Process $gpg -ArgumentList @('-d', ('{0}\builds\{1}.gpg' -f $env:SystemDrive, $file)) -Wait -NoNewWindow -PassThru -RedirectStandardOutput ('{0}\builds\{1}' -f $env:SystemDrive, $file) -RedirectStandardError ('{0}\log\{1}.gpg-decrypt-{2}.stderr.log' -f $env:SystemDrive, [DateTime]::Now.ToString("yyyyMMddHHmmss"), $file)
Remove-Item -Path ('{0}\builds\{1}.gpg' -f $env:SystemDrive, $file) -Force
}
}
TestScript = { if ((Test-Path -Path ('{0}\builds\*.tok' -f $env:SystemDrive) -ErrorAction SilentlyContinue) -and (-not (Compare-Object -ReferenceObject (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mozilla-releng/OpenCloudConfig/master/userdata/Manifest/releng-secrets.json' -UseBasicParsing | ConvertFrom-Json) -DifferenceObject (Get-ChildItem -Path ('{0}\builds' -f $env:SystemDrive) | Where-Object { !$_.PSIsContainer } | % { $_.Name })))) { $true } else { $false } }
TestScript = { if ((Test-Path -Path ('{0}\builds\*.tok' -f $env:SystemDrive) -ErrorAction SilentlyContinue) -and (-not (Compare-Object -ReferenceObject (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/releng-secrets.json' -f $using:sourceOrg, $using:sourceRepo, $using:sourceRev) -UseBasicParsing | ConvertFrom-Json) -DifferenceObject (Get-ChildItem -Path ('{0}\builds' -f $env:SystemDrive) | Where-Object { !$_.PSIsContainer } | % { $_.Name })))) { $true } else { $false } }
}
}

$supportingModules = @(
'https://raw.githubusercontent.com/mozilla-releng/OpenCloudConfig/master/userdata/OCC-User.psm1',
'https://raw.githubusercontent.com/mozilla-releng/OpenCloudConfig/master/userdata/OCC-Validate.psm1',
'https://raw.githubusercontent.com/mozilla-releng/OpenCloudConfig/master/userdata/OCC-Archive.psm1'
('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/OCC-User.psm1' -f $sourceOrg, $sourceRepo, $sourceRev),
('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/OCC-Validate.psm1' -f $sourceOrg, $sourceRepo, $sourceRev),
('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/OCC-Archive.psm1' -f $sourceOrg, $sourceRepo, $sourceRev)
)
Script InstallSupportingModules {
GetScript = "@{ Script = InstallSupportingModules }"
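Review bot: In the SetScript loop, each `$file` name read from `releng-secrets.json` is formatted straight into the download URL and into local paths such as `'{0}\builds\{1}.gpg'`, and that manifest now comes from whichever org, repository and revision the registry names. Validate each entry as a bare file name (no path separators or `..`) before using it. Separately, the `$supportingModules` URLs are pinned only as firmly as `$sourceRev` is: if it resolves to a branch name the modules remain mutable, so a hash check on the downloaded `.psm1` files would be worth adding. The TestScript line also calls `Invoke-WebRequest` inline with no handling for a failed request.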
Expand All @@ -93,7 +96,7 @@ Configuration xDynamicConfig {
TestScript = { return $false }
}

if ($locationType -eq 'AWS') {
if ($locationType -eq 'AWS') {
$instancekey = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/meta-data/public-keys' -UseBasicParsing).Content
if ($instancekey.StartsWith('0=mozilla-taskcluster-worker-')) {
# ami creation instance
Expand All @@ -103,25 +106,25 @@ Configuration xDynamicConfig {
$workerType = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/user-data' -UseBasicParsing | ConvertFrom-Json).workerType
}
if ($workerType) {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/{1}.json?{2}' -f $sourceRepo, $workerType, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/{3}.json?{4}' -f $sourceOrg, $sourceRepo, $sourceRev, $workerType, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
}
} else {
switch -wildcard ((Get-WmiObject -class Win32_OperatingSystem).Caption) {
'Microsoft Windows 7*' {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/gecko-t-win7-32-hw.json?{1}' -f $sourceRepo, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/gecko-t-win7-32-hw.json?{3}' -f $sourceOrg, $sourceRepo, $sourceRev, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
}
'Microsoft Windows 10*' {
if (Test-Path -Path 'C:\dsc\GW10UX.semaphore' -ErrorAction SilentlyContinue) {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/gecko-t-win10-64-ux.json?{1}' -f $sourceRepo, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/gecko-t-win10-64-ux.json?{3}' -f $sourceOrg, $sourceRepo, $sourceRev, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
} else {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/gecko-t-win10-64-hw.json?{1}' -f $sourceRepo, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/gecko-t-win10-64-hw.json?{3}' -f $sourceOrg, $sourceRepo, $sourceRev, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
}
}
'Microsoft Windows Server 2012*' {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/gecko-1-b-win2012.json?{1}' -f $sourceRepo, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/gecko-1-b-win2012.json?{3}' -f $sourceOrg, $sourceRepo, $sourceRev, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
}
'Microsoft Windows Server 2016*' {
$manifest = (Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/OpenCloudConfig/master/userdata/Manifest/gecko-1-b-win2016.json?{1}' -f $sourceRepo, [Guid]::NewGuid()) -UseBasicParsing | ConvertFrom-Json)
$manifest = ((Invoke-WebRequest -Uri ('https://raw.githubusercontent.com/{0}/{1}/{2}/userdata/Manifest/gecko-1-b-win2016.json?{3}' -f $sourceOrg, $sourceRepo, $sourceRev, [Guid]::NewGuid()) -UseBasicParsing).Content.Replace('mozilla-releng/OpenCloudConfig/master', ('{0}/{1}/{2}' -f $sourceOrg, $sourceRepo, $sourceRev)) | ConvertFrom-Json)
}
default {
$manifest = ('{"Items":[{"ComponentType":"DirectoryCreate","Path":"$env:SystemDrive\\log"}]}' | ConvertFrom-Json)
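Review bot: The `.Content.Replace('mozilla-releng/OpenCloudConfig/master', ...)` rewrite only pins manifest URLs spelled exactly that way; any entry pointing at another branch, another repository or a different host passes through untouched. It also runs on the raw text before `ConvertFrom-Json`, so it rewrites every occurrence of the string, not just the fields that hold URLs. Consider rewriting after parsing, on those fields only, and rejecting entries that still reference an unpinned ref. The same fetch-and-replace expression is now repeated six times with only the manifest name varying; a single helper taking the manifest name would remove the duplication and the risk of the copies drifting apart.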