Closed
Bug 1098467
Opened 10 years ago
Closed 10 years ago
gecko: Add utilities for validating tasks for security|sanity for emulators/phone
Categories
(Taskcluster :: General, defect, P1)
Taskcluster
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jlal, Assigned: wcosta)
References
Details
Attachments
(1 file, 1 obsolete file)
For all phone (and potentially emulator) builds we should begin the task by pulling down the task definition (via TASK_ID / RUN_ID) and ensuring that the task is not doing various "bad" things. This only works when we correctly scope docker images and are using a private registry (otherwise you could just override the image).

Current list of "bad" things are:
- uploading to public/
- fetching unknown repositories (we should only fetch mozilla hosted repos for these builds)
Reporter
Comment 1•10 years ago
This should probably be some Python script which just fetches from the queue via a hard-coded URL (we don't need the full client here) and performs domain-specific validation.
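The two checks listed in the description, written as an added example that is not part of this bug thread or the patch that landed. It validates a task definition that has already been fetched; the allow-listed host, the artifact-name mapping and the rule that repository URLs live in env keys ending in REPOSITORY are assumptions, and the sample tasks are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hosts treated as "mozilla hosted"; extend to match real policy.
ALLOWED_REPO_HOSTS = {"hg.mozilla.org"}

def repo_is_allowed(url):
    """Accept only https URLs whose parsed host is exactly allow-listed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    # Compare the parsed host, never a prefix or substring of the URL, so
    # "hg.mozilla.org.evil.example" and "hg.mozilla.org@evil.example" fail.
    return parts.scheme == "https" and host in ALLOWED_REPO_HOSTS

def validate_task(task):
    """Return a list of violations; an empty list means the task passes."""
    errors = []
    payload = task.get("payload", {})
    # Rule 1: nothing may be uploaded under public/.
    # Assumption: payload.artifacts is a mapping keyed by artifact name.
    for name in payload.get("artifacts", {}):
        if name == "public" or name.startswith("public/"):
            errors.append("artifact uploaded to public/: " + name)
    # Rule 2: every repository variable must point at an allowed host.
    # Assumption: repository URLs live in env keys ending in REPOSITORY,
    # which covers a single REPOSITORY as well as base/head variants.
    env = payload.get("env", {})
    repo_vars = sorted(k for k in env if k.endswith("REPOSITORY"))
    if not repo_vars:
        errors.append("no repository variable in payload.env")
    for key in repo_vars:
        if not repo_is_allowed(str(env[key])):
            errors.append("%s is not an allowed repository" % key)
    return errors

# Constructed sample task definitions (not real tasks).
GOOD_TASK = {"payload": {
    "env": {"BASE_REPOSITORY": "https://hg.mozilla.org/mozilla-central",
            "HEAD_REPOSITORY": "https://hg.mozilla.org/try"},
    "artifacts": {"private/build": {"type": "directory"}}}}
BAD_TASK = {"payload": {
    "env": {"REPOSITORY": "https://hg.mozilla.org.evil.example/b2g"},
    "artifacts": {"public/build": {"type": "directory"}}}}

if __name__ == "__main__":
    for task in (GOOD_TASK, BAD_TASK):
        print(validate_task(task) or "task ok")
```

A build script would exit non-zero when the returned list is not empty, so the build never starts on a task that fails either rule.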
Comment 2•10 years ago
I would do it in node and just strip dynamic properties, such as: taskId, taskGroupId, created, deadline, and possibly extra.location. After stripping those, just do a deep equals with lodash, to check that all other properties are specified exactly as they should be. Updating these self-validating tasks, or self-protecting tasks, won't be trivial. But that'll keep people who shouldn't modify them from doing so :)
Reporter
Comment 3•10 years ago
lodash -> assert.deepEquals (as joans says, updating these things is not that easy, so we should limit what they do as much as possible)
Assignee
Updated•10 years ago
Assignee: nobody → wcosta
Priority: -- → P1
Assignee
Updated•10 years ago
Status: NEW → ASSIGNED
Assignee
Comment 5•10 years ago
Attachment #8537397 -
Flags: review?(jlal)
Assignee
Comment 6•10 years ago
/r/1507 - Bug 1098467: Validate the task before build the phone image r=lightsofapollo. Pull down this commit: hg pull review -r 1520c6cd07da116dc1c7aac462d1807247cdc7f9
Assignee
Comment 7•10 years ago
/r/1507 - Bug 1098467: Validate the task before build the phone image r=lightsofapollo. Pull down this commit: hg pull review -r 1520c6cd07da116dc1c7aac462d1807247cdc7f9
Reporter
Comment 8•10 years ago
https://reviewboard.mozilla.org/r/1505/#review923
::: testing/docker/phone-builder/bin/validate_task.py
(Diff revision 1)
> + if 'REPOSITORY' not in payload['env']:
Hrm, this is going to be somewhat tricky. Can you validate both the base/head (see the newer task definitions)? This is mostly a performance win by caching repos.
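Review bot: On the quoted line "if 'REPOSITORY' not in payload['env']:", payload['env'] is indexed directly, so a task definition whose payload has no env key raises KeyError while this check is evaluated instead of failing validation with a clear message; consider payload.get('env', {}) or testing for env first. The line also only tests that the key is present, so the check that its value is a Mozilla-hosted repository (the rule from the bug description) needs to follow it; that part is not visible in this excerpt.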
Reporter
Comment 9•10 years ago
Comment on attachment 8537397 [details]
MozReview Request: bz://1098467/wcosta
lgtm need to make some tweaks so we can run this on try but can do after landing.
Attachment #8537397 -
Flags: review?(jlal) → review+
Reporter
Comment 10•10 years ago
https://hg.mozilla.org/projects/alder/rev/1520c6cd07da
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Assignee
Comment 12•9 years ago
Attachment #8537397 -
Attachment is obsolete: true
Attachment #8618631 -
Flags: review+
Assignee
Comment 13•9 years ago
Updated•9 years ago
Component: TaskCluster → General
Product: Testing → Taskcluster
Target Milestone: --- → mozilla41
Version: unspecified → Trunk
Comment 14•9 years ago
Resetting Version and Target Milestone that accidentally got changed...
Target Milestone: mozilla41 → ---
Version: Trunk → unspecified