Adjust xpi-manifest cot-scopes (#502)

Author: jmaher

HISTORY.rst

@@ -4,6 +4,13 @@ Change Log
 All notable changes to this project will be documented in this file.
 This project adheres to `Semantic Versioning <http://semver.org/>`__.
 
+[38.1.0] - 2021-05-19
+---------------------
+Changed
+~~~~~~~
+ - added support for cot_restricted_scopes to match <scope>*
+
+
 [38.0.0] - 2021-05-17
 ---------------------
 Removed

src/scriptworker/constants.py

@@ -122,44 +122,24 @@
                         "xpi": "github",
                         "adhoc": "github",
                         "scriptworker": "github",
-                    },
-                ),
-            },
+                    }
+                )
+            }
         ),
         # decision task cot
         "valid_decision_worker_pools": immutabledict(
             {
                 "by-cot-product": immutabledict(
                     {
-                        "firefox": (
-                            "gecko-1/decision",
-                            "gecko-2/decision",
-                            "gecko-3/decision",
-                        ),
-                        "thunderbird": (
-                            "comm-1/decision",
-                            "comm-2/decision",
-                            "comm-3/decision",
-                        ),
-                        "mobile": (
-                            "mobile-1/decision",
-                            "mobile-3/decision",
-                        ),
+                        "firefox": ("gecko-1/decision", "gecko-2/decision", "gecko-3/decision"),
+                        "thunderbird": ("comm-1/decision", "comm-2/decision", "comm-3/decision"),
+                        "mobile": ("mobile-1/decision", "mobile-3/decision"),
                         "mpd001": ("mpd001-1/decision", "mpd001-3/decision"),
-                        "app-services": (
-                            "app-services-1/decision",
-                            "app-services-3/decision",
-                        ),
-                        "glean": (
-                            "glean-1/decision",
-                            "glean-3/decision",
-                        ),
+                        "app-services": ("app-services-1/decision", "app-services-3/decision"),
+                        "glean": ("glean-1/decision", "glean-3/decision"),
                         "xpi": ("xpi-1/decision", "xpi-3/decision"),
                         "adhoc": ("adhoc-1/decision", "adhoc-3/decision"),
-                        "scriptworker": (
-                            "scriptworker-1/decision",
-                            "scriptworker-3/decision",
-                        ),
+                        "scriptworker": ("scriptworker-1/decision", "scriptworker-3/decision"),
                     }
                 )
             }
@@ -169,35 +149,15 @@
             {
                 "by-cot-product": immutabledict(
                     {
-                        "firefox": (
-                            "gecko-1/images",
-                            "gecko-2/images",
-                            "gecko-3/images",
-                        ),
-                        "thunderbird": (
-                            "comm-1/images",
-                            "comm-2/images",
-                            "comm-3/images",
-                        ),
-                        "mobile": (
-                            "mobile-1/images",
-                            "mobile-3/images",
-                        ),
+                        "firefox": ("gecko-1/images", "gecko-2/images", "gecko-3/images"),
+                        "thunderbird": ("comm-1/images", "comm-2/images", "comm-3/images"),
+                        "mobile": ("mobile-1/images", "mobile-3/images"),
                         "mpd001": ("mpd001-1/images", "mpd001-3/images"),
-                        "app-services": (
-                            "app-services-1/images",
-                            "app-services-3/images",
-                        ),
-                        "glean": (
-                            "glean-1/images",
-                            "glean-3/images",
-                        ),
+                        "app-services": ("app-services-1/images", "app-services-3/images"),
+                        "glean": ("glean-1/images", "glean-3/images"),
                         "xpi": ("xpi-1/images", "xpi-3/images"),
                         "adhoc": ("adhoc-1/images", "adhoc-3/images"),
-                        "scriptworker": (
-                            "scriptworker-1/images",
-                            "scriptworker-3/images",
-                        ),
+                        "scriptworker": ("scriptworker-1/images", "scriptworker-3/images"),
                     }
                 )
             }
@@ -427,7 +387,11 @@
                     "app-services": immutabledict({"project:mozilla:app-services:releng:beetmover:bucket:maven-production": "app-services-repo"}),
                     "glean": immutabledict({"project:mozilla:glean:releng:beetmover:bucket:maven-production": "glean-repo"}),
                     "xpi": immutabledict(
-                        {"project:xpi:signing:cert:release-signing": "xpi-manifest-repo", "project:xpi:ship-it:production": "xpi-manifest-repo"}
+                        {
+                            "project:xpi:signing:cert:release-signing": "xpi-manifest-repo",
+                            "project:xpi:releng:github:project:mozilla-extensions/*": "xpi-manifest-repo",
+                            "project:xpi:ship-it:production": "xpi-manifest-repo",
+                        }
                     ),
                     "adhoc": immutabledict({"project:adhoc:signing:cert:release-signing": "adhoc-signing-repos"}),
                     "scriptworker": immutabledict(
@@ -448,12 +412,7 @@
                             # Which repos can perform release actions?
                             # XXX remove /projects/maple when we have a
                             #     different prod signing testing solution
-                            "all-release-branches": (
-                                "/releases/mozilla-beta",
-                                "/releases/mozilla-release",
-                                "/releases/mozilla-esr78",
-                                "/projects/maple",
-                            ),
+                            "all-release-branches": ("/releases/mozilla-beta", "/releases/mozilla-release", "/releases/mozilla-esr78", "/projects/maple"),
                             # Limit things like pushapk to just these branches
                             "release": ("/releases/mozilla-release",),
                             "beta": ("/releases/mozilla-beta",),
@@ -476,27 +435,15 @@
                                 "/projects/oak",
                                 "/projects/pine",
                             ),
-                            "all-production-branches": (
-                                "/mozilla-central",
-                                "/releases/mozilla-beta",
-                                "/releases/mozilla-release",
-                                "/releases/mozilla-esr78",
-                            ),
+                            "all-production-branches": ("/mozilla-central", "/releases/mozilla-beta", "/releases/mozilla-release", "/releases/mozilla-esr78"),
                         }
                     ),
                     "thunderbird": immutabledict(
                         {
-                            "all-release-branches": (
-                                "/releases/comm-beta",
-                                "/releases/comm-esr78",
-                            ),
+                            "all-release-branches": ("/releases/comm-beta", "/releases/comm-esr78"),
                             "beta": ("/releases/comm-beta",),
                             "esr": ("/releases/comm-esr78",),
-                            "all-nightly-branches": (
-                                "/comm-central",
-                                "/releases/comm-beta",
-                                "/releases/comm-esr78",
-                            ),
+                            "all-nightly-branches": ("/comm-central", "/releases/comm-beta", "/releases/comm-esr78"),
                             "nightly": ("/comm-central",),
                         }
                     ),
@@ -518,10 +465,7 @@
                     "scriptworker": immutabledict(
                         {
                             "scriptworker-scripts-repo": ("/mozilla-releng/scriptworker-scripts",),
-                            "all-production-repos": (
-                                "/mozilla-releng/scriptworker",
-                                "/mozilla-releng/scriptworker-scripts",
-                            ),
+                            "all-production-repos": ("/mozilla-releng/scriptworker", "/mozilla-releng/scriptworker-scripts"),
                         }
                     ),
                 }

src/scriptworker/cot/verify.py

@@ -164,14 +164,36 @@ def is_decision(self):
         """
         return self.task_type in DECISION_TASK_TYPES
 
+    def is_scope_in_restricted_scopes(self, scope, restricted_scopes):
+        """Determine if a scope matches in a list of restricted_scopes.
+           if one of the restricted scopes ends with '*', find a partial match.
+
+        Returns:
+            String: string of matching restricted_scope, if no match ""
+        """
+        match = []
+        for restricted in restricted_scopes:
+            if restricted.endswith("*"):
+                if scope.startswith(restricted.rstrip("*")):
+                    match.append(restricted)
+            elif scope == restricted:
+                match.append(restricted)
+
+        if len(match) > 1:
+            raise CoTError("Scope {} matches >1 restricted_scope: {}\n".format(scope, match))
+        elif len(match) == 1:
+            return match[0]
+        else:
+            return ""
+
     def has_restricted_scopes(self):
         """Determine if this task is requesting any restricted scopes.
 
         Returns:
             bool: whether this task requested restricted scopes.
 
         """
-        return any((scope in self.context.config["cot_restricted_scopes"]) for scope in self.task["scopes"])
+        return any((self.is_scope_in_restricted_scopes(scope, self.context.config["cot_restricted_scopes"])) for scope in self.task["scopes"])
 
     def get_all_links_in_chain(self):
         """Return all links in the chain of trust, including the target task.
@@ -1907,9 +1929,10 @@ async def trace_back_to_tree(chain):
     # check for restricted scopes.
     my_repo = repos[chain]
     for scope in chain.task["scopes"]:
-        if scope in rules["scopes"]:
+        matched_scope = chain.is_scope_in_restricted_scopes(scope, rules["scopes"])
+        if matched_scope:
             log.info("Found privileged scope {}".format(scope))
-            level = rules["scopes"][scope]
+            level = rules["scopes"][matched_scope]
             if my_repo not in rules["trees"][level]:
                 errors.append("{} {}: repo {} not allowlisted for scope {}!".format(chain.name, chain.task_id, my_repo, scope))
     # verify all tasks w/ same decision_task_id have the same source repo.

src/scriptworker/version.py

@@ -54,7 +54,7 @@ def get_version_string(version: Union[ShortVerType, LongVerType]) -> str:
 
 # 1}}}
 # Semantic versioning 2.0.0  http://semver.org/
-__version__ = (38, 0, 0)
+__version__ = (38, 1, 0)
 __version_string__ = get_version_string(__version__)
 
 

tests/test_cot_verify.py

@@ -2193,3 +2193,36 @@ async def test_get_scm_level(rw_context, project, level, raises):
             await cotverify.get_scm_level(rw_context, project)
     else:
         assert await cotverify.get_scm_level(rw_context, project) == level
+
+
+# tests for matching scopes with a partial match, implemented for xpi
+@pytest.mark.parametrize(
+    "scope, restricted_scopes, expected",
+    (
+        (
+            "project:xpi:signing:cert:release-signing",
+            ["project:xpi:ship-it:production", "project:xpi:signing:cert:release-signing"],
+            "project:xpi:signing:cert:release-signing",
+        ),
+        ("project:xpi:signing:cert:release", ["project:xpi:ship-it:production", "project:xpi:signing:cert:release-signing"], ""),
+        ("project:xpi:ship-it:production", ["project:xpi:ship-it:production"], "project:xpi:ship-it:production"),
+        (
+            "project:xpi:releng:github:project:mozilla-extensions/xpi-manifest",
+            ["project:xpi:releng:github:project:mozilla-extensions/*"],
+            "project:xpi:releng:github:project:mozilla-extensions/*",
+        ),
+        ("project:xpi:releng:github:project:mozilla-releng/xpi-manifest", ["project:xpi:releng:github:project:mozilla-extensions/*"], ""),
+        ("project:xpi:ship-it:production", ["project:xpi:ship-it:*"], "project:xpi:ship-it:*"),
+        ("project:xpi:ship-it:production", ["project:xpi:ship-it"], ""),
+        ("project:xpi:ship-it:production", ["project:xpi:ship-it:staging"], ""),
+        ("project:xpi:ship-it:*", ["project:xpi:ship-it:*"], "project:xpi:ship-it:*"),
+        ("project:xpi:ship-it", ["*project:xpi:ship-it"], ""),
+        ("project:xpi:ship-it:production", ["project:xpi:ship-it:production*", "project:xpi:ship-it:production"], "COTError"),
+    ),
+)
+def test_scope_in_restricted_scopes(chain, scope, restricted_scopes, expected):
+    if expected == "COTError":
+        with pytest.raises(CoTError):
+            chain.is_scope_in_restricted_scopes(scope, restricted_scopes)
+    else:
+        assert chain.is_scope_in_restricted_scopes(scope, restricted_scopes) is expected

version.json

@@ -1,8 +1,8 @@
 {
     "version":[
         38,
-        0,
+        1,
         0
     ],
-    "version_string":"38.0.0"
+    "version_string":"38.1.0"
 }