[grizzly] Use a separate token for reducer tasks.

These tasks required read/write access to FuzzManager.
MozillaSecurity · Jun 26, 2023 · 249bdba · 249bdba
1 parent cdab72b
commit 249bdba
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 10 deletions.
diff --git a/services/grizzly-macos/launch.sh b/services/grizzly-macos/launch.sh
@@ -89,8 +89,14 @@ EOF
 fluent-bit -c td-agent-bit.conf &
 
 # Get fuzzmanager configuration from TC
+if [ "$ADAPTER" = "reducer" ]
+then
+  fmsecret=fuzzmanagerconf-rw
+else
+  fmsecret=fuzzmanagerconf
+fi
 set +x
-retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/fuzzmanagerconf" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
+retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/$fmsecret" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
 set -x
 export FM_CONFIG_PATH="$PWD/.fuzzmanagerconf"
 

diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py
@@ -125,7 +125,6 @@ def _list_objs(
         )
 
         while next_url:
-
             resp_json = self.get(next_url, params=params).json()
 
             if isinstance(resp_json, dict):
@@ -237,7 +236,7 @@ def ensure_credentials() -> None:
         # get fuzzmanager config from taskcluster
         conf_path = Path.home() / ".fuzzmanagerconf"
         if not conf_path.is_file():
-            key = Taskcluster.load_secrets("project/fuzzing/fuzzmanagerconf")["key"]
+            key = Taskcluster.load_secrets("project/fuzzing/fuzzmanagerconf-rw")["key"]
             conf_path.write_text(key)
             conf_path.chmod(0o400)
 

diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py
@@ -133,7 +133,7 @@ def _fuzzmanager_get_crashes(
     )
 
     buckets_by_tool: Dict[str, List[str]] = {}
-    for (bucket, tool) in bucket_tools:
+    for bucket, tool in bucket_tools:
         buckets_by_tool.setdefault(tool, [])
         buckets_by_tool[tool].append(bucket)
     for tool, bucket_filter in buckets_by_tool.items():

diff --git a/...ices/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml b/...ices/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml
@@ -45,7 +45,7 @@ scopes:
   - "docker-worker:capability:privileged"
   - "secrets:get:project/fuzzing/deploy-bearspray"
   - "secrets:get:project/fuzzing/deploy-grizzly-private"
-  - "secrets:get:project/fuzzing/fuzzmanagerconf"
+  - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
   - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml
@@ -51,7 +51,7 @@ schedulerId: "${scheduler}"
 scopes:
   - "secrets:get:project/fuzzing/deploy-bearspray"
   - "secrets:get:project/fuzzing/deploy-grizzly-private"
-  - "secrets:get:project/fuzzing/fuzzmanagerconf"
+  - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
   - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/...ices/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml b/...ices/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml
@@ -56,7 +56,7 @@ scopes:
   - "generic-worker:run-as-administrator:${provisioner}/grizzly-reduce-worker-windows"
   - "secrets:get:project/fuzzing/deploy-bearspray"
   - "secrets:get:project/fuzzing/deploy-grizzly-private"
-  - "secrets:get:project/fuzzing/fuzzmanagerconf"
+  - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
   - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml
@@ -40,7 +40,7 @@ scopes:
   - "docker-worker:capability:device:loopbackAudio"
   - "secrets:get:project/fuzzing/deploy-bearspray"
   - "secrets:get:project/fuzzing/deploy-grizzly-private"
-  - "secrets:get:project/fuzzing/fuzzmanagerconf"
+  - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
   - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-win/launch.sh b/services/grizzly-win/launch.sh
@@ -78,8 +78,14 @@ EOF
 retry pip install git+https://github.com/MozillaSecurity/FuzzManager
 
 # Get fuzzmanager configuration from TC
+if [ "$ADAPTER" = "reducer" ]
+then
+  fmsecret=fuzzmanagerconf-rw
+else
+  fmsecret=fuzzmanagerconf
+fi
 set +x
-retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/fuzzmanagerconf" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
+retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/$fmsecret" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
 set -x
 
 # Update fuzzmanager config for this instance

diff --git a/services/grizzly/launch-grizzly-worker.sh b/services/grizzly/launch-grizzly-worker.sh
@@ -22,7 +22,11 @@ pushd /src/fuzzmanager >/dev/null
 popd >/dev/null
 
 # Get fuzzmanager configuration from TC
-get-tc-secret fuzzmanagerconf .fuzzmanagerconf
+if [[ "$ADAPTER" = "reducer" ]]; then
+  get-tc-secret fuzzmanagerconf-rw .fuzzmanagerconf
+else
+  get-tc-secret fuzzmanagerconf .fuzzmanagerconf
+fi
 
 # Update fuzzmanager config for this instance
 mkdir -p signatures