From 249bdba0af714aee480daaa749bb261ecd08f6de Mon Sep 17 00:00:00 2001
From: Jesse Schwartzentruber
Date: Mon, 26 Jun 2023 10:29:50 -0400
Subject: [PATCH] [grizzly] Use a separate token for reducer tasks.
These tasks required read/write access to FuzzManager.
---
 services/grizzly-macos/launch.sh | 8 +++++++-
 .../src/grizzly_reduce_monitor/common.py | 3 +--
 .../src/grizzly_reduce_monitor/monitor.py | 2 +-
 .../task_templates/reduce-android.yaml | 2 +-
 .../task_templates/reduce-macos.yaml | 2 +-
 .../task_templates/reduce-windows.yaml | 2 +-
 .../src/grizzly_reduce_monitor/task_templates/reduce.yaml | 2 +-
 services/grizzly-win/launch.sh | 8 +++++++-
 services/grizzly/launch-grizzly-worker.sh | 6 +++++-
 9 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/services/grizzly-macos/launch.sh b/services/grizzly-macos/launch.sh
index dc6d2ca0..9f81a798 100755
--- a/services/grizzly-macos/launch.sh
+++ b/services/grizzly-macos/launch.sh
@@ -89,8 +89,14 @@ EOF
 fluent-bit -c td-agent-bit.conf &
 # Get fuzzmanager configuration from TC
+if [ "$ADAPTER" = "reducer" ]
+then
+ fmsecret=fuzzmanagerconf-rw
+else
+ fmsecret=fuzzmanagerconf
+fi
 set +x
-retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/fuzzmanagerconf" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
+retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/$fmsecret" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
 set -x
 export FM_CONFIG_PATH="$PWD/.fuzzmanagerconf"
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py
index 4efeb779..c7560c98 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/common.py
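Review bot: The `python -c` write after `set +x` now stores the read/write FuzzManager token in `.fuzzmanagerconf` with whatever the worker's default umask allows, whereas the monitor's `ensure_credentials` in common.py restricts the same file to 0o400; add `chmod 600 .fuzzmanagerconf` right after the write so the rw token is owner-only (600 rather than 400 in case the script appends per-instance settings later, as the Windows launcher's comment suggests). The `else` branch still fetches `fuzzmanagerconf`, but the reduce task templates in this patch replace that scope with the `-rw` one, so a reduce task whose `ADAPTER` is anything but exactly `reducer` would fail at this curl rather than fall back — presumably the templates set it, but that is not visible here. A comment above the `if`, such as `# reducer tasks write results back to FuzzManager and need the rw token; other adapters stay read-only`, would make that coupling explicit for whoever adds the next adapter.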
@@ -125,7 +125,6 @@ def _list_objs(
 )
 while next_url:
-
 resp_json = self.get(next_url, params=params).json()
 if isinstance(resp_json, dict):
@@ -237,7 +236,7 @@ def ensure_credentials() -> None:
 # get fuzzmanager config from taskcluster
 conf_path = Path.home() / ".fuzzmanagerconf"
 if not conf_path.is_file():
- key = Taskcluster.load_secrets("project/fuzzing/fuzzmanagerconf")["key"]
+ key = Taskcluster.load_secrets("project/fuzzing/fuzzmanagerconf-rw")["key"]
 conf_path.write_text(key)
 conf_path.chmod(0o400)
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py
index 9c7a0dc5..458c85db 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/monitor.py
@@ -133,7 +133,7 @@ def _fuzzmanager_get_crashes(
 )
 buckets_by_tool: Dict[str, List[str]] = {}
- for (bucket, tool) in bucket_tools:
+ for bucket, tool in bucket_tools:
 buckets_by_tool.setdefault(tool, [])
 buckets_by_tool[tool].append(bucket)
 for tool, bucket_filter in buckets_by_tool.items():
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml
index bfda4e13..8e9a74fa 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-android.yaml
@@ -45,7 +45,7 @@ scopes:
 - "docker-worker:capability:privileged"
 - "secrets:get:project/fuzzing/deploy-bearspray"
 - "secrets:get:project/fuzzing/deploy-grizzly-private"
- - "secrets:get:project/fuzzing/fuzzmanagerconf"
+ - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
 - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
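Review bot: `ensure_credentials` only fetches the new `fuzzmanagerconf-rw` secret when `~/.fuzzmanagerconf` is absent, so a worker that still holds a file written from the old read-only key keeps using it after this change and the monitor's FuzzManager writes would fail later with an authorization error instead of at startup. If the file can persist between runs (not visible here), writing the key unconditionally is the safer choice; otherwise the precondition deserves a comment on the `is_file()` check, e.g. `# the rw key is only fetched when the file is missing; a stale read-only .fuzzmanagerconf must never be left behind`. The monitor's own Taskcluster task also needs `secrets:get:project/fuzzing/fuzzmanagerconf-rw` for this `load_secrets` call to succeed; only the spawned reduce-task templates are updated in this patch, so that scope presumably lives in another config. The `def` line of `ensure_credentials` is outside the hunk (it appears only in the hunk header) and the function may continue past the `chmod`.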
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml
index 05056bad..91069e8f 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-macos.yaml
@@ -51,7 +51,7 @@ schedulerId: "${scheduler}"
 scopes:
 - "secrets:get:project/fuzzing/deploy-bearspray"
 - "secrets:get:project/fuzzing/deploy-grizzly-private"
- - "secrets:get:project/fuzzing/fuzzmanagerconf"
+ - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
 - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml
index 169cc886..5c150f99 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce-windows.yaml
@@ -56,7 +56,7 @@ scopes:
 - "generic-worker:run-as-administrator:${provisioner}/grizzly-reduce-worker-windows"
 - "secrets:get:project/fuzzing/deploy-bearspray"
 - "secrets:get:project/fuzzing/deploy-grizzly-private"
- - "secrets:get:project/fuzzing/fuzzmanagerconf"
+ - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
 - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml
index 687065ef..e8935e2c 100644
--- a/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml
+++ b/services/grizzly-reduce-monitor/src/grizzly_reduce_monitor/task_templates/reduce.yaml
@@ -40,7 +40,7 @@ scopes:
 - "docker-worker:capability:device:loopbackAudio"
 - "secrets:get:project/fuzzing/deploy-bearspray"
 - "secrets:get:project/fuzzing/deploy-grizzly-private"
- - "secrets:get:project/fuzzing/fuzzmanagerconf"
+ - "secrets:get:project/fuzzing/fuzzmanagerconf-rw"
 - "secrets:get:project/fuzzing/google-logging-creds"
 taskGroupId: "${task_group}"
 workerType: "${worker}"
diff --git a/services/grizzly-win/launch.sh b/services/grizzly-win/launch.sh
index 70802acb..a554748e 100644
--- a/services/grizzly-win/launch.sh
+++ b/services/grizzly-win/launch.sh
@@ -78,8 +78,14 @@ EOF
 retry pip install git+https://github.com/MozillaSecurity/FuzzManager
 # Get fuzzmanager configuration from TC
+if [ "$ADAPTER" = "reducer" ]
+then
+ fmsecret=fuzzmanagerconf-rw
+else
+ fmsecret=fuzzmanagerconf
+fi
 set +x
-retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/fuzzmanagerconf" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
+retry_curl "$TASKCLUSTER_PROXY_URL/secrets/v1/secret/project/fuzzing/$fmsecret" | python -c "import json,sys;open('.fuzzmanagerconf','w').write(json.load(sys.stdin)['secret']['key'])"
 set -x
 # Update fuzzmanager config for this instance
diff --git a/services/grizzly/launch-grizzly-worker.sh b/services/grizzly/launch-grizzly-worker.sh
index 4c203d9f..3b6938ff 100755
--- a/services/grizzly/launch-grizzly-worker.sh
+++ b/services/grizzly/launch-grizzly-worker.sh
@@ -22,7 +22,11 @@ pushd /src/fuzzmanager >/dev/null
 popd >/dev/null
 # Get fuzzmanager configuration from TC
-get-tc-secret fuzzmanagerconf .fuzzmanagerconf
+if [[ "$ADAPTER" = "reducer" ]]; then
+ get-tc-secret fuzzmanagerconf-rw .fuzzmanagerconf
+else
+ get-tc-secret fuzzmanagerconf .fuzzmanagerconf
+fi
 # Update fuzzmanager config for this instance
 mkdir -p signatures
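Review bot: The `else` branch of the new `if` in the Windows launcher relies on the task still holding `secrets:get:project/fuzzing/fuzzmanagerconf`, which the reduce-windows.yaml template in this patch swaps for the `-rw` scope, so a reduce task with `ADAPTER` unset or spelled differently would fail at the `retry_curl` rather than fall back to the read-only token. That is probably the intended fail-closed behaviour, but it is worth stating above the `if`: `# reducer tasks need the rw token; every other adapter gets the read-only one and must keep the ro scope`. Nothing here restricts the permissions of the written `.fuzzmanagerconf`; whether that matters on a generic-worker Windows host is not visible from the hunk.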
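Review bot: The new branch in launch-grizzly-worker.sh duplicates the `get-tc-secret … .fuzzmanagerconf` call, while the macOS and Windows launchers in the same patch select the secret name into a variable and keep a single fetch; the same shape here, `fmsecret=fuzzmanagerconf`, `[[ "$ADAPTER" = "reducer" ]] && fmsecret=fuzzmanagerconf-rw`, `get-tc-secret "$fmsecret" .fuzzmanagerconf`, keeps the three launchers aligned and leaves one place to change the destination path. As with the other launchers, the fallback only works while the task keeps the read-only scope, which the reduce templates in this patch drop, so `ADAPTER` must be exactly `reducer` for reduce tasks — a one-line comment above the `if` would record that. Whether `get-tc-secret` restricts the written file's mode is not visible here; if it does not, a `chmod 600 .fuzzmanagerconf` after the fetch would match the `chmod(0o400)` that common.py applies to the same file.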