remove dead code about secret tool
Summary: Better Engineering: remove dead code about the secrets tool. The secrets tool is an FB-specific tool (keychain-like) that was used to transfer the OAuth token between different devservers without the user's involvement. We have migrated to certs on devservers, so it is no longer needed. It is also FB-specific and does not make sense for open source either. Reviewed By: mitrandir77 Differential Revision: D22827264 fbshipit-source-id: cd89168ad75ca041d2a0f18d63474dd1eaad483d
This commit is contained in:
parent
01c4613ba0
commit
2c38313e9a
@ -91,9 +91,6 @@ Configs::
|
|||||||
# path can contains ${USER} or %i to substitute with the user identity
|
# path can contains ${USER} or %i to substitute with the user identity
|
||||||
scm_daemon_log_path = /path/to/%i/logfile
|
scm_daemon_log_path = /path/to/%i/logfile
|
||||||
|
|
||||||
# Use secrets_tool for token backup between machines
|
|
||||||
use_secrets_tool = true
|
|
||||||
|
|
||||||
# Maximum age (in days) of commits to pull when syncing
|
# Maximum age (in days) of commits to pull when syncing
|
||||||
max_sync_age = 14
|
max_sync_age = 14
|
||||||
|
|
||||||
|
@ -22,108 +22,26 @@ class TokenLocator(object):
|
|||||||
self.ui = ui
|
self.ui = ui
|
||||||
self.vfs = vfsmod.vfs(ccutil.getuserconfigpath(self.ui, "user_token_path"))
|
self.vfs = vfsmod.vfs(ccutil.getuserconfigpath(self.ui, "user_token_path"))
|
||||||
self.vfs.createmode = 0o600
|
self.vfs.createmode = 0o600
|
||||||
# using platform username
|
|
||||||
self.secretname = (self.servicename + "_" + util.getuser()).upper()
|
|
||||||
self.usesecretstool = self.ui.configbool("commitcloud", "use_secrets_tool")
|
|
||||||
|
|
||||||
def _gettokenfromfile(self):
|
def _gettokenfromfile(self):
|
||||||
"""On platforms except macOS tokens are stored in a file"""
|
"""On platforms except macOS tokens are stored in a file"""
|
||||||
if not self.vfs.exists(self.filename):
|
if not self.vfs.exists(self.filename):
|
||||||
if self.usesecretstool:
|
|
||||||
# check if token has been backed up and recover it if possible
|
|
||||||
try:
|
|
||||||
token = self._gettokenfromsecretstool()
|
|
||||||
if token:
|
|
||||||
self._settokentofile(token, isbackedup=True)
|
|
||||||
return token
|
|
||||||
except Exception:
|
|
||||||
pass
|
|
||||||
return None
|
return None
|
||||||
|
|
||||||
with self.vfs.open(self.filename, r"rb") as f:
|
with self.vfs.open(self.filename, r"rb") as f:
|
||||||
tokenconfig = config.config()
|
tokenconfig = config.config()
|
||||||
tokenconfig.read(self.filename, f)
|
tokenconfig.read(self.filename, f)
|
||||||
token = tokenconfig.get("commitcloud", "user_token")
|
token = tokenconfig.get("commitcloud", "user_token")
|
||||||
if self.usesecretstool:
|
|
||||||
isbackedup = tokenconfig.get("commitcloud", "backedup")
|
|
||||||
if not isbackedup:
|
|
||||||
self._settokentofile(token)
|
|
||||||
return token
|
return token
|
||||||
|
|
||||||
def _settokentofile(self, token, isbackedup=False):
|
def _settokentofile(self, token, isbackedup=False):
|
||||||
"""On platforms except macOS tokens are stored in a file"""
|
"""On platforms except macOS tokens are stored in a file"""
|
||||||
# backup token if optional backup is enabled
|
|
||||||
if self.usesecretstool and not isbackedup:
|
|
||||||
try:
|
|
||||||
self._settokeninsecretstool(token)
|
|
||||||
isbackedup = True
|
|
||||||
except Exception:
|
|
||||||
pass
|
|
||||||
with self.vfs.open(self.filename, "wb") as configfile:
|
with self.vfs.open(self.filename, "wb") as configfile:
|
||||||
configfile.write(
|
configfile.write(
|
||||||
b"[commitcloud]\nuser_token=%s\nbackedup=%s\n"
|
b"[commitcloud]\nuser_token=%s\nbackedup=%s\n"
|
||||||
% (pycompat.encodeutf8(token), pycompat.encodeutf8(str(isbackedup)))
|
% (pycompat.encodeutf8(token), pycompat.encodeutf8(str(isbackedup)))
|
||||||
)
|
)
|
||||||
|
|
||||||
def _gettokenfromsecretstool(self):
|
|
||||||
"""Token stored in keychain as individual secret"""
|
|
||||||
try:
|
|
||||||
p = subprocess.Popen(
|
|
||||||
["secrets_tool", "get", self.secretname],
|
|
||||||
close_fds=util.closefds,
|
|
||||||
stdout=subprocess.PIPE,
|
|
||||||
stderr=subprocess.PIPE,
|
|
||||||
)
|
|
||||||
(stdoutdata, stderrdata) = p.communicate()
|
|
||||||
rc = p.returncode
|
|
||||||
if rc != 0:
|
|
||||||
return None
|
|
||||||
text = stdoutdata.strip()
|
|
||||||
return text or None
|
|
||||||
|
|
||||||
except OSError as e:
|
|
||||||
raise ccerror.UnexpectedError(self.ui, e)
|
|
||||||
except ValueError as e:
|
|
||||||
raise ccerror.UnexpectedError(self.ui, e)
|
|
||||||
|
|
||||||
def _settokeninsecretstool(self, token, update=False):
|
|
||||||
"""Token stored in keychain as individual secrets"""
|
|
||||||
action = "update" if update else "create"
|
|
||||||
try:
|
|
||||||
p = subprocess.Popen(
|
|
||||||
[
|
|
||||||
"secrets_tool",
|
|
||||||
action,
|
|
||||||
"--read_contents_from_stdin",
|
|
||||||
self.secretname,
|
|
||||||
"Mercurial commitcloud token",
|
|
||||||
],
|
|
||||||
close_fds=util.closefds,
|
|
||||||
stdout=subprocess.PIPE,
|
|
||||||
stderr=subprocess.PIPE,
|
|
||||||
stdin=subprocess.PIPE,
|
|
||||||
)
|
|
||||||
(stdoutdata, stderrdata) = p.communicate(token)
|
|
||||||
rc = p.returncode
|
|
||||||
|
|
||||||
if rc != 0:
|
|
||||||
if action == "create":
|
|
||||||
# Try updating token instead
|
|
||||||
self._settokeninsecretstool(token, update=True)
|
|
||||||
else:
|
|
||||||
raise ccerror.SubprocessError(self.ui, rc, stderrdata)
|
|
||||||
|
|
||||||
else:
|
|
||||||
self.ui.debug(
|
|
||||||
"access token is backup up in secrets tool in %s\n"
|
|
||||||
% self.secretname
|
|
||||||
)
|
|
||||||
|
|
||||||
except OSError as e:
|
|
||||||
raise ccerror.UnexpectedError(self.ui, e)
|
|
||||||
except ValueError as e:
|
|
||||||
raise ccerror.UnexpectedError(self.ui, e)
|
|
||||||
|
|
||||||
def _gettokenosx(self):
|
def _gettokenosx(self):
|
||||||
"""On macOS tokens are stored in keychain
|
"""On macOS tokens are stored in keychain
|
||||||
this function fetches token from keychain
|
this function fetches token from keychain
|
||||||
|
@ -249,40 +249,6 @@ pub fn read_access_token(user_token_path: &Option<PathBuf>) -> Result<Token> {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// try to read token from secrets tool
|
|
||||||
if token.is_none() {
|
|
||||||
// try to read from secrets_tool
|
|
||||||
info!("Token Lookup: reading commitcloud OAuth token from secrets_tool...");
|
|
||||||
let user = env::var("USER")?.to_uppercase();
|
|
||||||
let key = format!("COMMITCLOUD_{}", user);
|
|
||||||
let output = Command::new("secrets_tool")
|
|
||||||
.args(vec!["get", key.as_str()])
|
|
||||||
.output();
|
|
||||||
|
|
||||||
match output {
|
|
||||||
Err(e) => {
|
|
||||||
if let io::ErrorKind::NotFound = e.kind() {
|
|
||||||
info!("`secrets_tool` executable is not found");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
Ok(output) => {
|
|
||||||
if !output.status.success() {
|
|
||||||
error!("OAuth token: failed to retrieve from secrets using key {}, process exited with: {}", key, output.status);
|
|
||||||
} else {
|
|
||||||
let token = str::from_utf8(&output.stdout)?.trim().to_string();
|
|
||||||
if token.is_empty() {
|
|
||||||
error!("OAuth token not found in secrets");
|
|
||||||
} else {
|
|
||||||
info!("OAuth token is found in secrets");
|
|
||||||
return Ok(Token {
|
|
||||||
token,
|
|
||||||
token_type: TokenType::OAuth,
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
token
|
token
|
||||||
.map(|token| Token {
|
.map(|token| Token {
|
||||||
|