remove dead code about secret tool

Summary:
Better Engineering: remove dead code about secret tool.

Secret tool is an FB-specific, keychain-like tool that was used to transfer OAuth tokens between
different devservers without the user's involvement. We have migrated to certs on devservers, so it is no longer needed.

Also, it is FB specific and doesn't make sense for open source either.

Reviewed By: mitrandir77

Differential Revision: D22827264

fbshipit-source-id: cd89168ad75ca041d2a0f18d63474dd1eaad483d
Liubov Dmitrieva 2020-07-30 06:08:42 -07:00 committed by Facebook GitHub Bot
parent 01c4613ba0
commit 2c38313e9a
3 changed files with 0 additions and 119 deletions


@ -91,9 +91,6 @@ Configs::
# path can contains ${USER} or %i to substitute with the user identity # path can contains ${USER} or %i to substitute with the user identity
scm_daemon_log_path = /path/to/%i/logfile scm_daemon_log_path = /path/to/%i/logfile
# Use secrets_tool for token backup between machines
use_secrets_tool = true
# Maximum age (in days) of commits to pull when syncing # Maximum age (in days) of commits to pull when syncing
max_sync_age = 14 max_sync_age = 14


@ -22,108 +22,26 @@ class TokenLocator(object):
self.ui = ui self.ui = ui
self.vfs = vfsmod.vfs(ccutil.getuserconfigpath(self.ui, "user_token_path")) self.vfs = vfsmod.vfs(ccutil.getuserconfigpath(self.ui, "user_token_path"))
self.vfs.createmode = 0o600 self.vfs.createmode = 0o600
# using platform username
self.secretname = (self.servicename + "_" + util.getuser()).upper()
self.usesecretstool = self.ui.configbool("commitcloud", "use_secrets_tool")
def _gettokenfromfile(self): def _gettokenfromfile(self):
"""On platforms except macOS tokens are stored in a file""" """On platforms except macOS tokens are stored in a file"""
if not self.vfs.exists(self.filename): if not self.vfs.exists(self.filename):
if self.usesecretstool:
# check if token has been backed up and recover it if possible
try:
token = self._gettokenfromsecretstool()
if token:
self._settokentofile(token, isbackedup=True)
return token
except Exception:
pass
return None return None
with self.vfs.open(self.filename, r"rb") as f: with self.vfs.open(self.filename, r"rb") as f:
tokenconfig = config.config() tokenconfig = config.config()
tokenconfig.read(self.filename, f) tokenconfig.read(self.filename, f)
token = tokenconfig.get("commitcloud", "user_token") token = tokenconfig.get("commitcloud", "user_token")
if self.usesecretstool:
isbackedup = tokenconfig.get("commitcloud", "backedup")
if not isbackedup:
self._settokentofile(token)
return token return token
def _settokentofile(self, token, isbackedup=False): def _settokentofile(self, token, isbackedup=False):
"""On platforms except macOS tokens are stored in a file""" """On platforms except macOS tokens are stored in a file"""
# backup token if optional backup is enabled
if self.usesecretstool and not isbackedup:
try:
self._settokeninsecretstool(token)
isbackedup = True
except Exception:
pass
with self.vfs.open(self.filename, "wb") as configfile: with self.vfs.open(self.filename, "wb") as configfile:
configfile.write( configfile.write(
b"[commitcloud]\nuser_token=%s\nbackedup=%s\n" b"[commitcloud]\nuser_token=%s\nbackedup=%s\n"
% (pycompat.encodeutf8(token), pycompat.encodeutf8(str(isbackedup))) % (pycompat.encodeutf8(token), pycompat.encodeutf8(str(isbackedup)))
) )
def _gettokenfromsecretstool(self):
"""Token stored in keychain as individual secret"""
try:
p = subprocess.Popen(
["secrets_tool", "get", self.secretname],
close_fds=util.closefds,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
(stdoutdata, stderrdata) = p.communicate()
rc = p.returncode
if rc != 0:
return None
text = stdoutdata.strip()
return text or None
except OSError as e:
raise ccerror.UnexpectedError(self.ui, e)
except ValueError as e:
raise ccerror.UnexpectedError(self.ui, e)
def _settokeninsecretstool(self, token, update=False):
"""Token stored in keychain as individual secrets"""
action = "update" if update else "create"
try:
p = subprocess.Popen(
[
"secrets_tool",
action,
"--read_contents_from_stdin",
self.secretname,
"Mercurial commitcloud token",
],
close_fds=util.closefds,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
stdin=subprocess.PIPE,
)
(stdoutdata, stderrdata) = p.communicate(token)
rc = p.returncode
if rc != 0:
if action == "create":
# Try updating token instead
self._settokeninsecretstool(token, update=True)
else:
raise ccerror.SubprocessError(self.ui, rc, stderrdata)
else:
self.ui.debug(
"access token is backup up in secrets tool in %s\n"
% self.secretname
)
except OSError as e:
raise ccerror.UnexpectedError(self.ui, e)
except ValueError as e:
raise ccerror.UnexpectedError(self.ui, e)
def _gettokenosx(self): def _gettokenosx(self):
"""On macOS tokens are stored in keychain """On macOS tokens are stored in keychain
this function fetches token from keychain this function fetches token from keychain


@ -249,40 +249,6 @@ pub fn read_access_token(user_token_path: &Option<PathBuf>) -> Result<Token> {
} }
} }
} }
// try to read token from secrets tool
if token.is_none() {
// try to read from secrets_tool
info!("Token Lookup: reading commitcloud OAuth token from secrets_tool...");
let user = env::var("USER")?.to_uppercase();
let key = format!("COMMITCLOUD_{}", user);
let output = Command::new("secrets_tool")
.args(vec!["get", key.as_str()])
.output();
match output {
Err(e) => {
if let io::ErrorKind::NotFound = e.kind() {
info!("`secrets_tool` executable is not found");
}
}
Ok(output) => {
if !output.status.success() {
error!("OAuth token: failed to retrieve from secrets using key {}, process exited with: {}", key, output.status);
} else {
let token = str::from_utf8(&output.stdout)?.trim().to_string();
if token.is_empty() {
error!("OAuth token not found in secrets");
} else {
info!("OAuth token is found in secrets");
return Ok(Token {
token,
token_type: TokenType::OAuth,
});
}
}
}
}
}
} }
token token
.map(|token| Token { .map(|token| Token {