Diffstat (limited to 'security/nss/automation/taskcluster/scripts')
9 files changed, 262 insertions, 0 deletions
diff --git a/security/nss/automation/taskcluster/scripts/build.sh b/security/nss/automation/taskcluster/scripts/build.sh
new file mode 100755
index 000000000..69968b138
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+source $(dirname $0)/tools.sh
+
+if [[ $(id -u) -eq 0 ]]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Clone NSPR if needed.
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
+
+# Build.
+make -C nss nss_build_all
+
+# Package.
+mkdir artifacts
+tar cvfjh artifacts/dist.tar.bz2 dist
diff --git a/security/nss/automation/taskcluster/scripts/build_gyp.sh b/security/nss/automation/taskcluster/scripts/build_gyp.sh
new file mode 100755
index 000000000..590e634a3
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+source $(dirname $0)/tools.sh
+
+if [[ $(id -u) -eq 0 ]]; then
+ # Drop privileges by re-running this script.
+ exec su worker -c "$0 $*"
+fi
+
+# Clone NSPR if needed.
+hg_clone https://hg.mozilla.org/projects/nspr nspr default
+
+# Build.
+nss/build.sh ${*--g -v}
+
+# Package.
+mkdir artifacts
+tar cvfjh artifacts/dist.tar.bz2 dist
diff --git a/security/nss/automation/taskcluster/scripts/extend_task_graph.sh b/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
new file mode 100755
index 000000000..5a3fb8d98
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/extend_task_graph.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+mkdir -p /home/worker/artifacts
+
+# Install Node.JS dependencies.
+cd nss/automation/taskcluster/graph/ && npm install
+
+# Extend the task graph.
+node lib/index.js
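Review bot: In build.sh the NSPR checkout follows the moving `default` head, so the same NSS revision can build against different NSPR code from one run to the next and the packaged dist.tar.bz2 cannot be traced back to a fixed input. Consider pinning a tag or changeset and bumping it deliberately, e.g. `hg_clone https://hg.mozilla.org/projects/nspr nspr <PINNED_NSPR_REV>` (placeholder value). The same clone line appears in build_gyp.sh and run_scan_build.sh. Separately, `source $(dirname $0)/tools.sh` and `exec su worker $0` should quote `"$0"` so a checkout path containing spaces is not word-split.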
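Review bot: In build_gyp.sh, `exec su worker -c "$0 $*"` flattens the script path and every argument into one string that the worker's shell parses again, so an argument containing whitespace, quotes or `;` is re-split or read as shell syntax instead of being passed through as data. If the worker's login shell is bash (not visible in this diff), quoting each word first keeps the arguments intact: `exec su worker -c "$(printf '%q ' "$0" "$@")"`. fuzz.sh uses the same `-c "$0 $*"` form, and run_scan_build.sh passes `$0 $@` unquoted, which splits the same way. The expansion in `nss/build.sh ${*--g -v}` would also benefit from a short comment saying that `-g -v` is the default when no arguments are given.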
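Review bot: `npm install` in extend_task_graph.sh resolves dependency versions from the registry at run time and runs their install scripts, and, judging by the comment, the code it installs then decides what the task graph contains, so this step is a supply-chain input to every downstream job. If a lockfile is committed under nss/automation/taskcluster/graph/ (not visible in this diff), `npm ci` installs exactly the locked versions, and `--ignore-scripts` is worth considering if no dependency needs a build step. Also, in `cd nss/automation/taskcluster/graph/ && npm install` a failed `cd` is not caught by `set -e` because it sits on the left of `&&`; putting `cd` on its own line makes that failure fatal.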
diff --git a/security/nss/automation/taskcluster/scripts/fuzz.sh b/security/nss/automation/taskcluster/scripts/fuzz.sh
new file mode 100755
index 000000000..5f8dd7bff
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker -c "$0 $*"
+fi
+
+# Fetch artifact if needed.
+fetch_dist
+
+# Clone corpus.
+./nss/fuzz/clone_corpus.sh
+
+# Fetch objdir name.
+objdir=$(cat dist/latest)
+
+# Run nssfuzz.
+LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib dist/$objdir/bin/nssfuzz $*
diff --git a/security/nss/automation/taskcluster/scripts/gen_certs.sh b/security/nss/automation/taskcluster/scripts/gen_certs.sh
new file mode 100755
index 000000000..aee100147
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/gen_certs.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+ # Stupid Docker.
+ echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
+
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Fetch artifact if needed.
+fetch_dist
+
+# Generate certificates.
+NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
+
+# Reset test counter so that test runs pick up our certificates.
+echo 1 > tests_results/security/localhost
+
+# Package.
+mkdir artifacts
+tar cvfjh artifacts/dist.tar.bz2 dist tests_results
diff --git a/security/nss/automation/taskcluster/scripts/run_clang_format.sh b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
new file mode 100755
index 000000000..c4b60290f
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/run_clang_format.sh
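Review bot: In fuzz.sh, `LD_LIBRARY_PATH=$LD_LIBRARY_PATH:dist/$objdir/lib` yields a leading empty entry whenever the variable is unset, and the dynamic loader treats an empty entry as the current directory; the entry that follows is relative as well. The working directory at that point holds a downloaded artifact and, presumably, the freshly cloned corpus, so library lookup should not depend on it. Suggest `LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$PWD/dist/$objdir/lib" "dist/$objdir/bin/nssfuzz" "$@"`. Since `objdir` is read from `dist/latest` inside the fetched archive, quoting it matters here.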
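Review bot: The root-only block in gen_certs.sh writes to /etc/hosts before dropping privileges, and its comment `# Stupid Docker.` does not say why the entry is needed. A comment stating the reason would let a reader judge whether the root-level write is still required, for example `# The container's /etc/hosts has no localhost.localdomain entry, which the test suite presumably uses as its host name.` (wording for the author to confirm). The append is also unconditional, so re-running in the same container duplicates the line; `grep -q 'localhost\.localdomain' /etc/hosts || echo "127.0.0.1 localhost.localdomain" >> /etc/hosts` avoids that. run_tests.sh carries the same block.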
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) -eq 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0 "$@"
+fi
+
+# Apply clang-format on the provided folder and verify that this doesn't change any file.
+# If any file differs after formatting, the script eventually exits with 1.
+# Any differences between formatted and unformatted files is printed to stdout to give a hint what's wrong.
+
+# Includes a default set of directories.
+
+if [ $# -gt 0 ]; then
+ dirs=("$@")
+else
+ top=$(dirname $0)/../../..
+ dirs=( \
+ "$top/cmd" \
+ "$top/fuzz" \
+ "$top/lib/base" \
+ "$top/lib/certdb" \
+ "$top/lib/certhigh" \
+ "$top/lib/ckfw" \
+ "$top/lib/crmf" \
+ "$top/lib/cryptohi" \
+ "$top/lib/dbm" \
+ "$top/lib/dev" \
+ "$top/lib/freebl" \
+ "$top/lib/jar" \
+ "$top/lib/nss" \
+ "$top/lib/pk11wrap" \
+ "$top/lib/pkcs7" \
+ "$top/lib/pkcs12" \
+ "$top/lib/pki" \
+ "$top/lib/smime" \
+ "$top/lib/softoken" \
+ "$top/lib/ssl" \
+ "$top/lib/sysinit" \
+ "$top/lib/util" \
+ "$top/gtests/common" \
+ "$top/gtests/der_gtest" \
+ "$top/gtests/freebl_gtest" \
+ "$top/gtests/pk11_gtest" \
+ "$top/gtests/ssl_gtest" \
+ "$top/gtests/util_gtest" \
+ )
+fi
+
+for dir in "${dirs[@]}"; do
+ find "$dir" -type f \( -name '*.[ch]' -o -name '*.cc' \) -exec clang-format -i {} \+
+done
+
+TMPFILE=$(mktemp /tmp/$(basename $0).XXXXXX)
+trap 'rm $TMPFILE' exit
+if (cd $(dirname $0); hg root >/dev/null 2>&1); then
+ hg diff --git "$top" | tee $TMPFILE
+else
+ git -C "$top" diff | tee $TMPFILE
+fi
+[[ ! -s $TMPFILE ]]
diff --git a/security/nss/automation/taskcluster/scripts/run_scan_build.sh b/security/nss/automation/taskcluster/scripts/run_scan_build.sh
new file mode 100755
index 000000000..99f80ab5f
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/run_scan_build.sh
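Review bot: `top` is assigned only in the `else` branch of run_clang_format.sh, so when directories are passed as arguments the final check runs `hg diff --git ""` or `git -C "" diff` instead of diffing the NSS root. Both commands also feed `tee`, and without `pipefail` the pipeline's status is tee's, so a failing diff leaves `$TMPFILE` empty and `[[ ! -s $TMPFILE ]]` reports success. Suggest moving `top=$(dirname "$0")/../../..` above `if [ $# -gt 0 ]` and adding `set -o pipefail` next to `set -v -e -x`. Quoting `"$TMPFILE"` in the trap and after `tee` is a minor follow-up.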
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+ # Drop privileges by re-running this script.
+ exec su worker $0 $@
+fi
+
+# Clone NSPR if needed.
+if [ ! -d "nspr" ]; then
+ hg_clone https://hg.mozilla.org/projects/nspr nspr default
+fi
+
+# Build.
+cd nss
+make nss_build_all
+
+# What we want to scan.
+# key: directory to scan
+# value: number of errors expected in that directory
+declare -A scan=( \
+ [lib/base]=0 \
+ [lib/certdb]=0 \
+ [lib/certhigh]=0 \
+ [lib/ckfw]=0 \
+ [lib/crmf]=0 \
+ [lib/cryptohi]=0 \
+ [lib/dev]=0 \
+ [lib/freebl]=0 \
+ [lib/nss]=0 \
+ [lib/ssl]=0 \
+ [lib/util]=0 \
+ )
+
+# remove .OBJ directories to force a rebuild of just the select few
+for i in "${!scan[@]}"; do
+ find "$i" -name "*.OBJ" -exec rm -rf {} \+
+done
+
+# run scan-build (only building affected directories)
+scan-build -o /home/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all && cd ..
+
+# print errors we found
+set +v +x
+STATUS=0
+for i in "${!scan[@]}"; do
+ n=$(grep -Rn "$i" /home/worker/artifacts/*/report-*.html | wc -l)
+ if [ $n -ne ${scan[$i]} ]; then
+ STATUS=1
+ echo "$(date '+%T') WARNING - TEST-UNEXPECTED-FAIL: $i contains $n scan-build errors"
+ elif [ $n -ne 0 ]; then
+ echo "$(date '+%T') WARNING - TEST-EXPECTED-FAIL: $i contains $n scan-build errors"
+ fi
+done
+exit $STATUS
diff --git a/security/nss/automation/taskcluster/scripts/run_tests.sh b/security/nss/automation/taskcluster/scripts/run_tests.sh
new file mode 100755
index 000000000..4c87e7e32
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/run_tests.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+source $(dirname $0)/tools.sh
+
+if [ $(id -u) = 0 ]; then
+ # Stupid Docker.
+ echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
+
+ # Drop privileges by re-running this script.
+ exec su worker $0
+fi
+
+# Fetch artifact if needed.
+fetch_dist
+
+# Run tests.
+cd nss/tests && ./all.sh
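Review bot: In run_scan_build.sh the line `scan-build ... make nss_build_all && cd ..` hides a failed analysis run: `set -e` (inherited from tools.sh) does not act on the left side of `&&`, so if scan-build or the build fails the script carries on, the report glob matches nothing, every directory counts 0 and the job exits 0. Splitting it into two statements, `scan-build -o /home/worker/artifacts --use-cc="$CC" --use-c++="$CCC" make nss_build_all` followed by `cd ..`, lets the failure stop the job. The count itself comes from `grep -Rn "$i" ... | wc -l`, which counts matching lines in the HTML reports and matches the directory name as a substring; if the intent is one count per report, `grep -Rl -- "$i" ... | wc -l` is closer. Quoting `"$0" "$@"` in the `exec su worker` line would keep arguments intact across the privilege drop.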
diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh
new file mode 100644
index 000000000..dacfdeb28
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Usage: hg_clone repo dir [revision=@]
+hg_clone() {
+ repo=$1
+ dir=$2
+ rev=${3:-@}
+ for i in 0 2 5; do
+ sleep $i
+ hg clone -r "$rev" "$repo" "$dir" && return
+ rm -rf "$dir"
+ done
+ exit 1
+}
+
+fetch_dist() {
+ url=https://queue.taskcluster.net/v1/task/$TC_PARENT_TASK_ID/artifacts/public/dist.tar.bz2
+ if [ ! -d "dist" ]; then
+ for i in 0 2 5; do
+ sleep $i
+ curl --retry 3 -Lo dist.tar.bz2 $url && tar xvjf dist.tar.bz2 && return
+ rm -fr dist.tar.bz2 dist
+ done
+ exit 1
+ fi
+} |
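Review bot: `fetch_dist` in tools.sh builds its URL from `$TC_PARENT_TASK_ID` without checking that the variable is set and passes `$url` unquoted, and the archive it downloads is unpacked and later executed (fuzz.sh runs `dist/$objdir/bin/nssfuzz`) with no integrity check beyond TLS. Suggest `: "${TC_PARENT_TASK_ID:?}"` at the top of the function and `curl --fail --retry 3 -Lo dist.tar.bz2 "$url"`, plus verifying a digest before `tar xvjf` if the parent task can publish one. Both functions assign `repo`, `dir`, `rev`, `url` and `i` as globals in a file that is sourced, so `local` declarations would keep them from clobbering the caller's variables. A comment noting that `set -v -e -x` here is what gives build.sh, fuzz.sh and the other sourcing scripts their `-e` would help, since those scripts do not set it themselves.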