containers/scripts/crlite-signoff-tool.py (81 lines of code) (raw):

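#!/usr/bin/env python3
"""Sign off on a Kinto collection that is waiting for review.

The script looks up the requested collection and, when its status is
``to-review``, patches the status to ``to-sign``. It does not inspect the
pending records itself: approval is unconditional once the collection is
marked for review, so any validation of the data has to happen before this
tool runs.

Configuration is read through ``decouple`` (environment / settings file):
KINTO_RW_SERVER_URL, KINTO_AUTH_USER, KINTO_AUTH_PASSWORD, KINTO_BUCKET,
KINTO_CRLITE_COLLECTION, KINTO_INTERMEDIATES_COLLECTION and KINTO_NOOP.
"""

import argparse
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path

import requests
import glog as log
from decouple import config
from kinto_http import Client
from kinto_http.patch_type import BasicPatch
from kinto_http.exceptions import KintoException

# The defaults point at the staging server and the staging bucket; a
# production run has to override them explicitly.
KINTO_RW_SERVER_URL = config(
    "KINTO_RW_SERVER_URL", default="https://remote-settings.allizom.org/v1/"
)
# Credentials default to empty strings so the module can be imported without
# secrets present; they must be supplied by the environment for a real run.
KINTO_AUTH_USER = config("KINTO_AUTH_USER", default="")
KINTO_AUTH_PASSWORD = config("KINTO_AUTH_PASSWORD", default="")
KINTO_BUCKET = config("KINTO_BUCKET", default="security-state-staging")
KINTO_CRLITE_COLLECTION = config("KINTO_CRLITE_COLLECTION", default="cert-revocations")
KINTO_INTERMEDIATES_COLLECTION = config(
    "KINTO_INTERMEDIATES_COLLECTION", default="intermediates"
)
# cast=bool makes decouple parse the text ("false", "0", "no", ... -> False).
# The previous cast, bool(x), turned every non-empty string into True, so
# KINTO_NOOP=false silently enabled no-op mode and nothing was ever signed.
KINTO_NOOP = config("KINTO_NOOP", default=False, cast=bool)


class SignoffClient(Client):
    """Kinto client with a helper that approves a collection under review."""

    def sign_collection(self, *, collection=None):
        """Request signing of ``collection`` if it is marked ``to-review``.

        Args:
            collection: Collection id, passed to ``get_collection`` as ``id``.

        Returns:
            None, both when the collection was patched to ``to-sign`` and
            when it was skipped because its status is not ``to-review``.

        Raises:
            KintoException: if the lookup or the patch fails, or if the
                response carries no ``data`` object or no ``status`` field.
        """
        try:
            resp = self.get_collection(id=collection)
        except KintoException as e:
            log.error(f"Couldn't determine {collection} review status: {e}")
            # Bare raise keeps the original traceback intact.
            raise

        original = resp.get("data")
        if original is None:
            raise KintoException("Malformed response from Kinto")

        status = original.get("status")
        if status is None:
            raise KintoException("Malformed response from Kinto")

        # Only a collection that is explicitly awaiting review is approved;
        # any other status leaves the collection untouched.
        if status != "to-review":
            log.info("Collection is not marked for review. Skipping.")
            return

        try:
            self.patch_collection(
                original=original, changes=BasicPatch({"status": "to-sign"})
            )
        except KintoException:
            log.error(f"Couldn't sign {collection}")
            raise


if __name__ == "__main__":
    OK = 0
    ERROR = 1

    parser = argparse.ArgumentParser()
    parser.add_argument(
        "collection",
        help="Collection to sign, either 'cert-revocations' or 'intermediates'",
    )
    parser.add_argument(
        "--noop", default=KINTO_NOOP, action="store_true", help="Don't update Kinto"
    )
    args = parser.parse_args()

    # The command-line name is a fixed alias; the collection id that is
    # actually signed comes from configuration.
    if args.collection == "cert-revocations":
        collection = KINTO_CRLITE_COLLECTION
    elif args.collection == "intermediates":
        collection = KINTO_INTERMEDIATES_COLLECTION
    else:
        log.error(f"Unknown collection {args.collection}")
        sys.exit(ERROR)

    if args.noop:
        log.info(f"Would sign off on {collection}, but noop requested")
        sys.exit(OK)

    # Surface a missing secret up front instead of leaving it to be inferred
    # from a server-side rejection. The values themselves are never logged.
    if not KINTO_AUTH_USER or not KINTO_AUTH_PASSWORD:
        log.warning("KINTO_AUTH_USER or KINTO_AUTH_PASSWORD is empty")

    auth = requests.auth.HTTPBasicAuth(KINTO_AUTH_USER, KINTO_AUTH_PASSWORD)
    rw_client = SignoffClient(
        server_url=KINTO_RW_SERVER_URL,
        auth=auth,
        bucket=KINTO_BUCKET,
        retry=5,
    )

    try:
        rw_client.sign_collection(collection=collection)
    except KintoException as e:
        log.error(f"Kinto exception: {e}")
        sys.exit(ERROR)

    sys.exit(OK)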