taskcluster/scripts/get-secret.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

#!/usr/bin/env python3

# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.


import argparse
import base64
import errno
import json
import os

import taskcluster


def write_secret_to_file(
    path, data, key, base64decode=False, json_secret=False, append=False, prefix=""
):
    path = os.path.abspath(os.path.join(os.getcwd(), path))
    try:
        os.makedirs(os.path.dirname(path))
    except OSError as error:
        if error.errno != errno.EEXIST:
            raise
    print(f"Outputting secret to: {path}")

    with open(path, "a" if append else "w") as f:
        value = data["secret"][key]
        if base64decode:
            value = base64.b64decode(value)
        if json_secret:
            value = json.dumps(value)

        if isinstance(value, bytes):
            value = value.decode("utf-8")
        f.write(prefix + value)


def fetch_secret_from_taskcluster(name):
    try:
        secrets = taskcluster.Secrets(
            {
                # BaseUrl is still needed for tasks that haven't migrated to taskgraph yet.
                "baseUrl": "http://taskcluster/secrets/v1",
            }
        )
    except taskcluster.exceptions.TaskclusterFailure:
        # taskcluster library >=5 errors out when `baseUrl` is used
        secrets = taskcluster.Secrets(
            {
                "rootUrl": os.environ.get(
                    "TASKCLUSTER_PROXY_URL", "https://taskcluster.net"
                ),
            }
        )

    return secrets.get(name)


def main():
    parser = argparse.ArgumentParser(
        description="Fetch a taskcluster secret value and save it to a file."
    )

    parser.add_argument("-s", dest="secret", action="store", help="name of the secret")
    parser.add_argument("-k", dest="key", action="store", help="key of the secret")
    parser.add_argument(
        "-f", dest="path", action="store", help="file to save secret to"
    )
    parser.add_argument(
        "--decode",
        dest="decode",
        action="store_true",
        default=False,
        help="base64 decode secret before saving to file",
    )
    parser.add_argument(
        "--json",
        dest="json",
        action="store_true",
        default=False,
        help="serializes the secret to JSON format",
    )
    parser.add_argument(
        "--append",
        dest="append",
        action="store_true",
        default=False,
        help="append secret to existing file",
    )
    parser.add_argument(
        "--prefix",
        dest="prefix",
        action="store",
        default="",
        help="add prefix when writing secret to file",
    )

    result = parser.parse_args()

    secret = fetch_secret_from_taskcluster(result.secret)
    write_secret_to_file(
        result.path,
        secret,
        result.key,
        result.decode,
        result.json,
        result.append,
        result.prefix,
    )


if __name__ == "__main__":
    main()