Bug 1098467: Validate the task before build the phone image r=lightsofapollo.

Phone builds are special because they may contain vendor blobs that we
are not allowed to distribute. So, we have to make sure the task is not
leaking anything.

We check that the gecko repository is a mozilla oficial repository and
that we are not copying the built stuff to public folders.

testing/docker/phone-builder/VERSION

@@ -1 +1 @@
-0.0.1
+0.0.2

testing/docker/phone-builder/bin/build-phone.sh

@@ -5,6 +5,11 @@ test $GECKO_HEAD_REPOSITORY # Should be an hg repository url to pull from
 test $GECKO_HEAD_REV # Should be an hg revision to pull down
 test $TARGET
 
+if ! validate_task.py; then
+    echo "Not a valid task" >&2
+    exit 1
+fi
+
 # First check if the mozharness directory is available. This is intended to be
 # used locally in development to test mozharness changes:
 #

testing/docker/phone-builder/bin/validate_task.py

@@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+from __future__ import print_function
+import os
+import os.path
+import json
+import urllib2
+import sys
+import re
+
+def get_task(taskid):
+    return json.load(urllib2.urlopen('https://queue.taskcluster.net/v1/task/' + taskid))
+
+def check_task(task):
+    payload = task['payload']
+
+    if 'REPOSITORY' not in payload['env']:
+        print('Task has no gecko repository', file=sys.stderr)
+        return -1
+
+    repo = payload['env']['REPOSITORY']
+    # if it is not a mozilla repository, fail
+    if not re.match(r'[a-z]+://hg\.mozilla\.org', repo):
+        print('Invalid repository', repo, file=sys.stderr)
+        return -1
+
+    if 'artifacts' in payload:
+        artifacts = payload['artifacts']
+        # If any of the artifacts makes reference to 'public',
+        # abort the task
+        if any(map(lambda a: 'public' in a, artifacts)):
+            print('Cannot upload to public', file=sys.stderr)
+            return -1
+
+    return 0
+
+def main():
+    taskid = os.getenv('TASK_ID')
+
+    # If the task id is None, we assume we are running docker locally
+    if taskid is None:
+        sys.exit(0)
+
+    task = get_task(taskid)
+    sys.exit(check_task(task))
+
+if __name__ == '__main__':
+    main()

testing/docker/phone-builder/tests/invalid_repo.yml

@@ -0,0 +1,49 @@
+taskId: 1
+task:
+  metadata:
+    source: http://todo.com/soon
+    owner: user@domain.com
+    name: B2G Emulator
+    description: B2G Emulator
+
+  workerType: b2gbuild
+  provisionerId: aws-provisioner
+
+  scopes:
+    - 'docker-worker:cache:build-emulator-objects'
+    - 'docker-worker:image:quay.io/mozilla/phone-builder:0.0.1'
+
+  payload:
+    cache:
+      build-emulator-objects: '/home/worker/object-folder-flame-kk-1'
+
+    env:
+      TARGET: 'flame-kk'
+      B2G_DEBUG: '1'
+      # revision/project params defined originally here https://github.com/taskcluster/taskcluster-try/blob/master/try/instantiate.js
+      REVISION: 'tip'
+      REPOSITORY: 'git@github.com:mozilla/gecko-dev.git'
+
+    image: 'quay.io/mozilla/phone-builder:0.0.1'
+    maxRunTime: 14400
+
+    command:
+      - build-phone.sh
+
+    artifacts:
+      'private/build':
+        type: directory
+        path: '/home/worker/artifacts/'
+
+  extra:
+    # Rather then enforcing particular conventions we require that all build
+    # tasks provide the "build" extra field to specify where the build and tests
+    # files are located.
+    locations:
+      build: 'private/build/emulator.tar.gz'
+      tests: 'private/build/b2g-tests.zip'
+      symbols: 'private/build/b2g-crashreporter-symbols.zip'
+      sources: 'private/build/sources.xml'
+
+    treeherder:
+      symbol: B

testing/docker/phone-builder/tests/public.yml

@@ -0,0 +1,49 @@
+taskId: 1
+task:
+  metadata:
+    source: http://todo.com/soon
+    owner: user@domain.com
+    name: B2G Emulator
+    description: B2G Emulator
+
+  workerType: b2gbuild
+  provisionerId: aws-provisioner
+
+  scopes:
+    - 'docker-worker:cache:build-emulator-objects'
+    - 'docker-worker:image:quay.io/mozilla/phone-builder:0.0.1'
+
+  payload:
+    cache:
+      build-emulator-objects: '/home/worker/object-folder-flame-kk-1'
+
+    env:
+      TARGET: 'flame-kk'
+      B2G_DEBUG: '1'
+      # revision/project params defined originally here https://github.com/taskcluster/taskcluster-try/blob/master/try/instantiate.js
+      REVISION: 'tip'
+      REPOSITORY: 'http://hg.mozilla.org/mozilla-central'
+
+    image: 'quay.io/mozilla/phone-builder:0.0.1'
+    maxRunTime: 14400
+
+    command:
+      - build-phone.sh
+
+    artifacts:
+      'public/build':
+        type: directory
+        path: '/home/worker/artifacts/'
+
+  extra:
+    # Rather then enforcing particular conventions we require that all build
+    # tasks provide the "build" extra field to specify where the build and tests
+    # files are located.
+    locations:
+      build: 'public/build/emulator.tar.gz'
+      tests: 'public/build/b2g-tests.zip'
+      symbols: 'public/build/b2g-crashreporter-symbols.zip'
+      sources: 'public/build/sources.xml'
+
+    treeherder:
+      symbol: B

testing/docker/phone-builder/tests/test_validation.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python
+
+import unittest
+import sys
+import yaml
+sys.path.append('../bin')
+from validate_task import check_task
+
+def load_task(task_file):
+    content = open(task_file, 'r')
+    return yaml.load(content)['task']
+
+class TaskValidationTest(unittest.TestCase):
+    def test_valid_task(self):
+        task = load_task('valid.yml')
+        self.assertEquals(check_task(task), 0)
+
+    def test_invalid_repo(self):
+        task = load_task('invalid_repo.yml')
+        self.assertEquals(check_task(task), -1)
+
+    def test_public_artifact(self):
+        task = load_task('public.yml')
+        self.assertEquals(check_task(task), -1)
+
+if __name__ == '__main__':
+    unittest.main()

testing/docker/phone-builder/tests/valid.yml

@@ -0,0 +1,51 @@
+taskId: 1
+task:
+  metadata:
+    source: http://todo.com/soon
+    owner: user@domain.com
+    name: B2G flame-kk opt
+    description: B2G flame-kk opt
+
+  workerType: b2gbuild
+  provisionerId: aws-provisioner
+
+  scopes:
+    - 'docker-worker:cache:build-phone-objects'
+    - 'docker-worker:image:{{#docker_image}}phone-builder{{/docker_image}}'
+
+  payload:
+    cache:
+      build-phone-objects: '/home/worker/object-folder-flame-kk-1'
+
+    env:
+      TARGET: 'flame-kk'
+      B2G_DEBUG: '1'
+      # revision/project params defined originally here https://github.com/taskcluster/taskcluster-try/blob/master/try/instantiate.js
+      REVISION: 'tip'
+      REPOSITORY: 'http://hg.mozilla.org/mozilla-central'
+
+    image: '{{#docker_image}}phone-builder{{/docker_image}}'
+    maxRunTime: 14400
+
+    command:
+      - build-phone.sh
+
+    artifacts:
+      'private/build':
+        type: directory
+        path: '/home/worker/artifacts/'
+        expires: '{{#from_now}}1 year{{/from_now}}'
+
+  extra:
+    # Rather then enforcing particular conventions we require that all build
+    # tasks provide the "build" extra field to specify where the build and tests
+    # files are located.
+    locations:
+      build: 'private/build/b2g-android-arm.tar.gz'
+      img: 'private/build/flame-kk.zip'
+      tests: 'private/build/gaia.zip'
+      symbols: 'private/build/b2g-crashreporter-symbols.zip'
+      sources: 'private/build/sources.xml'
+
+    treeherder:
+      symbol: B