taskcluster/docker/periodic_updates/README.md
author Bogdan Tara <btara@mozilla.com>
Wed, 07 Mar 2018 13:21:46 +0200
changeset 406976 13671c01b9873e227d8bf54bc118fa9c8c95793e
parent 406975 taskcluster/docker/periodic-updates/README.md@6ba388ca08dab3ebe94c3e9749fd1ff4c174cd64
permissions -rw-r--r--
Backed out changeset 6ba388ca08da (bug 1436369) for taskcluster-images bustage and linting failure at taskcluster/ci/repo-update/kind.yml:49:1 on a CLOSED TREE


==Periodic File Updates==

This docker image examines the in-tree files for HSTS preload data, HPKP pinning and blocklist.xml, and
will produce a diff for each necessary to update the in-tree files.

If given a conduit API token, it will also use the arcanist client to submit the commits for review.


==Quick Start==

```sh
docker build -t hsts-local --no-cache --rm .

docker run -e DO_HSTS=1 -e DO_HPKP=1 -e DO_BLOCKLIST=1 -e PRODUCT="firefox" -e BRANCH="mozilla-central" -e USE_MOZILLA_CENTRAL=1 hsts-local
```

HSTS checks will only be run if the `DO_HSTS` environment variable is set.
Likewise for `DO_HPKP` and the HPKP checks, and `DO_BLOCKLIST` and the
blocklist checks. Environment variables are used rather than command line
arguments to make constructing taskcluster tasks easier.

==Background==

These scripts have been moved from `https://hg.mozilla.org/build/tools/scripts/periodic_file_updates/` and
`security/manager/tools/` in the main repos, as part of the buildbot to taskcluster migration.

==HSTS Checks==

`scripts/getHSTSPreloadList.js` will examine the current contents of
nsSTSPreloadList.inc from whichever `BRANCH` is specified, add in the mandatory
hosts, and those from the Chromium source, and check them all to see if their
SSL configuration is valid, and whether or not they have the
Strict-Transport-Security header set with an appropriate `max-age`. 

This javascript has been modified to use async calls to improve performance.

==HPKP Checks==

`scripts/genHPKPStaticPins.js` will ensure the list of pinned public keys are
up to date.

==Example Taskcluster Task==

https://tools.taskcluster.net/tasks/create

```yaml
provisionerId: aws-provisioner-v1
workerType: gecko-1-b-linux
retries: 0
created: '2018-02-07T14:45:57.347Z'
deadline: '2018-02-07T17:45:57.348Z'
expires: '2019-02-07T17:45:57.348Z'
scopes: []
payload:
  image: srfraser/hsts1
  maxRunTime: 1800
  artifacts:
    public/build/nsSTSPreloadList.diff:
      path: /home/worker/artifacts/nsSTSPreloadList.diff
      expires: '2019-02-07T13:57:35.448Z'
      type: file
    public/build/StaticHPKPins.h.diff:
      path: /home/worker/artifacts/StaticHPKPins.h.diff
      expires: '2019-02-07T13:57:35.448Z'
      type: file
    public/build/blocklist.diff:
      path: /home/worker/artifacts/blocklist.diff
      expires: '2019-02-07T13:57:35.448Z'
      type: file
  env:
    DO_HSTS: 1
    DO_HPKP: 1
    DO_BLOCKLIST: 1
    PRODUCT: firefox
    BRANCH: mozilla-central
    USE_MOZILLA_CENTRAL: 1
    REVIEWERS: catlee
metadata:
  name: Periodic updates testing
  description: Produce diffs for HSTS and HPKP in-tree files.
  owner: sfraser@mozilla.com
  source: 'https://tools.taskcluster.net/task-creator/'
tags: {}
extra:
  treeherder:
    jobKind: test
    machine:
      platform: linux64
    tier: 1
    symbol: 'hsts'

```