Bug 1492639 Add destination checks to bouncer validation r=mtabara a=release
authorSimon Fraser <sfraser@mozilla.com>
Wed, 10 Oct 2018 15:00:18 +0100
changeset 490257 06296e32a38a047fe7503b1ea6707f80fdb39206
parent 490256 725973b45a9390e24257b66e718c0358a9fe888c
child 490258 bcd58b71091df777dd0a1257cf8ab02054f1c68b
push id9967
push usersfraser@mozilla.com
push dateThu, 11 Oct 2018 12:18:55 +0000
reviewersmtabara, release
bugs1492639
milestone63.0
Bug 1492639 Add destination checks to bouncer validation r=mtabara a=release Reviewers: mtabara Reviewed By: mtabara Subscribers: bhearsum, sfraser, catlee, mtabara Tags: #secure-revision, #bmo-releng-security Bug #: 1492639 Differential Revision: https://phabricator.services.mozilla.com/D8189
.cron.yml
taskcluster/ci/cron-bouncer-check/kind.yml
testing/mozharness/scripts/release/bouncer_check.py
--- a/.cron.yml
+++ b/.cron.yml
@@ -114,16 +114,19 @@ jobs:
           by-project:
               # No default branch
               mozilla-beta:
                   - {hour: 7, minute: 0}
                   - {hour: 19, minute: 0}
               mozilla-release:
                   - {hour: 7, minute: 0}
                   - {hour: 19, minute: 0}
+              mozilla-esr60:
+                  - {hour: 7, minute: 0}
+                  - {hour: 19, minute: 0}
 
     - name: periodic-update
       job:
           type: decision-task
           treeherder-symbol: Nfile
           target-tasks-method: file_update
       run-on-projects:
           - mozilla-central
--- a/taskcluster/ci/cron-bouncer-check/kind.yml
+++ b/taskcluster/ci/cron-bouncer-check/kind.yml
@@ -46,16 +46,17 @@ jobs:
                     jamun:
                         - releases/dev_bouncer_firefox_esr.py
                     default:
                         - releases/dev_bouncer_firefox_beta.py
             product-field:
                 by-project:
                     mozilla-beta: LATEST_FIREFOX_RELEASED_DEVEL_VERSION
                     mozilla-release: LATEST_FIREFOX_VERSION
+                    mozilla-esr60: FIREFOX_ESR
                     default: LATEST_FIREFOX_DEVEL_VERSION
             products-url: https://product-details.mozilla.org/1.0/firefox_versions.json
         treeherder:
             platform: firefox-release/opt
 
     devedition:
         shipping-product: devedition
         index:
--- a/testing/mozharness/scripts/release/bouncer_check.py
+++ b/testing/mozharness/scripts/release/bouncer_check.py
@@ -96,26 +96,45 @@ class BouncerCheck(BaseScript, Virtualen
 
         if self.config['product_field'] not in firefox_versions:
             self.fatal('Unknown Firefox label: {}'.format(self.config['product_field']))
         self.config["version"] = firefox_versions[self.config["product_field"]]
         self.log("Set Firefox version {}".format(self.config["version"]))
 
     def check_url(self, session, url):
         from redo import retry
+        try:
+            from urllib.parse import urlparse
+        except ImportError:
+            # Python 2
+            from urlparse import urlparse
+
+        mozilla_locations = [
+            'download-installer.cdn.mozilla.net',
+            'download.cdn.mozilla.net',
+            'download.mozilla.org',
+            'archive.mozilla.org',
+        ]
 
         def do_check_url():
             self.log("Checking {}".format(url))
             r = session.head(url, verify=True, timeout=10, allow_redirects=True)
             try:
                 r.raise_for_status()
             except Exception:
                 self.warning("FAIL: {}, status: {}".format(url, r.status_code))
                 raise
 
+            final_url = urlparse(r.url)
+            if final_url.scheme != 'https':
+                self.warning('FAIL: URL scheme is not https: {}'.format(r.url))
+
+            if final_url.netloc not in mozilla_locations:
+                self.warning('FAIL: host not in allowed locations: {}'.format(r.url))
+
         retry(do_check_url, sleeptime=3, max_sleeptime=10, attempts=3)
 
     def get_urls(self):
         for product in self.config["products"].values():
             if not product["check_uptake"]:
                 continue
             product_name = product["product-name"] % {"version": self.config["version"]}
             for path in product["paths"].values():
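Review bot: The two new destination checks in do_check_url only log a warning and fall through, whereas the preceding raise_for_status() branch raises, so a download that lands on plain http or on a host outside mozilla_locations is not treated as a failure the way a bad status code is; whether the job still ends up marked failed then depends on how the harness scores warning-level log lines, which this hunk does not show. If an unexpected destination is meant to fail the check, raise after the warning exactly as the status branch does, so the retry loop and the caller see it. Only the final response is inspected: r.history holds the intermediate redirect responses, so a hop over plain http on the way to an acceptable https landing page goes unnoticed, and checking each hop closes that gap. The exact match on netloc rejects a port suffix or different letter case, which fails closed and is fine, but a comment such as `# exact match on purpose: anything not literally one of these hosts is rejected` would stop it from being loosened later. check_url is entirely within the hunk; the enclosing class starts above it.
```python
            # Inspect every hop, not only the final landing page: a redirect
            # through plain http or a foreign host is a failure even when the
            # final URL is acceptable.
            for hop in r.history + [r]:
                hop_url = urlparse(hop.url)
                if hop_url.scheme != 'https':
                    self.warning('FAIL: URL scheme is not https: {}'.format(hop.url))
                    raise ValueError('non-https URL in redirect chain: {}'.format(hop.url))
                # exact match on purpose: anything not literally one of these hosts is rejected
                if hop_url.netloc not in mozilla_locations:
                    self.warning('FAIL: host not in allowed locations: {}'.format(hop.url))
                    raise ValueError('unexpected host in redirect chain: {}'.format(hop.url))
```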