767c971623
Backed out changeset a7d50dbb2c8e (bug 1492664) Backed out changeset 2d876c4ece8b (bug 1492664) Backed out changeset c82285d253de (bug 1492664) Backed out changeset bf6d089640eb (bug 1492664) Backed out changeset d9a7f2ce49c3 (bug 1492664) Backed out changeset 06c466ab4323 (bug 1492664) Backed out changeset c1ea4a10cc8d (bug 1492664) Backed out changeset 4c63a04fdd47 (bug 1492664) Backed out changeset 742b038bb1dd (bug 1492664) Backed out changeset 911b4b0fb683 (bug 1492664) Backed out changeset 870c8cec99e5 (bug 1492664) Backed out changeset 77699b51336b (bug 1492664) Backed out changeset 29f33f22fd8b (bug 1492664) Backed out changeset e7f305408708 (bug 1492664) Backed out changeset 335a92b1f424 (bug 1492664) Backed out changeset c566f1c8dcdf (bug 1492664) Backed out changeset c77ae59aba41 (bug 1492664) Backed out changeset 9c35dd209c6b (bug 1492664) Backed out changeset a972d6b4434e (bug 1492664) Backed out changeset 5ea6f03f845e (bug 1492664) Backed out changeset 0699d3873e44 (bug 1492664) --HG-- extra : histedit_source : 5cb1f7e50f25d4a875c1a58c86b7dce902e1a89c%2C20f1ab1a843b612cfcc67cf5c6ff745d65abf076
==Periodic File Updates==
This docker image examines the in-tree files for HSTS preload data, HPKP pinning and blocklist.xml, and produces, for each of them, the diff needed to update the in-tree file.
If given a conduit API token, it will also use the arcanist client to submit the commits for review.
==Quick Start==
    docker build -t hsts-local --no-cache --rm .
    docker run -e DO_HSTS=1 -e DO_HPKP=1 -e DO_BLOCKLIST=1 -e PRODUCT="firefox" -e BRANCH="mozilla-central" -e USE_MOZILLA_CENTRAL=1 hsts-local

HSTS checks will only be run if the DO_HSTS environment variable is set. Likewise for DO_HPKP and the HPKP checks, and DO_BLOCKLIST and the blocklist checks. Environment variables are used rather than command line arguments to make constructing taskcluster tasks easier.
==Background==
These scripts have been moved from https://hg.mozilla.org/build/tools/scripts/periodic_file_updates/ and security/manager/tools/ in the main repos.
==HSTS Checks==
scripts/getHSTSPreloadList.js will examine the current contents of nsSTSPreloadList.inc from whichever BRANCH is specified, add in the mandatory hosts and those from the Chromium source, and check them all to see whether their SSL configuration is valid and whether or not they serve the Strict-Transport-Security header with an appropriate max-age.
This JavaScript has been modified to use async calls to improve performance.
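As an added example (not code from the periodic-updates scripts or from getHSTSPreloadList.js itself), the per-host decision described above can be sketched in JavaScript: parse the header, reject malformed or duplicated directives, and require a minimum max-age. The 18-week threshold, the function names and the sample headers are assumptions made for this example.

```javascript
// Added example, not code from the periodic-updates scripts: does the
// Strict-Transport-Security header a host served qualify it for preloading?
const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18; // 18 weeks; assumed for this example

// Parse an STS header value (RFC 6797 section 6.1): ';'-separated directives,
// case-insensitive names, optionally quoted values. A directive that appears
// twice makes the whole header invalid, so null is returned in that case.
function parseSTSHeader(value) {
  const directives = {};
  for (let part of value.split(";")) {
    part = part.trim();
    if (part === "") continue; // empty directives are permitted
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : part.slice(eq + 1).trim();
    if (val !== null && val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    if (name in directives) return null;
    directives[name] = val;
  }
  return directives;
}

// Classify one host's header (null or undefined when no header was served).
function checkSTSHeader(headerValue, minMaxAge = MINIMUM_REQUIRED_MAX_AGE) {
  if (headerValue === null || headerValue === undefined) {
    return { ok: false, error: "no Strict-Transport-Security header" };
  }
  const d = parseSTSHeader(headerValue);
  if (d === null) return { ok: false, error: "duplicate directive" };
  if (!("max-age" in d) || d["max-age"] === null || !/^\d+$/.test(d["max-age"])) {
    return { ok: false, error: "missing or malformed max-age" };
  }
  const maxAge = Number(d["max-age"]);
  if (maxAge < minMaxAge) {
    return { ok: false, error: `max-age ${maxAge} is below ${minMaxAge}`, maxAge };
  }
  return { ok: true, maxAge, includeSubDomains: "includesubdomains" in d };
}

// Hosts whose header passes; `headers` maps host -> header value (or null).
function preloadCandidates(headers) {
  return Object.keys(headers).filter(host => checkSTSHeader(headers[host]).ok);
}

// Constructed sample of what a crawl might have returned (not real data).
const SAMPLE_HEADERS = {
  "good.example": "max-age=31536000; includeSubDomains",
  "short.example": "max-age=300",
  "none.example": null,
};
```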
==HPKP Checks==
scripts/genHPKPStaticPins.js will ensure the list of pinned public keys is up to date.
==Example Taskcluster Task==
https://tools.taskcluster.net/tasks/create

    provisionerId: aws-provisioner-v1
    workerType: gecko-1-b-linux
    retries: 0
    created: '2018-02-07T14:45:57.347Z'
    deadline: '2018-02-07T17:45:57.348Z'
    expires: '2019-02-07T17:45:57.348Z'
    scopes: []
    payload:
      image: srfraser/hsts1
      maxRunTime: 1800
      artifacts:
        public/build/nsSTSPreloadList.diff:
          path: /home/worker/artifacts/nsSTSPreloadList.diff
          expires: '2019-02-07T13:57:35.448Z'
          type: file
        public/build/StaticHPKPins.h.diff:
          path: /home/worker/artifacts/StaticHPKPins.h.diff
          expires: '2019-02-07T13:57:35.448Z'
          type: file
        public/build/blocklist.diff:
          path: /home/worker/artifacts/blocklist.diff
          expires: '2019-02-07T13:57:35.448Z'
          type: file
      env:
        DO_HSTS: 1
        DO_HPKP: 1
        DO_BLOCKLIST: 1
        PRODUCT: firefox
        BRANCH: mozilla-central
        USE_MOZILLA_CENTRAL: 1
        REVIEWERS: catlee
    metadata:
      name: Periodic updates testing
      description: Produce diffs for HSTS and HPKP in-tree files.
      owner: sfraser@mozilla.com
      source: 'https://tools.taskcluster.net/task-creator/'
    tags: {}
    extra:
      treeherder:
        jobKind: test
        machine:
          platform: linux64
        tier: 1
        symbol: 'hsts'