From 1c81d6e190f4995903373adad7c5599e5b134de4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Tue, 25 Feb 2020 22:42:47 +0100
Subject: [PATCH] nix: force sandbox in CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For more details see: https://github.com/status-im/security-internal/blob/master/overview/infra.md#continuous-integration-ci
Signed-off-by: Jakub SokoĊ‚owski
---
 ci/Jenkinsfile.fastlane.clean | 2 +-
 ci/android.groovy | 12 ++++++------
 ci/desktop.groovy | 12 ++++++------
 ci/ios.groovy | 6 +++---
 ci/nix.groovy | 32 ++++++++++++++++++--------------
 5 files changed, 34 insertions(+), 30 deletions(-)
diff --git a/ci/Jenkinsfile.fastlane.clean b/ci/Jenkinsfile.fastlane.clean
index f22cd63232..a8cf277f68 100644
--- a/ci/Jenkinsfile.fastlane.clean
+++ b/ci/Jenkinsfile.fastlane.clean
@@ -44,7 +44,7 @@ pipeline {
 ]) {
 nix.shell(
 'bundle exec --gemfile=fastlane/Gemfile fastlane ios clean',
- keep: ['FASTLANE_APPLE_ID', 'FASTLANE_PASSWORD'],
+ keepEnv: ['FASTLANE_APPLE_ID', 'FASTLANE_PASSWORD'],
 attr: 'shells.fastlane',
 )
 }
diff --git a/ci/android.groovy b/ci/android.groovy
index e1371733db..b7587c3e23 100644
--- a/ci/android.groovy
+++ b/ci/android.groovy
@@ -49,12 +49,12 @@ def bundle() {
 'STATUS_RELEASE_STORE_PASSWORD',
 'STATUS_RELEASE_KEY_PASSWORD',
 ],
- keep: [
+ keepEnv: [
 'ANDROID_ABI_SPLIT',
 'ANDROID_ABI_INCLUDE',
 'STATUS_RELEASE_STORE_FILE',
 ],
- sbox: [
+ sandboxPaths: [
 env.STATUS_RELEASE_STORE_FILE,
 ],
 link: false
@@ -110,7 +110,7 @@ def uploadToPlayStore(type = 'nightly') {
 ]) {
 nix.shell(
 "fastlane android ${type}",
- keep: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'GOOGLE_PLAY_JSON_KEY'],
+ keepEnv: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'GOOGLE_PLAY_JSON_KEY'],
 attr: 'shells.fastlane',
 pure: false
 )
@@ -134,7 +134,7 @@ def uploadToSauceLabs() { ]) { nix.shell( 'fastlane android saucelabs', - keep: [ + keepEnv: [ 'FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME', 'SAUCE_LABS_NAME' ], @@ -151,7 +151,7 @@ def uploadToDiawi() { ]) { nix.shell( 'fastlane android upload_diawi', - keep: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'DIAWI_TOKEN'], + keepEnv: ['FASTLANE_DISABLE_COLORS', 'APK_PATHS', 'DIAWI_TOKEN'], attr: 'shells.fastlane', pure: false ) @@ -166,7 +166,7 @@ def coverage() { ]) { nix.shell( 'make coverage', - keep: ['COVERALLS_REPO_TOKEN', 'COVERALLS_SERVICE_NAME', 'COVERALLS_SERVICE_JOB_ID'] + keepEnv: ['COVERALLS_REPO_TOKEN', 'COVERALLS_SERVICE_NAME', 'COVERALLS_SERVICE_JOB_ID'] ) } } diff --git a/ci/desktop.groovy b/ci/desktop.groovy index bd94c5f644..70b96a6c20 100644 --- a/ci/desktop.groovy +++ b/ci/desktop.groovy @@ -9,7 +9,7 @@ def buildJSBundle() { make jsbundle-desktop && \ ./scripts/build-desktop.sh buildJSBundle ''', - keep: ['VERBOSE_LEVEL'] + keepEnv: ['VERBOSE_LEVEL'] ) } @@ -49,7 +49,7 @@ def compile() { } nix.shell( './scripts/build-desktop.sh compile', - keep: ['VERBOSE_LEVEL'] + keepEnv: ['VERBOSE_LEVEL'] ) } @@ -58,7 +58,7 @@ def bundleWindows(type = 'nightly') { nix.shell( './scripts/build-desktop.sh bundle', - keep: ['VERBOSE_LEVEL'] + keepEnv: ['VERBOSE_LEVEL'] ) dir(packageFolder) { pkg = utils.pkgFilename(type, 'exe') @@ -71,7 +71,7 @@ def bundleLinux(type = 'nightly') { def pkg nix.shell( './scripts/build-desktop.sh bundle', - keep: ['VERBOSE_LEVEL'] + keepEnv: ['VERBOSE_LEVEL'] ) dir(packageFolder) { pkg = utils.pkgFilename(type, 'AppImage') @@ -84,7 +84,7 @@ def bundleMacOS(type = 'nightly') { def pkg = utils.pkgFilename(type, 'dmg') nix.shell( './scripts/build-desktop.sh bundle', - keep: ['VERBOSE_LEVEL'] + keepEnv: ['VERBOSE_LEVEL'] ) dir(packageFolder) { withCredentials([ 
@@ -99,7 +99,7 @@ def bundleMacOS(type = 'nightly') { ../scripts/sign-macos-pkg.sh ${pkg} ../deployment/macos/macos-developer-id.keychain-db.gpg """, pure: false, - keep: ['GPG_PASS_OUTER', 'GPG_PASS_INNER', 'KEYCHAIN_PASS'] + keepEnv: ['GPG_PASS_OUTER', 'GPG_PASS_INNER', 'KEYCHAIN_PASS'] ) } } diff --git a/ci/ios.groovy b/ci/ios.groovy index b27fa6a735..9580ed1db4 100644 --- a/ci/ios.groovy +++ b/ci/ios.groovy @@ -34,7 +34,7 @@ def bundle() { ]) { nix.shell( "bundle exec --gemfile=fastlane/Gemfile fastlane ios ${target}", - keep: [ + keepEnv: [ 'FASTLANE_DISABLE_COLORS', 'FASTLANE_PASSWORD', 'KEYCHAIN_PASSWORD', 'MATCH_PASSWORD', 'FASTLANE_APPLE_ID', @@ -66,7 +66,7 @@ def uploadToDiawi() { /* This can silently fail with 'File is not processed.' */ nix.shell( 'bundle exec --verbose --gemfile=fastlane/Gemfile fastlane ios upload_diawi', - keep: ['FASTLANE_DISABLE_COLORS', 'DIAWI_TOKEN'], + keepEnv: ['FASTLANE_DISABLE_COLORS', 'DIAWI_TOKEN'], attr: 'shells.fastlane' ) } @@ -92,7 +92,7 @@ def uploadToSauceLabs() { ]) { nix.shell( 'bundle exec --gemfile=fastlane/Gemfile fastlane ios saucelabs', - keep: ['FASTLANE_DISABLE_COLORS', 'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME'], + keepEnv: ['FASTLANE_DISABLE_COLORS', 'SAUCE_ACCESS_KEY', 'SAUCE_USERNAME'], attr: 'shells.fastlane' ) } diff --git a/ci/nix.groovy b/ci/nix.groovy index 614e70c565..caefd2fa6c 100644 --- a/ci/nix.groovy +++ b/ci/nix.groovy 
@@ -1,19 +1,20 @@
 /**
 * Arguments:
 * - pure - Use --pure mode with Nix for more deterministic behaviour
- * - keep - List of env variables to keep even in pure mode
 * - args - Map of arguments to provide to --argstr
+ * - keepEnv - List of env variables to keep even in pure mode
 **/
 def shell(Map opts = [:], String cmd) {
 def defaults = [
 pure: true,
 args: ['target': env.TARGET ? env.TARGET : 'default'],
- keep: ['LOCALE_ARCHIVE_2_27'],
+ keepEnv: ['LOCALE_ARCHIVE_2_27'],
+ sandbox: true,
 ]
 /* merge defaults with received opts */
 opts = defaults + opts
 /* previous merge overwrites the array */
- opts.keep = (opts.keep + defaults.keep).unique()
+ opts.keepEnv = (opts.keepEnv + defaults.keepEnv).unique()
 /* not all targets can use a pure build */
 if (env.TARGET in ['windows', 'ios']) {
 opts.pure = false
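Review bot: `sandbox: true` is added to the defaults of `shell()` but the Arguments block above it is not updated to list it, even though the same hunk documents `keepEnv` there. Add ` * - sandbox - Whether Nix builds the shell's dependencies inside the sandbox` after the `keepEnv` line. As far as I know nix-shell only applies this option to the derivations it realises, and `cmd` itself still runs on the host, so spelling that out in the comment avoids readers assuming the command is isolated. `shell()` continues past the end of this hunk.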
@@ -30,29 +31,31 @@ def shell(Map opts = [:], String cmd) { * Arguments: * - pure - Use --pure mode with Nix for more deterministic behaviour * - link - Bu default build creates a `result` directory, you can turn that off - * - keep - List of env variables to pass through to Nix build * - conf - Map of config values to provide to --arg config * - args - Map of arguments to provide to --argstr * - attr - Name of attribute to use with --attr flag - * - sbox - List of host file paths to pass to the Nix expression + * - keepEnv - List of env variables to pass through to Nix build * - safeEnv - Name of env variables to pass securely through to Nix build (they won't get captured in Nix derivation file) + * - sandbox - If build process should run inside of a sandbox + * - sandboxPaths - List of file paths to make available in Nix sandbox **/ def build(Map opts = [:]) { def defaults = [ pure: true, link: true, args: ['target': env.TARGET], - keep: [], conf: [:], attr: null, - sbox: [], + keepEnv: [], safeEnv: [], + sandbox: true, + sandboxPaths: [], ] /* merge defaults with received opts */ opts = defaults + opts /* Previous merge overwrites the array */ opts.args = defaults.args + opts.args - opts.keep = (opts.keep + defaults.keep).unique() + opts.keepEnv = (opts.keepEnv + defaults.keepEnv).unique() def nixPath = sh( returnStdout: true, @@ -92,7 +95,7 @@ private makeNixBuildEnvFile(Map opts = [:]) { """ opts.args = opts.args + [ 'secrets-file': envFile.absolutePath ] - opts.sbox = opts.sbox + envFile.absolutePath + opts.sandboxPaths = opts.sandboxPaths + envFile.absolutePath } return envFile 
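Review bot: `sandbox: true` in `build()`'s defaults does not force anything on its own, because `opts = defaults + opts` lets any caller pass `sandbox: false` and nothing in the build output records that a job opted out. Right after the merge add a visible marker, `if (!opts.sandbox) { echo "WARNING: Nix sandbox disabled for this build" }`, so an unsandboxed build stands out in the console log and in any log-based monitoring. The `sandbox` doc line could also say that `sandboxPaths` only takes effect while the sandbox is enabled, which appears to follow from how the flags are assembled in `_getNixCommandArgs` but is worth stating. `build()` continues past the end of this hunk.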
@@ -104,12 +107,13 @@ private def _getNixCommandArgs(Map opts = [:], boolean isShell) { if (!isShell || opts.attr != null) { entryPoint = "\'${env.WORKSPACE}/default.nix\'" } - def extraSandboxPathsFlag = '' + /* don't let nix.conf control sandbox status */ + def extraSandboxPathsFlag = "--option sandbox ${opts.sandbox}" if (isShell) { - keepFlags = opts.keep.collect { var -> "--keep ${var} " } + keepFlags = opts.keepEnv.collect { var -> "--keep ${var} " } } else { - def envVarsList = opts.keep.collect { var -> "${var}=\"${env[var]}\";" } + def envVarsList = opts.keepEnv.collect { var -> "${var}=\"${env[var]}\";" } keepFlags = ["--arg env \'{${envVarsList.join("")}}\'"] /* Export the environment variables we want to keep into @@ -128,8 +132,8 @@ private def _getNixCommandArgs(Map opts = [:], boolean isShell) { def configFlags = opts.conf.collect { key,val -> "${key}=\"${val}\";" } configFlag = "--arg config \'{${configFlags.join('')}}\'" } - if (opts.sbox != null && !opts.sbox.isEmpty()) { - extraSandboxPathsFlag = "--option extra-sandbox-paths \"${opts.sbox.join(' ')}\"" + if (opts.sandboxPaths != null && !opts.sandboxPaths.isEmpty()) { + extraSandboxPathsFlag += " --option extra-sandbox-paths \"${opts.sandboxPaths.join(' ')}\"" } return [
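Review bot: `"--option sandbox ${opts.sandbox}"` interpolates whatever the caller supplied straight into the command line, and the comment above it promises more than the flag can deliver: Nix treats `sandbox` as a restricted setting, so when the job talks to nix-daemon as a non-trusted user the option is ignored with only a warning and nix.conf still decides. Reject anything but a boolean before use, `if (!(opts.sandbox in [true, false])) { error("sandbox must be true or false, got: ${opts.sandbox}") }`, and consider checking the effective setting (for example from `nix show-config`) so a silently unsandboxed build fails instead of passing. Since the variable now carries the sandbox switch as well as the extra paths, a name like `sandboxFlags` would read better here and where the second hunk appends to it. `_getNixCommandArgs` starts before this hunk and continues after it.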