Read secrets from .json file, and fetch from datastore for appengine (#…

…127)
web-platform-tests · Dec 13, 2019 · 0b09f01 · 0b09f01
1 parent c3599de
commit 0b09f01
Show file tree

Hide file tree

Showing 6 changed files with 613 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
+secrets.json
+
 node_modules/
 .DS_Store
 .nyc_output/
diff --git a/create-secrets.js b/create-secrets.js
@@ -0,0 +1,21 @@
+// istanbul ignore file
+
+'use strict'
+
+const {Datastore} = require('@google-cloud/datastore');
+const fs = require('fs');
+
+async function fetchSecret(tokenName) {
+    const datastore = new Datastore({projectId: 'wpt-pr-bot'});
+    const key = datastore.key(['Token', tokenName]);
+    let entity = await datastore.get(key);
+    return entity[0].Secret;
+}
+
+(async () => {
+    const secrets = {
+        webhookSecret: await fetchSecret('github-webhook-secret'),
+        githubToken: await fetchSecret('wpt-pr-bot-github-token'),
+    };
+    await fs.promises.writeFile('secrets.json', JSON.stringify(secrets), 'utf8');
+})().catch((reason) => { console.error(reason); process.exit(1) });
diff --git a/index.js b/index.js
@@ -7,6 +7,7 @@ var t0 = Date.now();
 var express = require("express"),
     bl = require("bl"),
     labelModel = require('./lib/label-model'),
+    github = require('./lib/github'),
     metadata = require('./lib/metadata'),
     comment = require('./lib/comment'),
     checkRequest = require('./lib/check-request'),
@@ -40,13 +41,27 @@ function funkLogErr(num, msg) {
     return function(err) { logArgs("#" + num + ": " + msg + "\n", err); };
 }
 
+// Load the secrets in.
+let secrets;
+try {
+    secrets = require('./secrets.json');
+} catch (err) {
+    console.log(`Unable to load secrets.json, falling back to env (error: ${err})`);
+    secrets = {
+        githubToken: process.env.GITHUB_TOKEN,
+        webhookSecret: process.env.GITHUB_SECRET,
+    };
+}
+// TODO(stephenmcgruer): Refactor code to avoid awkward global setter.
+github.setToken(secrets.githubToken);
+
 var currentlyRunning = {};
 
 app.post('/github-hook', function (req, res) {
     req.pipe(bl(function (err, body) {
         if (err) {
             logArgs(err.message);
-        } else if (process.env.NODE_ENV != 'production' || checkRequest(body, req.headers["x-hub-signature"], process.env.GITHUB_SECRET)) {
+        } else if (process.env.NODE_ENV != 'production' || checkRequest(body, req.headers["x-hub-signature"], secrets.webhookSecret)) {
             res.send(new Date().toISOString());
 
             try {

diff --git a/lib/github.js b/lib/github.js
@@ -128,7 +128,12 @@ function replaceURL(url, options) {
     });
 }
 
+function setToken(t) {
+    token = t;
+}
+
 exports.get = get;
 exports.post = post;
 exports.put = put;
 exports.patch = patch;
+exports.setToken = setToken;