| # Copyright 2018 The Fuchsia Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
declare_args() {
  # CloudKMS key ring under which every key named by a secret_spec() lives.
  # Build-argument, so it can be overridden with `gn args`; doing so changes
  # the key path recorded in every generated secret spec.
  cloudkms_key_dir = "projects/fuchsia-infra/locations/global/keyRings/test-secrets/cryptoKeys"
}
| |
| # Describes a 'secret', a plaintext to be supplied to a test at runtime. The |
| # JSON spec of the secret and its associated ciphertext file will be written to |
| # $root_build_dir/secret_specs/$target_name.json |
| # and |
| # $root_build_dir/secret_specs/ciphertext/$target_name.ciphertext |
| # respectively. |
| # |
| # Parameters |
| # |
| # key_name |
| # Required: Name of the private key used for encryption. It is assumed that this key |
| # lives in CloudKMS at $cloudkms_key_dir/<key_name> (see declare_args above), i.e. by default |
| # projects/fuchsia-infra/locations/global/keyRings/test-secrets/cryptoKeys/<key_name> |
| # |
| # ciphertext_file |
| # Required: Relative path to a text file containing the encrypted plaintext |
| # (maximum 64KiB) |
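template("secret_spec") {
  assert(defined(invoker.key_name), "key_name must be defined.")
  assert(defined(invoker.ciphertext_file), "ciphertext_file must be defined.")

  # key_name is interpolated into the fixed CloudKMS key-ring path below, so it
  # must be a single bare key id. A value containing a path separator (or "."
  # or "..") would make the generated spec point at a key outside
  # $cloudkms_key_dir; reject it at gen time rather than at test runtime.
  assert(
      invoker.key_name != "" && invoker.key_name != "." &&
          invoker.key_name != ".." &&
          get_path_info(invoker.key_name, "file") == invoker.key_name,
      "key_name must be a bare CloudKMS key id, got \"${invoker.key_name}\"")

  # Both the spec JSON and the copied ciphertext land under this directory.
  secret_spec_dir = "$root_build_dir/secret_specs"

  if (current_toolchain == default_toolchain) {
    # In the default toolchain root_build_dir == root_out_dir, so writing the
    # copy's output under root_build_dir satisfies GN's requirement that
    # outputs live in root_out_dir.
    #
    # NOTE(review): this copy target is not marked testonly while the group in
    # the other branch is; confirm whether non-test targets are meant to be
    # able to depend on it in the default toolchain.
    copy(target_name) {
      sources = [ invoker.ciphertext_file ]
      outputs = [ "$secret_spec_dir/ciphertext/$target_name.ciphertext" ]
    }
  } else {
    # Other toolchains copy nothing themselves; they depend on the
    # default-toolchain instance so that the copy rule above is what runs.
    group(target_name) {
      testonly = true
      deps = [ ":${target_name}(${default_toolchain})" ]
      not_needed([ "invoker" ])
    }
  }

  # The spec records the (non-secret) key path and the ciphertext location
  # exactly as the invoker supplied it. The 64KiB limit documented above is
  # not enforced here; whatever consumes the spec must bound the input.
  secret_spec = {
    cloudkms_key_path = "$cloudkms_key_dir/${invoker.key_name}"
    ciphertext_file = invoker.ciphertext_file
  }

  # Evaluated in every toolchain that instantiates the template; each
  # evaluation produces the same content for the same target name.
  write_file("$secret_spec_dir/$target_name.json", secret_spec, "json")
}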