From 5d1a34285b1aadbfa39de4fecfac81656482c195 Mon Sep 17 00:00:00 2001
From: Sarah Clements <sclements@mozilla.com>
Date: Fri, 28 Feb 2020 08:54:24 -0800
Subject: [PATCH] Bug 1613265 - More CSP and url changes for
 taskcluster-staging  (#6071)

* Add more domains to CSP and remove taskcluster.net for legacy support
* Add checkRootUrls for a few I missed
---
 treeherder/middleware.py                  |  2 +-
 ui/job-view/CustomJobActions.jsx          |  6 +++++-
 ui/job-view/details/summary/ActionBar.jsx |  3 ++-
 ui/models/taskcluster.js                  | 15 ++++++++-------
 ui/shared/JobInfo.jsx                     |  3 ++-
 5 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/treeherder/middleware.py b/treeherder/middleware.py
index d7c55e58a..a2d6b649d 100644
--- a/treeherder/middleware.py
+++ b/treeherder/middleware.py
@@ -19,7 +19,7 @@ CSP_DIRECTIVES = [
     "font-src 'self' https://fonts.gstatic.com",
     # The `data:` is required for images that were inlined by webpack's url-loader (as an optimisation).
     "img-src 'self' data:",
-    "connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://*.taskcluster-artifacts.net https://taskcluster-artifacts.net https://*.taskcluster.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/",
+    "connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://*.taskcluster-artifacts.net https://taskcluster-artifacts.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/ https://artifacts.tcstage.mozaws.net/ https://*.artifacts.tcstage.mozaws.net/",
     # Required since auth0-js performs session renewals in an iframe.
     "frame-src 'self' https://auth.mozilla.auth0.com",
     "report-uri {}".format(reverse('csp-report')),
diff --git a/ui/job-view/CustomJobActions.jsx b/ui/job-view/CustomJobActions.jsx
index bf0eca2a7..ffd665255 100644
--- a/ui/job-view/CustomJobActions.jsx
+++ b/ui/job-view/CustomJobActions.jsx
@@ -27,6 +27,7 @@ import { faCheckSquare } from '@fortawesome/free-regular-svg-icons';
 import { formatTaskclusterError } from '../helpers/errorMessage';
 import TaskclusterModel from '../models/taskcluster';
 import DropdownMenuItems from '../shared/DropdownMenuItems';
+import { checkRootUrl } from '../taskcluster-auth-callback/constants';
 
 import { notify } from './redux/stores/notifications';
 
@@ -158,7 +159,10 @@ class CustomJobActions extends React.PureComponent {
       taskId => {
         this.setState({ triggering: false });
         let message = 'Custom action request sent successfully:';
-        let url = tcLibUrls.ui(currentRepo.tc_root_url, `/tasks/${taskId}`);
+        let url = tcLibUrls.ui(
+          checkRootUrl(currentRepo.tc_root_url),
+          `/tasks/${taskId}`,
+        );
 
         // For the time being, we are redirecting specific actions to
         // specific urls that are different than usual. At this time, we are
diff --git a/ui/job-view/details/summary/ActionBar.jsx b/ui/job-view/details/summary/ActionBar.jsx
index 8b09d7983..1d45304c7 100644
--- a/ui/job-view/details/summary/ActionBar.jsx
+++ b/ui/job-view/details/summary/ActionBar.jsx
@@ -33,6 +33,7 @@ import CustomJobActions from '../../CustomJobActions';
 import { notify } from '../../redux/stores/notifications';
 import { pinJob } from '../../redux/stores/pinnedJobs';
 import { getAction } from '../../../helpers/taskcluster';
+import { checkRootUrl } from '../../../taskcluster-auth-callback/constants';
 
 import LogUrls from './LogUrls';
 
@@ -550,7 +551,7 @@ class ActionBar extends React.PureComponent {
                         className="pl-4"
                         href={getInspectTaskUrl(
                           selectedJobFull.task_id,
-                          currentRepo.tc_root_url,
+                          checkRootUrl(currentRepo.tc_root_url),
                           selectedJobFull.submit_timestamp,
                         )}
                       >
diff --git a/ui/models/taskcluster.js b/ui/models/taskcluster.js
index 42afdfdcb..bc698597e 100644
--- a/ui/models/taskcluster.js
+++ b/ui/models/taskcluster.js
@@ -4,6 +4,7 @@ import { Auth, Hooks } from 'taskcluster-client-web';
 import { satisfiesExpression } from 'taskcluster-lib-scopes';
 
 import taskcluster, { tcCredentialsMessage } from '../helpers/taskcluster';
+import { checkRootUrl } from '../taskcluster-auth-callback/constants';
 
 export default class TaskclusterModel {
   static taskInContext(tagSetList, taskTags) {
@@ -34,8 +35,8 @@ export default class TaskclusterModel {
       },
       staticActionVariables,
     );
-
-    const queue = taskcluster.getQueue(currentRepo.tc_root_url, testMode);
+    const rootUrl = checkRootUrl(currentRepo.tc_root_url);
+    const queue = taskcluster.getQueue(rootUrl, testMode);
 
     if (action.kind === 'task') {
       context.task = task;
@@ -52,7 +53,7 @@ export default class TaskclusterModel {
     if (action.kind === 'hook') {
       const hookPayload = jsone(action.hookPayload, context);
       const { hookId, hookGroupId } = action;
-      const auth = new Auth({ rootUrl: currentRepo.tc_root_url });
+      const auth = new Auth({ rootUrl });
 
       const userCredentials = testMode
         ? taskcluster.getMockCredentials()
@@ -61,7 +62,7 @@ export default class TaskclusterModel {
         throw new Error(tcCredentialsMessage);
       }
       const hooks = new Hooks({
-        rootUrl: currentRepo.tc_root_url,
+        rootUrl,
         credentials: userCredentials.credentials,
       });
       const decisionTask = await queue.task(decisionTaskId);
@@ -86,8 +87,8 @@ export default class TaskclusterModel {
     if (!decisionTaskID) {
       throw Error("No decision task, can't find taskcluster actions");
     }
-
-    const queue = taskcluster.getQueue(currentRepo.tc_root_url, testMode);
+    const rootUrl = checkRootUrl(currentRepo.tc_root_url);
+    const queue = taskcluster.getQueue(rootUrl, testMode);
     const actionsUrl = queue.buildUrl(
       queue.getLatestArtifact,
       decisionTaskID,
@@ -99,7 +100,7 @@ export default class TaskclusterModel {
     let originalTaskPromise = Promise.resolve(null);
     if (job) {
       originalTaskId = job.task_id;
-      const queue = taskcluster.getQueue(currentRepo.tc_root_url, testMode);
+      const queue = taskcluster.getQueue(rootUrl, testMode);
       originalTaskPromise = queue.task(originalTaskId);
     }
 
diff --git a/ui/shared/JobInfo.jsx b/ui/shared/JobInfo.jsx
index 7131b8df1..50e5414a2 100644
--- a/ui/shared/JobInfo.jsx
+++ b/ui/shared/JobInfo.jsx
@@ -4,6 +4,7 @@ import PropTypes from 'prop-types';
 import { getInspectTaskUrl } from '../helpers/url';
 import { getJobSearchStrHref } from '../helpers/job';
 import { toDateStr } from '../helpers/display';
+import { checkRootUrl } from '../taskcluster-auth-callback/constants';
 
 import Clipboard from './Clipboard';
 
@@ -82,7 +83,7 @@ export default class JobInfo extends React.PureComponent {
               id="taskInfo"
               href={getInspectTaskUrl(
                 taskId,
-                currentRepo.tc_root_url,
+                checkRootUrl(currentRepo.tc_root_url),
                 submitTimestamp,
               )}
               target="_blank"