Add authorize_adb_keys step that will add host key to device.

scripts/slave/android/authorize_adb_devices.py

+#!/usr/bin/env python
+# Copyright 2015 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Push host key onto Android devices using public userdebug key.
+
+If the device has the chrome-infrastructure private adb key on it, use
+ADB_VENDOR_KEYS to push the host-specific private key onto the devices that are
+not authorized.
+
+"""
+import optparse
+import os
+import subprocess
+import sys
+import tempfile
+
+CURPATH = os.path.dirname(os.path.realpath(__file__))
+ADB = os.path.join(CURPATH, os.pardir, os.pardir, 'tools', 'adb')

[jbudorick, 2015/03/05 05:15:02]

O_O

What's this script's intended lifetime? We've seen elsewhere (i.e., the test
runner scripts) how rapidly unmaintainable handrolled adb commands can become.
I'd really prefer to do this some other way if this is intended to live for any
length of time.

[Vadim Sh., 2015/03/05 05:20:26]

Committing binary into the repository is not a good idea:
1. It will permanently make the repo fatter.
2. The binary in repo may depend on shared libraries not present elsewhere. For
example, binaries for Ubuntu Precise may not work on Trusty (because libc.so
version changed).

Is "adb" available on android buildbot slaves? I think it would be better to
hardcode "/usr/bin/adb" (or whereever it is) instead of trying to distribute it
with scripts.

[jbudorick, 2015/03/05 05:30:03]

adb is part of the android SDK, which gets pulled into android checkouts of
chromium. There's an adb recipe_module that uses it (though I don't have any
experience with using that recipe_module).

[navabi, 2015/03/05 05:30:20]

I checked and we don't have an adb binary in /usr/bin/adb or /bin/.

There is one in build_internal/scripts/slave/android/adb, but that may not be
available because this is a public bot.

I don't know of an adb binary I can call from the /b/build/ directory. Perhaps
we can get the sys admins to roll out adb to /usr/bin on all android bots.

We intend for this script to stay around. The problem is, this script belongs in
the infra stuff (i.e. /b/build directory) instead of the chromium checkout (as
it is specifically for the bots) and the checkout is where we have all the
utilities for running adb commands.

I'm open to other alternatives, but putting this in the chromium checkout just
because that is where the adb utility libraries are seems wrong to me.

[navabi, 2015/03/05 05:35:34]

Yes, we can point to the ADB in the chromium checkout. I can make that change.

[jbudorick, 2015/03/05 05:37:37]

Can we not just use the one from the checkout?
Yeah, after reading this, I agree that it doesn't belong in the chromium
checkout. We're looking at extracting the device-handling python stuff from
build/android/ into its own library s.t. telemetry can use it when it gets
pulled out of chromium; perhaps this could use that at that point, too.

[jbudorick, 2015/03/05 05:38:53]

didn't see this before my last response, oops.

+ADB_KEYS_PATH = '/data/misc/adb/adb_keys'
+
+
+def GetCmdOutput(cmd, env={}):
+  env['HOME'] = os.environ['HOME']
+  stdout, stderr = subprocess.Popen(cmd, stdout=subprocess.PIPE,
+                                    stderr=subprocess.PIPE,
+                                    env=env).communicate()
+  output = stdout + stderr
+  return output
+
+
+def PushHostPubkey(device, env, public_keys_set):
+ GetCmdOutput([ADB, 'devices'], env)
+ GetCmdOutput([ADB, '-s', device, 'root'], env)
+ adb_ls_output = GetCmdOutput([ADB, '-s', device, 'shell', 'ls', ADB_KEYS_PATH],
+                              env)
+ # If adb_keys file exists on device add its contents to the public keys set.
+ if adb_ls_output == ADB_KEYS_PATH:
+   dev_keys = GetCmdOutput([ADB, '-s', device, 'shell', 'cat', ADB_KEYS_PATH],
+                           env).splitlines()
+   public_keys_set.update(dev_keys)
+ f = tempfile.NamedTemporaryFile(delete=False)
+ f.write('\n'.join(public_keys_set))
+ f.close()
+ GetCmdOutput(['cat', f.name], env)

[navabi, 2015/03/05 05:14:45]

this was for debugging. remove.

+ GetCmdOutput([ADB, '-s', device, 'push', f.name, ADB_KEYS_PATH], env)
+ os.unlink(f.name)
+ os.path.exists(f.name)
+
+
+def GetUnauthorizedDevices():
+  output = GetCmdOutput([ADB, 'devices']).splitlines()
+  unauthorized_devices = [line.split('\t')[0] for line in output
+                          if '\tunauthorized' in line]
+  return unauthorized_devices
+
+
+def main(argv):
+  parser = optparse.OptionParser()
+  parser.add_option('--adb-keys-dir',
+                    help='Point to directory that contains adb keys.',
+                    default=os.path.join(os.environ['HOME'], '.android'))
+  options, _ = parser.parse_args()
+  dir_contents = os.listdir(options.adb_keys_dir)
+  private_key_files = [os.path.join(options.adb_keys_dir, key)
+                       for key in dir_contents if key.endswith('adbkey')]
+  public_key_files = [os.path.join(options.adb_keys_dir, key)
+                      for key in dir_contents if key.endswith('adbkey.pub')]
+  public_keys_set = set()
+  for public_key_file in public_key_files:
+    with open(public_key_file, 'r') as f:
+      public_keys_set.add(f.read().strip())
+
+  # Kill server and find unauthorized devices without ADB_VENDOR_KEYS
+  GetCmdOutput([ADB, 'kill-server'], env={}).splitlines()
+  unauthorized_devices = GetUnauthorizedDevices()
+
+  # Kill server and relaunch with ADB_VENDOR_KEYS
+  env = {'ADB_VENDOR_KEYS': ':'.join(private_key_files)} \
+      if private_key_files else {}
+  GetCmdOutput([ADB, 'kill-server']).splitlines()
+  for device in unauthorized_devices:
+    PushHostPubkey(device, env, public_keys_set)

[jbudorick, 2015/03/05 05:30:03]

Also, does this even work? If they're unauthorized and don't have the public
keys, does adb let you push?

[navabi, 2015/03/05 05:35:34]

The idea is that all the devices will have the chromium-infra key on them. The
sys admins make sure of that after they flash.

Then we can communicate with the devices with ADB_VENDOR_KEYS=<path to
chromium-infra private key on host>.

Instead of requiring we do everything with ADB_VENDOR_KEYS in the environment,
this single step uses ADB_VENDOR_KEYS just to push the host-specific public key
onto the device, so from there on out, the device is authorized for the host,
just like we currently do manually.

+
+
+if __name__ == '__main__':
+  sys.exit(main(sys.argv))