Turn on hermetic toolchain for all corp machines.

BUG=659726 Committed: https://crrev.com/7778e931dabc1fa85d0b77321e3fdef166e0b6a0 Review-Url: https://codereview.chromium.org/2445993004 Cr-Original-Commit-Position: refs/heads/master@{#430376} Cr-Commit-Position: refs/heads/master@{#430863}
hylschwy · Nov 9, 2016 · da01626 · da01626
1 parent 8826eda
commit da01626
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 29 deletions.
diff --git a/.gn b/.gn
@@ -235,6 +235,7 @@ exec_script_whitelist = [
   "//build/toolchain/concurrent_links.gni",
   "//build/toolchain/mac/BUILD.gn",
   "//build/toolchain/nacl/BUILD.gn",
+  "//build/toolchain/toolchain.gni",
   "//build/toolchain/win/BUILD.gn",
   "//build/util/branding.gni",
   "//build/util/version.gni",

diff --git a/build/mac/should_use_hermetic_xcode.py b/build/mac/should_use_hermetic_xcode.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"""Prints "1" if Chrome targets should be built with hermetic xcode. Otherwise
+prints "0"."""
+
+import os
+import sys
+
+
+def _IsCorpMachine():
+  return os.path.isdir('/Library/GoogleCorpSupport/')
+
+
+def main():
+  if os.environ.get('FORCE_MAC_TOOLCHAIN') or _IsCorpMachine():
+    return "1"
+  else:
+    return "0"
+
+
+if __name__ == '__main__':
+  print main()
+  sys.exit(0)
diff --git a/build/mac_toolchain.py b/build/mac_toolchain.py
@@ -3,19 +3,14 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-"""Download necessary mac toolchain files under certain conditions.  If
-xcode-select is already set and points to an external folder
-(e.g. /Application/Xcode.app), this script only runs if the GYP_DEFINE
-|force_mac_toolchain| is set.  To override the values in
-|TOOLCHAIN_REVISION|-|TOOLCHAIN_SUB_REVISION| below, GYP_DEFINE
-mac_toolchain_revision can be used instead.
-
-This script will only run on machines if /usr/bin/xcodebuild and
-/usr/bin/xcode-select has been added to the sudoers list so the license can be
-accepted.
-
-Otherwise, user input would be required to complete the script.  Perhaps future
-versions can be modified to allow for user input on developer machines.
+"""
+If should_use_hermetic_xcode.py emits "1", and the current toolchain is out of
+date:
+  * Downloads the hermetic mac toolchain
+    * Requires gsutil to be configured.
+  * Accepts the license.
+    * If xcode-select and xcodebuild are not passwordless in sudoers, requires
+      user interaction.
 """
 
 import os
@@ -138,23 +133,42 @@ def AcceptLicense():
     subprocess.check_call(['sudo', '/usr/bin/xcode-select', '-s', old_path])
 
 
-def _UseLocalMacSDK():
-  force_pull = os.environ.has_key('FORCE_MAC_TOOLCHAIN')
-
-  # Don't update the toolchain if there's already one installed outside of the
-  # expected location for a Chromium mac toolchain, unless |force_pull| is set.
-  proc = subprocess.Popen(['xcode-select', '-p'], stdout=subprocess.PIPE)
-  xcode_select_dir = proc.communicate()[0]
-  rc = proc.returncode
-  return (not force_pull and rc == 0 and
-          TOOLCHAIN_BUILD_DIR not in xcode_select_dir)
+def _UseHermeticToolchain():
+  current_dir = os.path.dirname(os.path.realpath(__file__))
+  script_path = os.path.join(current_dir, 'mac/should_use_hermetic_xcode.py')
+  proc = subprocess.Popen([script_path], stdout=subprocess.PIPE)
+  return '1' in proc.stdout.readline()
+
+
+def RequestGsAuthentication():
+  """Requests that the user authenticate to be able to access gs://.
+  """
+  print 'Access to ' + TOOLCHAIN_URL + ' not configured.'
+  print '-----------------------------------------------------------------'
+  print
+  print 'You appear to be a Googler.'
+  print
+  print 'I\'m sorry for the hassle, but you need to do a one-time manual'
+  print 'authentication. Please run:'
+  print
+  print '    download_from_google_storage --config'
+  print
+  print 'and follow the instructions.'
+  print
+  print 'NOTE 1: Use your google.com credentials, not chromium.org.'
+  print 'NOTE 2: Enter 0 when asked for a "project-id".'
+  print
+  print '-----------------------------------------------------------------'
+  print
+  sys.stdout.flush()
+  sys.exit(1)
 
 
 def main():
   if sys.platform != 'darwin':
     return 0
 
-  if _UseLocalMacSDK():
+  if not _UseHermeticToolchain():
     print 'Using local toolchain.'
     return 0
 
@@ -166,8 +180,8 @@ def main():
     return 0
 
   if not CanAccessToolchainBucket():
-    print 'Cannot access toolchain bucket.'
-    return 0
+    RequestGsAuthentication()
+    return 1
 
   # Reset the stamp file in case the build is unsuccessful.
   WriteStampFile('')

diff --git a/build/toolchain/toolchain.gni b/build/toolchain/toolchain.gni
@@ -49,9 +49,15 @@ declare_args() {
   use_system_xcode = ""
 }
 
-if ((is_mac || is_ios) && use_system_xcode == "") {
-  _result = getenv("FORCE_MAC_TOOLCHAIN")
-  use_system_xcode = _result == ""
+if (use_system_xcode == "") {
+  if (target_os == "mac") {
+    _result =
+        exec_script("//build/mac/should_use_hermetic_xcode.py", [], "value")
+    use_system_xcode = _result == 0
+  }
+  if (target_os == "ios") {
+    use_system_xcode = true
+  }
 }
 
 # The path to the hermetic install of Xcode. Only relevant when