ci: add script to validate user is approved
This is the script run within the following jenkins job:
https://jenkins.openbmc.org/job/CI-MISC/job/openbmc-userid-validation/
Put it into a source-controlled script so others can review and update
it.
Tested:
- Extracted this into the jenkins job and ran it. Verified it worked as
expected.
Change-Id: I6deefcf6b443ea33b028ee25451e9377dabbfb22
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/jenkins/userid-validation b/jenkins/userid-validation
new file mode 100755
index 0000000..250785d
--- /dev/null
+++ b/jenkins/userid-validation
@@ -0,0 +1,123 @@
+#!/bin/bash -e
+#
+# Purpose:
+# This script is responsible for determining the owner of a gerrit
+# commit, verifying they are within an approved gerrit group, and
+# then updating gerrit with that verification info.
+#
+# Note: It is assumed this script is run as a part of a jenkins job triggered
+# by the gerrit plugin. Therefore it assumes certain env variables
+# provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
+#
+# Required Inputs:
+# SSH_KEY: Path to private ssh key used to post messages to gerrit
+
+GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc-project.xyz"
+
+echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"
+
+COMMITTER_EMAIL=`${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python2 -c "import sys, json; sys.stdin.read(4); print json.load(sys.stdin)['committer']['email']"`
+if [ "x${COMMITTER_EMAIL}" == "x" ]; then
+ echo "Unable to find committer."
+ ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
+ ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 --message=\'Unable to determine committer\'
+ exit -1
+fi
+
+#echo "Commit by '${COMMITTER_EMAIL}'"
+COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python2 -c "import sys, json; sys.stdin.read(4); print json.load(sys.stdin)['username']"`
+#COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}`
+echo "USERNAME: $COMMITTER_USERNAME"
+if [ "x${COMMITTER_USERNAME}" == "x" ]; then
+ echo "Unable to determine github user for ${COMMITTER_EMAIL}."
+ ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
+ ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 --message=\'Unable to determine github user\'
+ exit -1
+fi
+
+# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
+ ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 -t autogenerated:jenkins
+
+# Write full list of users to a file
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members openbmc/ci-authorized --recursive > $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members ampere/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members facebook/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members google/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members ibm/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members intel/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members inventec/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members nuvoton/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members quanta/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members yadro/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members inspur/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members wistron/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members hcl/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members rcs/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members wiwynn/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members hpe/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members individual/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members gager-in/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members amd/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members nvidia/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members bytedance/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members alibaba/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
+ ls-members supermicro/ci-authorized --recursive >> $WORKSPACE/users.txt
+
+# grep for the specific username word in the file
+if grep -q -w ${COMMITTER_USERNAME} $WORKSPACE/users.txt; then
+ ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
+ ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=1 -t autogenerated:jenkins --message=\'User approved, CI ok to start\'
+ exit 0
+fi
+
+echo "${COMMITTER_USERNAME} is not on the approved list."
+ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
+ ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 -t autogenerated:jenkins --message=\'User not approved, see admin, no CI\'
+
+exit 0
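Review bot: The approval gate `grep -q -w ${COMMITTER_USERNAME} $WORKSPACE/users.txt` treats the unquoted username as a regular expression and matches it against whole `ls-members` lines, so it can succeed on a word in another member's full-name or e-mail column instead of on the username itself. Because this match is what grants `Ok-To-Test=1`, compare the username field exactly, for example `if cut -f2 "${WORKSPACE}/users.txt" | grep -qxF -- "${COMMITTER_USERNAME}"; then` (this assumes the tab-separated id/username/name/email layout that `gerrit ls-members` normally prints; confirm against the server's output). The lookup is also keyed on the commit's committer e-mail, which comes from commit metadata, although the header comment says the script determines the owner; unless Forge Committer is restricted on the server, the uploader or change owner reported by the trigger plugin would be a firmer identity to check. Separately, every ssh call passes `-o 'StrictHostKeyChecking no'`, so the host that returns the member lists and receives the votes is never verified. Pinning the Gerrit host key in a known_hosts file on the Jenkins node would close that gap.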