jenkins/userid-validation - damiankrolik/openbmc-build-scripts - Gitiles

 #!/bin/bash -e
 #
 # Purpose:
 #  This script is responsible for determining the owner of a gerrit
 #  commit, verifying they are within an approved gerrit group, and
 #  then updating gerrit with that verification info.
 #
 # Note: It is assumed this script is run as a part of a jenkins job triggered
 #       by the gerrit plugin. Therefore it assumes certain env variables
 #       provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
 #
 # Required Inputs:
 #  SSH_KEY:  Path to private ssh key used to post messages to gerrit

 GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
 GERRIT_SSH_CMD=( \
         ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
         -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
     )

 echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"

 COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --current-patch-set --format json | jq -r '.currentPatchSet.uploader.username | select (. != null )')
 echo "USERNAME: $COMMITTER_USERNAME"
 if [ "${COMMITTER_USERNAME}" = "" ]; then
     echo "Unable to determine github user for ${COMMITTER_EMAIL}."
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=0 "--message='Unable to determine github user'"
     exit 1
 fi

 # Reset the vote to 0 so jenkins will detect a new +1 on retriggers
 "${GERRIT_SSH_CMD[@]}" review \
     "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
     --ok-to-test=0 -t autogenerated:jenkins --notify=NONE

 # Add reviewers based on OWNERS files.
 "${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers |
 {
     while read -r reviewer ;
     do
         # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
         ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
             -X POST \
             -H "Content-Type: application/json" \
             -d "$reviewer" || true
     done
 } || true

 # Write full list of users to a file
 GERRIT_CI_GROUPS=( \
         akamai/ci-authorized \
         alibaba/ci-authorized \
         amd/ci-authorized \
         ami/ci-authorized \
         ampere/ci-authorized \
         arm/ci-authorized \
         aspeed/ci-authorized \
         asus/ci-authorized \
         bytedance/ci-authorized \
         celestica/ci-authorized \
         code-construct/ci-authorized \
         depo/ci-authorized \
         erg/ci-authorized \
         equinix/ci-authorized \
         facebook/ci-authorized \
         fii/ci-authorized \
         gagar-in/ci-authorized \
         google/ci-authorized \
         hcl/ci-authorized \
         hpe/ci-authorized \
         ibm/ci-authorized \
         iei/ci-authorized \
         individual/ci-authorized \
         inspur/ci-authorized \
         intel/ci-authorized \
         inventec/ci-authorized \
         lenovo/ci-authorized \
         microsoft/ci-authorized \
         nineelements/ci-authorized \
         nuvoton/ci-authorized \
         nvidia/ci-authorized \
         openbmc/ci-authorized \
         pcpartner/ci-authorized \
         phytium/ci-authorized \
         plexus/ci-authorized \
         quanta/ci-authorized \
         quic/ci-authorized \
         rcs/ci-authorized \
         supermicro/ci-authorized \
         tencent/ci-authorized \
         triple-crown/ci-authorized \
         ufispace/ci-authorized \
         vaisala/ci-authorized \
         wistron/ci-authorized \
         wiwynn/ci-authorized \
         yadro/ci-authorized \
     )

 rm -f "$WORKSPACE/users.txt"
 for g in "${GERRIT_CI_GROUPS[@]}"; do
     "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
         >> "$WORKSPACE/users.txt"
 done

 # grep for the specific username word in the file
 if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
         "--message='User approved, CI ok to start'"

     # Immediately erase the score to prevent infinite triggers.
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=0 -t autogenerated:jenkins --notify=NONE

     exit 0
 fi

 echo "${COMMITTER_USERNAME} is not on the approved list."
 "${GERRIT_SSH_CMD[@]}" review \
     "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
     --ok-to-test=0 -t autogenerated:jenkins \
     "--message='User not approved, see admin, no CI'"

 exit 0
	#!/bin/bash -e
	#
	# Purpose:
	# This script is responsible for determining the owner of a gerrit
	# commit, verifying they are within an approved gerrit group, and
	# then updating gerrit with that verification info.
	#
	# Note: It is assumed this script is run as a part of a jenkins job triggered
	# by the gerrit plugin. Therefore it assumes certain env variables
	# provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
	#
	# Required Inputs:
	# SSH_KEY: Path to private ssh key used to post messages to gerrit

	GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
	GERRIT_SSH_CMD=( \
	ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
	-p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
	)

	echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"

	COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --current-patch-set --format json \| jq -r '.currentPatchSet.uploader.username \| select (. != null )')
	echo "USERNAME: $COMMITTER_USERNAME"
	if [ "${COMMITTER_USERNAME}" = "" ]; then
	echo "Unable to determine github user for ${COMMITTER_EMAIL}."
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 "--message='Unable to determine github user'"
	exit 1
	fi

	# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins --notify=NONE

	# Add reviewers based on OWNERS files.
	"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers \|
	{
	while read -r reviewer ;
	do
	# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
	${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
	-X POST \
	-H "Content-Type: application/json" \
	-d "$reviewer" \|\| true
	done
	} \|\| true

	# Write full list of users to a file
	GERRIT_CI_GROUPS=( \
	akamai/ci-authorized \
	alibaba/ci-authorized \
	amd/ci-authorized \
	ami/ci-authorized \
	ampere/ci-authorized \
	arm/ci-authorized \
	aspeed/ci-authorized \
	asus/ci-authorized \
	bytedance/ci-authorized \
	celestica/ci-authorized \
	code-construct/ci-authorized \
	depo/ci-authorized \
	erg/ci-authorized \
	equinix/ci-authorized \
	facebook/ci-authorized \
	fii/ci-authorized \
	gagar-in/ci-authorized \
	google/ci-authorized \
	hcl/ci-authorized \
	hpe/ci-authorized \
	ibm/ci-authorized \
	iei/ci-authorized \
	individual/ci-authorized \
	inspur/ci-authorized \
	intel/ci-authorized \
	inventec/ci-authorized \
	lenovo/ci-authorized \
	microsoft/ci-authorized \
	nineelements/ci-authorized \
	nuvoton/ci-authorized \
	nvidia/ci-authorized \
	openbmc/ci-authorized \
	pcpartner/ci-authorized \
	phytium/ci-authorized \
	plexus/ci-authorized \
	quanta/ci-authorized \
	quic/ci-authorized \
	rcs/ci-authorized \
	supermicro/ci-authorized \
	tencent/ci-authorized \
	triple-crown/ci-authorized \
	ufispace/ci-authorized \
	vaisala/ci-authorized \
	wistron/ci-authorized \
	wiwynn/ci-authorized \
	yadro/ci-authorized \
	)

	rm -f "$WORKSPACE/users.txt"
	for g in "${GERRIT_CI_GROUPS[@]}"; do
	"${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
	>> "$WORKSPACE/users.txt"
	done

	# grep for the specific username word in the file
	if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
	"--message='User approved, CI ok to start'"

	# Immediately erase the score to prevent infinite triggers.
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins --notify=NONE

	exit 0
	fi

	echo "${COMMITTER_USERNAME} is not on the approved list."
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins \
	"--message='User not approved, see admin, no CI'"

	exit 0