jenkins/userid-validation - openbmc/openbmc-build-scripts - Gitiles

 #!/bin/bash -e
 #
 # Purpose:
 #  This script is responsible for determining the owner of a gerrit
 #  commit, verifying they are within an approved gerrit group, and
 #  then updating gerrit with that verification info.
 #
 # Note: It is assumed this script is run as a part of a jenkins job triggered
 #       by the gerrit plugin. Therefore it assumes certain env variables
 #       provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
 #
 # Required Inputs:
 #  SSH_KEY:  Path to private ssh key used to post messages to gerrit

 GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
 GERRIT_SSH_CMD=( \
     ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
     -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
 )

 echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"

 # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
 COMMITTER_EMAIL=$(${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['committer']['email'])")
 if [ "${COMMITTER_EMAIL}" = "" ]; then
     echo "Unable to find committer."
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=0 "--message='Unable to determine committer'"
     exit 1
 fi

 #echo "Commit by '${COMMITTER_EMAIL}'"
 # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
 COMMITTER_USERNAME=$(${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['username'])")
 #COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}`
 echo "USERNAME: $COMMITTER_USERNAME"
 if [ "${COMMITTER_USERNAME}" = "" ]; then
     echo "Unable to determine github user for ${COMMITTER_EMAIL}."
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=0 "--message='Unable to determine github user'"
     exit 1
 fi

 # Reset the vote to 0 so jenkins will detect a new +1 on retriggers
 "${GERRIT_SSH_CMD[@]}" review \
     "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
     --ok-to-test=0 -t autogenerated:jenkins --notify=NONE

 # Add reviewers based on OWNERS files.
 "${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers |
 {
     while read -r reviewer ;
     do
         # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
         ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
             -X POST \
             -H "Content-Type: application/json" \
             -d "$reviewer" || true
     done
 } || true

 # Write full list of users to a file
 GERRIT_CI_GROUPS=( \
     alibaba/ci-authorized \
     amd/ci-authorized \
     ami/ci-authorized \
     ampere/ci-authorized \
     arm/ci-authorized \
     aspeed/ci-authorized \
     bytedance/ci-authorized \
     code-construct/ci-authorized \
     depo/ci-authorized \
     erg/ci-authorized \
     facebook/ci-authorized \
     fii/ci-authorized \
     gager-in/ci-authorized \
     google/ci-authorized \
     hcl/ci-authorized \
     hpe/ci-authorized \
     ibm/ci-authorized \
     individual/ci-authorized \
     inspur/ci-authorized \
     intel/ci-authorized \
     inventec/ci-authorized \
     lenovo/ci-authorized \
     microsoft/ci-authorized \
     nineelements/ci-authorized \
     nuvoton/ci-authorized \
     nvidia/ci-authorized \
     openbmc/ci-authorized \
     pcpartner/ci-authorized \
     phytium/ci-authorized \
     quanta/ci-authorized \
     quic/ci-authorized \
     rcs/ci-authorized \
     supermicro/ci-authorized \
     wistron/ci-authorized \
     wiwynn/ci-authorized \
     yadro/ci-authorized \
 )

 rm -f "$WORKSPACE/users.txt"
 for g in "${GERRIT_CI_GROUPS[@]}"; do
     "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
         >> "$WORKSPACE/users.txt"
 done

 # grep for the specific username word in the file
 if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
         "--message='User approved, CI ok to start'"

     # Immediately erase the score to prevent infinite triggers.
     "${GERRIT_SSH_CMD[@]}" review \
         "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
         --ok-to-test=0 -t autogenerated:jenkins --notify=NONE

     exit 0
 fi

 echo "${COMMITTER_USERNAME} is not on the approved list."
 "${GERRIT_SSH_CMD[@]}" review \
     "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
     --ok-to-test=0 -t autogenerated:jenkins \
     "--message='User not approved, see admin, no CI'"

 exit 0
	#!/bin/bash -e
	#
	# Purpose:
	# This script is responsible for determining the owner of a gerrit
	# commit, verifying they are within an approved gerrit group, and
	# then updating gerrit with that verification info.
	#
	# Note: It is assumed this script is run as a part of a jenkins job triggered
	# by the gerrit plugin. Therefore it assumes certain env variables
	# provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
	#
	# Required Inputs:
	# SSH_KEY: Path to private ssh key used to post messages to gerrit

	GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
	GERRIT_SSH_CMD=( \
	ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
	-p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
	)

	echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"

	# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
	COMMITTER_EMAIL=$(${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit \| python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['committer']['email'])")
	if [ "${COMMITTER_EMAIL}" = "" ]; then
	echo "Unable to find committer."
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 "--message='Unable to determine committer'"
	exit 1
	fi

	#echo "Commit by '${COMMITTER_EMAIL}'"
	# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
	COMMITTER_USERNAME=$(${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} \| python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['username'])")
	#COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}`
	echo "USERNAME: $COMMITTER_USERNAME"
	if [ "${COMMITTER_USERNAME}" = "" ]; then
	echo "Unable to determine github user for ${COMMITTER_EMAIL}."
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 "--message='Unable to determine github user'"
	exit 1
	fi

	# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins --notify=NONE

	# Add reviewers based on OWNERS files.
	"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers \|
	{
	while read -r reviewer ;
	do
	# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
	${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
	-X POST \
	-H "Content-Type: application/json" \
	-d "$reviewer" \|\| true
	done
	} \|\| true

	# Write full list of users to a file
	GERRIT_CI_GROUPS=( \
	alibaba/ci-authorized \
	amd/ci-authorized \
	ami/ci-authorized \
	ampere/ci-authorized \
	arm/ci-authorized \
	aspeed/ci-authorized \
	bytedance/ci-authorized \
	code-construct/ci-authorized \
	depo/ci-authorized \
	erg/ci-authorized \
	facebook/ci-authorized \
	fii/ci-authorized \
	gager-in/ci-authorized \
	google/ci-authorized \
	hcl/ci-authorized \
	hpe/ci-authorized \
	ibm/ci-authorized \
	individual/ci-authorized \
	inspur/ci-authorized \
	intel/ci-authorized \
	inventec/ci-authorized \
	lenovo/ci-authorized \
	microsoft/ci-authorized \
	nineelements/ci-authorized \
	nuvoton/ci-authorized \
	nvidia/ci-authorized \
	openbmc/ci-authorized \
	pcpartner/ci-authorized \
	phytium/ci-authorized \
	quanta/ci-authorized \
	quic/ci-authorized \
	rcs/ci-authorized \
	supermicro/ci-authorized \
	wistron/ci-authorized \
	wiwynn/ci-authorized \
	yadro/ci-authorized \
	)

	rm -f "$WORKSPACE/users.txt"
	for g in "${GERRIT_CI_GROUPS[@]}"; do
	"${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
	>> "$WORKSPACE/users.txt"
	done

	# grep for the specific username word in the file
	if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
	"--message='User approved, CI ok to start'"

	# Immediately erase the score to prevent infinite triggers.
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins --notify=NONE

	exit 0
	fi

	echo "${COMMITTER_USERNAME} is not on the approved list."
	"${GERRIT_SSH_CMD[@]}" review \
	"${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
	--ok-to-test=0 -t autogenerated:jenkins \
	"--message='User not approved, see admin, no CI'"

	exit 0