xref: /openbmc/openbmc-build-scripts/jenkins/userid-validation (revision 3c88e2d1b057226b3d6b3312bc253a4151d07022)

#!/bin/bash -e
#
# Purpose:
#  This script is responsible for determining the owner of a gerrit
#  commit, verifying they are within an approved gerrit group, and
#  then updating gerrit with that verification info.
#
# Note: It is assumed this script is run as a part of a jenkins job triggered
#       by the gerrit plugin. Therefore it assumes certain env variables
#       provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
#
# Required Inputs:
#  SSH_KEY:  Path to private ssh key used to post messages to gerrit

GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc-project.xyz"

echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"

COMMITTER_EMAIL=`${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python2 -c "import sys, json; sys.stdin.read(4); print json.load(sys.stdin)['committer']['email']"`
if [ "x${COMMITTER_EMAIL}" == "x" ]; then
    echo "Unable to find committer."
        ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
  ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 --message=\'Unable to determine committer\'
    exit -1
fi

#echo "Commit by '${COMMITTER_EMAIL}'"
COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python2 -c "import sys, json; sys.stdin.read(4); print json.load(sys.stdin)['username']"`
#COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}`
echo "USERNAME: $COMMITTER_USERNAME"
if [ "x${COMMITTER_USERNAME}" == "x" ]; then
    echo "Unable to determine github user for ${COMMITTER_EMAIL}."
    ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
  ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 --message=\'Unable to determine github user\'
    exit -1
fi

# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
  ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 -t autogenerated:jenkins

# Write full list of users to a file
ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members openbmc/ci-authorized --recursive > $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members ampere/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members facebook/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members google/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members ibm/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members intel/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members inventec/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members nuvoton/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members quanta/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members yadro/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members inspur/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members wistron/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members hcl/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members rcs/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members wiwynn/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members hpe/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members individual/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members gager-in/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members amd/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members nvidia/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members bytedance/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members alibaba/ci-authorized --recursive >> $WORKSPACE/users.txt

ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit \
    ls-members supermicro/ci-authorized --recursive >> $WORKSPACE/users.txt

# grep for the specific username word in the file
if grep -q -w ${COMMITTER_USERNAME} $WORKSPACE/users.txt; then
    ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
      ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=1 -t autogenerated:jenkins --message=\'User approved, CI ok to start\'
    exit 0
fi

echo "${COMMITTER_USERNAME} is not on the approved list."
ssh -o 'StrictHostKeyChecking no' -i $SSH_KEY -p 29418 jenkins-openbmc-ci@gerrit.openbmc-project.xyz gerrit review \
  ${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER} --label=Ok-To-Test=0 -t autogenerated:jenkins --message=\'User not approved, see admin, no CI\'

exit 0