1#!/bin/bash -e
2#
3# Purpose:
4#  This script is responsible for determining the owner of a gerrit
5#  commit, verifying they are within an approved gerrit group, and
6#  then updating gerrit with that verification info.
7#
8# Note: It is assumed this script is run as a part of a jenkins job triggered
9#       by the gerrit plugin. Therefore it assumes certain env variables
10#       provided by that plugin are available (i.e. GERRIT_PROJECT, ...)
11#
12# Required Inputs:
13#  SSH_KEY:  Path to private ssh key used to post messages to gerrit
14
15GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
16GERRIT_SSH_CMD=( \
17        ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
18        -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
19    )
20
21echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"
22
23COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --current-patch-set --format json | jq -r '.currentPatchSet.uploader.username | select (. != null )')
24echo "USERNAME: $COMMITTER_USERNAME"
25if [ "${COMMITTER_USERNAME}" = "" ]; then
26    echo "Unable to determine github user for ${COMMITTER_EMAIL}."
27    "${GERRIT_SSH_CMD[@]}" review \
28        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
29        --ok-to-test=0 "--message='Unable to determine github user'"
30    exit 1
31fi
32
33# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
34"${GERRIT_SSH_CMD[@]}" review \
35    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
36    --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
37
38# Add reviewers based on OWNERS files.
39"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers |
40{
41    while read -r reviewer ;
42    do
43        # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
44        ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
45            -X POST \
46            -H "Content-Type: application/json" \
47            -d "$reviewer" || true
48    done
49} || true
50
51# Write full list of users to a file
52GERRIT_CI_GROUPS=( \
53        aimvalley/ci-authorized \
54        akamai/ci-authorized \
55        alibaba/ci-authorized \
56        amd/ci-authorized \
57        ami/ci-authorized \
58        ampere/ci-authorized \
59        arm/ci-authorized \
60        aspeed/ci-authorized \
61        asus/ci-authorized \
62        bytedance/ci-authorized \
63        celestica/ci-authorized \
64        code-construct/ci-authorized \
65        cornelis/ci-authorized \
66        dell/ci-authorized \
67        depo/ci-authorized \
68        erg/ci-authorized \
69        equinix/ci-authorized \
70        facebook/ci-authorized \
71        fii/ci-authorized \
72        gagar-in/ci-authorized \
73        google/ci-authorized \
74        hcl/ci-authorized \
75        hp/ci-authorized \
76        hpe/ci-authorized \
77        ibm/ci-authorized \
78        iei/ci-authorized \
79        individual/ci-authorized \
80        inspur/ci-authorized \
81        intel/ci-authorized \
82        inventec/ci-authorized \
83        lenovo/ci-authorized \
84        microsoft/ci-authorized \
85        mitac/ci-authorized \
86        nineelements/ci-authorized \
87        nuvoton/ci-authorized \
88        nvidia/ci-authorized \
89        openbmc/ci-authorized \
90        pcpartner/ci-authorized \
91        phytium/ci-authorized \
92        plexus/ci-authorized \
93        quanta/ci-authorized \
94        quic/ci-authorized \
95        rcs/ci-authorized \
96        supermicro/ci-authorized \
97        tencent/ci-authorized \
98        triple-crown/ci-authorized \
99        ufispace/ci-authorized \
100        vaisala/ci-authorized \
101        wistron/ci-authorized \
102        wiwynn/ci-authorized \
103        yadro/ci-authorized \
104    )
105
106rm -f "$WORKSPACE/users.txt"
107for g in "${GERRIT_CI_GROUPS[@]}"; do
108    "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
109        >> "$WORKSPACE/users.txt"
110done
111
112# grep for the specific username word in the file
113if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
114    "${GERRIT_SSH_CMD[@]}" review \
115        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
116        --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
117        "--message='User approved, CI ok to start'"
118
119    # Immediately erase the score to prevent infinite triggers.
120    "${GERRIT_SSH_CMD[@]}" review \
121        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
122        --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
123
124    exit 0
125fi
126
127echo "${COMMITTER_USERNAME} is not on the approved list."
128"${GERRIT_SSH_CMD[@]}" review \
129    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
130    --ok-to-test=0 -t autogenerated:jenkins \
131    "--message='User not approved, see admin, no CI'"
132
133exit 0
134