xref: /openbmc/openbmc-build-scripts/jenkins/userid-validation (revision 30f8ede9a0235118606cb9ff861ceeab3408800f) 
1#!/bin/bash -e
2#
3# Purpose:
4#  This script is responsible for determining the owner of a gerrit
5#  commit, verifying they are within an approved gerrit group, and
6#  then updating gerrit with that verification info.
7#
8# Note: It is assumed this script is run as a part of a jenkins job triggered
9#       by the gerrit plugin. Therefore it assumes certain env variables
10#       provided by that plugin are available (i.e. GERRIT_PROJECT, ...)
11#
12# Required Inputs:
13#  SSH_KEY:  Path to private ssh key used to post messages to gerrit
14
15GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
16GERRIT_SSH_CMD=( \
17        ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
18        -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
19    )
20
21echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"
22
23COMMITTER_USERNAME=$("${GERRIT_SSH_CMD[@]}" query "${GERRIT_CHANGE_NUMBER}" --current-patch-set --format json | jq -r '.currentPatchSet.uploader.username | select (. != null )')
24echo "USERNAME: $COMMITTER_USERNAME"
25if [ "${COMMITTER_USERNAME}" = "" ]; then
26    echo "Unable to determine github user for ${COMMITTER_EMAIL}."
27    "${GERRIT_SSH_CMD[@]}" review \
28        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
29        --ok-to-test=0 "--message='Unable to determine github user'"
30    exit 1
31fi
32
33# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
34"${GERRIT_SSH_CMD[@]}" review \
35    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
36    --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
37
38# Add reviewers based on OWNERS files.
39"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers |
40{
41    while read -r reviewer ;
42    do
43        # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
44        ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
45            -X POST \
46            -H "Content-Type: application/json" \
47            -d "$reviewer" || true
48    done
49} || true
50
51# Write full list of users to a file
52GERRIT_CI_GROUPS=( \
53        aimvalley/ci-authorized \
54        akamai/ci-authorized \
55        alibaba/ci-authorized \
56        amd/ci-authorized \
57        ami/ci-authorized \
58        ampere/ci-authorized \
59        arm/ci-authorized \
60        aspeed/ci-authorized \
61        asus/ci-authorized \
62        bytedance/ci-authorized \
63        celestica/ci-authorized \
64        code-construct/ci-authorized \
65        coreweave/ci-authorized \
66        cornelis/ci-authorized \
67        dell/ci-authorized \
68        depo/ci-authorized \
69        erg/ci-authorized \
70        equinix/ci-authorized \
71        facebook/ci-authorized \
72        fii/ci-authorized \
73        gagar-in/ci-authorized \
74        google/ci-authorized \
75        hcl/ci-authorized \
76        hetzner/ci-authorized \
77        hp/ci-authorized \
78        hpe/ci-authorized \
79        ibm/ci-authorized \
80        iei/ci-authorized \
81        individual/ci-authorized \
82        ingrasys/ci-authorized \
83        inspur/ci-authorized \
84        intel/ci-authorized \
85        inventec/ci-authorized \
86        lenovo/ci-authorized \
87        microsoft/ci-authorized \
88        mitac/ci-authorized \
89        multicoreware/ci-authorized \
90        napatech/ci-authorized \
91        nineelements/ci-authorized \
92        nuvoton/ci-authorized \
93        nvidia/ci-authorized \
94        openbmc/ci-authorized \
95        pcpartner/ci-authorized \
96        phytium/ci-authorized \
97        plexus/ci-authorized \
98        qualcomm/ci-authorized \
99        quanta/ci-authorized \
100        quic/ci-authorized \
101        raptorcs/ci-authorized \
102        sipearl/ci-authorized \
103        supermicro/ci-authorized \
104        tencent/ci-authorized \
105        tenstorrent/ci-authorized \
106        triple-crown/ci-authorized \
107        ufispace/ci-authorized \
108        vaisala/ci-authorized \
109        wistron/ci-authorized \
110        wiwynn/ci-authorized \
111    )
112
113rm -f "$WORKSPACE/users.txt"
114for g in "${GERRIT_CI_GROUPS[@]}"; do
115    "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
116        >> "$WORKSPACE/users.txt"
117done
118
119# grep for the specific username word in the file
120if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
121    "${GERRIT_SSH_CMD[@]}" review \
122        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
123        --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
124        "--message='User approved, CI ok to start'"
125
126    # Immediately erase the score to prevent infinite triggers.
127    "${GERRIT_SSH_CMD[@]}" review \
128        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
129        --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
130
131    exit 0
132fi
133
134echo "${COMMITTER_USERNAME} is not on the approved list."
135"${GERRIT_SSH_CMD[@]}" review \
136    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
137    --ok-to-test=0 -t autogenerated:jenkins \
138    "--message='User not approved, see admin, no CI'"
139
140exit 0
141