1#!/bin/bash -e
2#
3# Purpose:
4#  This script is responsible for determining the owner of a gerrit
5#  commit, verifying they are within an approved gerrit group, and
6#  then updating gerrit with that verification info.
7#
8# Note: It is assumed this script is run as a part of a jenkins job triggered
9#       by the gerrit plugin. Therefore it assumes certain env variables
10#       provided by that plugin are avialable (i.e. GERRIT_PROJECT, ...)
11#
12# Required Inputs:
13#  SSH_KEY:  Path to private ssh key used to post messages to gerrit
14
15GERRIT_COMMAND="curl -s --anyauth -n https://gerrit.openbmc.org"
16GERRIT_SSH_CMD=( \
17        ssh -o 'StrictHostKeyChecking no' -i "$SSH_KEY" \
18        -p 29418 jenkins-openbmc-ci@gerrit.openbmc.org gerrit \
19    )
20
21echo "Checking ${GERRIT_PROJECT}:${GERRIT_BRANCH}:${GERRIT_CHANGE_ID}:${GERRIT_PATCHSET_REVISION}"
22
23# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
24COMMITTER_EMAIL=$(${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/revisions/${GERRIT_PATCHSET_REVISION}/commit | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['committer']['email'])")
25if [ "${COMMITTER_EMAIL}" = "" ]; then
26    echo "Unable to find committer."
27    "${GERRIT_SSH_CMD[@]}" review \
28        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
29        --ok-to-test=0 "--message='Unable to determine committer'"
30    exit 1
31fi
32
33#echo "Commit by '${COMMITTER_EMAIL}'"
34# shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
35COMMITTER_USERNAME=$(${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL} | python3 -c "import sys, json; sys.stdin.read(4); print(json.load(sys.stdin)['username'])")
36#COMMITTER_USERNAME=`${GERRIT_COMMAND}/a/accounts/${COMMITTER_EMAIL}`
37echo "USERNAME: $COMMITTER_USERNAME"
38if [ "${COMMITTER_USERNAME}" = "" ]; then
39    echo "Unable to determine github user for ${COMMITTER_EMAIL}."
40    "${GERRIT_SSH_CMD[@]}" review \
41        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
42        --ok-to-test=0 "--message='Unable to determine github user'"
43    exit 1
44fi
45
46# Reset the vote to 0 so jenkins will detect a new +1 on retriggers
47"${GERRIT_SSH_CMD[@]}" review \
48    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
49    --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
50
51# Add reviewers based on OWNERS files.
52"${WORKSPACE}/openbmc-build-scripts/tools/owners" -p "${WORKSPACE}" reviewers |
53{
54    while read -r reviewer ;
55    do
56        # shellcheck disable=2086 # GERRIT_COMMAND is purposefully wordsplit.
57        ${GERRIT_COMMAND}/a/changes/${GERRIT_PROJECT/\//%2F}~${GERRIT_BRANCH}~${GERRIT_CHANGE_ID}/reviewers \
58            -X POST \
59            -H "Content-Type: application/json" \
60            -d "$reviewer" || true
61    done
62} || true
63
64# Write full list of users to a file
65GERRIT_CI_GROUPS=( \
66        akamai/ci-authorized \
67        alibaba/ci-authorized \
68        amd/ci-authorized \
69        ami/ci-authorized \
70        ampere/ci-authorized \
71        arm/ci-authorized \
72        aspeed/ci-authorized \
73        asus/ci-authorized \
74        bytedance/ci-authorized \
75        celestica/ci-authorized \
76        code-construct/ci-authorized \
77        depo/ci-authorized \
78        erg/ci-authorized \
79        equinix/ci-authorized \
80        facebook/ci-authorized \
81        fii/ci-authorized \
82        gager-in/ci-authorized \
83        google/ci-authorized \
84        hcl/ci-authorized \
85        hpe/ci-authorized \
86        ibm/ci-authorized \
87        iei/ci-authorized \
88        individual/ci-authorized \
89        inspur/ci-authorized \
90        intel/ci-authorized \
91        inventec/ci-authorized \
92        lenovo/ci-authorized \
93        microsoft/ci-authorized \
94        nineelements/ci-authorized \
95        nuvoton/ci-authorized \
96        nvidia/ci-authorized \
97        openbmc/ci-authorized \
98        pcpartner/ci-authorized \
99        phytium/ci-authorized \
100        quanta/ci-authorized \
101        quic/ci-authorized \
102        rcs/ci-authorized \
103        supermicro/ci-authorized \
104        tencent/ci-authorized \
105        ufispace/ci-authorized \
106        vaisala/ci-authorized \
107        wistron/ci-authorized \
108        wiwynn/ci-authorized \
109        yadro/ci-authorized \
110    )
111
112rm -f "$WORKSPACE/users.txt"
113for g in "${GERRIT_CI_GROUPS[@]}"; do
114    "${GERRIT_SSH_CMD[@]}" ls-members "$g" --recursive \
115        >> "$WORKSPACE/users.txt"
116done
117
118# grep for the specific username word in the file
119if grep -q -w "${COMMITTER_USERNAME}" "$WORKSPACE/users.txt"; then
120    "${GERRIT_SSH_CMD[@]}" review \
121        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
122        --ok-to-test=1 -t autogenerated:jenkins --notify=NONE \
123        "--message='User approved, CI ok to start'"
124
125    # Immediately erase the score to prevent infinite triggers.
126    "${GERRIT_SSH_CMD[@]}" review \
127        "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
128        --ok-to-test=0 -t autogenerated:jenkins --notify=NONE
129
130    exit 0
131fi
132
133echo "${COMMITTER_USERNAME} is not on the approved list."
134"${GERRIT_SSH_CMD[@]}" review \
135    "${GERRIT_CHANGE_NUMBER},${GERRIT_PATCHSET_NUMBER}" \
136    --ok-to-test=0 -t autogenerated:jenkins \
137    "--message='User not approved, see admin, no CI'"
138
139exit 0
140