openstack/project-config
Code Issues Proposed changes
464f4f586a
project-config/tools/normalize_acl.py

296 lines
10 KiB
Python
Raw Normal View History

Be more explicit about using python3 to run tools/ We have python scripts in the tools/ dir the vast majority of which we run regularly with python3 via our python3 default basepython in tox. However, most of these use a `python` shebang line which can be confusing as to whether or not these scripts run under python3 or not. To make this more clear set them to python3. I've confirmed the scripts running under tox are happy with these changes. For the ones that don't run under tox I've done a quick review and they look happy too. Change-Id: I983d23c33f7780e5708aa728c829c3262fc99ea0
2020-06-08 16:40:44 -07:00
#!/usr/bin/env python3
Add Apache 2.0 license to source file As per OpenStack licensing guide lines [1]: [H102 H103] Newly contributed Source Code should be licensed under the Apache 2.0 license. [H104] Files with no code shouldn't contain any license header nor comments, and must be left completely empty. [1] http://docs.openstack.org/developer/hacking/#openstack-licensing Change-Id: Iabfc781800f080b8235a2d812d16bdb3ee57067a
2017-01-10 11:00:27 +08:00
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
# Usage: normalize_acl.py acl.config [transformation [transformation [...]]]
#
# Transformations:
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
# all Apply all transformations.
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
# 0 - dry run (default, print to stdout rather than modifying file in place)
# 1 - strip/condense whitespace and sort (implied by any other transformation)
# 2 - get rid of unneeded create on refs/tags
# 3 - remove any project.stat{e,us} = active since it's a default or a typo
# 4 - strip default *.owner = group Administrators permissions
# 5 - sort the exclusiveGroupPermissions group lists
Combine infra/ci core/admin gerrit groups This is the result of running: find modules/openstack_project/files/gerrit/acls/ -type f \ -name "*.config" -exec ./tools/normalize_acl.py {} 6 \; Change-Id: I7aa27b859529b2bc8a990d6272334222996cbbc4
2014-06-30 17:30:45 +00:00
# 6 - replace openstack-ci-admins and openstack-ci-core with infra-core
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
# 7 - add at least one core team, if no team is defined with special suffixes
# like core, admins, milestone or Users
Unshadow All-Projects in exclusiveGroupPermissions Whenever a project-specific ACL declares exclusiveGroupPermissions on some permission, it can block other valid uses of that permission which would otherwise be inherited from the All-Projects pseudoACL. Make sure that Project Bootstrappers retains access to abandon, -2..+2 on label-Code-Review and -1..+1 on label-Workflow. Also make sure Change Owners can still abandon and add -1..0 on label-Workflow, and that Registered Users can always -1..+1 on label-Code-Review. This change corrects existing ACLs to meet the above criteria, and also introduces a normalization rule to prevent regression. Change-Id: I2eecb7028bcab7d5d82ad4155a775a9b2daa441f
2016-02-17 22:39:03 +00:00
# 8 - fix All-Projects inheritance shadowed by exclusiveGroupPermissions
gerrit/acl : check for function/s-r in normalize This ensures that labels only use "function = NoBlock" and that every label has a corresponding submit-requirement section. We don't really have unit tests for this, but the first check actually found some missed functions in I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the second by removing some submit-requirements, and it correctly failed. Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-02 11:17:23 +11:00
# 9 - Ensure submit requirements
# * functions only noblock
# * each label has a s-r block
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
import re
import sys
aclfile = sys.argv[1]
try:
transformations = sys.argv[2:]
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
if transformations and transformations[0] == 'all':
gerrit/acl : check for function/s-r in normalize This ensures that labels only use "function = NoBlock" and that every label has a corresponding submit-requirement section. We don't really have unit tests for this, but the first check actually found some missed functions in I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the second by removing some submit-requirements, and it correctly failed. Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-02 11:17:23 +11:00
transformations = [str(x) for x in range(0, 10)]
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
except KeyError:
transformations = []
def tokens(data):
"""Human-order comparison
This handles embedded positive and negative integers, for sorting
strings in a more human-friendly order."""
data = data.replace('.', ' ').split()
for n in range(len(data)):
try:
data[n] = int(data[n])
except ValueError:
pass
return data
Require function = NoBlock to be set on Gerrit labels A recent change to the openstack/releases ACLs pointed out that we don't require function to be set on Gerrit label definitions. This would result in the Gerrit default of MaxWithBlock which will interfere with submit requirements. Enforce that function is set and that the value is NoBlock via our normalize script. This will add function = NoBlock entries to the file if not set which results in a diff causing the test to fail. In order to do this I refactored the submit-requirements and function checking of the normalize script a bit. We now check the label section independently of all other sections which allows us to reduce repetition when dealing with label sections. Change-Id: I9e83c1cde3fe20ea2c34cdf86cd2fd3006bfe62a
2023-04-03 09:23:17 -07:00
def normalize_boolean_ops(key, value):
# Gerrit 3.6 takes lower-case "and/or" literally -- as in
# you literally need to have and/or in the commit string.
# Gerrit 3.7 fixes this, but let's standarise on capital
# booleans
if key in ('copyCondition', 'submittableIf', 'applicableIf'):
value = value.replace(' and ', ' AND ')
value = value.replace(' or ', ' OR ')
return "%s = %s" % (key, value)
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
acl = {}
out = ''
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
valid_keys = {'abandon',
'access',
gerrit/acl : handle submit requirements in normalise tool This adds the keys "applicableIf" and "submittableIf" that are used by submit-requirements [1]. [1] https://gerrit-review.googlesource.com/Documentation/config-submit-requirements.html Change-Id: Ic4dc5877d9326897839bbe62c02c0986c6e53e25
2023-03-02 09:25:15 +11:00
'applicableIf',
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
'create',
Update bindep ACL to use new createSignedTag perm The pushSignedTag permission is deprecated, and has a new name: createSignedTag. Update the opendev/bindep ACL accordingly, as we're seeing a regression with the old name and would like to rule out whether the new name has the same problem. Change-Id: Ia95919bcfe71ce488096584c784fe7376f66f34a
2022-01-25 15:15:52 +00:00
'createSignedTag',
gerrit/acl : remove deprecated copy conditions The copy conditions here have been replaced by the "copyCondition" query tag. This updates the deprecated values to a new query which does the same thing -- i.e. this should be a noop. Mostly these are setup to have votes on labels that should be copied on a no code change/trivial rebase, and if they're -2/+2 (i.e. max votes are sticky). To be exact the group of copyallScoresIfNoCodeChange = true copyAllScoresOnTrivialRebase = true copyMaxScore = true copyMinScore = true becomes changekind:NO_CODE_CHANGE or changekind:TRIVIAL_REBASE \ or is:MAX or is:MIN Note all but ocatvia.conf, octavia-dashboard, octavia-lib, and python-octaviaclient are copying -2/+2 votes; I feel like this is probably a bug but I have modified these 4 projects to maintain the same behaviour of not copying the votes. A small number of projects copy any vote; glance.config, kayobe.config, kolla.config, nova-specs.config, nova.config, os-vif.config, placement.config, python-novaclient.config -- they are replaced with is:ANY. The old conditions have been deprecated since gerrit 3.5 [1]. Although the old conditions have not been removed yet, this will help as we think about also changing these to submission requirements for Gerrit 3.7. [1] https://gerrit.googlesource.com/gerrit/+/c429ff33d944272b1f4da9f84f904f6403919ea3 Change-Id: Id13fdf588d07c1fec73978e7a69f1d9097989696
2022-12-16 14:31:41 +11:00
'copyCondition',
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
'defaultValue',
Allow delete permissions in Gerrit ACLs We now have the option to assign delete permissions to groups in Gerrit, which would grant them the ability to delete branches through the WebUI or API. Since this is a new setting, it was not previously recognized by our linter. Extend it so that we won't raise an error if this appears in an ACL. Change-Id: I2b182d31e3ca5809a53aec851015341f2e67825d
2021-04-13 18:28:48 +00:00
'delete',
gerrit/acl : handle submit requirements in normalise tool This adds the keys "applicableIf" and "submittableIf" that are used by submit-requirements [1]. [1] https://gerrit-review.googlesource.com/Documentation/config-submit-requirements.html Change-Id: Ic4dc5877d9326897839bbe62c02c0986c6e53e25
2023-03-02 09:25:15 +11:00
'description',
Add key editHashtags to normalize_acl script The editHashtags key should be accepted as acl entry key as it's required to define permissions to edit hashtags in the gerrit ui. Change-Id: I2294d72ee36e33ea5d137eb4e0faeac69ea86625
2021-01-26 10:23:09 +01:00
'editHashtags',
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
'exclusiveGroupPermissions',
'forgeAuthor',
'forgeCommitter',
'function',
Allow inheritFrom in Gerrit configs In order to utilize Gerrit's project configuration inheritance mechanism, we need to support the inheritFrom option. Allow it in the whitelist for our ACL normalization script. Change-Id: Id23b348bf42d322d5c97903ad82101ac1dc01c27
2021-04-16 16:04:19 +00:00
'inheritFrom',
Add Allow-Post-Review flag to OpenStackSDK project In order to implement post-check pipeline for dealing with secrets in the check pipeline it is required to add additional flag to gerrit that will be set as a prerequisite to start jobs. Change-Id: I3f0d7fe7e0014c28465aaab060e74e39a527b745
2022-09-30 13:25:18 +02:00
'label-Allow-Post-Review',
Create 'Backport-Candidate' for Octavia repos The Octavia team would like to enabled passive voting on patches for backport candidates. This means that backport candidate votes will not block a patch from merging, but will allow the team to better track patches that should be backported. Change-Id: Ib75714649848538e9fed171abd0b11f6fbc55503
2019-05-07 10:54:06 -07:00
'label-Backport-Candidate',
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
'label-Code-Review',
Add release-approval pipeline Define a release-approval pipeline to run the check-release-approval job on every comment added to a release request, and set a PTL-Approved label accordingly. This may be considered a bit resource-intensive, however the check-release-approval job is a fast python script that runs on the executor, and only release requests shall go in this pipeline. If this generates too much load, we could configure it to only run when the comment posted contains a magic "signoff" keyword. Another concern is that jobs other than check-release-approval would be added to this pipeline. There does not seem to be a way in Zuul to limit a pipeline to a specific job name or project. Change-Id: Ieab04a4d6c02b216a59c12ec8599e7d91f4fffb1
2020-02-05 16:25:29 +01:00
'label-PTL-Approved',
Create 'Review-Priority' for designate repos This allows anyone in the group "designate-release-manager" to set the priority of patches, and block non freeze patches during RC. This allows for more precise dashboard than relying on stars from PTLs, and allows the team to distingush between a procedural -2 and a release freeze -2. Change-Id: Id7b4c6b219899fa7ed86554257264af7efe20408
2016-03-21 12:08:57 +00:00
'label-Review-Priority',
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
'label-Rollcall-Vote',
'label-Workflow',
'label-Verified',
'mergeContent',
'push',
'pushMerge',
'requireChangeId',
'requireContributorAgreement',
'state',
gerrit: change retired.config acls This patch updates the retired.config ACL to allow for the technical commitee to be able to push changes into the repositories which are retired. The ACLs allows tech-committee group members to set all labels onto changes as well as allowing them exclusive rights to push (therefore not allowing any other members) and giving them access to submit changes (in order to skip our gating). The goal is to evenutally replace this group by another one once the ACLs are verified to be working. Change-Id: Ia6d516621ec405b02f3f97340d96d9938b605d8f
2020-06-23 18:21:30 -04:00
'submit',
gerrit/acl : handle submit requirements in normalise tool This adds the keys "applicableIf" and "submittableIf" that are used by submit-requirements [1]. [1] https://gerrit-review.googlesource.com/Documentation/config-submit-requirements.html Change-Id: Ic4dc5877d9326897839bbe62c02c0986c6e53e25
2023-03-02 09:25:15 +11:00
'submittableIf',
Enable tripleo core members to change WIP flag This change enables people that already had permission to abandon other changes to also toggle the WIP flag on them. Change-Id: I894df2e26c6927eac25dbfe596a93f4209ff92ee Reference: https://gerrit-review.googlesource.com/c/gerrit/+/212571/3/java/com/google/gerrit/common/data/Permission.java#49
2020-12-07 15:41:06 +00:00
'toggleWipState',
Fix flake8 fix a "bug" in that the flake8 configuration in tox.ini was exclusively selecting H231 as the only error it would report, so it was missing the errors in the python modules (such as submit_log_processor_jobs). Due to this being the case for a long time (since 2004) limit the more thorough linting to the roles/ and playbooks/ directories where we'll be adding ansible plugins/modules/etc. Also, lint in jenkins/script and nodepool. Fix problems found. We can lint everything with pep8 once the zuul v2 scripts are removed, not worth patching them right now. Change-Id: I479f010643cf3b67c183d763510f07a33400d38b Co-Authored-By: Jesse Keating <omgjlk@us.ibm.com>
2017-10-21 18:00:13 +02:00
'value'}
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
if '0' in transformations or not transformations:
dry_run = True
else:
dry_run = False
aclfd = open(aclfile)
for line in aclfd:
# condense whitespace to single spaces and get rid of leading/trailing
Update hacking, fix errors/warnings This version of hacking doesn't understand f-strings as usable in Python 3. Update to the latest and fix current issues, which are all just formatting fixes. Change-Id: I0a7d6f93f07477b6dd29ab143130dd9064c250be
2020-01-14 09:39:30 +11:00
line = re.sub(r'\s+', ' ', line).strip()
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
# skip empty lines
if not line:
continue
# this is a section heading
if line.startswith('['):
section = line.strip(' []')
# use a list for this because some options can have the same "key"
acl[section] = []
# key=value lines
elif '=' in line:
acl[section].append(line)
Gerrit ACLs: Check for valid keys Add check for valid keys to find obvious typos in keys. Fix the one error found in openstack.config. Change-Id: I6a2af22db0b9425372e66dca93498a33a07275e9
2016-07-07 08:43:49 +02:00
# Check for valid keys
key = line.split('=')[0].strip()
if key not in valid_keys:
gerrit/acl : remove deprecated copy conditions The copy conditions here have been replaced by the "copyCondition" query tag. This updates the deprecated values to a new query which does the same thing -- i.e. this should be a noop. Mostly these are setup to have votes on labels that should be copied on a no code change/trivial rebase, and if they're -2/+2 (i.e. max votes are sticky). To be exact the group of copyallScoresIfNoCodeChange = true copyAllScoresOnTrivialRebase = true copyMaxScore = true copyMinScore = true becomes changekind:NO_CODE_CHANGE or changekind:TRIVIAL_REBASE \ or is:MAX or is:MIN Note all but ocatvia.conf, octavia-dashboard, octavia-lib, and python-octaviaclient are copying -2/+2 votes; I feel like this is probably a bug but I have modified these 4 projects to maintain the same behaviour of not copying the votes. A small number of projects copy any vote; glance.config, kayobe.config, kolla.config, nova-specs.config, nova.config, os-vif.config, placement.config, python-novaclient.config -- they are replaced with is:ANY. The old conditions have been deprecated since gerrit 3.5 [1]. Although the old conditions have not been removed yet, this will help as we think about also changing these to submission requirements for Gerrit 3.7. [1] https://gerrit.googlesource.com/gerrit/+/c429ff33d944272b1f4da9f84f904f6403919ea3 Change-Id: Id13fdf588d07c1fec73978e7a69f1d9097989696
2022-12-16 14:31:41 +11:00
raise Exception('(%s) Unrecognized key "%s" in line: "%s"'
% (aclfile, key, line))
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
# WTF
else:
Make the unrecognized exception more verbose If the gerrit config normalizer comes across an unrecognized line, add the bad line to the exception message for debugging. Change-Id: I60e77a0b50718fb331bad0836ca769f685e6ce93
2015-03-31 14:15:26 -07:00
raise Exception('Unrecognized line: "%s"' % line)
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
aclfd.close()
if '2' in transformations:
Remove unneeded 'create' from all tags sections Look for all keys that begin with 'refs/tags' rather than just the string literal 'refs/tags/*' when removing unneeded create permissions from tag access sections. Change-Id: I6dc226065166038700ffd324d354e617596888cb
2015-04-01 10:40:26 -07:00
for key in acl:
if key.startswith('access "refs/tags/'):
acl[key] = [
x for x in acl[key]
if not x.startswith('create = ')]
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
if '3' in transformations:
try:
acl['project'] = [x for x in acl['project'] if x not in
('state = active', 'status = active')]
except KeyError:
pass
if '4' in transformations:
for section in acl.keys():
Update hacking, fix errors/warnings This version of hacking doesn't understand f-strings as usable in Python 3. Update to the latest and fix current issues, which are all just formatting fixes. Change-Id: I0a7d6f93f07477b6dd29ab143130dd9064c250be
2020-01-14 09:39:30 +11:00
acl[section] = [x for x in acl[section]
if x != 'owner = group Administrators']
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
if '5' in transformations:
for section in acl.keys():
newsection = []
for option in acl[section]:
gerrit/acl : handle key / values with multiple = For things like submit-requirements, we have fields like submittableIf which take a query string that may have "=" on the LHS. Change the key/value split so that it only takes the key up to the first "=". Change-Id: Iada801bd1c38dd1e0502bebefd6a1421c746c90a
2023-03-02 11:09:40 +11:00
key, value = [x.strip() for x in option.split('=', 1)]
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
if key == 'exclusiveGroupPermissions':
newsection.append('%s = %s' % (
key, ' '.join(sorted(value.split()))))
else:
newsection.append(option)
acl[section] = newsection
Combine infra/ci core/admin gerrit groups This is the result of running: find modules/openstack_project/files/gerrit/acls/ -type f \ -name "*.config" -exec ./tools/normalize_acl.py {} 6 \; Change-Id: I7aa27b859529b2bc8a990d6272334222996cbbc4
2014-06-30 17:30:45 +00:00
if '6' in transformations:
for section in acl.keys():
newsection = []
for option in acl[section]:
for group in ('openstack-ci-admins', 'openstack-ci-core'):
option = option.replace('group %s' % group, 'group infra-core')
newsection.append(option)
acl[section] = newsection
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
if '7' in transformations:
Extend ACL checks to OpenStack namespace. Change-Id: I0ac6ee99391f218fa467b58bf39934c6c68d1808
2014-12-16 13:43:26 -08:00
special_projects = (
'ossa',
Add openstack-infra to the list of namespaces to check. Change-Id: I8ff59dccc06df7ab23d13eca6990418f3a547d34
2014-12-19 11:34:50 -08:00
'reviewday',
Extend ACL checks to OpenStack namespace. Change-Id: I0ac6ee99391f218fa467b58bf39934c6c68d1808
2014-12-16 13:43:26 -08:00
)
special_teams = (
'admins',
There is no Project Bootstrappers-core... ...only Project Bootstrappers. Correct the ACL normalization script oversight which led to this unfortunate mistake, and clean up the resulting mess. Change-Id: I391ead734d0cd28277581d54f254718c3e36d4b0
2015-04-24 01:06:04 +00:00
'Bootstrappers',
Extend ACL checks to OpenStack namespace. Change-Id: I0ac6ee99391f218fa467b58bf39934c6c68d1808
2014-12-16 13:43:26 -08:00
'committee',
'core',
'maint',
'Managers',
'milestone',
Add openstack-infra to the list of namespaces to check. Change-Id: I8ff59dccc06df7ab23d13eca6990418f3a547d34
2014-12-19 11:34:50 -08:00
'packagers',
Allow ACL sections to use .*-release group names These are what the old .*-ptl groups were renamed to last year, for better clarity. Change-Id: I4764f6ab7c74adfbdcaba0a12d81a062beb9dc40
2015-04-21 21:22:35 +00:00
'release',
Extend ACL checks to OpenStack namespace. Change-Id: I0ac6ee99391f218fa467b58bf39934c6c68d1808
2014-12-16 13:43:26 -08:00
'Users',
)
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
for section in acl.keys():
newsection = []
for option in acl[section]:
Extend ACL checks to OpenStack namespace. Change-Id: I0ac6ee99391f218fa467b58bf39934c6c68d1808
2014-12-16 13:43:26 -08:00
if ('refs/heads' in section and 'group' in option
and '-2..+2' in option
and not any(x in option for x in special_teams)
and not any(x in aclfile for x in special_projects)):
option = '%s%s' % (option, '-core')
Check that Gerrit ACL files are normalized Enhance Gerrit ACL check to check that the files are properly normalized. Co-Authored-By: Armando Migliaccio <armamig@gmail.com> Change-Id: I9cdee60e77dab9c6943626d5fa1eda0402840277
2014-12-10 20:37:09 +01:00
newsection.append(option)
acl[section] = newsection
Unshadow All-Projects in exclusiveGroupPermissions Whenever a project-specific ACL declares exclusiveGroupPermissions on some permission, it can block other valid uses of that permission which would otherwise be inherited from the All-Projects pseudoACL. Make sure that Project Bootstrappers retains access to abandon, -2..+2 on label-Code-Review and -1..+1 on label-Workflow. Also make sure Change Owners can still abandon and add -1..0 on label-Workflow, and that Registered Users can always -1..+1 on label-Code-Review. This change corrects existing ACLs to meet the above criteria, and also introduces a normalization rule to prevent regression. Change-Id: I2eecb7028bcab7d5d82ad4155a775a9b2daa441f
2016-02-17 22:39:03 +00:00
if '8' in transformations:
for section in acl.keys():
newsection = []
for option in acl[section]:
newsection.append(option)
gerrit/acl : handle key / values with multiple = For things like submit-requirements, we have fields like submittableIf which take a query string that may have "=" on the LHS. Change the key/value split so that it only takes the key up to the first "=". Change-Id: Iada801bd1c38dd1e0502bebefd6a1421c746c90a
2023-03-02 11:09:40 +11:00
key, value = [x.strip() for x in option.split('=', 1)]
Unshadow All-Projects in exclusiveGroupPermissions Whenever a project-specific ACL declares exclusiveGroupPermissions on some permission, it can block other valid uses of that permission which would otherwise be inherited from the All-Projects pseudoACL. Make sure that Project Bootstrappers retains access to abandon, -2..+2 on label-Code-Review and -1..+1 on label-Workflow. Also make sure Change Owners can still abandon and add -1..0 on label-Workflow, and that Registered Users can always -1..+1 on label-Code-Review. This change corrects existing ACLs to meet the above criteria, and also introduces a normalization rule to prevent regression. Change-Id: I2eecb7028bcab7d5d82ad4155a775a9b2daa441f
2016-02-17 22:39:03 +00:00
if key == 'exclusiveGroupPermissions':
exclusives = value.split()
# It's safe for these to be duplicates since we de-dup later
if 'abandon' in exclusives:
newsection.append('abandon = group Change Owner')
newsection.append('abandon = group Project Bootstrappers')
if 'label-Code-Review' in exclusives:
newsection.append('label-Code-Review = -2..+2 '
'group Project Bootstrappers')
newsection.append('label-Code-Review = -1..+1 '
'group Registered Users')
if 'label-Workflow' in exclusives:
newsection.append('label-Workflow = -1..+1 '
'group Project Bootstrappers')
newsection.append('label-Workflow = -1..+0 '
'group Change Owner')
acl[section] = newsection
gerrit/acl : check for function/s-r in normalize This ensures that labels only use "function = NoBlock" and that every label has a corresponding submit-requirement section. We don't really have unit tests for this, but the first check actually found some missed functions in I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the second by removing some submit-requirements, and it correctly failed. Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-02 11:17:23 +11:00
# submit-requirements have taken over the role of "function" in labels
# since Gerrit 3.6. We ensure that the only function in a label
# section now is the noop "NoBlock" function -- all labels now need to
# explicitly write their own submit-requirement. e.g. for any
# [label "Foo"]
# there should be a matching submit requirement section
# [submit-requirement "Foo"]
# We can't really decide what the rules will be, so we just add the
# section with a dummy comment.
if '9' in transformations:
missing_sr = {}
for section in acl.keys():
Require function = NoBlock to be set on Gerrit labels A recent change to the openstack/releases ACLs pointed out that we don't require function to be set on Gerrit label definitions. This would result in the Gerrit default of MaxWithBlock which will interfere with submit requirements. Enforce that function is set and that the value is NoBlock via our normalize script. This will add function = NoBlock entries to the file if not set which results in a diff causing the test to fail. In order to do this I refactored the submit-requirements and function checking of the normalize script a bit. We now check the label section independently of all other sections which allows us to reduce repetition when dealing with label sections. Change-Id: I9e83c1cde3fe20ea2c34cdf86cd2fd3006bfe62a
2023-04-03 09:23:17 -07:00
newsection = []
gerrit/acl : check for function/s-r in normalize This ensures that labels only use "function = NoBlock" and that every label has a corresponding submit-requirement section. We don't really have unit tests for this, but the first check actually found some missed functions in I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the second by removing some submit-requirements, and it correctly failed. Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-02 11:17:23 +11:00
if section.startswith("label "):
label_name = section.split(' ')[1]
sr_found = False
for sr in acl.keys():
if sr == 'submit-requirement %s' % (label_name):
sr_found = True
break
if not sr_found:
msg = ('# You must have a submit-requirement section for %s'
% label_name)
missing_sr['submit-requirement %s' % label_name] = [msg]
Require function = NoBlock to be set on Gerrit labels A recent change to the openstack/releases ACLs pointed out that we don't require function to be set on Gerrit label definitions. This would result in the Gerrit default of MaxWithBlock which will interfere with submit requirements. Enforce that function is set and that the value is NoBlock via our normalize script. This will add function = NoBlock entries to the file if not set which results in a diff causing the test to fail. In order to do this I refactored the submit-requirements and function checking of the normalize script a bit. We now check the label section independently of all other sections which allows us to reduce repetition when dealing with label sections. Change-Id: I9e83c1cde3fe20ea2c34cdf86cd2fd3006bfe62a
2023-04-03 09:23:17 -07:00
keys = []
for option in acl[section]:
key, value = [x.strip() for x in option.split('=', 1)]
keys.append(key)
# Insert an inline comment if the ACL uses an invalid function
if key == 'function':
if value != 'NoBlock':
newsection.append(
'# XXX: The only supported function type is '
'NoBlock')
newsection.append(normalize_boolean_ops(key, value))
# Add function = NoBlock to label sections if not set as the
# default is MaxWithBlock which will interfere with submit
# requirements.
if 'function' not in keys:
newsection.append('function = NoBlock')
else:
for option in acl[section]:
key, value = [x.strip() for x in option.split('=', 1)]
newsection.append(normalize_boolean_ops(key, value))
gerrit/acl : check for capital booleans in normalize We got caught out with this in All-Projects; let's just make sure we keep capital booleans everywhere for consistency. Change-Id: I7a1e528c620c07ecbb2def3d743ab4bba46a20df
2023-03-16 13:36:26 +11:00
gerrit/acl : check for function/s-r in normalize This ensures that labels only use "function = NoBlock" and that every label has a corresponding submit-requirement section. We don't really have unit tests for this, but the first check actually found some missed functions in I557f3615d15eca899a262b0989986fb2754ac870. I manually tested the second by removing some submit-requirements, and it correctly failed. Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-02 11:17:23 +11:00
acl[section] = newsection
acl.update(missing_sr)
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
for section in sorted(acl.keys()):
if acl[section]:
out += '\n[%s]\n' % section
Keep Gerrit ACL lines deduplicated Gerrit ACLs can have multiple duplicate option keys in a section, but completely duplicate lines (key and value together) have no use so make sure they're collapsed into at most 1 copy. Change-Id: I6bf43e860dcc8c3d7b2846d4e058b6c8ac7243eb
2016-02-17 22:31:54 +00:00
lastoption = ''
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
for option in sorted(acl[section], key=tokens):
Keep Gerrit ACL lines deduplicated Gerrit ACLs can have multiple duplicate option keys in a section, but completely duplicate lines (key and value together) have no use so make sure they're collapsed into at most 1 copy. Change-Id: I6bf43e860dcc8c3d7b2846d4e058b6c8ac7243eb
2016-02-17 22:31:54 +00:00
if option != lastoption:
Indent Gerrit ACL options Gerrit very much wants its ACLs to indent option lines (but not section headings) by a single hard tab. The recent migration to schema 185 with Gerrit 3.7 has updated copyConditions flags and re-written most of the ACL files to look like this (c.f. I1f11c07e3786bd1a68b43d908d939fde42ddb99c). This updates the normalize tool to format like this, and modifies all our ACL's to the new format. This is intended to be a no-op with no functional change. For future upgrades, this will reduce the diffs of any updates Gerrit might make. Change-Id: I3a0c0da1eb32f8afb31ffa0c24ea45aaca8da8cc
2023-04-07 17:07:51 +00:00
# Gerrit prefers all option lines indented by a single
# hard tab; this minimises diffs if things like
# upgrades need to modify the acls
out += '\t%s\n' % option
Keep Gerrit ACL lines deduplicated Gerrit ACLs can have multiple duplicate option keys in a section, but completely duplicate lines (key and value together) have no use so make sure they're collapsed into at most 1 copy. Change-Id: I6bf43e860dcc8c3d7b2846d4e058b6c8ac7243eb
2016-02-17 22:31:54 +00:00
lastoption = option
Add a script to normalize Gerrit ACLs * tools/normalize_acl.py: Script which can perform one or more of a list of normalizing transformations to an ACL file. Change-Id: I063ab91b6e786eccaee61c669f0e840c7af6be14
2014-05-09 14:53:14 +00:00
if dry_run:
print(out[1:-1])
else:
aclfd = open(aclfile, 'w')
aclfd.write(out[1:])
aclfd.close()
Copy Permalink