gerrit/acl : check for function/s-r in normalize

This ensures that labels only use "function = NoBlock" and that every
label has a corresponding submit-requirement section.

We don't really have unit tests for this, but the first check actually
found some missed functions in
I557f3615d15eca899a262b0989986fb2754ac870.  I manually tested the
second by removing some submit-requirements, and it correctly failed.

Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
Ian Wienand 2023-03-02 11:17:23 +11:00
parent 2182282f60
commit a172d416d9


@ -25,6 +25,9 @@
# 7 - add at least one core team, if no team is defined with special suffixes # 7 - add at least one core team, if no team is defined with special suffixes
# like core, admins, milestone or Users # like core, admins, milestone or Users
# 8 - fix All-Projects inheritance shadowed by exclusiveGroupPermissions # 8 - fix All-Projects inheritance shadowed by exclusiveGroupPermissions
# 9 - Ensure submit requirements
# * functions only noblock
# * each label has a s-r block
import re import re
import sys import sys
@ -34,7 +37,7 @@ aclfile = sys.argv[1]
try: try:
transformations = sys.argv[2:] transformations = sys.argv[2:]
if transformations and transformations[0] == 'all': if transformations and transformations[0] == 'all':
transformations = [str(x) for x in range(0, 9)] transformations = [str(x) for x in range(0, 10)]
except KeyError: except KeyError:
transformations = [] transformations = []
@ -212,6 +215,42 @@ if '8' in transformations:
'group Change Owner') 'group Change Owner')
acl[section] = newsection acl[section] = newsection
# submit-requirements have taken over the role of "function" in labels
# since Gerrit 3.6. We ensure that the only function in a label
# section now is the noop "NoBlock" function -- all labels now need to
# explicitly write their own submit-requirement. e.g. for any
# [label "Foo"]
# there should be a matching submit requirement section
# [submit-requirement "Foo"]
# We can't really decide what the rules will be, so we just add the
# section with a dummy comment.
if '9' in transformations:
missing_sr = {}
for section in acl.keys():
if section.startswith("label "):
label_name = section.split(' ')[1]
sr_found = False
for sr in acl.keys():
if sr == 'submit-requirement %s' % (label_name):
sr_found = True
break
if not sr_found:
msg = ('# You must have a submit-requirement section for %s'
% label_name)
missing_sr['submit-requirement %s' % label_name] = [msg]
# Insert an inline comment if the ACL uses an invalid function
newsection = []
for option in acl[section]:
key, value = [x.strip() for x in option.split('=', 1)]
if key == 'function':
if value != 'NoBlock':
newsection.append(
'# XXX: The only supported function type is NoBlock')
newsection.append(option)
acl[section] = newsection
acl.update(missing_sr)
for section in sorted(acl.keys()): for section in sorted(acl.keys()):
if acl[section]: if acl[section]:
out += '\n[%s]\n' % section out += '\n[%s]\n' % section
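Review bot: In the new `'9'` block, `key, value = [x.strip() for x in option.split('=', 1)]` raises ValueError for any entry in a label section that has no `=`. The parser that fills `acl` is outside this hunk, so whether such lines can reach this loop is not visible here, but the block itself appends a `# XXX: ...` comment without `=` to the same list, which would break a second pass if comments are kept on re-read. A tolerant form is `key, _, value = (x.strip() for x in option.partition('='))`, which leaves `value` empty instead of aborting the normalizer. Separately, the inner `for sr in acl.keys()` scan is a plain membership test and reads more clearly as `sr_found = 'submit-requirement %s' % label_name in acl`.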