Add test for validating certain gerrit ACL rules
This patch adds a check for Gerrit ACL configs. In this initial version, the test being added checks that the config defines at least one team that acts as a core/admin one. The current check is intentionally pretty loose to ensure some flexibility. Currently the check applies to stackforge and openstack-dev only. Change-Id: I2b04f2d94130699d6fd1c16a9b00b9c81d1ba07d
parent
93e4547577
commit
e6573ea752
@ -10,6 +10,20 @@
|
||||
publishers:
|
||||
- zuul-swift-upload-console-log
|
||||
|
||||
- job:
|
||||
name: project-config-gerrit
|
||||
node: 'bare-precise || bare-trusty'
|
||||
|
||||
builders:
|
||||
- revoke-sudo
|
||||
- gerrit-git-prep
|
||||
- tox:
|
||||
envlist: 'gerrit'
|
||||
|
||||
publishers:
|
||||
- console-log
|
||||
- zuul-swift-upload-console-log
|
||||
|
||||
- job:
|
||||
name: gate-project-config-irc-access
|
||||
node: 'bare-precise || bare-trusty'
|
||||
|
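--- a/tools/check_valid_gerrit_config.sh
+++ b/tools/check_valid_gerrit_config.sh
@@ -0,0 +1,38 @@
+#!/bin/bash -e
+
+# It checks that *.config files respect certain gerrit ACL rules
+
+export TMPDIR=`/bin/mktemp -d`
+trap "rm -rf $TMPDIR" EXIT
+
+pushd $TMPDIR
+CONFIGS_LIST_BASE=$OLDPWD/$1
+
+function check_team_acl {
+local configs_dir="$1"
+local configs_list=$(find $configs_dir -name "*.config")
+local failure=0
+
+for config in $configs_list; do
+echo "Checking $config file..."
+
+if ! grep -q '\>-core\|\>-admins' $config;
+then
+echo "$config does not have a core/admins team defined!" >>config_failures
+fi
+done
+}
+
+# Add more namespaces here, if necessary
+for namespace in stackforge openstack-dev; do
+check_team_acl "${CONFIGS_LIST_BASE}${namespace}"
+done
+
+if [ -f config_failures ]; then
+echo -e; cat config_failures
+exit 1
+fi
+
+echo "Gerrit ACL configs are valid!"
+
+popd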
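Review bot: `check_team_acl` fails open when it finds nothing to check. In `local configs_list=$(find $configs_dir -name "*.config")` the exit status of `local` hides a failing `find`, so `-e` never fires, the loop is skipped and the script still prints "Gerrit ACL configs are valid!". That happens for a missing namespace directory, or when the argument lacks the trailing slash that `CONFIGS_LIST_BASE=$OLDPWD/$1` depends on. Declare and assign separately and record an empty result as a failure: `local configs_list`, then `configs_list=$(find "$configs_dir" -name "*.config")`, then `[ -n "$configs_list" ] || echo "no *.config files under $configs_dir" >>config_failures`. `local failure=0` is never read and can be dropped, and since the grep accepts `-core`/`-admins` anywhere in the file (comment lines included), the header comment should say so.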
6
tox.ini
6
tox.ini
@ -1,6 +1,6 @@
|
||||
[tox]
|
||||
minversion = 1.6
|
||||
envlist = pep8,projects,jjb,jenkins-project,zuul
|
||||
envlist = pep8,gerrit,projects,jjb,jenkins-project,zuul
|
||||
skipsdist = True
|
||||
|
||||
[testenv]
|
||||
@ -9,6 +9,10 @@ deps = -r{toxinidir}/test-requirements.txt
|
||||
[testenv:pep8]
|
||||
commands = flake8
|
||||
|
||||
[testenv:gerrit]
|
||||
commands =
|
||||
{toxinidir}/tools/check_valid_gerrit_config.sh gerrit/acls/
|
||||
|
||||
[testenv:projects]
|
||||
deps = PyYAML
|
||||
commands =
|
||||
|
@ -628,6 +628,10 @@ jobs:
|
||||
success-message: XML output is unchanged.
|
||||
- name: project-config-compare-xml
|
||||
voting: false
|
||||
# TODO(armax): This job is not evaluating all ACL files yet. Make
|
||||
# it voting once we evaluate all files and the test passes cleanly.
|
||||
- name: project-config-gerrit
|
||||
voting: false
|
||||
failure-message: Jenkins XML output has changed.
|
||||
success-message: Jenkins XML output is unchanged.
|
||||
- name: gate-git-review-python34
|
||||
@ -3309,6 +3313,7 @@ projects:
|
||||
- name: infra-puppet-apply-jobs
|
||||
check:
|
||||
- project-config-compare-xml
|
||||
- project-config-gerrit
|
||||
- gate-project-config-layout
|
||||
- gate-project-config-pep8
|
||||
- gate-project-config-bashate
|
||||
|
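Review bot: In the first hunk the four added lines land between `voting: false` and `failure-message:` of the existing `project-config-compare-xml` entry. On the new side the "Jenkins XML output has changed." / "Jenkins XML output is unchanged." messages therefore follow `- name: project-config-gerrit`, and `project-config-compare-xml` is left with only `voting: false`. Indentation is not visible on this page, so this is read from line order. The TODO comment and the new entry (`- name: project-config-gerrit`, `voting: false`) should move below `success-message: Jenkins XML output is unchanged.` so that each job keeps its own keys. The `jobs:` list starts and ends outside the hunk.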