Report ACL violations as issues by default
By default, the tool should report ACL violations rather than fix them in place. Add a --patch option to explicitly ask to fix the ACL files in place. Rename tool to aclissues.py to better reflect what it does by default (report issues instead of fixing them). Change-Id: I04744746b6492a1f3ab0790ebb565235f292caf9
parent
8ba7eb9608
commit
fa30fbe25e
@ -58,11 +58,12 @@ def is_a_team_exception(team):
|
|||||||
return team in TEAM_EXCEPTIONS
|
return team in TEAM_EXCEPTIONS
|
||||||
|
|
||||||
|
|
||||||
def acl_patch(repo, fullfilename):
|
def issues_in_acl(repo, fullfilename, patch):
|
||||||
|
|
||||||
newcontent = ""
|
newcontent = ""
|
||||||
with open(fullfilename) as aclfile:
|
with open(fullfilename) as aclfile:
|
||||||
skip = False
|
skip = False
|
||||||
|
issues = False
|
||||||
for line in aclfile:
|
for line in aclfile:
|
||||||
# Skip until start of next section if in skip mode
|
# Skip until start of next section if in skip mode
|
||||||
if skip:
|
if skip:
|
||||||
@ -74,32 +75,38 @@ def acl_patch(repo, fullfilename):
|
|||||||
# Remove [access ref/tags/*] sections
|
# Remove [access ref/tags/*] sections
|
||||||
if line.startswith('[access "refs/tag'):
|
if line.startswith('[access "refs/tag'):
|
||||||
skip = True
|
skip = True
|
||||||
|
issues = True
|
||||||
continue
|
continue
|
||||||
|
|
||||||
# Remove 'create' lines
|
# Remove 'create' lines
|
||||||
if line.startswith('create ='):
|
if line.startswith('create ='):
|
||||||
|
issues = True
|
||||||
continue
|
continue
|
||||||
|
|
||||||
# Copy the current line over
|
# Copy the current line over
|
||||||
newcontent += line
|
newcontent += line
|
||||||
|
|
||||||
|
if patch:
|
||||||
with open(fullfilename, 'w') as aclfile:
|
with open(fullfilename, 'w') as aclfile:
|
||||||
aclfile.write(newcontent)
|
aclfile.write(newcontent)
|
||||||
|
|
||||||
|
return issues
|
||||||
|
|
||||||
|
|
||||||
def main(args=sys.argv[1:]):
|
def main(args=sys.argv[1:]):
|
||||||
parser = argparse.ArgumentParser()
|
parser = argparse.ArgumentParser()
|
||||||
parser.add_argument('project_config_repo')
|
parser.add_argument('project_config_repo')
|
||||||
parser.add_argument('governance_repo')
|
parser.add_argument('governance_repo')
|
||||||
parser.add_argument(
|
parser.add_argument(
|
||||||
'--dryrun',
|
'--patch',
|
||||||
default=False,
|
default=False,
|
||||||
help='do not actually do anything',
|
help='patch ACL files in project-config to fix violations',
|
||||||
action='store_true')
|
action='store_true')
|
||||||
args = parser.parse_args(args)
|
args = parser.parse_args(args)
|
||||||
|
|
||||||
# Load repo/aclfile mapping from Gerrit config
|
# Load repo/aclfile mapping from Gerrit config
|
||||||
projectsyaml = os.path.join(args.project_config_repo, 'gerrit', 'projects.yaml')
|
projectsyaml = os.path.join(args.project_config_repo,
|
||||||
|
'gerrit', 'projects.yaml')
|
||||||
acl = {}
|
acl = {}
|
||||||
config = yaml.load(open(projectsyaml))
|
config = yaml.load(open(projectsyaml))
|
||||||
for project in config:
|
for project in config:
|
||||||
@ -112,21 +119,18 @@ def main(args=sys.argv[1:]):
|
|||||||
acl[project['project']] = project['project'] + '.config'
|
acl[project['project']] = project['project'] + '.config'
|
||||||
|
|
||||||
aclbase = os.path.join(args.project_config_repo, 'gerrit', 'acls')
|
aclbase = os.path.join(args.project_config_repo, 'gerrit', 'acls')
|
||||||
governanceyaml = os.path.join(args.governance_repo, 'reference', 'projects.yaml')
|
governanceyaml = os.path.join(args.governance_repo,
|
||||||
|
'reference', 'projects.yaml')
|
||||||
teams = yaml.load(open(governanceyaml))
|
teams = yaml.load(open(governanceyaml))
|
||||||
for tname, team in teams.iteritems():
|
for tname, team in teams.iteritems():
|
||||||
if is_a_team_exception(tname):
|
if is_a_team_exception(tname):
|
||||||
print('--- %s --- (SKIPPED)' % tname)
|
|
||||||
continue
|
continue
|
||||||
print('=== %s ===' % tname)
|
|
||||||
for dname, deliverable in team['deliverables'].iteritems():
|
for dname, deliverable in team['deliverables'].iteritems():
|
||||||
for repo in deliverable.get('repos'):
|
for repo in deliverable.get('repos'):
|
||||||
if is_a_repo_exception(repo):
|
if not is_a_repo_exception(repo):
|
||||||
print('%s - Skipping' % repo)
|
aclpath = os.path.join(aclbase, acl[repo])
|
||||||
else:
|
if issues_in_acl(repo, aclpath, args.patch):
|
||||||
print('%s - Patching %s' % (repo, acl[repo]))
|
print('%s (%s) in %s' % (repo, tname, acl[repo]))
|
||||||
if not args.dryrun:
|
|
||||||
acl_patch(repo, os.path.join(aclbase, acl[repo]))
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
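Review bot: In `main`, the result of `issues_in_acl(repo, aclpath, args.patch)` is only printed, so a run that finds ACL violations appears to exit with the same status as a clean run and cannot gate a CI job. Consider recording the outcome in the loop (`found = True`), ending `main` with `return 1 if found else 0`, and calling `sys.exit(main())` at the entry point; the body under `if __name__ == '__main__':` lies outside the hunk, so confirm what it does today. Separately, both `yaml.load(open(...))` calls on the new side are made without a safe loader and never close the file; `yaml.safe_load` inside a `with open(...)` block avoids constructing arbitrary objects from repository content. In `issues_in_acl`, `if patch:` rewrites the file even when `issues` is False; `if patch and issues:` would leave compliant files untouched.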