1876 lines
75 KiB
Python
1876 lines
75 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import base64
|
|
import collections
|
|
from contextlib import contextmanager
|
|
import copy
|
|
import os
|
|
import logging
|
|
import textwrap
|
|
import io
|
|
import re
|
|
|
|
import voluptuous as vs
|
|
|
|
from zuul import model
|
|
from zuul.lib import yamlutil as yaml
|
|
import zuul.manager.dependent
|
|
import zuul.manager.independent
|
|
from zuul import change_matcher
|
|
from zuul.lib import encryption
|
|
|
|
|
|
# Several forms accept either a single item or a list, this makes
|
|
# specifying that in the schema easy (and explicit).
|
|
def to_list(x):
|
|
return vs.Any([x], x)
|
|
|
|
|
|
def as_list(item):
|
|
if not item:
|
|
return []
|
|
if isinstance(item, list):
|
|
return item
|
|
return [item]
|
|
|
|
|
|
class ConfigurationSyntaxError(Exception):
|
|
pass
|
|
|
|
|
|
class NodeFromGroupNotFoundError(Exception):
|
|
def __init__(self, nodeset, node, group):
|
|
message = textwrap.dedent("""\
|
|
In nodeset "{nodeset}" the group "{group}" contains a
|
|
node named "{node}" which is not defined in the nodeset.""")
|
|
message = textwrap.fill(message.format(nodeset=nodeset,
|
|
node=node, group=group))
|
|
super(NodeFromGroupNotFoundError, self).__init__(message)
|
|
|
|
|
|
class DuplicateNodeError(Exception):
|
|
def __init__(self, nodeset, node):
|
|
message = textwrap.dedent("""\
|
|
In nodeset "{nodeset}" the node "{node}" appears multiple times.
|
|
Node names must be unique within a nodeset.""")
|
|
message = textwrap.fill(message.format(nodeset=nodeset,
|
|
node=node))
|
|
super(DuplicateNodeError, self).__init__(message)
|
|
|
|
|
|
class MaxNodeError(Exception):
|
|
def __init__(self, job, tenant):
|
|
message = textwrap.dedent("""\
|
|
The job "{job}" exceeds tenant max-nodes-per-job {maxnodes}.""")
|
|
message = textwrap.fill(message.format(
|
|
job=job.name, maxnodes=tenant.max_nodes_per_job))
|
|
super(MaxNodeError, self).__init__(message)
|
|
|
|
|
|
class MaxTimeoutError(Exception):
|
|
def __init__(self, job, tenant):
|
|
message = textwrap.dedent("""\
|
|
The job "{job}" exceeds tenant max-job-timeout {maxtimeout}.""")
|
|
message = textwrap.fill(message.format(
|
|
job=job.name, maxtimeout=tenant.max_job_timeout))
|
|
super(MaxTimeoutError, self).__init__(message)
|
|
|
|
|
|
class DuplicateGroupError(Exception):
|
|
def __init__(self, nodeset, group):
|
|
message = textwrap.dedent("""\
|
|
In nodeset "{nodeset}" the group "{group}" appears multiple times.
|
|
Group names must be unique within a nodeset.""")
|
|
message = textwrap.fill(message.format(nodeset=nodeset,
|
|
group=group))
|
|
super(DuplicateGroupError, self).__init__(message)
|
|
|
|
|
|
class ProjectNotFoundError(Exception):
|
|
def __init__(self, project):
|
|
message = textwrap.dedent("""\
|
|
The project "{project}" was not found. All projects
|
|
referenced within a Zuul configuration must first be
|
|
added to the main configuration file by the Zuul
|
|
administrator.""")
|
|
message = textwrap.fill(message.format(project=project))
|
|
super(ProjectNotFoundError, self).__init__(message)
|
|
|
|
|
|
class TemplateNotFoundError(Exception):
|
|
def __init__(self, template):
|
|
message = textwrap.dedent("""\
|
|
The project template "{template}" was not found.
|
|
""")
|
|
message = textwrap.fill(message.format(template=template))
|
|
super(TemplateNotFoundError, self).__init__(message)
|
|
|
|
|
|
class SecretNotFoundError(Exception):
|
|
def __init__(self, secret):
|
|
message = textwrap.dedent("""\
|
|
The secret "{secret}" was not found.
|
|
""")
|
|
message = textwrap.fill(message.format(secret=secret))
|
|
super(SecretNotFoundError, self).__init__(message)
|
|
|
|
|
|
class NodesetNotFoundError(Exception):
|
|
def __init__(self, nodeset):
|
|
message = textwrap.dedent("""\
|
|
The nodeset "{nodeset}" was not found.
|
|
""")
|
|
message = textwrap.fill(message.format(nodeset=nodeset))
|
|
super(NodesetNotFoundError, self).__init__(message)
|
|
|
|
|
|
class PipelineNotPermittedError(Exception):
|
|
def __init__(self):
|
|
message = textwrap.dedent("""\
|
|
Pipelines may not be defined in untrusted repos,
|
|
they may only be defined in config repos.""")
|
|
message = textwrap.fill(message)
|
|
super(PipelineNotPermittedError, self).__init__(message)
|
|
|
|
|
|
class ProjectNotPermittedError(Exception):
|
|
def __init__(self):
|
|
message = textwrap.dedent("""\
|
|
Within an untrusted project, the only project definition
|
|
permitted is that of the project itself.""")
|
|
message = textwrap.fill(message)
|
|
super(ProjectNotPermittedError, self).__init__(message)
|
|
|
|
|
|
class YAMLDuplicateKeyError(ConfigurationSyntaxError):
|
|
def __init__(self, key, node, context, start_mark):
|
|
intro = textwrap.fill(textwrap.dedent("""\
|
|
Zuul encountered a syntax error while parsing its configuration in the
|
|
repo {repo} on branch {branch}. The error was:""".format(
|
|
repo=context.project.name,
|
|
branch=context.branch,
|
|
)))
|
|
|
|
e = textwrap.fill(textwrap.dedent("""\
|
|
The key "{key}" appears more than once; duplicate keys are not
|
|
permitted.
|
|
""".format(
|
|
key=key,
|
|
)))
|
|
|
|
m = textwrap.dedent("""\
|
|
{intro}
|
|
|
|
{error}
|
|
|
|
The error appears in the following stanza:
|
|
|
|
{content}
|
|
|
|
{start_mark}""")
|
|
|
|
m = m.format(intro=intro,
|
|
error=indent(str(e)),
|
|
content=indent(start_mark.snippet.rstrip()),
|
|
start_mark=str(start_mark))
|
|
super(YAMLDuplicateKeyError, self).__init__(m)
|
|
|
|
|
|
def indent(s):
|
|
return '\n'.join([' ' + x for x in s.split('\n')])
|
|
|
|
|
|
@contextmanager
|
|
def early_configuration_exceptions(context):
|
|
try:
|
|
yield
|
|
except ConfigurationSyntaxError:
|
|
raise
|
|
except Exception as e:
|
|
intro = textwrap.fill(textwrap.dedent("""\
|
|
Zuul encountered a syntax error while parsing its configuration in the
|
|
repo {repo} on branch {branch}. The error was:""".format(
|
|
repo=context.project.name,
|
|
branch=context.branch,
|
|
)))
|
|
|
|
m = textwrap.dedent("""\
|
|
{intro}
|
|
|
|
{error}""")
|
|
|
|
m = m.format(intro=intro,
|
|
error=indent(str(e)))
|
|
raise ConfigurationSyntaxError(m)
|
|
|
|
|
|
@contextmanager
|
|
def configuration_exceptions(stanza, conf):
|
|
try:
|
|
yield
|
|
except ConfigurationSyntaxError:
|
|
raise
|
|
except Exception as e:
|
|
conf = copy.deepcopy(conf)
|
|
context = conf.pop('_source_context')
|
|
start_mark = conf.pop('_start_mark')
|
|
intro = textwrap.fill(textwrap.dedent("""\
|
|
Zuul encountered a syntax error while parsing its configuration in the
|
|
repo {repo} on branch {branch}. The error was:""".format(
|
|
repo=context.project.name,
|
|
branch=context.branch,
|
|
)))
|
|
|
|
m = textwrap.dedent("""\
|
|
{intro}
|
|
|
|
{error}
|
|
|
|
The error appears in the following {stanza} stanza:
|
|
|
|
{content}
|
|
|
|
{start_mark}""")
|
|
|
|
m = m.format(intro=intro,
|
|
error=indent(str(e)),
|
|
stanza=stanza,
|
|
content=indent(start_mark.snippet.rstrip()),
|
|
start_mark=str(start_mark))
|
|
raise ConfigurationSyntaxError(m)
|
|
|
|
|
|
class ZuulMark(object):
|
|
# The yaml mark class differs between the C and python versions.
|
|
# The C version does not provide a snippet, and also appears to
|
|
# lose data under some circumstances.
|
|
def __init__(self, start_mark, end_mark, stream):
|
|
self.name = start_mark.name
|
|
self.index = start_mark.index
|
|
self.line = start_mark.line
|
|
self.column = start_mark.column
|
|
self.snippet = stream[start_mark.index:end_mark.index]
|
|
|
|
def __str__(self):
|
|
return ' in "{name}", line {line}, column {column}'.format(
|
|
name=self.name,
|
|
line=self.line + 1,
|
|
column=self.column + 1,
|
|
)
|
|
|
|
|
|
class ZuulSafeLoader(yaml.SafeLoader):
|
|
zuul_node_types = frozenset(('job', 'nodeset', 'secret', 'pipeline',
|
|
'project', 'project-template',
|
|
'semaphore', 'pragma'))
|
|
|
|
def __init__(self, stream, context):
|
|
wrapped_stream = io.StringIO(stream)
|
|
wrapped_stream.name = str(context)
|
|
super(ZuulSafeLoader, self).__init__(wrapped_stream)
|
|
self.name = str(context)
|
|
self.zuul_context = context
|
|
self.zuul_stream = stream
|
|
|
|
def construct_mapping(self, node, deep=False):
|
|
keys = set()
|
|
for k, v in node.value:
|
|
if k.value in keys:
|
|
mark = ZuulMark(node.start_mark, node.end_mark,
|
|
self.zuul_stream)
|
|
raise YAMLDuplicateKeyError(k.value, node, self.zuul_context,
|
|
mark)
|
|
keys.add(k.value)
|
|
r = super(ZuulSafeLoader, self).construct_mapping(node, deep)
|
|
keys = frozenset(r.keys())
|
|
if len(keys) == 1 and keys.intersection(self.zuul_node_types):
|
|
d = list(r.values())[0]
|
|
if isinstance(d, dict):
|
|
d['_start_mark'] = ZuulMark(node.start_mark, node.end_mark,
|
|
self.zuul_stream)
|
|
d['_source_context'] = self.zuul_context
|
|
return r
|
|
|
|
|
|
def safe_load_yaml(stream, context):
|
|
loader = ZuulSafeLoader(stream, context)
|
|
try:
|
|
return loader.get_single_data()
|
|
except yaml.YAMLError as e:
|
|
m = """
|
|
Zuul encountered a syntax error while parsing its configuration in the
|
|
repo {repo} on branch {branch}. The error was:
|
|
|
|
{error}
|
|
"""
|
|
m = m.format(repo=context.project.name,
|
|
branch=context.branch,
|
|
error=str(e))
|
|
raise ConfigurationSyntaxError(m)
|
|
finally:
|
|
loader.dispose()
|
|
|
|
|
|
class EncryptedPKCS1_OAEP(yaml.YAMLObject):
|
|
yaml_tag = u'!encrypted/pkcs1-oaep'
|
|
yaml_loader = yaml.SafeLoader
|
|
|
|
def __init__(self, ciphertext):
|
|
if isinstance(ciphertext, list):
|
|
self.ciphertext = [base64.b64decode(x.value)
|
|
for x in ciphertext]
|
|
else:
|
|
self.ciphertext = base64.b64decode(ciphertext)
|
|
|
|
def __ne__(self, other):
|
|
return not self.__eq__(other)
|
|
|
|
def __eq__(self, other):
|
|
if not isinstance(other, EncryptedPKCS1_OAEP):
|
|
return False
|
|
return (self.ciphertext == other.ciphertext)
|
|
|
|
@classmethod
|
|
def from_yaml(cls, loader, node):
|
|
return cls(node.value)
|
|
|
|
def decrypt(self, private_key):
|
|
if isinstance(self.ciphertext, list):
|
|
return ''.join([
|
|
encryption.decrypt_pkcs1_oaep(chunk, private_key).
|
|
decode('utf8')
|
|
for chunk in self.ciphertext])
|
|
else:
|
|
return encryption.decrypt_pkcs1_oaep(self.ciphertext,
|
|
private_key).decode('utf8')
|
|
|
|
|
|
class PragmaParser(object):
|
|
pragma = {
|
|
'implied-branch-matchers': bool,
|
|
'implied-branches': to_list(str),
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
schema = vs.Schema(pragma)
|
|
|
|
def __init__(self):
|
|
self.log = logging.getLogger("zuul.PragmaParser")
|
|
|
|
def fromYaml(self, conf):
|
|
with configuration_exceptions('project-template', conf):
|
|
self.schema(conf)
|
|
|
|
bm = conf.get('implied-branch-matchers')
|
|
|
|
source_context = conf['_source_context']
|
|
if bm is not None:
|
|
source_context.implied_branch_matchers = bm
|
|
|
|
branches = conf.get('implied-branches')
|
|
if branches is not None:
|
|
source_context.implied_branches = as_list(branches)
|
|
|
|
|
|
class NodeSetParser(object):
|
|
def __init__(self, tenant, layout):
|
|
self.log = logging.getLogger("zuul.NodeSetParser")
|
|
self.tenant = tenant
|
|
self.layout = layout
|
|
|
|
def getSchema(self, anonymous=False):
|
|
node = {vs.Required('name'): to_list(str),
|
|
vs.Required('label'): str,
|
|
}
|
|
|
|
group = {vs.Required('name'): str,
|
|
vs.Required('nodes'): to_list(str),
|
|
}
|
|
|
|
nodeset = {vs.Required('nodes'): to_list(node),
|
|
'groups': to_list(group),
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
if not anonymous:
|
|
nodeset[vs.Required('name')] = str
|
|
return vs.Schema(nodeset)
|
|
|
|
def fromYaml(self, conf, anonymous=False):
|
|
self.getSchema(anonymous)(conf)
|
|
ns = model.NodeSet(conf.get('name'), conf.get('_source_context'))
|
|
node_names = set()
|
|
group_names = set()
|
|
for conf_node in as_list(conf['nodes']):
|
|
for name in as_list(conf_node['name']):
|
|
if name in node_names:
|
|
raise DuplicateNodeError(name, conf_node['name'])
|
|
node = model.Node(as_list(conf_node['name']), conf_node['label'])
|
|
ns.addNode(node)
|
|
for name in as_list(conf_node['name']):
|
|
node_names.add(name)
|
|
for conf_group in as_list(conf.get('groups', [])):
|
|
for node_name in as_list(conf_group['nodes']):
|
|
if node_name not in node_names:
|
|
raise NodeFromGroupNotFoundError(conf['name'], node_name,
|
|
conf_group['name'])
|
|
if conf_group['name'] in group_names:
|
|
raise DuplicateGroupError(conf['name'], conf_group['name'])
|
|
group = model.Group(conf_group['name'], conf_group['nodes'])
|
|
ns.addGroup(group)
|
|
group_names.add(conf_group['name'])
|
|
return ns
|
|
|
|
|
|
class SecretParser(object):
|
|
def __init__(self, tenant, layout):
|
|
self.log = logging.getLogger("zuul.SecretParser")
|
|
self.tenant = tenant
|
|
self.layout = layout
|
|
self.schema = self.getSchema()
|
|
|
|
def getSchema(self):
|
|
data = {str: vs.Any(str, EncryptedPKCS1_OAEP)}
|
|
|
|
secret = {vs.Required('name'): str,
|
|
vs.Required('data'): data,
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
return vs.Schema(secret)
|
|
|
|
def fromYaml(self, conf):
|
|
with configuration_exceptions('secret', conf):
|
|
self.schema(conf)
|
|
s = model.Secret(conf['name'], conf['_source_context'])
|
|
s.secret_data = conf['data']
|
|
return s
|
|
|
|
|
|
class JobParser(object):
|
|
ANSIBLE_ROLE_RE = re.compile(r'^(ansible[-_.+]*)*(role[-_.+]*)*')
|
|
|
|
zuul_role = {vs.Required('zuul'): str,
|
|
'name': str}
|
|
|
|
galaxy_role = {vs.Required('galaxy'): str,
|
|
'name': str}
|
|
|
|
role = vs.Any(zuul_role, galaxy_role)
|
|
|
|
job_project = {vs.Required('name'): str,
|
|
'override-branch': str,
|
|
'override-checkout': str}
|
|
|
|
secret = {vs.Required('name'): str,
|
|
vs.Required('secret'): str}
|
|
|
|
# Attributes of a job that can also be used in Project and ProjectTemplate
|
|
job_attributes = {'parent': vs.Any(str, None),
|
|
'final': bool,
|
|
'abstract': bool,
|
|
'protected': bool,
|
|
'failure-message': str,
|
|
'success-message': str,
|
|
'failure-url': str,
|
|
'success-url': str,
|
|
'hold-following-changes': bool,
|
|
'voting': bool,
|
|
'semaphore': str,
|
|
'tags': to_list(str),
|
|
'branches': to_list(str),
|
|
'files': to_list(str),
|
|
'secrets': to_list(vs.Any(secret, str)),
|
|
'irrelevant-files': to_list(str),
|
|
# validation happens in NodeSetParser
|
|
'nodeset': vs.Any(dict, str),
|
|
'timeout': int,
|
|
'post-timeout': int,
|
|
'attempts': int,
|
|
'pre-run': to_list(str),
|
|
'post-run': to_list(str),
|
|
'run': str,
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
'roles': to_list(role),
|
|
'required-projects': to_list(vs.Any(job_project, str)),
|
|
'vars': dict,
|
|
'host_vars': {str: dict},
|
|
'group_vars': {str: dict},
|
|
'dependencies': to_list(str),
|
|
'allowed-projects': to_list(str),
|
|
'override-branch': str,
|
|
'override-checkout': str,
|
|
'description': str,
|
|
'post-review': bool}
|
|
|
|
job_name = {vs.Required('name'): str}
|
|
|
|
job = dict(collections.ChainMap(job_name, job_attributes))
|
|
|
|
schema = vs.Schema(job)
|
|
|
|
simple_attributes = [
|
|
'final',
|
|
'abstract',
|
|
'protected',
|
|
'timeout',
|
|
'post-timeout',
|
|
'workspace',
|
|
'voting',
|
|
'hold-following-changes',
|
|
'semaphore',
|
|
'attempts',
|
|
'failure-message',
|
|
'success-message',
|
|
'failure-url',
|
|
'success-url',
|
|
'override-branch',
|
|
'override-checkout',
|
|
]
|
|
|
|
@staticmethod
|
|
def _getImpliedBranches(tenant, job):
|
|
# If the user has set a pragma directive for this, use the
|
|
# value (if unset, the value is None).
|
|
if job.source_context.implied_branch_matchers is True:
|
|
if job.source_context.implied_branches is not None:
|
|
return job.source_context.implied_branches
|
|
return [job.source_context.branch]
|
|
elif job.source_context.implied_branch_matchers is False:
|
|
return None
|
|
|
|
# If this is a trusted project, don't create implied branch
|
|
# matchers.
|
|
if job.source_context.trusted:
|
|
return None
|
|
|
|
# If this project only has one branch, don't create implied
|
|
# branch matchers. This way central job repos can work.
|
|
branches = tenant.getProjectBranches(job.source_context.project)
|
|
if len(branches) == 1:
|
|
return None
|
|
|
|
if job.source_context.implied_branches is not None:
|
|
return job.source_context.implied_branches
|
|
return [job.source_context.branch]
|
|
|
|
@staticmethod
|
|
def fromYaml(tenant, layout, conf, project_pipeline=False,
|
|
name=None, validate=True):
|
|
if validate:
|
|
with configuration_exceptions('job', conf):
|
|
JobParser.schema(conf)
|
|
|
|
if name is None:
|
|
name = conf['name']
|
|
|
|
# NB: The default detection system in the Job class requires
|
|
# that we always assign values directly rather than modifying
|
|
# them (e.g., "job.run = ..." rather than
|
|
# "job.run.append(...)").
|
|
|
|
job = model.Job(name)
|
|
job.description = conf.get('description')
|
|
job.source_context = conf.get('_source_context')
|
|
job.source_line = conf.get('_start_mark').line + 1
|
|
|
|
if 'parent' in conf:
|
|
if conf['parent'] is not None:
|
|
# Parent job is explicitly specified, so inherit from it.
|
|
job.parent = conf['parent']
|
|
else:
|
|
# Parent is explicitly set as None, so user intends
|
|
# this to be a base job. That's only okay if we're in
|
|
# a config project.
|
|
if not conf['_source_context'].trusted:
|
|
raise Exception(
|
|
"Base jobs must be defined in config projects")
|
|
job.parent = job.BASE_JOB_MARKER
|
|
|
|
# Secrets are part of the playbook context so we must establish
|
|
# them earlier than playbooks.
|
|
secrets = []
|
|
for secret_config in as_list(conf.get('secrets', [])):
|
|
if isinstance(secret_config, str):
|
|
secret_name = secret_config
|
|
secret = layout.secrets.get(secret_name)
|
|
else:
|
|
secret_name = secret_config['name']
|
|
secret = layout.secrets.get(secret_config['secret'])
|
|
if secret is None:
|
|
raise SecretNotFoundError(secret_name)
|
|
if secret_name == 'zuul' or secret_name == 'nodepool':
|
|
raise Exception("Secrets named 'zuul' or 'nodepool' "
|
|
"are not allowed.")
|
|
if not secret.source_context.isSameProject(job.source_context):
|
|
raise Exception(
|
|
"Unable to use secret %s. Secrets must be "
|
|
"defined in the same project in which they "
|
|
"are used" % secret_name)
|
|
# If the secret declares a different name, set it on the decrypted
|
|
# copy of the secret object
|
|
decrypted_secret = secret.decrypt(
|
|
job.source_context.project.private_key)
|
|
decrypted_secret.name = secret_name
|
|
secrets.append(decrypted_secret)
|
|
|
|
# A job in an untrusted repo that uses secrets requires
|
|
# special care. We must note this, and carry this flag
|
|
# through inheritance to ensure that we don't run this job in
|
|
# an unsafe check pipeline.
|
|
if secrets and not conf['_source_context'].trusted:
|
|
job.post_review = True
|
|
|
|
if conf.get('timeout') and tenant.max_job_timeout != -1 and \
|
|
int(conf['timeout']) > tenant.max_job_timeout:
|
|
raise MaxTimeoutError(job, tenant)
|
|
|
|
if conf.get('post-timeout') and tenant.max_job_timeout != -1 and \
|
|
int(conf['post-timeout']) > tenant.max_job_timeout:
|
|
raise MaxTimeoutError(job, tenant)
|
|
|
|
if 'post-review' in conf:
|
|
if conf['post-review']:
|
|
job.post_review = True
|
|
else:
|
|
raise Exception("Once set, the post-review attribute "
|
|
"may not be unset")
|
|
|
|
# Roles are part of the playbook context so we must establish
|
|
# them earlier than playbooks.
|
|
roles = []
|
|
if 'roles' in conf:
|
|
for role in conf.get('roles', []):
|
|
if 'zuul' in role:
|
|
r = JobParser._makeZuulRole(tenant, job, role)
|
|
if r:
|
|
roles.append(r)
|
|
# A job's repo should be an implicit role source for that job,
|
|
# but not in a project-pipeline variant.
|
|
if not project_pipeline:
|
|
r = JobParser._makeImplicitRole(job)
|
|
roles.insert(0, r)
|
|
job.addRoles(roles)
|
|
|
|
for pre_run_name in as_list(conf.get('pre-run')):
|
|
pre_run = model.PlaybookContext(job.source_context,
|
|
pre_run_name, job.roles,
|
|
secrets)
|
|
job.pre_run = job.pre_run + (pre_run,)
|
|
# NOTE(pabelanger): Reverse the order of our post-run list. We prepend
|
|
# post-runs for inherits however, we want to execute post-runs in the
|
|
# order they are listed within the job.
|
|
for post_run_name in reversed(as_list(conf.get('post-run'))):
|
|
post_run = model.PlaybookContext(job.source_context,
|
|
post_run_name, job.roles,
|
|
secrets)
|
|
job.post_run = (post_run,) + job.post_run
|
|
if 'run' in conf:
|
|
run = model.PlaybookContext(job.source_context, conf['run'],
|
|
job.roles, secrets)
|
|
job.run = (run,)
|
|
|
|
for k in JobParser.simple_attributes:
|
|
a = k.replace('-', '_')
|
|
if k in conf:
|
|
setattr(job, a, conf[k])
|
|
if 'nodeset' in conf:
|
|
nodeset_parser = NodeSetParser(tenant, layout)
|
|
conf_nodeset = conf['nodeset']
|
|
if isinstance(conf_nodeset, str):
|
|
# This references an existing named nodeset in the layout.
|
|
ns = layout.nodesets.get(conf_nodeset)
|
|
if ns is None:
|
|
raise NodesetNotFoundError(conf_nodeset)
|
|
else:
|
|
ns = nodeset_parser.fromYaml(conf_nodeset, anonymous=True)
|
|
if tenant.max_nodes_per_job != -1 and \
|
|
len(ns) > tenant.max_nodes_per_job:
|
|
raise MaxNodeError(job, tenant)
|
|
job.nodeset = ns
|
|
|
|
if 'required-projects' in conf:
|
|
new_projects = {}
|
|
projects = as_list(conf.get('required-projects', []))
|
|
for project in projects:
|
|
if isinstance(project, dict):
|
|
project_name = project['name']
|
|
project_override_branch = project.get('override-branch')
|
|
project_override_checkout = project.get(
|
|
'override-checkout')
|
|
else:
|
|
project_name = project
|
|
project_override_branch = None
|
|
project_override_checkout = None
|
|
(trusted, project) = tenant.getProject(project_name)
|
|
if project is None:
|
|
raise Exception("Unknown project %s" % (project_name,))
|
|
job_project = model.JobProject(project.canonical_name,
|
|
project_override_branch,
|
|
project_override_checkout)
|
|
new_projects[project.canonical_name] = job_project
|
|
job.required_projects = new_projects
|
|
|
|
tags = conf.get('tags')
|
|
if tags:
|
|
job.tags = set(tags)
|
|
|
|
job.dependencies = frozenset(as_list(conf.get('dependencies')))
|
|
|
|
variables = conf.get('vars', None)
|
|
if variables:
|
|
if 'zuul' in variables or 'nodepool' in variables:
|
|
raise Exception("Variables named 'zuul' or 'nodepool' "
|
|
"are not allowed.")
|
|
job.variables = variables
|
|
host_variables = conf.get('host_vars', None)
|
|
if host_variables:
|
|
for host, hvars in host_variables.items():
|
|
if 'zuul' in hvars or 'nodepool' in hvars:
|
|
raise Exception("Variables named 'zuul' or 'nodepool' "
|
|
"are not allowed.")
|
|
job.host_variables = host_variables
|
|
group_variables = conf.get('group_vars', None)
|
|
if group_variables:
|
|
for group, gvars in group_variables.items():
|
|
if 'zuul' in group_variables or 'nodepool' in gvars:
|
|
raise Exception("Variables named 'zuul' or 'nodepool' "
|
|
"are not allowed.")
|
|
job.group_variables = group_variables
|
|
|
|
allowed_projects = conf.get('allowed-projects', None)
|
|
if allowed_projects:
|
|
allowed = []
|
|
for p in as_list(allowed_projects):
|
|
(trusted, project) = tenant.getProject(p)
|
|
if project is None:
|
|
raise Exception("Unknown project %s" % (p,))
|
|
allowed.append(project.name)
|
|
job.allowed_projects = frozenset(allowed)
|
|
|
|
branches = None
|
|
if ('branches' not in conf):
|
|
branches = JobParser._getImpliedBranches(tenant, job)
|
|
if (not branches) and ('branches' in conf):
|
|
branches = as_list(conf['branches'])
|
|
if branches:
|
|
job.setBranchMatcher(branches)
|
|
if 'files' in conf:
|
|
matchers = []
|
|
for fn in as_list(conf['files']):
|
|
matchers.append(change_matcher.FileMatcher(fn))
|
|
job.file_matcher = change_matcher.MatchAny(matchers)
|
|
if 'irrelevant-files' in conf:
|
|
matchers = []
|
|
for fn in as_list(conf['irrelevant-files']):
|
|
matchers.append(change_matcher.FileMatcher(fn))
|
|
job.irrelevant_file_matcher = change_matcher.MatchAllFiles(
|
|
matchers)
|
|
return job
|
|
|
|
@staticmethod
|
|
def _makeZuulRole(tenant, job, role):
|
|
name = role['zuul'].split('/')[-1]
|
|
|
|
(trusted, project) = tenant.getProject(role['zuul'])
|
|
if project is None:
|
|
return None
|
|
|
|
return model.ZuulRole(role.get('name', name),
|
|
project.connection_name,
|
|
project.name)
|
|
|
|
@staticmethod
|
|
def _makeImplicitRole(job):
|
|
project = job.source_context.project
|
|
name = project.name.split('/')[-1]
|
|
name = JobParser.ANSIBLE_ROLE_RE.sub('', name)
|
|
return model.ZuulRole(name,
|
|
project.connection_name,
|
|
project.name,
|
|
implicit=True)
|
|
|
|
|
|
class ProjectTemplateParser(object):
|
|
def __init__(self, tenant, layout):
|
|
self.log = logging.getLogger("zuul.ProjectTemplateParser")
|
|
self.tenant = tenant
|
|
self.layout = layout
|
|
self.schema = self.getSchema()
|
|
|
|
def getSchema(self):
|
|
project_template = {
|
|
vs.Required('name'): str,
|
|
'description': str,
|
|
'merge-mode': vs.Any(
|
|
'merge', 'merge-resolve',
|
|
'cherry-pick'),
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
job = {str: vs.Any(str, JobParser.job_attributes)}
|
|
job_list = [vs.Any(str, job)]
|
|
pipeline_contents = {
|
|
'queue': str,
|
|
'debug': bool,
|
|
'jobs': job_list,
|
|
}
|
|
|
|
for p in self.layout.pipelines.values():
|
|
project_template[p.name] = pipeline_contents
|
|
return vs.Schema(project_template)
|
|
|
|
def fromYaml(self, conf, validate=True):
|
|
if validate:
|
|
with configuration_exceptions('project-template', conf):
|
|
self.schema(conf)
|
|
source_context = conf['_source_context']
|
|
project_template = model.ProjectConfig(conf['name'], source_context)
|
|
start_mark = conf['_start_mark']
|
|
for pipeline in self.layout.pipelines.values():
|
|
conf_pipeline = conf.get(pipeline.name)
|
|
if not conf_pipeline:
|
|
continue
|
|
project_pipeline = model.ProjectPipelineConfig()
|
|
project_template.pipelines[pipeline.name] = project_pipeline
|
|
project_pipeline.queue_name = conf_pipeline.get('queue')
|
|
project_pipeline.debug = conf_pipeline.get('debug')
|
|
self.parseJobList(
|
|
conf_pipeline.get('jobs', []),
|
|
source_context, start_mark, project_pipeline.job_list)
|
|
return project_template
|
|
|
|
def parseJobList(self, conf, source_context, start_mark, job_list):
|
|
for conf_job in conf:
|
|
if isinstance(conf_job, str):
|
|
jobname = conf_job
|
|
attrs = {}
|
|
elif isinstance(conf_job, dict):
|
|
# A dictionary in a job tree may override params
|
|
jobname, attrs = list(conf_job.items())[0]
|
|
else:
|
|
raise Exception("Job must be a string or dictionary")
|
|
attrs['_source_context'] = source_context
|
|
attrs['_start_mark'] = start_mark
|
|
|
|
# validate that the job is existing
|
|
with configuration_exceptions('project or project-template',
|
|
attrs):
|
|
self.layout.getJob(jobname)
|
|
|
|
job_list.addJob(JobParser.fromYaml(self.tenant, self.layout,
|
|
attrs, project_pipeline=True,
|
|
name=jobname, validate=False))
|
|
|
|
|
|
class ProjectParser(object):
|
|
def __init__(self, tenant, layout, project_template_parser):
|
|
self.log = logging.getLogger("zuul.ProjectParser")
|
|
self.tenant = tenant
|
|
self.layout = layout
|
|
self.project_template_parser = project_template_parser
|
|
self.schema = self.getSchema()
|
|
|
|
def getSchema(self):
|
|
project = {
|
|
'name': str,
|
|
'description': str,
|
|
'templates': [str],
|
|
'merge-mode': vs.Any('merge', 'merge-resolve',
|
|
'cherry-pick'),
|
|
'default-branch': str,
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
job = {str: vs.Any(str, JobParser.job_attributes)}
|
|
job_list = [vs.Any(str, job)]
|
|
pipeline_contents = {
|
|
'queue': str,
|
|
'debug': bool,
|
|
'jobs': job_list
|
|
}
|
|
|
|
for p in self.layout.pipelines.values():
|
|
project[p.name] = pipeline_contents
|
|
return vs.Schema(project)
|
|
|
|
def fromYaml(self, conf_list):
|
|
for conf in conf_list:
|
|
with configuration_exceptions('project', conf):
|
|
self.schema(conf)
|
|
|
|
with configuration_exceptions('project', conf_list[0]):
|
|
project_name = conf_list[0]['name']
|
|
(trusted, project) = self.tenant.getProject(project_name)
|
|
if project is None:
|
|
raise ProjectNotFoundError(project_name)
|
|
project_config = model.ProjectConfig(project.canonical_name)
|
|
|
|
configs = []
|
|
for conf in conf_list:
|
|
implied_branch = None
|
|
with configuration_exceptions('project', conf):
|
|
if not conf['_source_context'].trusted:
|
|
if project != conf['_source_context'].project:
|
|
raise ProjectNotPermittedError()
|
|
|
|
conf_templates = conf.get('templates', [])
|
|
# The way we construct a project definition is by
|
|
# parsing the definition as a template, then applying
|
|
# all of the templates, including the newly parsed
|
|
# one, in order.
|
|
project_template = self.project_template_parser.fromYaml(
|
|
conf, validate=False)
|
|
# If this project definition is in a place where it
|
|
# should get implied branch matchers, set it.
|
|
if (not conf['_source_context'].trusted):
|
|
implied_branch = conf['_source_context'].branch
|
|
for name in conf_templates:
|
|
if name not in self.layout.project_templates:
|
|
raise TemplateNotFoundError(name)
|
|
configs.extend([(self.layout.project_templates[name],
|
|
implied_branch)
|
|
for name in conf_templates])
|
|
configs.append((project_template, implied_branch))
|
|
# Set the following values to the first one that we
|
|
# find and ignore subsequent settings.
|
|
mode = conf.get('merge-mode')
|
|
if mode and project_config.merge_mode is None:
|
|
project_config.merge_mode = model.MERGER_MAP[mode]
|
|
default_branch = conf.get('default-branch')
|
|
if default_branch and project_config.default_branch is None:
|
|
project_config.default_branch = default_branch
|
|
if project_config.merge_mode is None:
|
|
# If merge mode was not specified in any project stanza,
|
|
# set it to the default.
|
|
project_config.merge_mode = model.MERGER_MAP['merge-resolve']
|
|
if project_config.default_branch is None:
|
|
project_config.default_branch = 'master'
|
|
for pipeline in self.layout.pipelines.values():
|
|
project_pipeline = model.ProjectPipelineConfig()
|
|
queue_name = None
|
|
debug = False
|
|
# For every template, iterate over the job tree and replace or
|
|
# create the jobs in the final definition as needed.
|
|
pipeline_defined = False
|
|
for (template, implied_branch) in configs:
|
|
if pipeline.name in template.pipelines:
|
|
pipeline_defined = True
|
|
template_pipeline = template.pipelines[pipeline.name]
|
|
project_pipeline.job_list.inheritFrom(
|
|
template_pipeline.job_list,
|
|
implied_branch)
|
|
if template_pipeline.queue_name:
|
|
queue_name = template_pipeline.queue_name
|
|
if template_pipeline.debug is not None:
|
|
debug = template_pipeline.debug
|
|
if queue_name:
|
|
project_pipeline.queue_name = queue_name
|
|
if debug:
|
|
project_pipeline.debug = True
|
|
if pipeline_defined:
|
|
project_config.pipelines[pipeline.name] = project_pipeline
|
|
return project_config
|
|
|
|
|
|
class PipelineParser(object):
|
|
log = logging.getLogger("zuul.PipelineParser")
|
|
|
|
# A set of reporter configuration keys to action mapping
|
|
reporter_actions = {
|
|
'start': 'start_actions',
|
|
'success': 'success_actions',
|
|
'failure': 'failure_actions',
|
|
'merge-failure': 'merge_failure_actions',
|
|
'disabled': 'disabled_actions',
|
|
}
|
|
|
|
@staticmethod
|
|
def getDriverSchema(dtype, connections):
|
|
methods = {
|
|
'trigger': 'getTriggerSchema',
|
|
'reporter': 'getReporterSchema',
|
|
'require': 'getRequireSchema',
|
|
'reject': 'getRejectSchema',
|
|
}
|
|
|
|
schema = {}
|
|
# Add the configured connections as available layout options
|
|
for connection_name, connection in connections.connections.items():
|
|
method = getattr(connection.driver, methods[dtype], None)
|
|
if method:
|
|
schema[connection_name] = to_list(method())
|
|
|
|
return schema
|
|
|
|
@staticmethod
|
|
def getSchema(layout, connections):
|
|
manager = vs.Any('independent',
|
|
'dependent')
|
|
|
|
precedence = vs.Any('normal', 'low', 'high')
|
|
|
|
window = vs.All(int, vs.Range(min=0))
|
|
window_floor = vs.All(int, vs.Range(min=1))
|
|
window_type = vs.Any('linear', 'exponential')
|
|
window_factor = vs.All(int, vs.Range(min=1))
|
|
|
|
pipeline = {vs.Required('name'): str,
|
|
vs.Required('manager'): manager,
|
|
'precedence': precedence,
|
|
'description': str,
|
|
'success-message': str,
|
|
'failure-message': str,
|
|
'merge-failure-message': str,
|
|
'footer-message': str,
|
|
'dequeue-on-new-patchset': bool,
|
|
'ignore-dependencies': bool,
|
|
'post-review': bool,
|
|
'disable-after-consecutive-failures':
|
|
vs.All(int, vs.Range(min=1)),
|
|
'window': window,
|
|
'window-floor': window_floor,
|
|
'window-increase-type': window_type,
|
|
'window-increase-factor': window_factor,
|
|
'window-decrease-type': window_type,
|
|
'window-decrease-factor': window_factor,
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
pipeline['require'] = PipelineParser.getDriverSchema('require',
|
|
connections)
|
|
pipeline['reject'] = PipelineParser.getDriverSchema('reject',
|
|
connections)
|
|
pipeline['trigger'] = vs.Required(
|
|
PipelineParser.getDriverSchema('trigger', connections))
|
|
for action in ['start', 'success', 'failure', 'merge-failure',
|
|
'disabled']:
|
|
pipeline[action] = PipelineParser.getDriverSchema('reporter',
|
|
connections)
|
|
return vs.Schema(pipeline)
|
|
|
|
@staticmethod
|
|
def fromYaml(layout, connections, scheduler, conf):
|
|
with configuration_exceptions('pipeline', conf):
|
|
PipelineParser.getSchema(layout, connections)(conf)
|
|
pipeline = model.Pipeline(conf['name'], layout)
|
|
pipeline.description = conf.get('description')
|
|
|
|
precedence = model.PRECEDENCE_MAP[conf.get('precedence')]
|
|
pipeline.precedence = precedence
|
|
pipeline.failure_message = conf.get('failure-message',
|
|
"Build failed.")
|
|
pipeline.merge_failure_message = conf.get(
|
|
'merge-failure-message', "Merge Failed.\n\nThis change or one "
|
|
"of its cross-repo dependencies was unable to be "
|
|
"automatically merged with the current state of its "
|
|
"repository. Please rebase the change and upload a new "
|
|
"patchset.")
|
|
pipeline.success_message = conf.get('success-message',
|
|
"Build succeeded.")
|
|
pipeline.footer_message = conf.get('footer-message', "")
|
|
pipeline.start_message = conf.get('start-message',
|
|
"Starting {pipeline.name} jobs.")
|
|
pipeline.dequeue_on_new_patchset = conf.get(
|
|
'dequeue-on-new-patchset', True)
|
|
pipeline.ignore_dependencies = conf.get(
|
|
'ignore-dependencies', False)
|
|
pipeline.post_review = conf.get(
|
|
'post-review', False)
|
|
|
|
for conf_key, action in PipelineParser.reporter_actions.items():
|
|
reporter_set = []
|
|
if conf.get(conf_key):
|
|
for reporter_name, params \
|
|
in conf.get(conf_key).items():
|
|
reporter = connections.getReporter(reporter_name,
|
|
params)
|
|
reporter.setAction(conf_key)
|
|
reporter_set.append(reporter)
|
|
setattr(pipeline, action, reporter_set)
|
|
|
|
# If merge-failure actions aren't explicit, use the failure actions
|
|
if not pipeline.merge_failure_actions:
|
|
pipeline.merge_failure_actions = pipeline.failure_actions
|
|
|
|
pipeline.disable_at = conf.get(
|
|
'disable-after-consecutive-failures', None)
|
|
|
|
pipeline.window = conf.get('window', 20)
|
|
pipeline.window_floor = conf.get('window-floor', 3)
|
|
pipeline.window_increase_type = conf.get(
|
|
'window-increase-type', 'linear')
|
|
pipeline.window_increase_factor = conf.get(
|
|
'window-increase-factor', 1)
|
|
pipeline.window_decrease_type = conf.get(
|
|
'window-decrease-type', 'exponential')
|
|
pipeline.window_decrease_factor = conf.get(
|
|
'window-decrease-factor', 2)
|
|
|
|
manager_name = conf['manager']
|
|
if manager_name == 'dependent':
|
|
manager = zuul.manager.dependent.DependentPipelineManager(
|
|
scheduler, pipeline)
|
|
elif manager_name == 'independent':
|
|
manager = zuul.manager.independent.IndependentPipelineManager(
|
|
scheduler, pipeline)
|
|
|
|
pipeline.setManager(manager)
|
|
layout.pipelines[conf['name']] = pipeline
|
|
|
|
for source_name, require_config in conf.get('require', {}).items():
|
|
source = connections.getSource(source_name)
|
|
manager.ref_filters.extend(
|
|
source.getRequireFilters(require_config))
|
|
|
|
for source_name, reject_config in conf.get('reject', {}).items():
|
|
source = connections.getSource(source_name)
|
|
manager.ref_filters.extend(
|
|
source.getRejectFilters(reject_config))
|
|
|
|
for trigger_name, trigger_config in conf.get('trigger').items():
|
|
trigger = connections.getTrigger(trigger_name, trigger_config)
|
|
pipeline.triggers.append(trigger)
|
|
manager.event_filters.extend(
|
|
trigger.getEventFilters(conf['trigger'][trigger_name]))
|
|
|
|
return pipeline
|
|
|
|
|
|
class SemaphoreParser(object):
|
|
@staticmethod
|
|
def getSchema():
|
|
semaphore = {vs.Required('name'): str,
|
|
'max': int,
|
|
'_source_context': model.SourceContext,
|
|
'_start_mark': ZuulMark,
|
|
}
|
|
|
|
return vs.Schema(semaphore)
|
|
|
|
@staticmethod
|
|
def fromYaml(conf):
|
|
SemaphoreParser.getSchema()(conf)
|
|
semaphore = model.Semaphore(conf['name'], conf.get('max', 1))
|
|
semaphore.source_context = conf.get('_source_context')
|
|
return semaphore
|
|
|
|
|
|
class TenantParser(object):
|
|
log = logging.getLogger("zuul.TenantParser")
|
|
|
|
classes = vs.Any('pipeline', 'job', 'semaphore', 'project',
|
|
'project-template', 'nodeset', 'secret')
|
|
|
|
project_dict = {str: {
|
|
'include': to_list(classes),
|
|
'exclude': to_list(classes),
|
|
'shadow': to_list(str),
|
|
'exclude-unprotected-branches': bool,
|
|
}}
|
|
|
|
project = vs.Any(str, project_dict)
|
|
|
|
group = {
|
|
'include': to_list(classes),
|
|
'exclude': to_list(classes),
|
|
vs.Required('projects'): to_list(project),
|
|
}
|
|
|
|
project_or_group = vs.Any(project, group)
|
|
|
|
tenant_source = vs.Schema({
|
|
'config-projects': to_list(project_or_group),
|
|
'untrusted-projects': to_list(project_or_group),
|
|
})
|
|
|
|
@staticmethod
|
|
def validateTenantSources(connections):
|
|
def v(value, path=[]):
|
|
if isinstance(value, dict):
|
|
for k, val in value.items():
|
|
connections.getSource(k)
|
|
TenantParser.validateTenantSource(val, path + [k])
|
|
else:
|
|
raise vs.Invalid("Invalid tenant source", path)
|
|
return v
|
|
|
|
@staticmethod
|
|
def validateTenantSource(value, path=[]):
|
|
TenantParser.tenant_source(value)
|
|
|
|
@staticmethod
|
|
def getSchema(connections=None):
|
|
tenant = {vs.Required('name'): str,
|
|
'max-nodes-per-job': int,
|
|
'max-job-timeout': int,
|
|
'source': TenantParser.validateTenantSources(connections),
|
|
'exclude-unprotected-branches': bool,
|
|
'default-parent': str,
|
|
}
|
|
return vs.Schema(tenant)
|
|
|
|
@staticmethod
|
|
def fromYaml(base, project_key_dir, connections, scheduler, merger, conf,
|
|
old_tenant):
|
|
TenantParser.getSchema(connections)(conf)
|
|
tenant = model.Tenant(conf['name'])
|
|
if conf.get('max-nodes-per-job') is not None:
|
|
tenant.max_nodes_per_job = conf['max-nodes-per-job']
|
|
if conf.get('max-job-timeout') is not None:
|
|
tenant.max_job_timeout = int(conf['max-job-timeout'])
|
|
if conf.get('exclude-unprotected-branches') is not None:
|
|
tenant.exclude_unprotected_branches = \
|
|
conf['exclude-unprotected-branches']
|
|
tenant.default_base_job = conf.get('default-parent', 'base')
|
|
|
|
tenant.unparsed_config = conf
|
|
unparsed_config = model.UnparsedTenantConfig()
|
|
# tpcs is TenantProjectConfigs
|
|
config_tpcs, untrusted_tpcs = \
|
|
TenantParser._loadTenantProjects(
|
|
project_key_dir, connections, conf)
|
|
for tpc in config_tpcs:
|
|
tenant.addConfigProject(tpc)
|
|
for tpc in untrusted_tpcs:
|
|
tenant.addUntrustedProject(tpc)
|
|
|
|
for tpc in config_tpcs + untrusted_tpcs:
|
|
TenantParser._getProjectBranches(tenant, tpc, old_tenant)
|
|
TenantParser._resolveShadowProjects(tenant, tpc)
|
|
|
|
if old_tenant:
|
|
cached = True
|
|
else:
|
|
cached = False
|
|
tenant.config_projects_config, tenant.untrusted_projects_config = \
|
|
TenantParser._loadTenantInRepoLayouts(merger, connections,
|
|
tenant.config_projects,
|
|
tenant.untrusted_projects,
|
|
cached, tenant)
|
|
unparsed_config.extend(tenant.config_projects_config, tenant)
|
|
unparsed_config.extend(tenant.untrusted_projects_config, tenant)
|
|
tenant.layout = TenantParser._parseLayout(base, tenant,
|
|
unparsed_config,
|
|
scheduler,
|
|
connections)
|
|
return tenant
|
|
|
|
@staticmethod
|
|
def _resolveShadowProjects(tenant, tpc):
|
|
shadow_projects = []
|
|
for sp in tpc.shadow_projects:
|
|
shadow_projects.append(tenant.getProject(sp)[1])
|
|
tpc.shadow_projects = frozenset(shadow_projects)
|
|
|
|
@staticmethod
|
|
def _getProjectBranches(tenant, tpc, old_tenant):
|
|
# If we're performing a tenant reconfiguration, we will have
|
|
# an old_tenant object, however, we may be doing so because of
|
|
# a branch creation event, so if we don't have any cached
|
|
# data, query the branches again as well.
|
|
if old_tenant and tpc.project.unparsed_config:
|
|
branches = old_tenant.getProjectBranches(tpc.project)[:]
|
|
else:
|
|
branches = sorted(tpc.project.source.getProjectBranches(
|
|
tpc.project, tenant))
|
|
if 'master' in branches:
|
|
branches.remove('master')
|
|
branches = ['master'] + branches
|
|
tpc.branches = branches
|
|
|
|
@staticmethod
|
|
def _loadProjectKeys(project_key_dir, connection_name, project):
|
|
project.private_key_file = (
|
|
os.path.join(project_key_dir, connection_name,
|
|
project.name + '.pem'))
|
|
|
|
TenantParser._generateKeys(project)
|
|
TenantParser._loadKeys(project)
|
|
|
|
@staticmethod
|
|
def _generateKeys(project):
|
|
if os.path.isfile(project.private_key_file):
|
|
return
|
|
|
|
key_dir = os.path.dirname(project.private_key_file)
|
|
if not os.path.isdir(key_dir):
|
|
os.makedirs(key_dir, 0o700)
|
|
|
|
TenantParser.log.info(
|
|
"Generating RSA keypair for project %s" % (project.name,)
|
|
)
|
|
private_key, public_key = encryption.generate_rsa_keypair()
|
|
pem_private_key = encryption.serialize_rsa_private_key(private_key)
|
|
|
|
# Dump keys to filesystem. We only save the private key
|
|
# because the public key can be constructed from it.
|
|
TenantParser.log.info(
|
|
"Saving RSA keypair for project %s to %s" % (
|
|
project.name, project.private_key_file)
|
|
)
|
|
with open(project.private_key_file, 'wb') as f:
|
|
f.write(pem_private_key)
|
|
|
|
# Ensure private key is read/write for zuul user only.
|
|
os.chmod(project.private_key_file, 0o600)
|
|
|
|
@staticmethod
|
|
def _loadKeys(project):
|
|
# Check the key files specified are there
|
|
if not os.path.isfile(project.private_key_file):
|
|
raise Exception(
|
|
'Private key file {0} not found'.format(
|
|
project.private_key_file))
|
|
|
|
# Load keypair
|
|
with open(project.private_key_file, "rb") as f:
|
|
(project.private_key, project.public_key) = \
|
|
encryption.deserialize_rsa_keypair(f.read())
|
|
|
|
@staticmethod
|
|
def _getProject(source, conf, current_include):
|
|
if isinstance(conf, str):
|
|
# Return a project object whether conf is a dict or a str
|
|
project = source.getProject(conf)
|
|
project_include = current_include
|
|
shadow_projects = []
|
|
project_exclude_unprotected_branches = None
|
|
else:
|
|
project_name = list(conf.keys())[0]
|
|
project = source.getProject(project_name)
|
|
shadow_projects = as_list(conf[project_name].get('shadow', []))
|
|
|
|
project_include = frozenset(
|
|
as_list(conf[project_name].get('include', [])))
|
|
if not project_include:
|
|
project_include = current_include
|
|
project_exclude = frozenset(
|
|
as_list(conf[project_name].get('exclude', [])))
|
|
if project_exclude:
|
|
project_include = frozenset(project_include - project_exclude)
|
|
project_exclude_unprotected_branches = conf[project_name].get(
|
|
'exclude-unprotected-branches', None)
|
|
|
|
tenant_project_config = model.TenantProjectConfig(project)
|
|
tenant_project_config.load_classes = frozenset(project_include)
|
|
tenant_project_config.shadow_projects = shadow_projects
|
|
tenant_project_config.exclude_unprotected_branches = \
|
|
project_exclude_unprotected_branches
|
|
|
|
return tenant_project_config
|
|
|
|
@staticmethod
|
|
def _getProjects(source, conf, current_include):
|
|
# Return a project object whether conf is a dict or a str
|
|
projects = []
|
|
if isinstance(conf, str):
|
|
# A simple project name string
|
|
projects.append(TenantParser._getProject(
|
|
source, conf, current_include))
|
|
elif len(conf.keys()) > 1 and 'projects' in conf:
|
|
# This is a project group
|
|
if 'include' in conf:
|
|
current_include = set(as_list(conf['include']))
|
|
else:
|
|
current_include = current_include.copy()
|
|
if 'exclude' in conf:
|
|
exclude = set(as_list(conf['exclude']))
|
|
current_include = current_include - exclude
|
|
for project in conf['projects']:
|
|
sub_projects = TenantParser._getProjects(
|
|
source, project, current_include)
|
|
projects.extend(sub_projects)
|
|
elif len(conf.keys()) == 1:
|
|
# A project with overrides
|
|
projects.append(TenantParser._getProject(
|
|
source, conf, current_include))
|
|
else:
|
|
raise Exception("Unable to parse project %s", conf)
|
|
return projects
|
|
|
|
@staticmethod
|
|
def _loadTenantProjects(project_key_dir, connections, conf_tenant):
|
|
config_projects = []
|
|
untrusted_projects = []
|
|
|
|
default_include = frozenset(['pipeline', 'job', 'semaphore', 'project',
|
|
'secret', 'project-template', 'nodeset'])
|
|
|
|
for source_name, conf_source in conf_tenant.get('source', {}).items():
|
|
source = connections.getSource(source_name)
|
|
|
|
current_include = default_include
|
|
for conf_repo in conf_source.get('config-projects', []):
|
|
# tpcs = TenantProjectConfigs
|
|
tpcs = TenantParser._getProjects(source, conf_repo,
|
|
current_include)
|
|
for tpc in tpcs:
|
|
TenantParser._loadProjectKeys(
|
|
project_key_dir, source_name, tpc.project)
|
|
config_projects.append(tpc)
|
|
|
|
current_include = frozenset(default_include - set(['pipeline']))
|
|
for conf_repo in conf_source.get('untrusted-projects', []):
|
|
tpcs = TenantParser._getProjects(source, conf_repo,
|
|
current_include)
|
|
for tpc in tpcs:
|
|
TenantParser._loadProjectKeys(
|
|
project_key_dir, source_name, tpc.project)
|
|
untrusted_projects.append(tpc)
|
|
|
|
return config_projects, untrusted_projects
|
|
|
|
@staticmethod
|
|
def _loadTenantInRepoLayouts(merger, connections, config_projects,
|
|
untrusted_projects, cached, tenant):
|
|
config_projects_config = model.UnparsedTenantConfig()
|
|
untrusted_projects_config = model.UnparsedTenantConfig()
|
|
# project -> config; these will replace
|
|
# project.unparsed_config if this method succesfully
|
|
# completes
|
|
new_project_unparsed_config = {}
|
|
# project -> branch -> config; these will replace
|
|
# project.unparsed_branch_config if this method succesfully
|
|
# completes
|
|
new_project_unparsed_branch_config = {}
|
|
jobs = []
|
|
|
|
# In some cases, we can use cached data, but it's still
|
|
# important that we process that in the same order along with
|
|
# any jobs that we run. This class is used to hold the cached
|
|
# data and is inserted in the ordered jobs list for later
|
|
# processing.
|
|
class CachedDataJob(object):
|
|
def __init__(self, config_project, project):
|
|
self.config_project = config_project
|
|
self.project = project
|
|
|
|
for project in config_projects:
|
|
# If we have cached data (this is a reconfiguration) use it.
|
|
if cached and project.unparsed_config:
|
|
jobs.append(CachedDataJob(True, project))
|
|
continue
|
|
# Otherwise, prepare an empty unparsed config object to
|
|
# hold cached data later.
|
|
new_project_unparsed_config[project] = model.UnparsedTenantConfig()
|
|
# Get main config files. These files are permitted the
|
|
# full range of configuration.
|
|
job = merger.getFiles(
|
|
project.source.connection.connection_name,
|
|
project.name, 'master',
|
|
files=['zuul.yaml', '.zuul.yaml'],
|
|
dirs=['zuul.d', '.zuul.d'])
|
|
job.source_context = model.SourceContext(project, 'master',
|
|
'', True)
|
|
jobs.append(job)
|
|
|
|
for project in untrusted_projects:
|
|
tpc = tenant.project_configs[project.canonical_name]
|
|
# If all config classes are excluded then does not request a
|
|
# getFiles jobs.
|
|
if not tpc.load_classes:
|
|
continue
|
|
# If we have cached data (this is a reconfiguration) use it.
|
|
if cached and project.unparsed_config:
|
|
jobs.append(CachedDataJob(False, project))
|
|
continue
|
|
# Otherwise, prepare an empty unparsed config object to
|
|
# hold cached data later.
|
|
new_project_unparsed_config[project] = model.UnparsedTenantConfig()
|
|
new_project_unparsed_branch_config[project] = {}
|
|
# Get in-project-repo config files which have a restricted
|
|
# set of options.
|
|
# For each branch in the repo, get the zuul.yaml for that
|
|
# branch. Remember the branch and then implicitly add a
|
|
# branch selector to each job there. This makes the
|
|
# in-repo configuration apply only to that branch.
|
|
branches = tenant.getProjectBranches(project)
|
|
for branch in branches:
|
|
new_project_unparsed_branch_config[project][branch] = \
|
|
model.UnparsedTenantConfig()
|
|
job = merger.getFiles(
|
|
project.source.connection.connection_name,
|
|
project.name, branch,
|
|
files=['zuul.yaml', '.zuul.yaml'],
|
|
dirs=['zuul.d', '.zuul.d'])
|
|
job.source_context = model.SourceContext(
|
|
project, branch, '', False)
|
|
jobs.append(job)
|
|
|
|
for job in jobs:
|
|
# Note: this is an ordered list -- we wait for cat jobs to
|
|
# complete in the order they were executed which is the
|
|
# same order they were defined in the main config file.
|
|
# This is important for correct inheritance.
|
|
if isinstance(job, CachedDataJob):
|
|
TenantParser.log.info(
|
|
"Loading previously parsed configuration from %s" %
|
|
(job.project,))
|
|
if job.config_project:
|
|
config_projects_config.extend(
|
|
job.project.unparsed_config, tenant)
|
|
else:
|
|
untrusted_projects_config.extend(
|
|
job.project.unparsed_config, tenant)
|
|
continue
|
|
TenantParser.log.debug("Waiting for cat job %s" % (job,))
|
|
job.wait()
|
|
if not job.updated:
|
|
raise Exception("Cat job %s failed" % (job,))
|
|
TenantParser.log.debug("Cat job %s got files %s" %
|
|
(job, job.files.keys()))
|
|
loaded = False
|
|
files = sorted(job.files.keys())
|
|
for conf_root in ['zuul.yaml', 'zuul.d', '.zuul.yaml', '.zuul.d']:
|
|
for fn in files:
|
|
fn_root = fn.split('/')[0]
|
|
if fn_root != conf_root or not job.files.get(fn):
|
|
continue
|
|
# Don't load from more than configuration in a repo-branch
|
|
if loaded and loaded != conf_root:
|
|
TenantParser.log.warning(
|
|
"Multiple configuration files in %s" %
|
|
(job.source_context,))
|
|
continue
|
|
loaded = conf_root
|
|
source_context = job.source_context.copy()
|
|
source_context.path = fn
|
|
TenantParser.log.info(
|
|
"Loading configuration from %s" %
|
|
(source_context,))
|
|
project = source_context.project
|
|
branch = source_context.branch
|
|
if source_context.trusted:
|
|
incdata = TenantParser._parseConfigProjectLayout(
|
|
job.files[fn], source_context, tenant)
|
|
config_projects_config.extend(incdata, tenant)
|
|
else:
|
|
incdata = TenantParser._parseUntrustedProjectLayout(
|
|
job.files[fn], source_context, tenant)
|
|
untrusted_projects_config.extend(incdata, tenant)
|
|
new_project_unparsed_config[project].extend(
|
|
incdata, tenant)
|
|
if branch in new_project_unparsed_branch_config.get(
|
|
project, {}):
|
|
new_project_unparsed_branch_config[project][branch].\
|
|
extend(incdata, tenant)
|
|
# Now that we've sucessfully loaded all of the configuration,
|
|
# cache the unparsed data on the project objects.
|
|
for project, data in new_project_unparsed_config.items():
|
|
project.unparsed_config = data
|
|
for project, branch_config in \
|
|
new_project_unparsed_branch_config.items():
|
|
project.unparsed_branch_config = branch_config
|
|
return config_projects_config, untrusted_projects_config
|
|
|
|
@staticmethod
|
|
def _parseConfigProjectLayout(data, source_context, tenant):
|
|
# This is the top-level configuration for a tenant.
|
|
config = model.UnparsedTenantConfig()
|
|
with early_configuration_exceptions(source_context):
|
|
config.extend(safe_load_yaml(data, source_context), tenant)
|
|
return config
|
|
|
|
@staticmethod
|
|
def _parseUntrustedProjectLayout(data, source_context, tenant):
|
|
config = model.UnparsedTenantConfig()
|
|
with early_configuration_exceptions(source_context):
|
|
config.extend(safe_load_yaml(data, source_context), tenant)
|
|
if config.pipelines:
|
|
with configuration_exceptions('pipeline', config.pipelines[0]):
|
|
raise PipelineNotPermittedError()
|
|
return config
|
|
|
|
@staticmethod
|
|
def _getLoadClasses(tenant, conf_object):
|
|
project = conf_object['_source_context'].project
|
|
tpc = tenant.project_configs[project.canonical_name]
|
|
return tpc.load_classes
|
|
|
|
@staticmethod
|
|
def _parseLayoutItems(layout, tenant, data, scheduler, connections,
|
|
skip_pipelines=False, skip_semaphores=False):
|
|
# Handle pragma items first since they modify the source context
|
|
# used by other classes.
|
|
pragma_parser = PragmaParser()
|
|
for config_pragma in data.pragmas:
|
|
pragma_parser.fromYaml(config_pragma)
|
|
|
|
if not skip_pipelines:
|
|
for config_pipeline in data.pipelines:
|
|
classes = TenantParser._getLoadClasses(
|
|
tenant, config_pipeline)
|
|
if 'pipeline' not in classes:
|
|
continue
|
|
layout.addPipeline(PipelineParser.fromYaml(
|
|
layout, connections,
|
|
scheduler, config_pipeline))
|
|
|
|
nodeset_parser = NodeSetParser(tenant, layout)
|
|
for config_nodeset in data.nodesets:
|
|
classes = TenantParser._getLoadClasses(tenant, config_nodeset)
|
|
if 'nodeset' not in classes:
|
|
continue
|
|
with configuration_exceptions('nodeset', config_nodeset):
|
|
layout.addNodeSet(nodeset_parser.fromYaml(
|
|
config_nodeset))
|
|
|
|
secret_parser = SecretParser(tenant, layout)
|
|
for config_secret in data.secrets:
|
|
classes = TenantParser._getLoadClasses(tenant, config_secret)
|
|
if 'secret' not in classes:
|
|
continue
|
|
with configuration_exceptions('secret', config_secret):
|
|
layout.addSecret(secret_parser.fromYaml(config_secret))
|
|
|
|
for config_job in data.jobs:
|
|
classes = TenantParser._getLoadClasses(tenant, config_job)
|
|
if 'job' not in classes:
|
|
continue
|
|
with configuration_exceptions('job', config_job):
|
|
job = JobParser.fromYaml(tenant, layout, config_job)
|
|
added = layout.addJob(job)
|
|
if not added:
|
|
TenantParser.log.debug(
|
|
"Skipped adding job %s which shadows an existing job" %
|
|
(job,))
|
|
|
|
# Now that all the jobs are loaded, verify their parents exist
|
|
for config_job in data.jobs:
|
|
classes = TenantParser._getLoadClasses(tenant, config_job)
|
|
if 'job' not in classes:
|
|
continue
|
|
with configuration_exceptions('job', config_job):
|
|
parent = config_job.get('parent')
|
|
if parent:
|
|
layout.getJob(parent)
|
|
|
|
if skip_semaphores:
|
|
# We should not actually update the layout with new
|
|
# semaphores, but so that we can validate that the config
|
|
# is correct, create a shadow layout here to which we add
|
|
# new semaphores so validation is complete.
|
|
semaphore_layout = model.Layout(tenant)
|
|
else:
|
|
semaphore_layout = layout
|
|
for config_semaphore in data.semaphores:
|
|
classes = TenantParser._getLoadClasses(
|
|
tenant, config_semaphore)
|
|
if 'semaphore' not in classes:
|
|
continue
|
|
with configuration_exceptions('semaphore', config_semaphore):
|
|
semaphore = SemaphoreParser.fromYaml(config_semaphore)
|
|
semaphore_layout.addSemaphore(semaphore)
|
|
|
|
project_template_parser = ProjectTemplateParser(tenant, layout)
|
|
for config_template in data.project_templates:
|
|
classes = TenantParser._getLoadClasses(tenant, config_template)
|
|
if 'project-template' not in classes:
|
|
continue
|
|
with configuration_exceptions('project-template', config_template):
|
|
layout.addProjectTemplate(project_template_parser.fromYaml(
|
|
config_template))
|
|
|
|
project_parser = ProjectParser(tenant, layout, project_template_parser)
|
|
for config_projects in data.projects.values():
|
|
# Unlike other config classes, we expect multiple project
|
|
# stanzas with the same name, so that a config repo can
|
|
# define a project-pipeline and the project itself can
|
|
# augment it. To that end, config_project is a list of
|
|
# each of the project stanzas. Each one may be (should
|
|
# be!) from a different repo, so filter them according to
|
|
# the include/exclude rules before parsing them.
|
|
filtered_projects = []
|
|
for config_project in config_projects:
|
|
classes = TenantParser._getLoadClasses(tenant, config_project)
|
|
if 'project' in classes:
|
|
filtered_projects.append(config_project)
|
|
|
|
if not filtered_projects:
|
|
continue
|
|
|
|
layout.addProjectConfig(project_parser.fromYaml(
|
|
filtered_projects))
|
|
|
|
@staticmethod
|
|
def _parseLayout(base, tenant, data, scheduler, connections):
|
|
# Don't call this method from dynamic reconfiguration because
|
|
# it interacts with drivers and connections.
|
|
layout = model.Layout(tenant)
|
|
TenantParser.log.debug("Created layout id %s", layout.uuid)
|
|
|
|
TenantParser._parseLayoutItems(layout, tenant, data,
|
|
scheduler, connections)
|
|
|
|
for pipeline in layout.pipelines.values():
|
|
pipeline.manager._postConfig(layout)
|
|
|
|
return layout
|
|
|
|
|
|
class ConfigLoader(object):
|
|
log = logging.getLogger("zuul.ConfigLoader")
|
|
|
|
def expandConfigPath(self, config_path):
|
|
if config_path:
|
|
config_path = os.path.expanduser(config_path)
|
|
if not os.path.exists(config_path):
|
|
raise Exception("Unable to read tenant config file at %s" %
|
|
config_path)
|
|
return config_path
|
|
|
|
def loadConfig(self, config_path, project_key_dir, scheduler, merger,
|
|
connections):
|
|
abide = model.Abide()
|
|
|
|
config_path = self.expandConfigPath(config_path)
|
|
with open(config_path) as config_file:
|
|
self.log.info("Loading configuration from %s" % (config_path,))
|
|
data = yaml.safe_load(config_file)
|
|
config = model.UnparsedAbideConfig()
|
|
config.extend(data)
|
|
base = os.path.dirname(os.path.realpath(config_path))
|
|
|
|
for conf_tenant in config.tenants:
|
|
# When performing a full reload, do not use cached data.
|
|
tenant = TenantParser.fromYaml(
|
|
base, project_key_dir, connections, scheduler, merger,
|
|
conf_tenant, old_tenant=None)
|
|
abide.tenants[tenant.name] = tenant
|
|
return abide
|
|
|
|
def reloadTenant(self, config_path, project_key_dir, scheduler,
|
|
merger, connections, abide, tenant):
|
|
new_abide = model.Abide()
|
|
new_abide.tenants = abide.tenants.copy()
|
|
|
|
config_path = self.expandConfigPath(config_path)
|
|
base = os.path.dirname(os.path.realpath(config_path))
|
|
|
|
# When reloading a tenant only, use cached data if available.
|
|
new_tenant = TenantParser.fromYaml(
|
|
base, project_key_dir, connections, scheduler, merger,
|
|
tenant.unparsed_config, old_tenant=tenant)
|
|
new_abide.tenants[tenant.name] = new_tenant
|
|
return new_abide
|
|
|
|
def _loadDynamicProjectData(self, config, project, files, trusted, tenant):
|
|
if trusted:
|
|
branches = ['master']
|
|
else:
|
|
# Use the cached branch list; since this is a dynamic
|
|
# reconfiguration there should not be any branch changes.
|
|
branches = sorted(project.unparsed_branch_config.keys())
|
|
if 'master' in branches:
|
|
branches.remove('master')
|
|
branches = ['master'] + branches
|
|
|
|
for branch in branches:
|
|
fns1 = []
|
|
fns2 = []
|
|
files_entry = files.connections.get(
|
|
project.source.connection.connection_name, {}).get(
|
|
project.name, {}).get(branch)
|
|
# If there is no files entry at all for this
|
|
# project-branch, then use the cached config.
|
|
if files_entry is None:
|
|
if trusted:
|
|
incdata = project.unparsed_config
|
|
else:
|
|
incdata = project.unparsed_branch_config.get(branch)
|
|
if incdata:
|
|
config.extend(incdata, tenant)
|
|
continue
|
|
# Otherwise, do not use the cached config (even if the
|
|
# files are empty as that likely means they were deleted).
|
|
files_list = files_entry.keys()
|
|
for fn in files_list:
|
|
if fn.startswith("zuul.d/"):
|
|
fns1.append(fn)
|
|
if fn.startswith(".zuul.d/"):
|
|
fns2.append(fn)
|
|
fns = ["zuul.yaml"] + sorted(fns1) + [".zuul.yaml"] + sorted(fns2)
|
|
incdata = None
|
|
loaded = None
|
|
for fn in fns:
|
|
data = files.getFile(project.source.connection.connection_name,
|
|
project.name, branch, fn)
|
|
if data:
|
|
source_context = model.SourceContext(project, branch,
|
|
fn, trusted)
|
|
# Prevent mixing configuration source
|
|
conf_root = fn.split('/')[0]
|
|
if loaded and loaded != conf_root:
|
|
TenantParser.log.warning(
|
|
"Multiple configuration in %s" % source_context)
|
|
continue
|
|
loaded = conf_root
|
|
|
|
if trusted:
|
|
incdata = TenantParser._parseConfigProjectLayout(
|
|
data, source_context, tenant)
|
|
else:
|
|
incdata = TenantParser._parseUntrustedProjectLayout(
|
|
data, source_context, tenant)
|
|
|
|
config.extend(incdata, tenant)
|
|
|
|
def createDynamicLayout(self, tenant, files,
|
|
include_config_projects=False,
|
|
scheduler=None, connections=None):
|
|
if include_config_projects:
|
|
config = model.UnparsedTenantConfig()
|
|
for project in tenant.config_projects:
|
|
self._loadDynamicProjectData(
|
|
config, project, files, True, tenant)
|
|
else:
|
|
config = tenant.config_projects_config.copy()
|
|
for project in tenant.untrusted_projects:
|
|
self._loadDynamicProjectData(config, project, files, False, tenant)
|
|
|
|
layout = model.Layout(tenant)
|
|
self.log.debug("Created layout id %s", layout.uuid)
|
|
if not include_config_projects:
|
|
# NOTE: the actual pipeline objects (complete with queues
|
|
# and enqueued items) are copied by reference here. This
|
|
# allows our shadow dynamic configuration to continue to
|
|
# interact with all the other changes, each of which may
|
|
# have their own version of reality. We do not support
|
|
# creating, updating, or deleting pipelines in dynamic
|
|
# layout changes.
|
|
layout.pipelines = tenant.layout.pipelines
|
|
|
|
# NOTE: the semaphore definitions are copied from the
|
|
# static layout here. For semaphores there should be no
|
|
# per patch max value but exactly one value at any
|
|
# time. So we do not support dynamic semaphore
|
|
# configuration changes.
|
|
layout.semaphores = tenant.layout.semaphores
|
|
skip_pipelines = skip_semaphores = True
|
|
else:
|
|
skip_pipelines = skip_semaphores = False
|
|
|
|
TenantParser._parseLayoutItems(layout, tenant, config,
|
|
scheduler, connections,
|
|
skip_pipelines=skip_pipelines,
|
|
skip_semaphores=skip_semaphores)
|
|
|
|
return layout
|