about summary refs log tree commit diff
path: root/ops/besadii/main.go2
// Copyright 2019-2020 Google LLC.
// SPDX-License-Identifier: Apache-2.0
//
// besadii is a small CLI tool that is invoked as a hook by various
// programs to cause CI-related actions.
//
// It supports the following modes & operations:
//
// Gerrit (ref-updated) hook:
// - Trigger Buildkite CI builds
// - Trigger SourceGraph (cs.tvl.fyi) repository index updates
//
// Buildkite (post-command) hook:
// - Submit CL verification status back to Gerrit
package main

import (
	"bytes"
	"encoding/json"
	"flag"
	"fmt"
	"io/ioutil"
	"log/syslog"
	"net/http"
	"os"
	"path"
	"regexp"
)

var branchRegexp = regexp.MustCompile(`^refs/heads/(.*)$`)
var metaRegexp = regexp.MustCompile(`^refs/changes/\d{0,2}/(\d+)/meta$`)
var patchsetRegexp = regexp.MustCompile(`^refs/changes/\d{0,2}/(\d+)/(\d+)$`)

// refUpdated is a struct representing the information passed to
// besadii when it is invoked as Gerrit's refUpdated hook.
//
// https://gerrit.googlesource.com/plugins/hooks/+/HEAD/src/main/resources/Documentation/hooks.md#ref_updated
type refUpdated struct {
	project   string
	ref       string
	commit    string
	submitter string
	email     string

	changeId *string
	patchset *string
}

type Author struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// Build is the representation of a Buildkite build as described on
// https://buildkite.com/docs/apis/rest-api/builds#create-a-build
type Build struct {
	Commit  string            `json:"commit"`
	Branch  string            `json:"branch"`
	Message string            `json:"message"`
	Author  Author            `json:"author"`
	Env     map[string]string `json:"env"`
}

// Trigger a build of a given branch & commit on Buildkite
func triggerBuild(log *syslog.Writer, token string, update *refUpdated) error {
	var message string
	env := make(map[string]string)

	if update.changeId != nil && update.patchset != nil {
		env["GERRIT_CHANGE_ID"] = *update.changeId
		env["GERRIT_PATCHSET"] = *update.patchset
		message = fmt.Sprintf(":llama: depot @ https://cl.tvl.fyi/c/depot/+/%s/%s", *update.changeId, *update.patchset)
	} else {
		message = fmt.Sprintf(":llama: depot @ %s", update.commit)
	}

	build := Build{
		Commit:  update.commit,
		Branch:  update.ref,
		Message: message,
		Env:     env,
		Author: Author{
			Name:  update.submitter,
			Email: update.email,
		},
	}

	body, _ := json.Marshal(build)
	reader := ioutil.NopCloser(bytes.NewReader(body))

	req, err := http.NewRequest("POST", "https://api.buildkite.com/v2/organizations/tvl/pipelines/depot/builds", reader)
	if err != nil {
		return fmt.Errorf("failed to create an HTTP request: %w", err)
	}

	req.Header.Add("Authorization", "Bearer "+token)
	req.Header.Add("Content-Type", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		// This might indicate a temporary error on the Buildkite side.
		return fmt.Errorf("failed to send Buildkite request: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != 201 {
		respBody, _ := ioutil.ReadAll(resp.Body)
		log.Err(fmt.Sprintf("received non-success response from Buildkite: %s (%v)", respBody, resp.Status))
	} else {
		fmt.Fprintf(log, "triggered Buildkite build for ref %q at commit %q", update.ref, update.commit)
	}

	return nil
}

// Trigger a Sourcegraph repository index update on cs.tvl.fyi.
//
// https://docs.sourcegraph.com/admin/repo/webhooks
func triggerIndexUpdate(token string) error {
	req, err := http.NewRequest("POST", "https://cs.tvl.fyi/.api/repos/depot/-/refresh", nil)
	if err != nil {
		return err
	}

	req.Header.Add("Authorization", "token "+token)

	_, err = http.DefaultClient.Do(req)
	return err
}

func refUpdatedFromFlags() (*refUpdated, error) {
	var update refUpdated

	flag.StringVar(&update.project, "project", "", "Gerrit project")
	flag.StringVar(&update.commit, "newrev", "", "new revision")
	flag.StringVar(&update.email, "submitter", "", "Submitter email")
	flag.StringVar(&update.submitter, "submitter-username", "", "Submitter username")
	flag.StringVar(&update.ref, "refname", "", "updated reference name")

	// Gerrit passes more flags than we want, but Rob Pike decided[0] in
	// 2013 that the Go art project will not allow users to ignore flags
	// because he "doesn't like it". The following code ignores the
	// flags.
	//
	// [0]: https://github.com/golang/go/issues/6112#issuecomment-66083768
	var _old string
	flag.StringVar(&_old, "oldrev", "", "")

	flag.Parse()

	if update.project == "" || update.ref == "" || update.commit == "" || update.submitter == "" {
		// If we get here, the user is probably being a dummy and invoking
		// this manually - but incorrectly.
		return nil, fmt.Errorf("'ref-updated' hook invoked without required arguments")
	}

	if update.project != "depot" || metaRegexp.MatchString(update.ref) {
		// this is not an error, but also not something we handle.
		return nil, nil
	}

	if branchRegexp.MatchString(update.ref) {
		// these refs don't need special handling, just move on
		return &update, nil
	}

	if matches := patchsetRegexp.FindStringSubmatch(update.ref); matches != nil {
		update.changeId = &matches[1]
		update.patchset = &matches[2]
		return &update, nil
	}

	return nil, fmt.Errorf("besadii does not support updates for this type of ref (%q)", update.ref)
}

func refUpdatedMain() {
	// Logging happens in syslog for Gerrit hooks because we don't want
	// the hook output to be intermingled with Gerrit's own output
	// stream
	log, err := syslog.New(syslog.LOG_INFO|syslog.LOG_USER, "besadii")
	if err != nil {
		fmt.Fprintf(os.Stderr, "failed to open syslog: %s\n", err)
		os.Exit(1)
	}

	update, err := refUpdatedFromFlags()
	if err != nil {
		log.Err(fmt.Sprintf("failed to parse ref update: %s", err))
		os.Exit(1)
	}

	if update == nil { // the project was not 'depot'
		log.Err("build triggers are only supported for the 'depot' project")
		os.Exit(0)
	}

	buildkiteToken, err := ioutil.ReadFile("/etc/secrets/buildkite-besadii")
	if err != nil {
		log.Alert(fmt.Sprintf("buildkite token could not be read: %s", err))
		os.Exit(1)
	}

	sourcegraphToken, err := ioutil.ReadFile("/etc/secrets/sourcegraph-token")
	if err != nil {
		log.Alert(fmt.Sprintf("sourcegraph token could not be read: %s", err))
		os.Exit(1)
	}

	err = triggerBuild(log, string(buildkiteToken), update)
	if err != nil {
		log.Err(fmt.Sprintf("failed to trigger Buildkite build: %s", err))
	}

	err = triggerIndexUpdate(string(sourcegraphToken))
	if err != nil {
		log.Err(fmt.Sprintf("failed to trigger sourcegraph index update: %s", err))
	}
	log.Info("triggered sourcegraph index update")
}

// reviewInput is a struct representing the data submitted to Gerrit
// to post a review on a CL.
//
// https://gerrit-review.googlesource.com/Documentation/rest-api-changes.html#review-input
type reviewInput struct {
	Message               string         `json:"message"`
	Labels                map[string]int `json:"labels"`
	OmitDuplicateComments bool           `json:"omit_duplicate_comments"`
}

func postCommandMain() {
	changeId := os.Getenv("GERRIT_CHANGE_ID")
	patchset := os.Getenv("GERRIT_PATCHSET")

	if changeId == "" || patchset == "" {
		// If these variables are unset, but the hook was invoked, the
		// build was most likely for a branch and not for a CL - no status
		// needs to be reported back to Gerrit!
		fmt.Println("This isn't a CL build, nothing to do. Have a nice day!")
		return
	}

	if os.Getenv("BUILDKITE_LABEL") != ":duck:" {
		// this is not the build stage, don't do anything.
		return
	}

	gerritPassword, err := ioutil.ReadFile("/etc/secrets/buildkite-gerrit")
	if err != nil {
		fmt.Fprintf(os.Stderr, "Gerrit password could not be read: %s", err)
		os.Exit(1)
	}

	var verified int
	var verb string

	if os.Getenv("BUILDKITE_COMMAND_EXIT_STATUS") == "0" {
		verified = 1 // Verified: +1 in Gerrit
		verb = "passed"
	} else {
		verified = -1
		verb = "failed"
	}

	msg := fmt.Sprintf("Build of patchset %s %s: %s", patchset, verb, os.Getenv("BUILDKITE_BUILD_URL"))
	review := reviewInput{
		Message:               msg,
		OmitDuplicateComments: true,
		Labels: map[string]int{
			"Verified": verified,
			// TODO(tazjin): The Code-Review label is only used here
			// temporarily, as our build rules do not check for 'Verified'
			// right now (because CI doesn't run 24/7).
			//
			// Having a Code-Review label lets us signal the build status on
			// the review, but without having to always require it.
			"Code-Review": verified,
		},
	}

	body, _ := json.Marshal(review)
	reader := ioutil.NopCloser(bytes.NewReader(body))

	url := fmt.Sprintf("https://cl.tvl.fyi/a/changes/%s/revisions/%s/review", changeId, patchset)
	req, err := http.NewRequest("POST", url, reader)
	if err != nil {
		fmt.Fprintf(os.Stderr, "failed to create an HTTP request: %w", err)
		os.Exit(1)
	}

	req.SetBasicAuth("buildkite", string(gerritPassword))
	req.Header.Add("Content-Type", "application/json")

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		fmt.Errorf("failed to update CL on Gerrit: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != 200 {
		respBody, _ := ioutil.ReadAll(resp.Body)
		fmt.Fprintf(os.Stderr, "received non-success response from Gerrit: %s (%v)", respBody, resp.Status)
	} else {
		fmt.Printf("Updated CI status on https://cl.tvl.fyi/c/depot/+/%s/%s", changeId, patchset)
	}
}

func main() {
	bin := path.Base(os.Args[0])

	if bin == "ref-updated" {
		refUpdatedMain()
	} else if bin == "post-command" {
		postCommandMain()
	} else {
		fmt.Fprintf(os.Stderr, "besadii does not know how to be invoked as %q, sorry!", bin)
		os.Exit(1)
	}
}