author: Vincent Ambo <mail@tazj.in> 2022-01-28T10·26+0300
committer: tazjin <tazjin@tvl.su> 2022-02-07T19·12+0000
commit: 3452569ddd32646ddb63fd0d99c463e1f81ab244 (patch)
tree: af64eba65d4d38bd7ed9f72e81dd2377c605aae8 /tools
parent: f82f459e2cacd18c6a0c9235129d1b9a69f34c90 (diff)
feat(tools/crfo-approve): Add tool for CRFO depot-interventions r/3782
In some cases we want to be able to "emergency approve" something on
behalf of a different user.

Example cases:

* clean up of abandoned directories with restrictive OWNERS
* security fixes blocked on people in different timezones

This script can be used to perform these approvals if the user is a
member of depot-interventions. Note that access to depot-interventions
is audit logged.

The user on behalf of whom approval is performed is always added to
the attention set to ensure that they are made aware of the CRFO
approval.

Note: This depends on nixpkgs#156466. Keeping WIP until we have a
channel with that patch.

Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085
Tested-by: BuildkiteCI
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Diffstat (limited to 'tools')
-rw-r--r--  tools/crfo-approve.nix | 52
1 file changed, 52 insertions, 0 deletions
diff --git a/tools/crfo-approve.nix b/tools/crfo-approve.nix
new file mode 100644
index 000000000000..d4cff9e1b238
--- /dev/null
+++ b/tools/crfo-approve.nix
@@ -0,0 +1,52 @@
+# Helper script to run a CRFO approval using depot-interventions.
+#
+# Use as 'crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF'.
+#
+# Set credential in GERRIT_TOKEN envvar.
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "crfo-approve" ''
+  set -ueo pipefail
+
+  if (($# != 4)) || [[ -z ''${GERRIT_TOKEN-} ]]; then
+    cat >&2 <<'EOF'
+  crfo-approve - Helper script to CRFO approve a TVL CL
+
+  Requires membership in depot-interventions to work.
+
+  Gerrit HTTP credential must be set in GERRIT_TOKEN envvar.
+
+  Usage:
+    crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF
+  EOF
+    exit 1
+  fi
+
+  export PATH="${pkgs.lib.makeBinPath [ pkgs.httpie pkgs.jq ]}:''${PATH}"
+
+  readonly CL_ID="''${1}"
+  readonly PATCHSET="''${2}"
+  readonly REAL_USER="''${3}"
+  readonly TOKEN="''${GERRIT_TOKEN}"
+  readonly ON_BEHALF_OF="''${4}"
+  readonly URL="https://cl.tvl.fyi/a/changes/''${CL_ID}/revisions/''${PATCHSET}/review"
+
+  # First we need to find the account ID for the user
+  ACC_RESPONSE=$(http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}" | tail -n +2)
+  ACC_LENGTH=$(echo "''${ACC_RESPONSE}" | jq 'length')
+
+  if [[ ''${ACC_LENGTH} -ne 1 ]]; then
+      echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"
+      exit 1
+  fi
+
+  ACC_ID=$(jq -n --argjson response "''${ACC_RESPONSE}" '$response[0]._account_id')
+  echo "using account ID ''${ACC_ID} for ''${ON_BEHALF_OF}"
+
+  http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \
+    message="CRFO on behalf of ''${ON_BEHALF_OF}" \
+    'labels[Code-Review]=+2' \
+    on_behalf_of="''${ACC_ID}" \
+    "add_to_attention_set[0][user]=''${ACC_ID}" \
+    "add_to_attention_set[0][reason]=CRFO approval through depot-interventions"
+''