From 3452569ddd32646ddb63fd0d99c463e1f81ab244 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 28 Jan 2022 13:26:22 +0300
Subject: feat(tools/crfo-approve): Add tool for CRFO depot-interventions
In some cases we want to be able to "emergency approve" something on behalf of a different user. Example cases:
* clean up of abandoned directories with restrictive OWNERS
* security fixes blocked on people in different timezones
This script can be used to perform these approvals if the user is a member of depot-interventions. Note that access to depot-interventions is audit logged. The user on behalf of whom approval is performed is always added to the attention set to ensure that they are made aware of the CRFO approval. Note: This depends on nixpkgs#156466. Keeping WIP until we have a channel with that patch.
Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085
Tested-by: BuildkiteCI
Reviewed-by: kn
Reviewed-by: sterni
---
 tools/crfo-approve.nix | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 tools/crfo-approve.nix
(limited to 'tools')
diff --git a/tools/crfo-approve.nix b/tools/crfo-approve.nix
new file mode 100644
index 000000000000..d4cff9e1b238
--- /dev/null
+++ b/tools/crfo-approve.nix
@@ -0,0 +1,52 @@
+# Helper script to run a CRFO approval using depot-interventions.
+#
+# Use as 'crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF'.
+#
+# Set credential in GERRIT_TOKEN envvar.
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "crfo-approve" ''
+ set -ueo pipefail
+
+ if (($# != 4)) || [[ -z ''${GERRIT_TOKEN-} ]]; then
+ cat >&2 <<'EOF'
+ crfo-approve - Helper script to CRFO approve a TVL CL
+
+ Requires membership in depot-interventions to work.
+
+ Gerrit HTTP credential must be set in GERRIT_TOKEN envvar.
+
+ Usage:
+ crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF
+ EOF
+ exit 1
+ fi
+
+ export PATH="${pkgs.lib.makeBinPath [ pkgs.httpie pkgs.jq ]}:''${PATH}"
+
+ readonly CL_ID="''${1}"
+ readonly PATCHSET="''${2}"
+ readonly REAL_USER="''${3}"
+ readonly TOKEN="''${GERRIT_TOKEN}"
+ readonly ON_BEHALF_OF="''${4}"
+ readonly URL="https://cl.tvl.fyi/a/changes/''${CL_ID}/revisions/''${PATCHSET}/review"
+
+ # First we need to find the account ID for the user
+ ACC_RESPONSE=$(http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}" | tail -n +2)
+ ACC_LENGTH=$(echo "''${ACC_RESPONSE}" | jq 'length')
+
+ if [[ ''${ACC_LENGTH} -ne 1 ]]; then
+ echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"
+ exit 1
+ fi
+
+ ACC_ID=$(jq -n --argjson response "''${ACC_RESPONSE}" '$response[0]._account_id')
+ echo "using account ID ''${ACC_ID} for ''${ON_BEHALF_OF}"
+
+ http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \
+ message="CRFO on behalf of ''${ON_BEHALF_OF}" \
+ 'labels[Code-Review]=+2' \
+ on_behalf_of="''${ACC_ID}" \
+ "add_to_attention_set[0][user]=''${ACC_ID}" \
+ "add_to_attention_set[0][reason]=CRFO approval through depot-interventions"
+''
-- cgit 1.4.1
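Review bot: The Gerrit HTTP credential is placed on the command line in the final `http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \` call, so for the lifetime of the request it is readable by any local user via `ps` or `/proc/<pid>/cmdline`, and a `set -x` trace would print it as well. HTTPie honours `~/.netrc` by default and also offers `--session`, so keeping the token out of argv (for instance a `.netrc` entry for cl.tvl.fyi, or a session file created once) would be the safer shape; which of these the httpie in nixpkgs supports should be confirmed before switching. The `| tail -n +2` on the `ACC_RESPONSE=` line appears to exist only to drop Gerrit's `)]}'` anti-XSSI guard line, which is easy to mistake for a bug; a comment such as `# drop Gerrit's ")]}'" anti-XSSI prefix line so jq sees plain JSON` would prevent that. The `echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"` diagnostic goes to stdout rather than stderr; `echo "..." >&2` keeps it separate from output a caller might capture.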