From 4e23eb18a09fd3187599e8c00e5a84557b505109 Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Thu, 2 Aug 2018 11:50:13 +1000
Subject: [PATCH] Add alumni to accessbot

By design, accessbot doesn't *remove* access when you remove yourself
from the access lists; you are just limited to a lower level.  This is
noted in the configuration file:

 # The label 'mask' is special: anyone with perms on a channel that
 # isn't otherwise listed for the channel or in the global list will
 # have their access limited to the mask but otherwise left alone.

However I'm feel like it's reasonable to assume that when you remove
yourself you are giving up your permissions; and in the *very*
unlikely case of a bad actor, we would want to know we did actually
remove them from all channels.

To make this clearer, but still allow for unlisted users to maintain
whatever permissions they have, this adds an "alumni" section to the
configuration, and allows for alumni to be set on individual channels.
If your nick appears in this list, your access is removed.

Obviously once this has run once, people could be removed from alumni
if there is a need to cater for something tricky like removing global
access but then adding permissions.  But in general I think it will
work to just keep a record of contributors in the common case of
"moved on from openstack work and no longer want to admin things".

Change-Id: I0858e963cdf4bc90c30f9d60ea524d778ae3d150
---
 files/accessbot.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/files/accessbot.py b/files/accessbot.py
index aa59b9e..15c1baf 100755
--- a/files/accessbot.py
+++ b/files/accessbot.py
@@ -92,6 +92,7 @@ class SetAccess(irc.client.SimpleIRCClient):
 
     def _get_access_list(self, channel_name):
         ret = {}
+        alumni = []
         channel = None
         for c in self.config['channels']:
             if c['name'] == channel_name:
@@ -104,12 +105,15 @@ class SetAccess(irc.client.SimpleIRCClient):
             if access == 'mask':
                 mask = self.config['access'].get(nicks)
                 continue
+            if access == 'alumni':
+                alumni += nicks
+                continue
             flags = self.config['access'].get(access)
             if flags is None:
                 continue
             for nick in nicks:
                 ret[nick] = flags
-        return mask, ret
+        return mask, ret, alumni
 
     def _get_access_change(self, current, target, mask):
         remove = ''
@@ -136,13 +140,18 @@ class SetAccess(irc.client.SimpleIRCClient):
         return change
 
     def _get_access_changes(self):
-        mask, target = self._get_access_list(self.current_channel)
+        mask, target, alumni = self._get_access_list(self.current_channel)
         self.log.debug("Mask for %s: %s" % (self.current_channel, mask))
         self.log.debug("Target for %s: %s" % (self.current_channel, target))
         all_nicks = set()
+        global_alumni = self.config.get('alumni', {})
         current = {}
         changes = []
         for nick, flags, msg in self.current_list:
+            if nick in global_alumni or nick in alumni :
+                self.log.debug("%s is an alumni; removing access", nick)
+                changes.append('access #%s del %s' % (self.current_channel, nick))
+                continue
             all_nicks.add(nick)
             current[nick] = flags
         for nick in target.keys():