Commit Graph

287 Commits

Author SHA1 Message Date
Brian Rosmaita 154f0b2c3a Address TODO in acl normalization script
Minor refactoring to simplify the code.

Change-Id: I9467865bdf1950c1f35c5c3bd0361c6ae8466397
2023-11-30 11:43:50 -05:00
Zuul 7c915d64ce Merge "Implement openstack-unmaintained-core group" 2023-11-30 14:33:21 +00:00
Brian Rosmaita 60de765fa0 Implement openstack-unmaintained-core group
Create a gerrit group to handle branches in Unmaintained status
across all projects, as described in TC resolution 2023-11-14,
which is commit 90982cd in the governance repository.

Also adjust the acl file normalization tool so that it will guarantee
that the Release Managers group has 'abandon' permission on
Unmaintained branches if any project chooses to override the global
openstack-unmaintained-core group with a project-specific unmaintained
core team (as is allowed by TC resolution 2023-11-14).  This entails
a change in that script to require the acl file's namespace be passed
in so that the check doesn't affect non-OpenStack OpenInfra projects.

Change-Id: Ife8e5f175cb8a7d396dfe2a5d52fd6d524ae0b43
2023-11-29 21:48:10 -05:00
Jeremy Stanley 1c0f48cae1 Check proposed project names for problems
Today we discovered that Gitea doesn't allow creating projects with
"+" in their names (or that it needs special escaping in some way).
In order to avoid future incidents, let's be defensive and limit
organization/project names to only the characters which are
currently in use, since we know those work. If people want to use
characters outside that list in the future, we can test for
potential breakage before amending the filter.

Change-Id: I8b87ab6d52e0ec7da92f80a62c7d97e4f2245b29
2023-10-12 14:08:11 +00:00
Jeremy Stanley ebd6f60bb7 Catch missing "group" keywords in Gerrit ACL files
A recent change slipped through without the necessary "group"
keyword in some new ACL entries, resulting in a deployment failure
when Gerrit refused the push from manage-projects. Add a list of
options which need the "group" keyword so we catch this during
review in the future.

Change-Id: Ibf07cd63c3eea939728df4bd518681843f51bd37
2023-07-13 16:41:12 +00:00
Jeremy Stanley 7820745ba2 Make option indenting a selectable transformation
A previous change added indentation of Gerrit ACL options hard-coded
into the normalization script. Make that rule selectable instead,
like the prior transformations.

Change-Id: I57d33e2d3f55712f9ed46d740480a4ab6476d8bc
2023-05-02 15:49:00 +00:00
Jeremy Stanley f913313781 Add an "apply" transformation which applies all
The Gerrit ACL normalization script has an "all" transformation
which reports all transformation results to the screen. Add a
similar "apply" shortcut to directly transform the file being
operated on in a non-dry-run fashion.

Change-Id: I73a07a3542ca26ddfcf01eab1d7be11cec70da85
2023-05-02 15:48:44 +00:00
Ian Wienand ac1ef44843 tools/normalize_acl.py: Add some human readable output
Currently if your ACL fails the normalization pass you get a diff, but
no explanation of what that diff represents.

This is an attempt to make the situation better without having to
undertake some sort of major rewrite of the transformer.  We move the
current in-code comments into human-actionable strings, and add a
"-help" argument that prints this out.  If we have normalization
failures, we add a step to the driver script to print this string out.
This will appear in the job output and hopefully be easily seen when
scrolling the logs.

Change-Id: Ib07a10a25f35875afad21f77f545dc1cc207cecd
2023-04-27 16:52:57 +10:00
Jeremy Stanley 464f4f586a Indent Gerrit ACL options
Gerrit very much wants its ACLs to indent option lines (but not
section headings) by a single hard tab.

The recent migration to schema 185 with Gerrit 3.7 has updated
copyConditions flags and re-written most of the ACL files to look like
this (c.f. I1f11c07e3786bd1a68b43d908d939fde42ddb99c).

This updates the normalize tool to format like this, and modifies all
our ACLs to the new format.

This is intended to be a no-op with no functional change.  For future
upgrades, this will reduce the diffs of any updates Gerrit might make.

Change-Id: I3a0c0da1eb32f8afb31ffa0c24ea45aaca8da8cc
2023-04-26 05:19:02 +10:00
Clark Boylan 5fc22f27cf Require function = NoBlock to be set on Gerrit labels
A recent change to the openstack/releases ACLs pointed out that we don't
require function to be set on Gerrit label definitions. This would
result in the Gerrit default of MaxWithBlock which will interfere with
submit requirements.

Enforce that function is set and that the value is NoBlock via our
normalize script. This will add function = NoBlock entries to the file
if not set which results in a diff causing the test to fail.

In order to do this I refactored the submit-requirements and function
checking of the normalize script a bit. We now check the label section
independently of all other sections which allows us to reduce repetition
when dealing with label sections.

Change-Id: I9e83c1cde3fe20ea2c34cdf86cd2fd3006bfe62a
2023-04-03 10:07:07 -07:00
Ian Wienand b0963776f1 gerrit/acl : check for capital booleans in normalize
We got caught out with this in All-Projects; let's just make sure we
keep capital booleans everywhere for consistency.

Change-Id: I7a1e528c620c07ecbb2def3d743ab4bba46a20df
2023-03-21 10:49:23 +11:00
Ian Wienand a172d416d9 gerrit/acl : check for function/s-r in normalize
This ensures that labels only use "function = NoBlock" and that every
label has a corresponding submit-requirement section.

We don't really have unit tests for this, but the first check actually
found some missed functions in
I557f3615d15eca899a262b0989986fb2754ac870.  I manually tested the
second by removing some submit-requirements, and it correctly failed.

Change-Id: I971f626bd7dbee012dc93a5807145d206b645cfd
2023-03-21 10:49:19 +11:00
Ian Wienand f73a678945 gerrit/acl : handle key / values with multiple =
For things like submit-requirements, we have fields like submittableIf
which take a query string that may have "=" on the LHS.  Change the
key/value split so that it only takes the key up to the first "=".

Change-Id: Iada801bd1c38dd1e0502bebefd6a1421c746c90a
2023-03-08 10:12:23 +11:00
Ian Wienand f346b72eb6 gerrit/acl : handle submit requirements in normalise tool
This adds the keys "applicableIf" and "submittableIf" that are used by
submit-requirements [1].

[1] https://gerrit-review.googlesource.com/Documentation/config-submit-requirements.html

Change-Id: Ic4dc5877d9326897839bbe62c02c0986c6e53e25
2023-03-08 09:21:12 +11:00
Ian Wienand 6349f18d40 gerrit/acl : remove deprecated copy conditions
The copy conditions here have been replaced by the "copyCondition"
query tag.  This updates the deprecated values to a new query which
does the same thing -- i.e. this should be a noop.

Mostly these are setup to have votes on labels that should be copied
on a no code change/trivial rebase, and if they're -2/+2 (i.e. max
votes are sticky).  To be exact the group of

 copyallScoresIfNoCodeChange = true
 copyAllScoresOnTrivialRebase = true
 copyMaxScore = true
 copyMinScore = true

becomes

 changekind:NO_CODE_CHANGE or changekind:TRIVIAL_REBASE \
  or is:MAX or is:MIN

Note all but ocatvia.conf, octavia-dashboard, octavia-lib, and
python-octaviaclient are copying -2/+2 votes; I feel like this is
probably a bug but I have modified these 4 projects to maintain the
same behaviour of not copying the votes.

A small number of projects copy any vote; glance.config,
kayobe.config, kolla.config, nova-specs.config, nova.config,
os-vif.config, placement.config, python-novaclient.config -- they are
replaced with is:ANY.

The old conditions have been deprecated since gerrit 3.5 [1].
Although the old conditions have not been removed yet, this will help
as we think about also changing these to submission requirements for
Gerrit 3.7.

[1] https://gerrit.googlesource.com/gerrit/+/c429ff33d944272b1f4da9f84f904f6403919ea3

Change-Id: Id13fdf588d07c1fec73978e7a69f1d9097989696
2022-12-16 16:33:09 +11:00
Artem Goncharov ef92cc7695 Add Allow-Post-Review flag to OpenStackSDK project
In order to implement post-check pipeline for dealing with secrets in
the check pipeline it is required to add additional flag to gerrit that
will be set as a prerequisite to start jobs.

Change-Id: I3f0d7fe7e0014c28465aaab060e74e39a527b745
2022-10-10 09:46:45 +02:00
Ian Wienand 826a79f50f linter: update ansible-lint; add auto-download of roles
This updates ansible-lint to the 6.x releases.  It also updates the
ansible installed to our current zuul version.

It cleans up the config file and marks it as yaml.  A few new
exceptions are added with explanations.

We don't need to fake the zuul_return by telling ansible-lint to mock
it.  This is added to the config, and we can remove the stub file.

A constant source of problems running this locally is that you have to
have the other role repos checked out so ansible-lint can do its
checks.  Add a smaller helper script for doing this locally.  In the
gate, ANSIBLE_ROLES_PATH is set to the Zuul checkouts of these
projects.  Locally, add a smaller helper "ansible-lint-roles-cache.sh"
that pulls the projects into a .cache directory.  If they are already
there, they get updated.  By default locally we will use these
checkouts.  This way, "tox -e linters" just works without having to do
anything else.

This also modifies the xargs to run the check all at once, instead of
fork for each file.  I did try autodetection but it seems like other
yaml files in the roles/playbook directories still confuse
ansible-lint.

Also I don't think we need an ansible-playbook --syntax-check step;
ansible-lint covers that.

Change-Id: I972f73037b9f904a555b81f3835ca5261639ed01
2022-08-12 09:29:11 +10:00
James Page 2c5223cf2d HTTP check existing repositories
Instead of using git to check whether an existing opendev.org
repository exists when an upstream source is specified, just
use a simple HTTP check using urllib.

This avoids any authentication style guesses git clients may
make when a repo is not visible.

Change-Id: Ibee29eee84ae3890a9017edf287de1415d658c39
2022-07-18 21:45:15 +01:00
Clark Boylan 81e58b7893 Allow default-branch in our projects.yaml checking
Some projects may not be created with a master branch and choose to use
a different default-branch value. There is support for this in jeepyb
and our gitea git repo management role but we don't allow it in linting.
Update our linting to accommodate projects making this change.

Change-Id: I57ef2c10d2c29142801ba134c8183bb0393771a8
2022-02-03 11:12:36 -08:00
Jeremy Stanley 0d066f954d Remove unsigned tagging permission from projects
Now that we have a fix in place for Gerrit's tag signature detection
regression, remove the unsafe permission for pushing unsigned tags
to return everything to the state we had prior to the 3.4 upgrade.

Change-Id: Ia9afb5fb4be311cca59d3e1cf3b7bc611184fe15
2022-01-25 17:41:19 +00:00
Jeremy Stanley 83ca7a97f9 Work around signed tag regression from Gerrit 3.4
Upon upgrading from Gerrit 3.3 to 3.4, a regression was observed in
which jgit no longer returns signatures in its tag messages, causing
Gerrit to misidentify signed tags as unsigned (annotated) tags.
Because our ACLs only allow signed tags to be pushed, this
regression prevents Gerrit from accepting them now.

Temporarily grant permission to push unsigned tags to anyone who
has permission to push signed ones. We will revert that as soon as a
fixed Gerrit is in place, but in the meantime users will be warned
to take care when pushing tags so that they don't accidentally push
actually unsigned tags to Gerrit.

Also, the pushSignedTag keyword was deprecated in favor of the new
createSignedTag name, so go ahead and update to that while we're
doing this so that we can limit the amount of churn across all these
ACLs. Documentation will be corrected to recommend the new format in
a separate change, but update the ACL linter now to prevent the old
syntax from being used in new projects.

This workaround was already tested on opendev/bindep in the parent
Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793 change, and confirmed to
function as intended.

Change-Id: Ia426ea36b4e6877fdce5725ff1e00ae02c62e3f4
2022-01-25 17:40:31 +00:00
Jeremy Stanley 645ec7b07f Grant Create Annotated Tag perms on bindep
We're testing a potential workaround for a suspected regression in
Gerrit 3.4, where signed tags are rejected with the error "You need
'Create Tag' rights to push a normal tag." Temporarily grant this
for the opendev/bindep project, so we can see if it works around the
problem while we coordinate a fix with Gerrit upstream.

Change-Id: Iad8c1f83e247c9a8bcf5b4f530f7b83663e1f793
2022-01-25 15:57:35 +00:00
Jeremy Stanley 7e5aaec792 Update bindep ACL to use new createSignedTag perm
The pushSignedTag permission is deprecated, and has a new name:
createSignedTag. Update the opendev/bindep ACL accordingly, as we're
seeing a regression with the old name and would like to rule out
whether the new name has the same problem.

Change-Id: Ia95919bcfe71ce488096584c784fe7376f66f34a
2022-01-25 15:15:52 +00:00
James E. Blair 3bc3b18f4d Add REST api auth rules
This allows locally generated (by infra-root) tokens to be used
for admin commands.

Change-Id: I452fc7863985c0d94a98440823fd0aa1d454ec31
2021-12-02 15:54:43 -08:00
Zuul eea6a85bfb Merge "Add review priority label to nova deliverables" 2021-08-27 16:23:13 +00:00
Sean Mooney d41dfcd16f Add review priority label to nova deliverables
This change adds a Review Priority label to all nova deliverables
currently under acl control in the project config repo.

The ability to set the new label is granted only to the core
and stable core teams for the updated repos.

Change-Id: I2fd7a6387d2f50eeeb8cef513df19b5696cce55b
2021-08-27 17:02:16 +01:00
Jeremy Stanley ef03e7fa36 Drop use of track-upstream
When upgrading from Gerrit 2.13 to 3.2 we stopped relying on a local
fork of its source and have been building from (more recently
completely unmolested) upstream source. This fork was the only place
we were relying on jeepyb's track-upstream feature, so we can stop
looking for it in our checks and normalization as well.

Remove the check_gerrit_projects_changed scripts as well, as they
only existed to run things where track-upstream was enabled.

Change-Id: I597c1a577c53e2db61413d9ec531378667691d2a
2021-07-06 16:45:22 +00:00
Jeremy Stanley e858068643 Switch the IRC access check to OFTC
Make some adjustments to the IRC access check script so that it
works in the OFTC network now. Also update the channel config to
reflect the new ACL paradigms there. Remove our volunteer operators
temporarily until we can confirm their nicks there. Also rip out the
channel forwarding for unregistered nicks; we can work on re-adding
it there later if we determine it's necessary after all, but it will
need implementing differently anyway if so.

Change-Id: Ib3c43ef5ba22191d869629cd01d3800f3e235ea4
2021-05-27 17:09:04 +00:00
Radosław Piliszek 79c298f51d Make gerritbot linter know all the supported events
So that it does not mark them as errors.

Change-Id: Ie649ee9373954bde98ece5d164cfa11fc961ffee
2021-04-25 17:26:25 +00:00
Jeremy Stanley e3e3ef6789 Allow inheritFrom in Gerrit configs
In order to utilize Gerrit's project configuration inheritance
mechanism, we need to support the inheritFrom option. Allow it in
the whitelist for our ACL normalization script.

Change-Id: Id23b348bf42d322d5c97903ad82101ac1dc01c27
2021-04-16 16:04:19 +00:00
Jeremy Stanley 4286aa0276 Allow delete permissions in Gerrit ACLs
We now have the option to assign delete permissions to groups in
Gerrit, which would grant them the ability to delete branches
through the WebUI or API. Since this is a new setting, it was not
previously recognized by our linter. Extend it so that we won't
raise an error if this appears in an ACL.

Change-Id: I2b182d31e3ca5809a53aec851015341f2e67825d
2021-04-13 18:30:24 +00:00
Riccardo Pittau 0a3e98f7b8 Add key editHashtags to normalize_acl script
The editHashtags key should be accepted as acl entry key as it's
required to define permissions to edit hashtags in the gerrit ui.

Change-Id: I2294d72ee36e33ea5d137eb4e0faeac69ea86625
2021-01-27 19:16:37 +01:00
Sorin Sbarnea 97cacc26cc Enable tripleo core members to change WIP flag
This change enables people that already had permission to abandon
other changes to also toggle the WIP flag on them.

Change-Id: I894df2e26c6927eac25dbfe596a93f4209ff92ee
Reference: https://gerrit-review.googlesource.com/c/gerrit/+/212571/3/java/com/google/gerrit/common/data/Permission.java#49
2020-12-07 15:59:25 +00:00
Mohammed Naser c15058c0bf gerrit: change retired.config acls
This patch updates the retired.config ACL to allow for the technical
committee to be able to push changes into the repositories which are
retired.

The ACL allows tech-committee group members to set all labels onto
changes as well as allowing them exclusive rights to push (therefore not
allowing any other members) and giving them access to submit changes (in
order to skip our gating).

The goal is to eventually replace this group by another one once the
ACLs are verified to be working.

Change-Id: Ia6d516621ec405b02f3f97340d96d9938b605d8f
2020-06-24 09:58:10 -04:00
Clark Boylan 180cc6aeda Be more explicit about using python3 to run tools/
We have python scripts in the tools/ dir the vast majority of which we
run regularly with python3 via our python3 default basepython in tox.
However, most of these use a `python` shebang line which can be
confusing as to whether or not these scripts run under python3 or not.

To make this more clear set them to python3. I've confirmed the scripts
running under tox are happy with these changes. For the ones that don't
run under tox I've done a quick review and they look happy too.

Change-Id: I983d23c33f7780e5708aa728c829c3262fc99ea0
2020-06-08 16:40:44 -07:00
Thierry Carrez 7e896b57eb Add release-approval pipeline
Define a release-approval pipeline to run the check-release-approval
job on every comment added to a release request, and set a
PTL-Approved label accordingly.

This may be considered a bit resource-intensive, however the
check-release-approval job is a fast python script that runs on
the executor, and only release requests shall go in this pipeline.
If this generates too much load, we could configure it to only run
when the comment posted contains a magic "signoff" keyword.

Another concern is that jobs other than check-release-approval would
be added to this pipeline. There does not seem to be a way in Zuul to
limit a pipeline to a specific job name or project.

Change-Id: Ieab04a4d6c02b216a59c12ec8599e7d91f4fffb1
2020-02-05 16:46:24 +01:00
Dr. Jens Harbott 703f107788 Fix use of 'comment-added' event type
In [0] an event type of 'comments-added' was used for the ironic
channel, but the correct event type is 'comment-added'.

[0] https://review.opendev.org/698091

Change-Id: Idd0638357aa4ed751a7e862c0e514e10b468ee9a
2020-01-21 13:33:02 +00:00
Zuul 98402d34e3 Merge "IRC #openstack-ironic gerritbot CI failed messages" 2020-01-21 08:43:20 +00:00
Andreas Jaeger 398adb791f Bye, Bye, Trusty
This removes trusty from the repo and thus from OpenDev.

Afterwards the AFS volume mirror.wheel.trustyx64 can be deleted.

Depends-On: https://review.opendev.org/702771
Depends-On: https://review.opendev.org/702818
Change-Id: I3fa4c26b0c8aeacf1af76f9046ea98edb2fcdbd0
2020-01-19 16:00:55 +01:00
Steve Baker abefaaea44 IRC #openstack-ironic gerritbot CI failed messages
When a gerrit comment of type Verified with value -2 is posted, send a
message to the #openstack-ironic channel.

This will raise awareness of CI job failures preventing changes from
landing, and is proposed as a trial for later refinement.

Update irc_tests.py for the dependent change to pass tests.

Change-Id: I251e9e5ea760fe5da1a8fbca7cee365dd3ae563b
Depends-On: https://review.opendev.org/#/c/698089/
2020-01-17 20:53:20 +01:00
Ian Wienand 4f6629021e Update hacking, fix errors/warnings
This version of hacking doesn't understand f-strings as usable in
Python 3.  Update to the latest and fix current issues, which are all
just formatting fixes.

Change-Id: I0a7d6f93f07477b6dd29ab143130dd9064c250be
2020-01-14 09:40:45 +11:00
Clark Boylan 4a94d0debf Fix the zuul main.yaml config checks
It is possible to have two different types of dict listings for zuul
tenant project lists. The first (which we handled fine) is a dict per
project where we list which items we include from that project. The
other is a dict with global settings and a list of projects. Handle this
second case.

Change-Id: I03969da4595f4c66db36cab35ef96a33c6766002
2019-09-17 15:40:03 -07:00
Andreas Jaeger 7114e79485 Check ACLs for all namespaces
Remove the hardcoded list of namespaces, iterating over all directories
in the check of valid ACLs instead.

Remove the parameter; we don't need to pass it in.

Be more verbose and report directories scanned and number of ACL files
read.

Change-Id: I4193ac59b431d31f3ce835c93950745e5b742418
2019-05-31 21:53:03 +02:00
Andreas Jaeger ef188ee2f6 Fix gerrit/projects.yaml sort order
Our linters fail due to wrong sorting, fix it.

Also, fix tools/check_valid_gerrit_config.sh; openstack-dev is dead now.
(The file needs a better fix; will do a follow-up.)

Change-Id: Iaa330a3f9507cb065ee8b3a11d91abdadb455cf2
2019-05-31 20:02:26 +02:00
Zuul ad3d06c920 Merge "Create 'Backport-Candidate' for Octavia repos" 2019-05-23 21:28:22 +00:00
Zuul bd06273806 Merge "Update hacking to version 1.1" 2019-05-20 01:00:09 +00:00
Andreas Jaeger 10de11d7a9 Check zuul/main.yaml projects
Check that projects in zuul/main.yaml exist in gerrit.
This would have avoided https://review.opendev.org/659697.

Use yaml.safe_load in one case.

Depends-On: https://review.opendev.org/659735
Change-Id: I6fb3d90c18b57c004caf02dd6e5d5c34b1ce1ff9
2019-05-17 11:12:45 +02:00
Andreas Jaeger ecc2997769 Update hacking to version 1.1
Update hacking, fix a couple of problems found.

Change-Id: Ie903e3ddf13e78d758b26e884bb1fb0e1a6ed73c
2019-05-17 09:31:30 +02:00
Michael Johnson c49fb365ff Create 'Backport-Candidate' for Octavia repos
The Octavia team would like to enable passive voting on patches
for backport candidates. This means that backport candidate votes
will not block a patch from merging, but will allow the team to
better track patches that should be backported.

Change-Id: Ib75714649848538e9fed171abd0b11f6fbc55503
2019-05-07 11:16:21 -07:00
Andreas Jaeger 945a586f65 Check groups entry in gerrit/projects
Following Icbef648e9948e0fa636dd0d15039b6fc229541ca, check that groups
are a list if defined.

Change-Id: I3a647c6b2debc7bb0a3a06b3f3407c4ea7e3f3e5
2019-05-03 09:22:02 +02:00