feat(tools/crfo-approve): Add tool for CRFO depot-interventions
In some cases we want to be able to "emergency approve" something on behalf of a different user. Example cases: * clean up of abandoned directories with restrictive OWNERS * security fixes blocked on people in different timezones This script can be used to perform these approvals if the user is a member of depot-interventions. Note that access to depot-interventions is audit logged. The user on behalf of whom approval is performed is always added to the attention set to ensure that they are made aware of the CRFO approval. Note: This depends on nixpkgs#156466. Keeping WIP until we have a channel with that patch. Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085 Tested-by: BuildkiteCI Reviewed-by: kn <klemens@posteo.de> Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
		
							parent
							
								
									f82f459e2c
								
							
						
					
					
						commit
						3452569ddd
					
				
					 1 changed files with 52 additions and 0 deletions
				
			
		
							
								
								
									
										52
									
								
								tools/crfo-approve.nix
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
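--- /dev/null
+++ b/tools/crfo-approve.nix
@@ -0,0 +1,52 @@
+# Helper script to run a CRFO approval using depot-interventions.
+#
+# Use as 'crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF'.
+#
+# Set credential in GERRIT_TOKEN envvar.
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "crfo-approve" ''
+  set -ueo pipefail
+
+  if (($# != 4)) || [[ -z ''${GERRIT_TOKEN-} ]]; then
+    cat >&2 <<'EOF'
+  crfo-approve - Helper script to CRFO approve a TVL CL
+
+  Requires membership in depot-interventions to work.
+
+  Gerrit HTTP credential must be set in GERRIT_TOKEN envvar.
+
+  Usage:
+    crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF
+  EOF
+    exit 1
+  fi
+
+  export PATH="${pkgs.lib.makeBinPath [ pkgs.httpie pkgs.jq ]}:''${PATH}"
+
+  readonly CL_ID="''${1}"
+  readonly PATCHSET="''${2}"
+  readonly REAL_USER="''${3}"
+  readonly TOKEN="''${GERRIT_TOKEN}"
+  readonly ON_BEHALF_OF="''${4}"
+  readonly URL="https://cl.tvl.fyi/a/changes/''${CL_ID}/revisions/''${PATCHSET}/review"
+
+  # First we need to find the account ID for the user
+  ACC_RESPONSE=$(http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}" | tail -n +2)
+  ACC_LENGTH=$(echo "''${ACC_RESPONSE}" | jq 'length')
+
+  if [[ ''${ACC_LENGTH} -ne 1 ]]; then
+      echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"
+      exit 1
+  fi
+
+  ACC_ID=$(jq -n --argjson response "''${ACC_RESPONSE}" '$response[0]._account_id')
+  echo "using account ID ''${ACC_ID} for ''${ON_BEHALF_OF}"
+
+  http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \
+    message="CRFO on behalf of ''${ON_BEHALF_OF}" \
+    'labels[Code-Review]=+2' \
+    on_behalf_of="''${ACC_ID}" \
+    "add_to_attention_set[0][user]=''${ACC_ID}" \
+    "add_to_attention_set[0][reason]=CRFO approval through depot-interventions"
+''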