feat(tools/crfo-approve): Add tool for CRFO depot-interventions

In some cases we want to be able to "emergency approve" something on
behalf of a different user.

Example cases:

* cleanup of abandoned directories with restrictive OWNERS
* security fixes blocked on people in different timezones

This script can be used to perform these approvals if the user is a
member of depot-interventions. Note that access to depot-interventions
is audit logged.

The user on behalf of whom approval is performed is always added to
the attention set to ensure that they are made aware of the CRFO
approval.

Note: This depends on nixpkgs#156466. Keeping WIP until we have a
channel with that patch.

Change-Id: I16e5f9d7baa9daab49c88b629bb8f024aad9d94c
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5085
Tested-by: BuildkiteCI
Reviewed-by: kn <klemens@posteo.de>
Reviewed-by: sterni <sternenseemann@systemli.org>
Vincent Ambo 2022-01-28 13:26:22 +03:00 committed by tazjin
parent f82f459e2c
commit 3452569ddd

tools/crfo-approve.nix (new file, 52 lines)

@ -0,0 +1,52 @@
# Helper script to run a CRFO approval using depot-interventions.
#
# Use as 'crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF'.
#
# Set credential in GERRIT_TOKEN envvar.
{ pkgs, ... }:
pkgs.writeShellScriptBin "crfo-approve" ''
set -ueo pipefail
if (($# != 4)) || [[ -z ''${GERRIT_TOKEN-} ]]; then
cat >&2 <<'EOF'
crfo-approve - Helper script to CRFO approve a TVL CL
Requires membership in depot-interventions to work.
Gerrit HTTP credential must be set in GERRIT_TOKEN envvar.
Usage:
crfo-approve $CL_ID $PATCHSET $REAL_USER $ON_BEHALF_OF
EOF
exit 1
fi
export PATH="${pkgs.lib.makeBinPath [ pkgs.httpie pkgs.jq ]}:''${PATH}"
readonly CL_ID="''${1}"
readonly PATCHSET="''${2}"
readonly REAL_USER="''${3}"
readonly TOKEN="''${GERRIT_TOKEN}"
readonly ON_BEHALF_OF="''${4}"
readonly URL="https://cl.tvl.fyi/a/changes/''${CL_ID}/revisions/''${PATCHSET}/review"
# First we need to find the account ID for the user
ACC_RESPONSE=$(http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}" | tail -n +2)
ACC_LENGTH=$(echo "''${ACC_RESPONSE}" | jq 'length')
if [[ ''${ACC_LENGTH} -ne 1 ]]; then
echo "Did not find a unique account ID for ''${ON_BEHALF_OF}"
exit 1
fi
ACC_ID=$(jq -n --argjson response "''${ACC_RESPONSE}" '$response[0]._account_id')
echo "using account ID ''${ACC_ID} for ''${ON_BEHALF_OF}"
http --check-status -a "''${REAL_USER}:''${TOKEN}" POST "''${URL}" \
message="CRFO on behalf of ''${ON_BEHALF_OF}" \
'labels[Code-Review]=+2' \
on_behalf_of="''${ACC_ID}" \
"add_to_attention_set[0][user]=''${ACC_ID}" \
"add_to_attention_set[0][reason]=CRFO approval through depot-interventions"
''
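Review bot: the account lookup at `http --check-status 'https://cl.tvl.fyi/accounts/' "q==name:''${ON_BEHALF_OF}"` resolves the target by display name, which any account holder can set themselves; the `ACC_LENGTH -ne 1` check fails safe when two accounts share a name, but a single account whose name happens to match (or was set to match) the intended user would silently receive the +2 and the attention-set entry. Resolving by `username:` or `email:` instead of `name:` ties the approval to an identity the user cannot freely change, and the "using account ID" line should probably also print the matched username/email so the caller can eyeball it before the vote is cast. Two smaller points: `-a "''${REAL_USER}:''${TOKEN}"` places the Gerrit HTTP credential in the process argv, where it is readable via `ps` by other local users for the duration of the request (a `.netrc` entry or an HTTPie `--session` avoids that), and the "Did not find a unique account ID" message goes to stdout rather than stderr, unlike the usage text above it.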