Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
C
configuration
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
OpenEdx
configuration
Commits
185149ba
Commit
185149ba
authored
9 years ago
by
Jesse Zoldak
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove old code for jenkins whitelisting
parent
feb91538
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
0 additions
and
148 deletions
+0
-148
playbooks/roles/jenkins_worker/tasks/python.yml
+0
-5
playbooks/roles/jenkins_worker/tasks/test.yml
+0
-18
playbooks/roles/jenkins_worker/templates/github_pr_auth.py.j2
+0
-125
No files found.
playbooks/roles/jenkins_worker/tasks/python.yml
View file @
185149ba
...
...
@@ -7,11 +7,6 @@
-
fail
:
OAuth token not defined
when
:
github_oauth_token is not defined
-
name
:
Install Python GitHub PR auth script
template
:
src="github_pr_auth.py.j2" dest="/usr/local/bin/github_pr_auth.py"
owner=root group=root
mode=755
-
name
:
Install Python GitHub post status script
template
:
src="github_post_status.py.j2" dest="/usr/local/bin/github_post_status.py"
owner=root group=root
...
...
This diff is collapsed.
Click to expand it.
playbooks/roles/jenkins_worker/tasks/test.yml
View file @
185149ba
...
...
@@ -30,24 +30,6 @@
dddac0b5dddf00c0950daf324e603e4935994954
success
https://jenkins.testeng.edx.org/
\"
Tests
Passed
\"
\"
CI
Test
Results
\"
"
# Run the github_pr_auth script to confirm it reports
# An expected error when there is nothing in the whitelist
-
name
:
ensure github_pr_auth fails as expected
shell
:
"
github_pr_auth.py
edx
edx-platform
2498"
ignore_errors
:
True
register
:
pr_auth_result
-
assert
:
that
:
-
"
'You
can
update
the
whitelist
by'
in
'{{
pr_auth_result.stdout_lines[1]
}}'"
# Run the github_pr_auth script with a value in the whitelist
# to ensure a passing run
-
name
:
ensure github_pr_auth fails as expected
shell
:
"
export
GITHUB_OWNER_WHITELIST=edx
&&
github_pr_auth.py
edx
edx-platform
2498"
# Verify the virtualenv tar is newly-built
-
name
:
Get info on virtualenv tar
stat
:
path={{ jenkins_home }}/edx-venv_clean.tar.gz
...
...
This diff is collapsed.
Click to expand it.
playbooks/roles/jenkins_worker/templates/github_pr_auth.py.j2
deleted
100644 → 0
View file @
feb91538
#!/usr/bin/env python
"""
Determine whether we allow a GitHub PR to be
built automatically. Checks a whitelist
of repo owners and compares to the HEAD
repo of the pull request.
Uses an environment variable `GITHUB_OWNER_WHITELIST`
to check whether the owner of the PR repo is whitelisted.
This is a comma-separated list of organizations and
users. For example, a bash script might define:
export GITHUB_OWNER_WHITELIST="edx,a_user,another_user"
to allow PRs from repos owned by "edx", "a_usr", and "another_user"
"""
import
sys
import
os
import
requests
from
textwrap
import
dedent
# The Ansible script will fill in the GitHub OAuth token.
# That way, we can give the jenkins user on the worker
# execute-only access to this script, ensuring that
# the jenkins user cannot retrieve the token.
GITHUB_OAUTH_TOKEN
=
"{{ github_oauth_token }}"
USAGE
=
"Usage: {0} ORG REPO PULL_REQUEST_NUM"
def
parse_args
(
arg_list
):
"""
Parse the list of arguments, returning a dict of the form
{
'org': GITHUB_ORG,
'repo': GITHUB_REPO,
'pr_num': GITHUB_PR_NUM
}
Prints an error message and exits if the arguments are invalid.
"""
if
len
(
arg_list
)
!=
4
:
print
USAGE
.
format
(
arg_list
[
0
])
exit
(
1
)
# Retrieve the PR number and check that it's an integer
try
:
pr_num
=
int
(
arg_list
[
3
])
except
TypeError
:
print
"'{0}' is not a number"
.
format
(
arg_list
[
3
])
return
{
'org'
:
arg_list
[
1
],
'repo'
:
arg_list
[
2
],
'pr_num'
:
pr_num
}
def
pr_repo_owner
(
org
,
repo
,
pr_num
):
"""
Return the name of the owner of the repo from the
HEAD of the PR.
"""
# Query GitHub for information about the pull request
url
=
"https://api.github.com/repos/{0}/{1}/pulls/{2}?access_token={3}"
.
format
(
org
,
repo
,
pr_num
,
GITHUB_OAUTH_TOKEN
)
response
=
requests
.
get
(
url
)
if
response
.
status_code
!=
200
:
print
dedent
(
"""
Could not retrieve info for pull request #{0}.
HTTP status code: {1}
"""
.
format
(
pr_num
,
response
.
status_code
))
.
strip
()
exit
(
1
)
# Parse the response as json
try
:
pr_data
=
response
.
json
()
except
TypeError
:
print
"Could not parse info for pull request #{0}"
.
format
(
pr_num
)
exit
(
1
)
# Retrieve the owner of the repo
try
:
return
pr_data
[
'head'
][
'repo'
][
'owner'
][
'login'
]
except
KeyError
:
print
"Could not get repo owner from PR info"
exit
(
1
)
def
main
():
"""
Exits with code 0 (success) if the PR is from a whitelisted
repo; otherwise, exits with status 1 (failure).
"""
if
not
GITHUB_OAUTH_TOKEN
:
print
"No GitHub Oauth token configured."
exit
(
1
)
arg_dict
=
parse_args
(
sys
.
argv
)
owner
=
pr_repo_owner
(
arg_dict
[
'org'
],
arg_dict
[
'repo'
],
arg_dict
[
'pr_num'
])
# Check that the owner is whitelisted
whitelist_owners
=
os
.
environ
.
get
(
'GITHUB_OWNER_WHITELIST'
,
''
)
.
split
(
','
)
if
owner
not
in
whitelist_owners
:
print
dedent
(
"""
Owner '{0}' is not in the whitelist.
You can update the whitelist by setting the environment variable
`GITHUB_OWNER_WHITELIST` to a comma-separated list of organizations
and users.
"""
.
format
(
owner
))
.
strip
()
exit
(
1
)
else
:
print
"Owner '{0}' is authorized"
.
format
(
owner
)
exit
(
0
)
if
__name__
==
"__main__"
:
main
()
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment