[sysadmin/repo-management] hooks: Implement two additional checks as part of our hooks:

Ben Cooksley null at kde.org
Tue Mar 8 08:13:21 GMT 2022


Git commit 919f7163102835d46c81593251fd0689fea71640 by Ben Cooksley.
Committed on 08/03/2022 at 08:13.
Pushed by bcooksley into branch 'master'.

Implement two additional checks as part of our hooks:

1) Require that all *.knsrc file changes be reviewed by a Sysadmin if landing in a non-work branch
2) Alert Sysadmin if anyone mentions download.kde.org or files.kde.org in the text of their code.

CCMAIL: kde-frameworks-devel at kde.org
CCMAIL: plasma-devel at kde.org

M  +14   -0    hooks/hooklib.py
M  +16   -2    hooks/invent.pre-receive

https://invent.kde.org/sysadmin/repo-management/commit/919f7163102835d46c81593251fd0689fea71640

diff --git a/hooks/hooklib.py b/hooks/hooklib.py
index 062b0e3..df04d96 100644
--- a/hooks/hooklib.py
+++ b/hooks/hooklib.py
@@ -706,6 +706,10 @@ class CommitEmailNotifier:
         if self.checker and (self.checker.license_problem or self.checker.commit_problem):
             cc_addresses.append( self.commit.committer_email )
 
+        # Add Sysadmin if infrastructure problems have been found
+        if self.checker and self.checker.infra_problem):
+            cc_addresses.append( 'sysadmin at kde.org' )
+
         if self.keywords['email_gui']:
             cc_addresses.append( 'kde-doc-english at kde.org' )
 
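Review bot: The added condition `if self.checker and self.checker.infra_problem):` has a closing parenthesis with no matching opening one, so hooklib.py will not compile and anything importing it fails with a SyntaxError before any check runs. It should read `if self.checker and self.checker.infra_problem:`. How the server treats a hook that crashes at import is not visible here, so confirm that pushes are then declined rather than accepted without the audit. The enclosing method starts and ends outside the hunk.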
@@ -1002,6 +1006,10 @@ class CommitChecker:
     def commit_problem(self):
         return self._commit_problem
 
+    @property
+    def infra_problem(self):
+        return self._infra_problem
+
     @property
     def commit_notes(self):
         return self._commit_notes
@@ -1219,6 +1227,7 @@ class CommitChecker:
 
         # Initialise
         self._license_problem = False
+        self._infra_problem = False
         self._commit_problem = False
         self._commit_notes = defaultdict(list)
 
@@ -1261,6 +1270,11 @@ class CommitChecker:
                     self._commit_notes[filename].append(note)
                     self._commit_problem = True
 
+            # Check for references to KDE.org infrastructure which are being added without permission
+            if re.search(".*(download|files)\.kde\.org.*", line) and line.startswith("+"):
+                self._commit_notes[filename].append( "[INFRASTRUCTURE]" )
+                self._infra_problem = True
+
             # Store the diff....
             filediff.append(line)
 
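Review bot: The pattern in `re.search(".*(download|files)\.kde\.org.*", line)` is case-sensitive while hostnames are not, so an added line that spells the host as `Download.KDE.org` produces no `[INFRASTRUCTURE]` note and Sysadmin is not copied. The literal is also a non-raw string containing `\.`, which newer Python versions warn about as an invalid escape, and the leading and trailing `.*` add nothing under `re.search`. Suggested line: `if line.startswith("+") and re.search(r"(download|files)\.kde\.org", line, re.IGNORECASE):`. The note is appended once per matching line, so a file with several hits gets repeated `[INFRASTRUCTURE]` entries. The loop this sits in starts outside the hunk.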
diff --git a/hooks/invent.pre-receive b/hooks/invent.pre-receive
index 75dda6a..537d104 100755
--- a/hooks/invent.pre-receive
+++ b/hooks/invent.pre-receive
@@ -99,6 +99,9 @@ translation_file_rules = [
     '^poqm/.*'
 ]
 
+# These users are authorised to review changes to *.knsrc files
+knsrc_reviewers = ['bcooksley', 'bshah', 'nalvarez']
+
 # For these users we always skip notifications
 notification_user_exceptions = ["scripty"]
 
@@ -355,8 +358,8 @@ for changeset in repository.changesets.values():
     if not os.path.exists(repository_config + "/skip-author-email-checks"):
         auditor.audit_emails_in_metadata( changeset, email_domains_blocked )
 
-   # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
-   # Only specific users are allowed to change these as they are maintained by scripty
+    # Depending on who we are, we may also need to check to see whether we are changing translations that have been mirrored into the repository
+    # Only specific users are allowed to change these as they are maintained by scripty
     if not os.path.exists(repository_config + "/skip-translation-protections") and push_user not in translation_mirror_maintainers:
         # Review each commit for changes to files...
         for commit in changeset.commits.values():
@@ -368,6 +371,17 @@ for changeset in repository.changesets.values():
                     if re.match(restriction, filename):
                         auditor.log_failure(commit.sha1, "Translations maintained separately: " + filename)
 
+    # Depending on who we are, we may also need to check to see whether we are impacting on a KNSRC file
+    # Only specific users are allowed to change these as they can have substantial infrastructure implications
+    if not os.path.exists(repository_config + "/skip-knsrc-protections") and push_user not in knsrc_reviewers and changeset.ref_type is not RefType.WorkBranch:
+        # Review each commit for changes to files...
+        for commit in changeset.commits.values():
+            # Now check each file that was changed in that commit...
+            for filename in commit.files_changed:
+                # Did we change a KNSRC file?
+                if re.match(".*knsrc.*", filename):
+                    auditor.log_failure(commit.sha1, "KNewStuff configuration must be Sysadmin reviewed: " + filename)
+
 # Did we have any commit audit failures?
 if auditor.audit_failed:
     print("Push declined - commits failed audit")
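Review bot: `re.match(".*knsrc.*", filename)` is a case-sensitive substring test rather than the `*.knsrc` match the commit message describes, so a path such as `foo.KNSRC` is not flagged while any path that merely contains `knsrc` is. Whether KNewStuff would load a differently-cased file is not visible here, but for a protection check it is cheap to compare case-insensitively, e.g. `if "knsrc" in filename.lower():`, which keeps the broad match. If the looseness is deliberate (for example to cover templated file names), a comment such as `# Substring match on purpose: also catches *.knsrc.in and similar` would record that. The enclosing `for changeset` loop starts outside the hunk.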

