Add Jenkinsfile whitelist

This commit adds a stage to the pipeline to check whether the user who submitted the PR is on a whitelist. If they are not, the pipeline stops immediately to prevent execution of untrusted code. This step is in addition to the Verify Scripts stage, which prevents execution of certain scripts from untrusted users. Signed-off-by: Adam Ludvik <[email protected]>
hyperledger-archives · Mar 8, 2017 · 8ca0f67 · 8ca0f67
1 parent b5f5445
commit 8ca0f67
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 16 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -23,10 +23,19 @@ properties([[$class: 'BuildDiscarderProperty', strategy:
 node ('master') {
     // Create a unique workspace so Jenkins doesn't reuse an existing one
     ws("workspace/${env.BUILD_TAG}") {
-
         stage("Clone Repo") {
             checkout scm
-            // Check commits for signed-off-by
+        }
+
+        if (!(env.BRANCH_NAME == 'master' && env.JOB_BASE_NAME == 'master')) {
+            stage("Check Whitelist") {
+                readTrusted 'bin/whitelist'
+                readTrusted 'MAINTAINERS'
+                sh './bin/whitelist "$CHANGE_AUTHOR" MAINTAINERS'
+            }
+        }
+
+        stage("Check for Signed-Off Commits") {
             sh '''#!/bin/bash -l
                 if [ -v CHANGE_URL ] ;
                 then
@@ -49,20 +58,6 @@ node ('master') {
             '''
         }
 
-        stage("Verify Scripts") {
-            readTrusted 'bin/build_all'
-            readTrusted 'bin/run_tests'
-            readTrusted 'bin/run_lint'
-            readTrusted 'bin/docker_build_all'
-            readTrusted 'bin/run_docker_test'
-            readTrusted 'bin/protogen'
-            readTrusted 'cli/setup.py'
-            readTrusted 'rest_api/setup.py'
-            readTrusted 'sdk/python/setup.py'
-            readTrusted 'signing/setup.py'
-            readTrusted 'validator/setup.py'
-        }
-
         // Use a docker container to build and protogen, so that the Jenkins
         // environment doesn't need all the dependencies.
         stage("Build Test Dependencies") {

diff --git a/bin/whitelist b/bin/whitelist
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [[ -z $1 || -z $2 ]]
+then
+    echo "USAGE: $0 [user] [whitelist]"
+    exit 1
+fi
+
+whitelist=$(cat $2 | grep user | sed 's#.*: \(.*$\)#\1#')
+for user in $whitelist
+do
+    if [[ $user == $1 ]]
+    then
+        echo "SUCCESS: User '$1' whitelisted"
+        exit 0
+    fi
+done
+
+echo "FAILED: User '$1' not whitelisted."
+exit 1