From 8ca0f67b393b38a4ee01980233e343455bf4cbff Mon Sep 17 00:00:00 2001
From: Adam Ludvik
Date: Tue, 7 Mar 2017 15:38:52 -0600
Subject: [PATCH] Add Jenkinsfile whitelist

This commit adds a stage to the pipeline to check whether the user who submitted the PR is on a whitelist. If they are not, the pipeline stops immediately to prevent execution of untrusted code. This step is in addition to the Verify Scripts stage, which prevents execution of certain scripts from untrusted users.

Signed-off-by: Adam Ludvik
---
 Jenkinsfile | 27 +++++++++++----------------
 bin/whitelist | 20 ++++++++++++++++++++
 2 files changed, 31 insertions(+), 16 deletions(-)
 create mode 100755 bin/whitelist

diff --git a/Jenkinsfile b/Jenkinsfile
index bb434f6f46..632155720e 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -23,10 +23,19 @@ properties([[$class: 'BuildDiscarderProperty', strategy:
 node ('master') {
 // Create a unique workspace so Jenkins doesn't reuse an existing one
 ws("workspace/${env.BUILD_TAG}") {
-
 stage("Clone Repo") {
 checkout scm
-
 // Check commits for signed-off-by
+ }
+
+ if (!(env.BRANCH_NAME == 'master' && env.JOB_BASE_NAME == 'master')) {
+ stage("Check Whitelist") {
+ readTrusted 'bin/whitelist'
+ readTrusted 'MAINTAINERS'
+ sh './bin/whitelist "$CHANGE_AUTHOR" MAINTAINERS'
+ }
+ }
+
+ stage("Check for Signed-Off Commits") {
 sh '''#!/bin/bash -l
 if [ -v CHANGE_URL ] ; then
@@ -49,20 +58,6 @@ node ('master') {
 '''
 }
- stage("Verify Scripts") {
- readTrusted 'bin/build_all'
- readTrusted 'bin/run_tests'
- readTrusted 'bin/run_lint'
- readTrusted 'bin/docker_build_all'
- readTrusted 'bin/run_docker_test'
- readTrusted 'bin/protogen'
- readTrusted 'cli/setup.py'
- readTrusted 'rest_api/setup.py'
- readTrusted 'sdk/python/setup.py'
- readTrusted 'signing/setup.py'
- readTrusted 'validator/setup.py'
- }
-
 // Use a docker container to build and protogen, so that the Jenkins
 // environment doesn't need all the dependencies.
 stage("Build Test Dependencies") {
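Review bot: The new `Check Whitelist` stage is skipped only for master, so a plain branch build of any other branch (no pull request, hence no CHANGE_AUTHOR) runs `./bin/whitelist "" MAINTAINERS`, which exits 1 on its usage check and fails the build; if that is the intended fail-closed behaviour a comment saying so would help, otherwise gate the stage on the variable being present, e.g. `if (env.CHANGE_AUTHOR) { stage("Check Whitelist") { … } }`. The commit description says this step is in addition to the Verify Scripts stage, but the second hunk of this file deletes that stage, so the description should say the whitelist gate replaces the per-script readTrusted calls. Judging from the hunk line counts, the `// Check commits for signed-off-by` comment appears to remain as context inside `Clone Repo` while the check itself moves to the new `Check for Signed-Off Commits` stage; if so, the comment should move with it. The enclosing `ws` block starts and ends outside the hunk.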
diff --git a/bin/whitelist b/bin/whitelist
new file mode 100755
index 0000000000..2a865f5c48
--- /dev/null
+++ b/bin/whitelist
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [[ -z $1 || -z $2 ]]
+then
+ echo "USAGE: $0 [user] [whitelist]"
+ exit 1
+fi
+
+whitelist=$(cat $2 | grep user | sed 's#.*: \(.*$\)#\1#')
+for user in $whitelist
+do
+ if [[ $user == $1 ]]
+ then
+ echo "SUCCESS: User '$1' whitelisted"
+ exit 0
+ fi
+done
+
+echo "FAILED: User '$1' not whitelisted."
+exit 1
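Review bot: `[[ $user == $1 ]]` does glob pattern matching because the right-hand side is unquoted, so a submitter name containing `*` or `?` would match every whitelist entry instead of being rejected; compare as a literal string with `if [[ $user == "$1" ]]`. The extraction line is also looser than it needs to be: `cat $2` word-splits the path, and `grep user` selects any line containing that substring, which presumably targets the MAINTAINERS entries carrying a username key — worth confirming against the file's format and anchoring the pattern. Quoting both keeps the behaviour for well-formed input, e.g. `whitelist=$(grep user "$2" | sed 's#.*: \(.*$\)#\1#')`. A short header comment describing the expected MAINTAINERS line format and the exit codes (0 whitelisted, 1 otherwise) would help the next maintainer.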