Don't build any changes that touch bionicbb.

Right now any changes in here would be innocuous because I manually update bionicbb, but I'd like to check in the various job configurations. Once I have we don't want anyone to be able to make the buildbot run any untrusted code. Change-Id: Ic050859cd5017615f71c75f995ba21bb45407b05
2015-04-09 17:18:53 -07:00 · 2015-04-09 17:18:53 -07:00 · d032378790
commit d032378790
parent 0a92ac8848
2 changed files with 25 additions and 0 deletions
--- a/tools/bionicbb/gmail_listener.py
+++ b/tools/bionicbb/gmail_listener.py
@ -64,6 +64,11 @@ def contains_cleanspec(change_id, patch_set):
    return 'CleanSpec.mk' in [os.path.basename(f) for f in files]


+def contains_bionicbb(change_id, patch_set):
+    files = gerrit.get_files_for_revision(change_id, patch_set)
+    return any('tools/bionicbb' in f for f in files)
+
+
 def should_skip_build(info):
    if info['MessageType'] not in ('newchange', 'newpatchset', 'comment'):
        raise ValueError('should_skip_build() is only valid for new '
@ -75,6 +80,7 @@ def should_skip_build(info):
    checks = [
        is_untrusted_committer,
        contains_cleanspec,
+        contains_bionicbb,
    ]
    for check in checks:
        if check(change_id, patch_set):
--- a/tools/bionicbb/test_gmail_listener.py
+++ b/tools/bionicbb/test_gmail_listener.py
@ -4,6 +4,7 @@ import unittest


 class TestShouldSkipBuild(unittest.TestCase):
+    @mock.patch('gmail_listener.contains_bionicbb')
    @mock.patch('gmail_listener.contains_cleanspec')
    @mock.patch('gerrit.get_commit')
    def test_accepts_googlers(self, mock_commit, *other_checks):
@ -21,6 +22,7 @@ class TestShouldSkipBuild(unittest.TestCase):
                'PatchSet': '',
            }))

+    @mock.patch('gmail_listener.contains_bionicbb')
    @mock.patch('gmail_listener.contains_cleanspec')
    @mock.patch('gerrit.get_commit')
    def test_rejects_googlish_domains(self, mock_commit, *other_checks):
@ -38,6 +40,7 @@ class TestShouldSkipBuild(unittest.TestCase):
                'PatchSet': '',
            }))

+    @mock.patch('gmail_listener.contains_bionicbb')
    @mock.patch('gmail_listener.contains_cleanspec')
    @mock.patch('gerrit.get_commit')
    def test_rejects_non_googlers(self, mock_commit, *other_checks):
@ -55,6 +58,7 @@ class TestShouldSkipBuild(unittest.TestCase):
                'PatchSet': '',
            }))

+    @mock.patch('gmail_listener.contains_bionicbb')
    @mock.patch('gmail_listener.is_untrusted_committer')
    @mock.patch('gerrit.get_files_for_revision')
    def test_skips_cleanspecs(self, mock_files, *other_checks):
@ -69,6 +73,21 @@ class TestShouldSkipBuild(unittest.TestCase):
                'PatchSet': '',
            }))

+    @mock.patch('gmail_listener.contains_cleanspec')
+    @mock.patch('gmail_listener.is_untrusted_committer')
+    @mock.patch('gerrit.get_files_for_revision')
+    def test_skips_bionicbb(self, mock_files, *other_checks):
+        mock_files.return_value = ['tools/bionicbb/common.sh']
+        for other_check in other_checks:
+            other_check.return_value = False
+
+        for message_type in ('newchange', 'newpatchset', 'comment'):
+            self.assertTrue(gmail_listener.should_skip_build({
+                'MessageType': message_type,
+                'Change-Id': '',
+                'PatchSet': '',
+            }))
+

 if __name__ == '__main__':
    unittest.main()