From 3d46b4867e4d0533d78ab271e22a02105ba0ec10 Mon Sep 17 00:00:00 2001
From: MaksimmZZZhukoff
Date: Wed, 16 Sep 2020 13:27:13 +0300
Subject: [PATCH] Add script to validate contributor permissions

---
 .../azure-pipelines/image-generation.yml | 24 +++----
 images.CI/macos/validate-contributor.ps1 | 63 +++++++++++++++++++
 2 files changed, 75 insertions(+), 12 deletions(-)
 create mode 100644 images.CI/macos/validate-contributor.ps1

diff --git a/images.CI/macos/azure-pipelines/image-generation.yml b/images.CI/macos/azure-pipelines/image-generation.yml
index b650fe0ae..5c2f562f1 100644
--- a/images.CI/macos/azure-pipelines/image-generation.yml
+++ b/images.CI/macos/azure-pipelines/image-generation.yml
@@ -9,22 +9,22 @@ jobs:
   - group: Mac-Cloud Image Generation Key Vault
 
   steps:
-  - pwsh: |
-      $allowedContributors = $env:CONTRIBUTOR_ALLOWLIST.Split(",").Trim()
-      $validСontributor = $allowedContributors | Where-Object { $_ -eq $env:BUILD_SOURCEVERSIONAUTHOR } `
-                                              | Select-Object -First 1
-
-      if (-not $validСontributor) {
-        Write-Host "Failed to start this build. $env:BUILD_SOURCEVERSIONAUTHOR is an unknown contributor"
-        Write-Host "Please add $env:BUILD_SOURCEVERSIONAUTHOR to the allowed list to run builds"
-        exit 1
-      }
-    displayName: Validate contributor permissions
-
   - checkout: self
     clean: true
     fetchDepth: 1
 
+  - task: PowerShell@2
+    displayName: 'Validate contributor permissions'
+    condition: startsWith(variables['Build.SourceBranch'], 'refs/pull/')
+    inputs:
+      targetType: 'filePath'
+      filePath: ./images.CI/macos/validate-contributor.ps1
+      pwsh: true
+      arguments: -RepositoryName "$(Build.Repository.Name)" `
+                 -AccessToken "$(GITHUB_FEED_TOKEN)" `
+                 -SourceBranch "$(Build.SourceBranch)" `
+                 -ContributorAllowList "$(CONTRIBUTOR_ALLOWLIST)"
+
   - task: PowerShell@2
     displayName: 'Download custom repository'
     condition: and(ne(variables['CUSTOM_REPOSITORY_URL'], ''), ne(variables['CUSTOM_REPOSITORY_BRANCH'], ''))
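Review bot: The GitHub token is handed to the script as a plain command-line argument in the new `arguments:` input, which puts the secret into whatever wrapper the task generates and into any script-block logging or transcript on the agent; passing it through an `env:` mapping on the task and reading `$env:GITHUB_FEED_TOKEN` inside the script keeps it out of the argument list. The multi-line plain scalar also deserves a second look: YAML folds those line breaks into spaces, so the trailing backticks reach PowerShell as backtick-space sequences rather than line continuations — if the task tolerates that today it is not by design, and a single-line value (or a `>-` folded block without backticks) removes the doubt. Finally, in a PR validation build both this YAML and `validate-contributor.ps1` are presumably taken from the PR revision being checked, so the gate is only as strong as the repository-side protections around it; a one-line comment above the task stating that would stop it being mistaken for an authorization boundary.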
diff --git a/images.CI/macos/validate-contributor.ps1 b/images.CI/macos/validate-contributor.ps1
new file mode 100644
index 000000000..312a9ef7e
--- /dev/null
+++ b/images.CI/macos/validate-contributor.ps1
@@ -0,0 +1,63 @@
+param(
+    [Parameter(Mandatory)] [string] $RepositoryName,
+    [Parameter(Mandatory)] [string] $AccessToken,
+    [Parameter(Mandatory)] [string] $SourceBranch,
+    [Parameter(Mandatory)] [string] $ContributorAllowList
+)
+
+function Build-AuthHeader {
+    param(
+        [Parameter(Mandatory)] [string] $AccessToken
+    )
+
+    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("'':${AccessToken}"))
+    return "Basic ${base64AuthInfo}"
+}
+
+function Get-PullRequest {
+    param(
+        [Parameter(Mandatory)] [string] $RepositoryName,
+        [Parameter(Mandatory)] [string] $AccessToken,
+        [Parameter(Mandatory)] [UInt32] $PullRequestNumber
+    )
+
+    $requestUrl = "https://api.github.com/repos/$RepositoryName/pulls/$PullRequestNumber"
+    $authHeader = Build-AuthHeader -AccessToken $AccessToken
+
+    $params = @{
+        Method = "GET"
+        ContentType = "application/json"
+        Uri = $requestUrl
+        Headers = @{ Authorization = $authHeader }
+    }
+
+    return Invoke-RestMethod @params
+}
+
+function Validate-ContributorPermissions {
+    param(
+        [Parameter(Mandatory)] [string] $ContributorAllowList,
+        [Parameter(Mandatory)] [string] $ContributorName
+    )
+
+    $allowedContributors = $ContributorAllowList.Split(",").Trim()
+    $validСontributor = $allowedContributors | Where-Object { $_ -eq $ContributorName } `
+        | Select-Object -First 1
+
+    if (-not $validСontributor) {
+        Write-Host "Failed to start this build. '$ContributorName' is an unknown contributor"
+        Write-Host "Please add '$ContributorName' to the allowed list to run builds"
+        exit 1
+    }
+}
+
+$pullRequestNumber = $SourceBranch.Split("/")[2]
+
+$pullRequestInfo = Get-PullRequest -RepositoryName $RepositoryName `
+    -AccessToken $AccessToken `
+    -PullRequestNumber $pullRequestNumber
+
+$contributorName = $pullRequestInfo.user.login
+
+Validate-ContributorPermissions -ContributorAllowList $ContributorAllowList `
+    -ContributorName $contributorName
\ No newline at end of file
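Review bot: The script never checks that the pull-request lookup actually produced an author: unless the host sets `$ErrorActionPreference = 'Stop'`, a failed `Invoke-RestMethod` (bad token, rate limit, unknown PR number) only writes an error, `$contributorName = $pullRequestInfo.user.login` comes back empty, and the gate then closes on a parameter-binding error rather than on an explicit decision. Use `return Invoke-RestMethod @params -ErrorAction Stop` in Get-PullRequest and add `if ([string]::IsNullOrWhiteSpace($contributorName)) { Write-Host "Failed to resolve the pull request author"; exit 1 }` before the allow-list call so the failure mode is deliberately closed and readable in the log. The identifier `$validСontributor` (both uses, carried over from the old inline step) appears to contain a non-ASCII look-alike in place of the Latin C; it works only because the two occurrences match, and a maintainer who retypes one of them gets a different, undefined variable and a gate that rejects everyone, so rename it to plain ASCII `$validContributor`. In Build-AuthHeader the `''` inside a double-quoted string is two literal apostrophes, so the header encodes `'':<token>` as the user name; the documented GitHub form `Headers = @{ Authorization = "token ${AccessToken}" }` avoids both the odd user name and the hand-rolled base64. `Validate-` is not an approved PowerShell verb and PSScriptAnalyzer will flag it; `Test-ContributorPermissions` fits the convention.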