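new file mode 100755
--- /dev/null
+++ b/contrib/source-control-tools/check-diff-trusted.sh
@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# Copyright (c) 2020 The Bitcoin developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+export LC_ALL=C.UTF-8
+set -euxo pipefail
+DEFAULT_CURL_COMMAND=curl
+help_message() {
+cat <<EOF
+Usage:
+$0 [options] diff_id
+Return success if the given Differential diff was produced by a trusted source.
+diff_id The Differential diff ID (ex: 12345)
+Options:
+-h, --help Display this help message.
+Environment Variables:
+CONDUIT_TOKEN (required) Conduit token to use when landing the patch. This allows
+landing a patch as a particular Phabricator user.
+CURL_COMMAND (optional) Override the curl call used to fetch the diff status.
+Default: ${DEFAULT_CURL_COMMAND}
+EOF
+}
+if [ $# -ne 1 ]; then
+echo "Error: Expected one argument"
+help_message
+exit 1
+fi
+DIFF="$1"
+case ${DIFF} in
+-h|--help)
+help_message
+exit 0
+;;
+esac
+: "${CURL_COMMAND:=${DEFAULT_CURL_COMMAND}}"
+TOPLEVEL=$(git rev-parse --show-toplevel)
+# shellcheck source=sanitize-conduit-token.sh
+source "${TOPLEVEL}"/contrib/source-control-tools/sanitize-conduit-token.sh
+# Temporarily stop verbose logging to prevent leaking CONDUIT_TOKEN
+set +x
+# Fetch the diff and verify it was authored by a trusted source
+DIFF_RESULT=$("${CURL_COMMAND}" "https://reviews.bitcoinabc.org/api/differential.diff.search" \
+-d "api.token=${CONDUIT_TOKEN}" \
+-d "constraints[ids][0]=${DIFF}") || {
+echo "Error: Failed to fetch diff '${DIFF}'"
+echo "curl output:"
+echo "${DIFF_RESULT}"
+exit 30
+}
+set -x
+ERROR_INFO=$(echo "${DIFF_RESULT}" | jq '.error_info')
+if [ "${ERROR_INFO}" != "null" ]; then
+echo "Conduit error while fetching '${DIFF}': ${ERROR_INFO}"
+exit 31
+fi
+DIFF_AUTHOR=$(echo "${DIFF_RESULT}" | jq '.result.data[].phid') || {
+echo "Error: Failed to fetch author of diff '${DIFF}'"
+echo "The 'phid' field may be missing or malformed."
+exit 32
+}
+# We trust the bot to author "safe" changes
+if [ "${DIFF_AUTHOR}" != "\"PHID-USER-beifbbp7gsmklgam2wdn\"" ]; then
+echo "Error: Diff '${DIFF}' was not authored by a trusted source"
+exit 33
+fi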
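Review bot: The trust decision compares `.result.data[].phid` against a user PHID, but in Conduit `*.search` responses the top-level `phid` of each result is normally the object's own PHID (here the diff's) with the author under `fields.authorPHID`; if that holds for `differential.diff.search`, this comparison can never match and every diff is rejected — fail-closed, but the gate is then useless — so the extraction should read `DIFF_AUTHOR=$(echo "${DIFF_RESULT}" | jq '.result.data[].fields.authorPHID')` (and the "'phid' field" error text updated to match). `DIFF` is also interpolated unvalidated into the POST body, where a value containing `&` appends extra form parameters to the Conduit query; add `[[ "${DIFF}" =~ ^[0-9]+$ ]] || { echo "Error: diff_id must be numeric"; exit 1; }` after the `--help` case, and consider confirming the returned `.result.data[0].id` equals `${DIFF}` before trusting its author. The `source` of sanitize-conduit-token.sh runs while `set -x` is still active, so if that helper expands `${CONDUIT_TOKEN}` in any command the token is traced to the CI log — either move `set +x` ahead of the `source` or verify the helper never expands the token.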