Don't build any changes that touch bionicbb.
Right now any changes in here would be innocuous because I manually
update bionicbb, but I'd like to check in the various job
configurations. Once I have, we don't want anyone to be able to make
the buildbot run any untrusted code.
Change-Id: Ic050859cd5017615f71c75f995ba21bb45407b05
diff --git a/tools/bionicbb/gmail_listener.py b/tools/bionicbb/gmail_listener.py
index 3e501cc..632426b 100644
--- a/tools/bionicbb/gmail_listener.py
+++ b/tools/bionicbb/gmail_listener.py
@@ -64,6 +64,11 @@
return 'CleanSpec.mk' in [os.path.basename(f) for f in files]
+def contains_bionicbb(change_id, patch_set):
+ files = gerrit.get_files_for_revision(change_id, patch_set)
+ return any('tools/bionicbb' in f for f in files)
+
+
def should_skip_build(info):
if info['MessageType'] not in ('newchange', 'newpatchset', 'comment'):
raise ValueError('should_skip_build() is only valid for new '
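Review bot: contains_bionicbb returns False when gerrit.get_files_for_revision yields an empty list, because any() over no items is False, so a lookup that comes back empty lets the build go ahead. Whether the helper can return an empty list on a failed or partial lookup is not visible in this diff; if it can, the gate should fail closed, for example `return not files or any('tools/bionicbb' in f for f in files)`. The substring test also matches paths that merely contain `tools/bionicbb`, which over-skips and is the safe direction for this gate, so it is worth saying so in a docstring like `"""Return True if the revision touches tools/bionicbb; such changes are never built automatically."""`. The new function is complete within the hunk, while should_skip_build continues past it.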
@@ -75,6 +80,7 @@
checks = [
is_untrusted_committer,
contains_cleanspec,
+ contains_bionicbb,
]
for check in checks:
if check(change_id, patch_set):
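Review bot: The `checks` list now decides which changes the buildbot refuses to run, but nothing next to it says so. A comment above the list such as `# Security gate: any check returning True means the change is not built automatically.` would help whoever later adds a job configuration that executes files from another path. The body after `if check(change_id, patch_set):` lies outside the hunk, so what happens on a match is inferred from the function name and the new test.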
diff --git a/tools/bionicbb/test_gmail_listener.py b/tools/bionicbb/test_gmail_listener.py
index af9eda0..f8b9ab6 100644
--- a/tools/bionicbb/test_gmail_listener.py
+++ b/tools/bionicbb/test_gmail_listener.py
@@ -4,6 +4,7 @@
class TestShouldSkipBuild(unittest.TestCase):
+ @mock.patch('gmail_listener.contains_bionicbb')
@mock.patch('gmail_listener.contains_cleanspec')
@mock.patch('gerrit.get_commit')
def test_accepts_googlers(self, mock_commit, *other_checks):
@@ -21,6 +22,7 @@
'PatchSet': '',
}))
+ @mock.patch('gmail_listener.contains_bionicbb')
@mock.patch('gmail_listener.contains_cleanspec')
@mock.patch('gerrit.get_commit')
def test_rejects_googlish_domains(self, mock_commit, *other_checks):
@@ -38,6 +40,7 @@
'PatchSet': '',
}))
+ @mock.patch('gmail_listener.contains_bionicbb')
@mock.patch('gmail_listener.contains_cleanspec')
@mock.patch('gerrit.get_commit')
def test_rejects_non_googlers(self, mock_commit, *other_checks):
@@ -55,6 +58,7 @@
'PatchSet': '',
}))
+ @mock.patch('gmail_listener.contains_bionicbb')
@mock.patch('gmail_listener.is_untrusted_committer')
@mock.patch('gerrit.get_files_for_revision')
def test_skips_cleanspecs(self, mock_files, *other_checks):
@@ -69,6 +73,21 @@
'PatchSet': '',
}))
+ @mock.patch('gmail_listener.contains_cleanspec')
+ @mock.patch('gmail_listener.is_untrusted_committer')
+ @mock.patch('gerrit.get_files_for_revision')
+ def test_skips_bionicbb(self, mock_files, *other_checks):
+ mock_files.return_value = ['tools/bionicbb/common.sh']
+ for other_check in other_checks:
+ other_check.return_value = False
+
+ for message_type in ('newchange', 'newpatchset', 'comment'):
+ self.assertTrue(gmail_listener.should_skip_build({
+ 'MessageType': message_type,
+ 'Change-Id': '',
+ 'PatchSet': '',
+ }))
+
if __name__ == '__main__':
unittest.main()
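Review bot: test_skips_bionicbb covers only the positive case, so a contains_bionicbb that always returned True would still pass it. A companion test with a file list outside tools/bionicbb and every other check forced to False would pin the other half of the gate. This assumes should_skip_build returns a falsy value when no check fires, which this diff does not show. The four earlier hunks in this file only add the new mock to existing tests whose bodies lie outside the diff.

```python
    # … unchanged: test_skips_bionicbb …

    @mock.patch('gmail_listener.contains_cleanspec')
    @mock.patch('gmail_listener.is_untrusted_committer')
    @mock.patch('gerrit.get_files_for_revision')
    def test_builds_changes_outside_bionicbb(self, mock_files, *other_checks):
        # Constructed sample path that does not contain 'tools/bionicbb'.
        mock_files.return_value = ['libc/example.c']
        for other_check in other_checks:
            other_check.return_value = False

        for message_type in ('newchange', 'newpatchset', 'comment'):
            self.assertFalse(gmail_listener.should_skip_build({
                'MessageType': message_type,
                'Change-Id': '',
                'PatchSet': '',
            }))
```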