Fix permission distributed

Signed-off-by: Jose Luis Rivero <jrivero@osrfoundation.org>
gazebo-tooling · Nov 22, 2024 · 314e0b8 · 314e0b8
1 parent 51754f3
commit 314e0b8
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 4 deletions.
diff --git a/jenkins-scripts/dsl/_configs_/JenkinsAPICredentials.groovy b/jenkins-scripts/dsl/_configs_/JenkinsAPICredentials.groovy
@@ -0,0 +1,19 @@
+package _configs_
+
+import javaposse.jobdsl.dsl.Job
+
+class JenkinsAPICredentials
+{
+  static void createOsrfbuildJenkinsAPIToken(Job job)
+  {
+    job.with
+    {
+      wrappers {
+        // Credential name needs to be in sync with provision code at infra/osrf-chef repo
+        credentialsBinding {
+          usernamePassword('OSRFBUILD_JENKINS_USER', 'OSRFBUILD_JENKINS_TOKEN', 'jenkins-osrfbuild-apitoken')
+        }
+      }
+    }
+  }
+}
diff --git a/jenkins-scripts/dsl/test.dsl b/jenkins-scripts/dsl/test.dsl
@@ -128,14 +128,18 @@ test_credentials_token_job.with
     stringParam('TEST_JOB_TO_BUILD', '_test_dummy_callable', 'Name of the job to build for checking server crendentials')
   }
 
-  steps {
     shell("""\
           #!/bin/bash -xe
 
           URL_TO_BUILD="\${JENKINS_URL}/job/\${TEST_JOB_TO_BUILD}/build"
-          echo "Testing the login into the Jenkins server:"
-          echo " calling job \${URL_TO_BUILD}"
-          curl --silent --fail --write '\\nReturn code: %{http_code}\\n' --user "\${OSRFBUILD_USER}:\${OSRFBUILD_TOKEN}" \${URL_TO_BUILD} --output /dev/null
+
+          echo " + Testing OSRFBUILD_JENKINS_TOKEN ability for calling jobs:"
+          echo "   - \${URL_TO_BUILD}"
+
+          # Warning: using verbose -v will reveal the token
+          # If the node permissions are blocking the trigger, be sure of enabling AGENT:BUILD permissions
+          # for OSRFBUILD_JENKINS_USER at Global security.
+          curl -X POST --silent --fail --write '\\nReturn code: %{http_code}\\n' --user "\${OSRFBUILD_JENKINS_USER}:\${OSRFBUILD_JENKINS_TOKEN}" \${URL_TO_BUILD} --output /dev/null
           """.stripIndent())
 
     shell("""\
@@ -157,6 +161,26 @@ test_credentials_token_job.with
           """.stripIndent())
     }
 
+
+    shell("""\
+          #!/bin/bash -xe
+
+          # Checking push permissions
+          # See https://github.com/osrf/chef-osrf/issues/282 for restrictions on using new fine-grained tokens
+          echo " + Testing OSRFBUILD_GITHUB_TOKEN ability to push into the fork osrfbuild/homebrew-simulation"
+          echo "   (out of the test is the ability to create pull requests into osrf/homebrew-simulation)"
+          rm -fr homebrew-simulation
+          git clone https://github.com/\${OSRFBUILD_USER}/homebrew-simulation.git
+          cd homebrew-simulation
+          git config user.name \${OSRFBUILD_USER} --replace-all
+          git config user.email "\${OSRFBUILD_USER}@openrobotics.org" --replace-all
+          set +x
+          git config url."https://osrfbuild:\${OSRFBUILD_TOKEN}@github.com/osrfbuild/homebrew-simulation.git".InsteadOf https://github.com/osrfbuild/homebrew-simulation.git
+          set -x
+          GIT_TERMINAL_PROMPT=0 git push -u origin master --dry-run
+          """.stripIndent())
+    }
+
     publishers
     {
       postBuildScripts {
@@ -186,3 +210,11 @@ test_dummy_job.with {
 }
 
 def test_dummy_job = job("_test_dummy_callable")
+test_dummy_job.with {
+  label Globals.nontest_label("docker")
+
+  authorization {
+      permission('hudson.model.Item.Read', 'osrfbuild')
+      permission('hudson.model.Item.Build', 'osrfbuild')
+  }
+}