branch_util: Add --skip-group-check flag
Service accounts cannot be added to mdb groups, so we need a way to
skip the MDB membership check.
BUG=b:177903295
TEST=go test
Change-Id: Ic61551fdb9272fe60508375c28fef74ecafba93b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/infra/go/+/2705613
Reviewed-by: Julio Hurtado <juahurta@google.com>
Commit-Queue: Jack Neus <jackneus@google.com>
Tested-by: Jack Neus <jackneus@google.com>
Auto-Submit: Jack Neus <jackneus@google.com>
diff --git a/cmd/branch_util/cli.go b/cmd/branch_util/cli.go
index 2452722..afa8226 100644
--- a/cmd/branch_util/cli.go
+++ b/cmd/branch_util/cli.go
@@ -54,11 +54,12 @@
// Common flags
type CommonFlags struct {
subcommands.CommandRunBase
- Push bool
- Force bool
- Root string
- ManifestUrl string
- authFlags authcli.Flags
+ Push bool
+ Force bool
+ Root string
+ ManifestUrl string
+ SkipGroupCheck bool
+ authFlags authcli.Flags
}
func (c *CommonFlags) InitFlags(authOpts auth.Options) {
@@ -76,6 +77,9 @@
"URL of the manifest to be checked out. Defaults to googlesource URL "+
"for manifest-internal.")
c.Flags.IntVar(&workerCount, "j", 1, "Number of jobs to run for parallel operations.")
+ c.Flags.BoolVar(&c.SkipGroupCheck, "skip-group-check", false,
+ "If set, skips checking if the invoker is in mdb/chromeos-branch-creators. "+
+ "ACLs will still be enforced.")
c.authFlags.Register(c.GetFlags(), authOpts)
}
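Review bot: `--skip-group-check` is registered on `CommonFlags`, so every subcommand that calls `InitFlags` will accept it, but the only consumer visible in this change is the push guard in create.go. If other subcommands run their own membership check (not visible here), they would accept the flag and silently ignore it; either honor `c.SkipGroupCheck` there too or register the flag only on the create command. The help text also spells out `mdb/chromeos-branch-creators` literally while create.go passes `branchCreatorGroup`; assuming both name the same group, building the help string from the constant keeps the two from drifting. `InitFlags` begins outside this hunk.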
diff --git a/cmd/branch_util/create.go b/cmd/branch_util/create.go
index 4a865ee..baacf84 100644
--- a/cmd/branch_util/create.go
+++ b/cmd/branch_util/create.go
@@ -129,7 +129,11 @@
return 1
}
- if c.Push {
+ // Check if the user is in mdb/chromeos-branch-creators, unless SkipGroupCheck is set.
+ // This is not to say that an unauthorized user can simply call the tool with --skip-group-check;
+ // ACLs will still be enforced. Skipping this check is necessary for bot invocations,
+ // as service accounts cannot be added to MDB groups.
+ if c.Push && !c.SkipGroupCheck {
inGroup, err := branch.CheckSelfGroupMembership(authedClient, "https://chromium-review.googlesource.com", branchCreatorGroup)
if err != nil {
branch.LogErr(errors.Annotate(err, "failed to confirm that the running user is in %v", branchCreatorGroup).Err().Error())
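Review bot: When `c.SkipGroupCheck` is set, the guard `if c.Push && !c.SkipGroupCheck` is bypassed without leaving any trace, so a run's output does not show whether the membership pre-check ran or was skipped. Because the skip makes the server-side ACLs the only gate for that push, emit one informational line on the skip path through the tool's existing logger, with a message such as `skipping branch-creators group check (--skip-group-check); server-side ACLs still apply`. That lets bot invocations and unexpected manual uses of the flag be told apart in logs. The enclosing function starts before and continues after this hunk, so the handling of `inGroup` is not visible here.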