diff --git a/manifests/site.pp b/manifests/site.pp
index bdda1e1fed..088b3138c1 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -28,6 +28,8 @@ node "gerrit-dev.openstack.org", "review-dev.openstack.org" {
 mysql_password => hiera('gerrit_dev_mysql_password'),
 mysql_root_password => hiera('gerrit_dev_mysql_root_password'),
 email_private_key => hiera('gerrit_dev_email_private_key'),
+ contactstore_appsec => hiera('gerrit_dev_contactstore_appsec'),
+ contactstore_pubkey => hiera('gerrit_dev_contactstore_pubkey'),
 sysadmins => hiera('sysadmins'),
 }
 }
diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp
index 219a6a9c51..860781aa78 100644
--- a/modules/gerrit/manifests/init.pp
+++ b/modules/gerrit/manifests/init.pp
@@ -42,6 +42,14 @@
 # to:
 # http://tarballs.openstack.org/ci/gerrit-2.3.0.war
 # Gerrit will be upgraded on the next puppet run.
+# contactstore:
+# A boolean enabling the contact store feature
+# contactstore_appsec:
+# An application shared secret for the contact store protocol
+# contactstore_pubkey:
+# A public key with which to encrypt contact information
+# contactstore_url:
+# A URL for the remote contact store application
 # replicate_github:
 # A boolean enabling replication to github
 # replicate_local:
@@ -73,6 +81,10 @@ class gerrit($vhost_name=$fqdn,
 $httpd_maxwait='',
 $commentlinks = [],
 $war,
+ $contactstore=false,
+ $contactstore_appsec='',
+ $contactstore_pubkey='',
+ $contactstore_url='',
 $projects_file = 'UNDEF',
 $enable_melody = 'false',
 $melody_session = 'false',
@@ -390,4 +402,26 @@ class gerrit($vhost_name=$fqdn,
 "puppet:///modules/gerrit/scripts",
 ],
 }
+
+ # Install Bouncy Castle's OpenPGP plugin and populate the contact store
+ # public key file if we're using that feature.
+ if ($contactstore == true) {
+ package { "libbcpg-java":
+ ensure => installed,
+ }
+ file { "/home/gerrit2/review_site/lib/bcpg.jar":
+ ensure => link,
+ target => "/usr/share/java/bcpg.jar",
+ require => File["/usr/share/java/bcpg.jar"],
+ }
+ file { '/home/gerrit2/review_site/etc/contact_information.pub':
+ owner => 'root',
+ group => 'root',
+ mode => 444,
+ ensure => 'present',
+ content => template('gerrit/contact_information.pub.erb'),
+ replace => 'true',
+ require => File["/home/gerrit2/review_site/etc"],
+ }
+ }
 }
diff --git a/modules/gerrit/templates/contact_information.pub.erb b/modules/gerrit/templates/contact_information.pub.erb
new file mode 100644
index 0000000000..2122bc484c
--- /dev/null
+++ b/modules/gerrit/templates/contact_information.pub.erb
@@ -0,0 +1 @@
+<%= contactstore_pubkey %>
diff --git a/modules/gerrit/templates/gerrit.config.erb b/modules/gerrit/templates/gerrit.config.erb
index be8d16c1e0..ca86485fd4 100644
--- a/modules/gerrit/templates/gerrit.config.erb
+++ b/modules/gerrit/templates/gerrit.config.erb
@@ -82,3 +82,8 @@
 [gitweb]
 revision = "?p=${project}.git;a=commitdiff;h=${commit}"
 <% end -%>
+<% if contactstore == true -%>
+[contactstore]
+ appsec = <%= contactstore_appsec %>
+ url = <%= contactstore_url %>
+<% end -%>
diff --git a/modules/openstack_project/files/gerrit/cla.html b/modules/openstack_project/files/gerrit/cla.html
new file mode 100644
index 0000000000..7ec001ce45
--- /dev/null
+++ b/modules/openstack_project/files/gerrit/cla.html
@@ -0,0 +1,116 @@
+
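Review bot: The bcpg.jar symlink inside the `if ($contactstore == true)` block declares `require => File["/usr/share/java/bcpg.jar"]`, but no File resource with that title is declared in this hunk; the jar is delivered by the `libbcpg-java` package added just above it. Unless that file is managed elsewhere in the class (the class body starts outside the hunk), the catalog will fail on the missing dependency, and the link is not ordered after the package install. I would change the line to `require => Package["libbcpg-java"],`. Separately, `mode => 444` on contact_information.pub is safer written as `mode => '0444',` so it is never read as a decimal number.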
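Review bot: The contact store shared secret ends up in gerrit.config through `appsec = <%= contactstore_appsec %>`, and nothing in this diff shows that file being restricted to the gerrit2 account. The file resource that renders this template is outside the hunk; confirm its owner and mode keep other local users from reading it, or render the value into `etc/secure.config` if the deployed Gerrit version reads `contactstore.appsec` from there. The block also emits blank `appsec =` and `url =` lines when `contactstore` is true and the class defaults of `''` are left in place, so a guard such as `<% if contactstore == true and contactstore_url != '' -%>`, or a `fail()` in the manifest, would surface that misconfiguration earlier.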
+ +

OpenStack Project Individual Contributor License Agreement

+ +

Everyone should fill out an Individual Contributor License agreement. (If +you are covered by a Corporate Contributor License Agreement, you still need to +sign an individual CLA.)

+ +

If you are contributing on behalf of a company, an authorized representative +of your company should also sign a Corporate Contributor License Agreement.

+ +

In order to clarify the intellectual property license granted with +Contributions from any person or entity, the OpenStack Project (the "Project") +must have a Contributor License Agreement ("Agreement") on file that has been +signed by each Contributor, indicating agreement to the license terms below. +This license is for your protection as a Contributor as well as the protection +of OpenStack, LLC as Project manager (the "Project Manager") and the Project +users; it does not change your rights to use your own Contributions for any +other purpose. If you have not already done so, please complete and sign this +Individual License Agreement by following the instructions embedded below. +After you fill in the required information and apply your digital signature to +the Agreement, the signature service will generate an email to you. You must +confirm your digital signature as instructed in this email to complete the +signing process. The signature service will then send you a signed copy of this +Agreement for your records.

+ +

You accept and agree to the following terms and conditions for Your +present and future Contributions submitted to the Project Manager. Except for +the license granted herein to the Project Manager and recipients of software +distributed by the Project Manager, You reserve all right, title, and interest +in and to Your Contributions.

+ +

Definitions

+ +

"You" (or "Your") shall mean the copyright owner or legal entity authorized +by the copyright owner that is making this Agreement with the Project Manager. +For legal entities, the entity making a Contribution and all other entities +that control, are controlled by, or are under common control with that entity +are considered to be a single Contributor. For the purposes of this definition, +"control" means (i) the power, direct or indirect, to cause the direction or +management of such entity, whether by contract or otherwise, or (ii) ownership +of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial +ownership of such entity.

+ +

"Contribution" shall mean any original work of authorship, including any +modifications or additions to an existing work, that is intentionally submitted +by You to the Project Manager for inclusion in, or documentation of, any of the +projects owned or managed by the Project Manager (the "Work"). For the purposes +of this definition, "submitted" means any form of electronic, verbal, or +written communication sent to the Project Manager or its representatives, +including but not limited to communication on electronic mailing lists, source +code control systems, and issue tracking systems that are managed by, or on +behalf of, the Project Manager for the purpose of discussing and improving the +Work, but excluding communication that is conspicuously marked or otherwise +designated in writing by You as "Not a Contribution."

+ +
    +
  1. Grant of Copyright License. Subject to the terms and + conditions of this Agreement, You hereby grant to the Project Manager and + to recipients of software distributed by the Project Manager a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright + license to reproduce, prepare derivative works of, publicly display, + publicly perform, sublicense, and distribute Your Contributions and such + derivative works.
  2. + +
  3. Grant of Patent License. Subject to the terms and + conditions of this Agreement, You hereby grant to the Project Manager and + to recipients of software distributed by the Project Manager a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as + stated in this section) patent license to make, have made, use, offer to + sell, sell, import, and otherwise transfer the Work, where such license + applies only to those patent claims licensable by You that are necessarily + infringed by Your Contribution(s) alone or by combination of Your + Contribution(s) with the Work to which such Contribution(s) was submitted. + If any entity institutes patent litigation against You or any other entity + (including a cross-claim or counterclaim in a lawsuit) alleging that Your + Contribution, or the Work to which You have contributed, constitutes direct + or contributory patent infringement, then any patent licenses granted to + that entity under this Agreement for that Contribution or Work shall + terminate as of the date such litigation is filed.
  4. + +
  5. You represent that you are legally entitled to grant the above license. + If your employer(s) has rights to intellectual property that you create + that includes your Contributions, You represent that you have received + permission to make Contributions on behalf of that employer, that your + employer has waived such rights for your Contributions to the Project + Manager, or that your employer has executed a separate Corporate + Contributor License Agreement with the Project Manager.
  6. + +
  7. You represent that each of Your Contributions is Your original creation + (see Section 7 for submissions on behalf other others). You represent that + Your Contribution submissions include complete details of any third-party + license or other restriction (including, but not limited to, related + patents and trademarks) of which you are personally aware and which are + associated with any part of Your Contributions.
  8. + +
  9. You are not expected to provide support for Your Contributions, except + to the extent You desire to provide support. You may provide support for + free, for a fee, or not at all. Unless required by applicable law or agreed + to in writing, You provide Your Contributions on as "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OR ANY KIND, either express or implied, including, + without limitation, any warranties or conditions of TITLE, NONINFRINGEMENT, + MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. 7. Should You wish to + submit work that is not Your original creation, You may submit it to the + Project Manager separately from any Contribution, identifying the complete + details of its source and of any license or other restriction (including, + but not limited to, related patents, trademarks, and license agreements) of + which you are personally aware, and conspicuously marking the work as + "Submitted on behalf of a third-party: [named here]".
  10. + +
  11. You agree to notify the Project Manager of any facts or circumstances + of which you become aware that would make these representations inaccurate + in any respect.
  12. +
+ +
diff --git a/modules/openstack_project/manifests/gerrit.pp b/modules/openstack_project/manifests/gerrit.pp index eb09bb797b..f4b48b374f 100644 --- a/modules/openstack_project/manifests/gerrit.pp +++ b/modules/openstack_project/manifests/gerrit.pp @@ -23,6 +23,14 @@ class openstack_project::gerrit ( $httpd_maxthreads='', $httpd_maxwait='', $war, + $contactstore, + $contactstore_appsec, + $contactstore_pubkey, + $contactstore_url, + $cla_description='OpenStack Individual Contributor License Agreement', + $cla_file='static/cla.html', + $cla_id='2', + $cla_name='ICLA', $script_user='update', $script_key_file='/home/gerrit2/.ssh/id_rsa', $script_logging_conf='/home/gerrit2/.sync_logging.conf', @@ -76,6 +84,10 @@ class openstack_project::gerrit ( link => 'https://blueprints.launchpad.net/openstack/?searchtext=$2' }, ], war => $war, + contactstore => $contactstore, + contactstore_appsec => $contactstore_appsec, + contactstore_pubkey => $contactstore_pubkey, + contactstore_url => $contactstore_url, mysql_password => $mysql_password, mysql_root_password => $mysql_root_password, email_private_key => $email_private_key, @@ -106,6 +118,16 @@ class openstack_project::gerrit ( require => Class['::gerrit'], } + file { '/home/gerrit2/review_site/static/cla.html': + owner => 'root', + group => 'root', + mode => 444, + ensure => 'present', + source => 'puppet:///modules/openstack_project/gerrit/cla.html', + replace => 'true', + require => Class['::gerrit'], + } + file { '/home/gerrit2/review_site/static/title.png': ensure => 'present', source => "puppet:///modules/openstack_project/openstack.png", diff --git a/modules/openstack_project/manifests/review_dev.pp b/modules/openstack_project/manifests/review_dev.pp index 0630a88e0d..cdfa08cef9 100644 --- a/modules/openstack_project/manifests/review_dev.pp +++ b/modules/openstack_project/manifests/review_dev.pp 
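Review bot: `$contactstore`, `$contactstore_appsec`, `$contactstore_pubkey` and `$contactstore_url` are added to `openstack_project::gerrit` in the `@@ -23,6 +23,14 @@` hunk without defaults, so every declaration of this class must now pass all four. Only review_dev.pp is updated in this diff; any other caller (not visible here) would stop compiling. Giving them the same defaults the `gerrit` class uses, e.g. `$contactstore=false,` and `$contactstore_appsec='',`, keeps existing callers working and leaves the feature off unless it is requested. The parameter list and class body continue outside the hunk.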
@@ -3,6 +3,8 @@ class openstack_project::review_dev (
 $mysql_password,
 $mysql_root_password,
 $email_private_key,
+ $contactstore_appsec,
+ $contactstore_pubkey,
 $sysadmins = []
 ) {
 class { 'openstack_project::gerrit':
@@ -12,7 +14,11 @@ class openstack_project::review_dev (
 ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
 ssl_chain_file => '',
 email => "review-dev@openstack.org",
- war => 'http://tarballs.openstack.org/ci/gerrit-2.4.2-11-gb5a28fb.war',
+ war => 'http://tarballs.openstack.org/ci/test/gerrit-2.4.2-13-g69c8fa6.war',
+ contactstore => true,
+ contactstore_appsec => $contactstore_appsec,
+ contactstore_pubkey => $contactstore_pubkey,
+ contactstore_url => 'https://www.yuggoth.org/gerrit_test',
 script_user => 'launchpadsync',
 script_key_file => '/home/gerrit2/.ssh/launchpadsync_rsa',
 script_logging_conf => '/home/gerrit2/.sync_logging.conf',
@@ -41,4 +47,19 @@ class openstack_project::review_dev (
 source => 'puppet:///modules/openstack_project/gerrit/launchpad_sync_logging.conf',
 require => User['gerrit2']
 }
+ file { '/home/gerrit2/review_site/bin/set_agreements.sh':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
+ content => template('openstack_project/gerrit_set_agreements.sh.erb'),
+ replace => 'true',
+ require => Class['::gerrit']
+ }
+ exec { 'set_contributor_agreements':
+ path => ['/bin', '/usr/bin'],
+ command => '/home/gerrit2/review_site/bin/set_agreements.sh',
+ require => [Class['mysql'],
+ File['/home/gerrit2/review_site/bin/set_agreements.sh']]
+ }
 }
diff --git a/modules/openstack_project/templates/gerrit_set_agreements.sh.erb b/modules/openstack_project/templates/gerrit_set_agreements.sh.erb
new file mode 100644
index 0000000000..9aafde0f13
--- /dev/null
+++ b/modules/openstack_project/templates/gerrit_set_agreements.sh.erb
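Review bot: The new `war` value in the `@@ -12,7 +14,11 @@` hunk is a `ci/test/` build addressed over plain `http://`, and nothing visible in this diff verifies the artifact before Gerrit runs it. The download logic lives in the gerrit module outside this hunk, so this is hedged, but if it is a plain fetch then the WAR can be altered in transit without detection. If the host serves TLS I would use `war => 'https://tarballs.openstack.org/ci/test/gerrit-2.4.2-13-g69c8fa6.war',` and have the module compare a pinned checksum. `contactstore_url` is also a literal pointing at a host outside openstack.org; since contributor contact data is posted there, it reads better as a hiera value next to the two secrets.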
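Review bot: The `set_agreements.sh` file resource in the `@@ -41,4 +47,19 @@` hunk renders `gerrit_set_agreements.sh.erb` from `openstack_project::review_dev`, but the `cla_name`, `cla_description`, `cla_file` and `cla_id` values that template reads are declared as parameters of `openstack_project::gerrit`, not of this class. As far as this diff shows they are not in scope here, so the template lookup would fail or render empty values. Either move the file resource into `openstack_project::gerrit`, or reference the values fully qualified in the template, e.g. `<%= scope.lookupvar('openstack_project::gerrit::cla_name') %>`. The `set_contributor_agreements` exec also has no `unless`, `onlyif` or `refreshonly`, so the script runs on every agent run; `refreshonly => true,` with `subscribe => File['/home/gerrit2/review_site/bin/set_agreements.sh'],` would limit it to script changes.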
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# The point of this script is to update the list of contributor license
+# agreements Gerrit knows about. More specifically, in its current form,
+# it's being used by Puppet to perform database-specific parts of a
+# migration for OpenStack's development and production Gerrit servers
+# from Echosign to a Gerrit-managed CLA. As such, a lot of this code can
+# be ripped out once that migration is complete (though it doesn't
+# necessarily need to be, and can be left in place more or less
+# indefinitely without impact).
+
+# This function takes a contributor agreement ID and returns 0 if Y
+# (active), 1 if N (inactive) or anything else (including if the CLA
+# does not exist). It would be nice to implement this by short name
+# instead, but Gerrit does not create the id column with auto_increment
+# so we have to know what ID integers we want when creating anyway.
+is_active () {
+ ACTIVE=$(
+ mysql --defaults-file=/etc/mysql/debian.cnf --batch \
+ --skip-column-names --execute '
+ SELECT active FROM contributor_agreements WHERE id='$1';
+ ' reviewdb
+ )
+ if test "$ACTIVE" = "Y" ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# The old Echosign CLA needs to be invalidated, so if it's active then
+# update it to an inactive state.
+is_active 1 \
+&& mysql --defaults-file=/etc/mysql/debian.cnf --execute '
+ UPDATE contributor_agreements SET active="N" WHERE id=1;
+ ' reviewdb
+
+# The new Gerrit-managed CLA should be created if it does not yet exist.
+# It's added as ID 2 to accomodate the existence of the old Echosign CLA
+# occupying ID 1.
+is_active 2 \
+|| mysql --defaults-file=/etc/mysql/debian.cnf --execute '
+ INSERT INTO contributor_agreements VALUES (
+ "Y", "Y", "Y", "<%= cla_name %>",
+ "<%= cla_description %>",
+ "<%= cla_file %>", <%= cla_id %>
+ );
+ ' reviewdb
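Review bot: The guard before the INSERT is hard-coded as `is_active 2` while the inserted row uses `<%= cla_id %>`, and it tests for an active row rather than an existing one. If `cla_id` is ever overridden, or the row exists with `active` set to N, the INSERT targets an id that is already present (or the wrong id was checked) and the statement fails on each run. I would at least check `is_active <%= cla_id %>`, and preferably test existence with a `SELECT COUNT(*) FROM contributor_agreements WHERE id=<%= cla_id %>` before inserting. The template values are also pasted unescaped into a single-quoted shell argument and double-quoted SQL literals, so a quote character in `cla_description` breaks the command; a comment stating that these parameters must not contain quotes would help. `INSERT ... VALUES` without a column list additionally depends on the table's column order staying fixed.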