authorSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-05 17:42:21 +0000
committerSam Thursfield <sam.thursfield@codethink.co.uk>2015-03-13 15:09:27 +0000
commit127f1f682b972b02df424e0f710bbb85224e781a (patch)
tree3842461557245dc07e89c560b799263c74659d8d
parent50f602fe6b12943a3847fb1925b1e5cb554bed97 (diff)
gerrit: Add initial access control rules
These are implemented mostly using an Ansible playbook built on these Ansible Gerrit modules I wrote: https://github.com/ssssam/ansible-gerrit
-rw-r--r--README.mdwn36
-rw-r--r--baserock_gerrit/All-Projects/groups8
-rw-r--r--baserock_gerrit/All-Projects/project.config101
-rw-r--r--baserock_gerrit/gerrit-access-config.yml141
4 files changed, 286 insertions, 0 deletions
diff --git a/README.mdwn b/README.mdwn
index c4a23628..6d9bfa61 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -232,6 +232,42 @@ Administrators group.
You can add more users into the Administrators group later on using the [gerrit
set-members] command, or the web interface.
+Go to the settings page, 'HTTP Password' and generate a HTTP password for
+yourself. You'll need it in the next step. The password can take a long time to
+appear for some reason, or it might not work at all. Click off the page and
+come back to it and it might suddenly have appeared. I've not investigated why
+this happens.
+
+#### Access control rules
+
+Now set up the Gerrit access configuration. You'll need to have cloned
+<https://github.com/ssssam/ansible-gerrit> alongside infrastructure.git, and ran
+`make` in that directory. You'll also need 'pygerrit' installed somewhere
+Python can find it.
+
+ export GERRIT_URL=http://gerrit.baserock.org
+ export GERRIT_ADMIN_USERNAME=your username
+ export GERRIT_ADMIN_PASSWORD=your generated HTTP password
+
+ ANSIBLE_LIBRARY=../ansible-gerrit \
+ ansible-playbook baserock_gerrit/gerrit-access-config.yml
+
+As well as creating all the groups and initial users in the new Gerrit
+instance, Ansible should update the file baserock_gerrit/All-Projects/groups,
+which will be needed in the next step.
+
+ git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/All-Projects.git /tmp/All-Projects
+ cp -a baserock_gerrit/All-Projects/* /tmp/All-Projects
+ cd /tmp/All-Projects
+ git checkout -b config
+ git commit -a -m "Set up initial access controls."
+ git push origin config:refs/meta/config
+ cd -
+
+#### Mirroring
+
+TO DO: link to document on setting up mirroring.
+
[gerrit set-members]: https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/cmd-set-members.html
### Storyboard
diff --git a/baserock_gerrit/All-Projects/groups b/baserock_gerrit/All-Projects/groups
new file mode 100644
index 00000000..f0d26cc9
--- /dev/null
+++ b/baserock_gerrit/All-Projects/groups
@@ -0,0 +1,8 @@
+# UUID Group Name
+#
+global:Anonymous-Users Anonymous Users
+global:Project-Owners Project Owners
+global:Registered-Users Registered Users
+
+# This file is filled in with the other group IDs by the
+# gerrit-access-config.yml Ansible playbook.
diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config
new file mode 100644
index 00000000..6fc2d815
--- /dev/null
+++ b/baserock_gerrit/All-Projects/project.config
@@ -0,0 +1,101 @@
+# Top-level access controls for projects on Baserock Gerrit.
+
+# These can be overridden by a project's own project.config file. They are also
+# overridden by the config of a project's parent repo, if it is set to something
+# other than the default parent project 'All-Projects'.
+
+# Useful references:
+#
+# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
+# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst
+
+[project]
+ description = Access inherited by all other projects.
+
+[receive]
+ requireContributorAgreement = false
+ requireSignedOffBy = false
+ requireChangeId = true
+
+[submit]
+ mergeContent = true
+
+[capability]
+ administrateServer = group Administrators
+ priority = batch group Non-Interactive Users
+ streamEvents = group Non-Interactive Users
+
+ createProject = group Mirroring Tools
+
+# Everyone can read everything.
+[access "refs/*"]
+ read = group Administrators
+ read = group Anonymous Users
+
+
+# Developers can propose changes. All 'Registered Users' are 'Developers'.
+[access "refs/for/refs/*"]
+ push = group Developers
+ pushMerge = group Developers
+
+
+[access "refs/heads/*"]
+ forgeAuthor = group Developers
+ rebase = group Developers
+ label-Code-Review = -2..+2 group Mergers
+ submit = group Mergers
+ label-Code-Review = -1..+1 group Reviewers
+ label-Verified = -1..+1 group Testers
+
+ create = group Administrators
+ forgeCommitter = group Administrators
+ push = group Administrators
+ create = group Project Owners
+ forgeCommitter = group Project Owners
+ push = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+
+[access "refs/tags/*"]
+ pushTag = group Release Team
+ pushSignedTag = group Release Team
+
+ pushTag = group Administrators
+ pushSignedTag = group Administrators
+ pushTag = group Project Owners
+ pushSignedTag = group Project Owners
+
+ create = group Mirroring Tools
+ push = +force group Mirroring Tools
+ pushTag = +force group Mirroring Tools
+ pushSignedTag = +force group Mirroring Tools
+
+
+# Changing project configuration is allowed for Administrators only. (In theory
+# anyone who owns a project can change its permissions, but right now all
+# projects should be owned by the Administrators group).
+[access "refs/meta/config"]
+ exclusiveGroupPermissions = read
+
+ read = group Administrators
+ push = group Administrators
+ read = group Project Owners
+ push = group Project Owners
+
+[label "Code-Review"]
+ function = MaxWithBlock
+ copyMinScore = true
+ value = -2 Do not merge
+ value = -1 This patch needs further work before it can be merged
+ value = 0 No score
+ value = +1 Looks good to me, but someone else must approve
+ value = +2 Looks good to me, approved
+
+[label "Verified"]
+ function = MaxWithBlock
+ value = -1 Failed
+ value = 0 No score
+ value = +1 Verified
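Review bot: `push = +force group Mirroring Tools` under `[access "refs/heads/*"]` (and again under `refs/tags/*`) is inherited by every project that keeps All-Projects as its parent, so any account in Mirroring Tools — the `lorry` bot per the playbook — can rewrite or delete any branch of any repository, not just the mirrored ones, and the `forgeAuthor`/`forgeCommitter` grants beside it mean those pushes need carry no identity of the bot's own. If only some projects are mirrors, consider granting these rights on a dedicated parent project that the mirrored repositories inherit from, leaving All-Projects without force push; at minimum a comment such as `# +force lets Mirroring Tools rewrite or delete any branch in any project; keep this group limited to the mirror service account` records the trust being placed in that group's credentials. The comment above `[access "refs/meta/config"]` says configuration changes are "allowed for Administrators only", yet the block also grants `read`/`push` to Project Owners; the parenthetical explains why, but the first sentence could state that both groups are granted it. The references comment cites the 2.11 access-control page while the README links the 2.9.4 command reference; worth confirming the deployed version and citing one consistently.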
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml
new file mode 100644
index 00000000..a321e421
--- /dev/null
+++ b/baserock_gerrit/gerrit-access-config.yml
@@ -0,0 +1,141 @@
+# Baserock Gerrit access controls, and predefined users, groups and projects.
+#
+# This Ansible playbook requires the ansible-gerrit modules:
+#
+# https://www.github.com/ssssam/ansible-gerrit
+#
+# These modules depend on pygerrit:
+#
+# https://www.github.com/sonyxperiadev/pygerrit/
+
+# -
+- hosts: localhost
+ tasks:
+ # System groups:
+ # - Anonymous Users
+ # - Change Owner
+ # - Project Owners
+ # - Registered Users
+
+ # Prefined groups:
+ # - Administrators
+ # - Non-Interactive Users
+
+ - gerrit_group:
+ name: Administrators
+ register: administrators_group
+
+ - gerrit_group:
+ name: Non-Interactive Users
+ register: non_interactive_users_group
+
+ # The 'owner' of a group defines who can modify that group. Users
+ # who are in the 'owner' group for a group 'Groupies' can add and remove
+ # people (and other groups) from 'Groupies' and can change the name,
+ # description and owner of 'Groupies.' Since we don't want the
+ # names, descriptions or owners of these predefined groups being
+ # changed, they are all left owned by the Administrators group.
+
+ - gerrit_group:
+ name: Developers
+ description: Registered users who choose to submit changes for consideration.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: developers_group
+
+ # Right now all Mergers are in the Release Team by default.
+ - gerrit_group:
+ name: Release Team
+ description: Developers who can tag releases
+ owner: Administrators
+ register: release_team_group
+
+ - gerrit_group:
+ name: Mergers
+ description: Developers who can trigger the actual merging of a change.
+ owner: Administrators
+ included_groups:
+ - Release Team
+ register: mergers_group
+
+ - gerrit_group:
+ name: Mirroring Tools
+ description: Programs that pull changes from external repositories into Gerrit's Git server
+ owner: Administrators
+ register: mirroring_tools_group
+
+ - gerrit_group:
+ name: Reviewers
+ description: Registered users who choose to give +1 / -1 reviews to proposed changes.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: reviewers_group
+
+ - gerrit_group:
+ name: Testers
+ description: Testers that can give +1 / -1 Verified to proposed changes.
+ owner: Administrators
+ register: testers_group
+
+ # Non-interactive accounts.
+
+ - gerrit_account:
+ username: firehose
+ fullname: Firehose integration bot
+ email: firehose@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Developers
+ #ssh_key: xx
+
+ - gerrit_account:
+ username: lorry
+ fullname: Lorry mirroring service
+ email: lorry@baserock.org
+ groups:
+ - Mirroring Tools
+ - Non-Interactive Users
+ #ssh_key: xx
+
+ - gerrit_account:
+ username: mason
+ fullname: Mason automated tester
+ email: mason@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Testers
+ #ssh_key: xx
+
+ - name: create 'groups' mapping required by Gerrit
+ lineinfile:
+ create: yes
+ dest: All-Projects/groups
+ line: "{{ item.group_info.id }}\t{{ item.group_info.name }}"
+ with_items:
+ - "{{ administrators_group }}"
+ - "{{ non_interactive_users_group }}"
+ - "{{ developers_group }}"
+ - "{{ mergers_group }}"
+ - "{{ mirroring_tools_group }}"
+ - "{{ release_team_group }}"
+ - "{{ reviewers_group }}"
+ - "{{ testers_group }}"
+
+
+# it'd be nice if this module existed... but it doesn't right now. You'll have
+# to commit the files manually.
+#
+# - name: push access configuration for all repos
+# git_commit_in_branch:
+# repo: ssh://{{ env.GERRIT_ADMIN_USERNAME }}@{{ env.GERRIT_URL}}:29418/All-Projects
+# ref: refs/meta/config
+# source: All-Projects
+# committer_name: Baserock Gerrit configuration scripts
+# committer_email: admin@baserock.org
+# commit_message: >
+# Update global configuration.
+#
+# This commit was made by an Ansible playbook living in
+# git://git.baserock.org/baserock/baserock/infrastructure.
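Review bot: The `create 'groups' mapping required by Gerrit` task uses `lineinfile` with no `regexp`, so when a group's UUID changes (for instance after the Gerrit instance is recreated) a second line is appended beside the stale one instead of replacing it, and the committed `groups` file then maps two UUIDs to one name; adding `regexp: '\t{{ item.group_info.name }}$'` to the task makes each group's line be replaced in place. `dest: All-Projects/groups` is relative to the working directory, and whether that resolves to `baserock_gerrit/All-Projects/groups` as the README expects depends on ansible-playbook changing directory to the playbook's location — a comment on the task saying which directory the path is relative to would remove the guesswork. The three `gerrit_account` entries for `firehose`, `lorry` and `mason` are added to privileged groups (Mirroring Tools has force push on every branch in project.config) with their `ssh_key` lines commented out, so no credential is managed or documented here; the header comment should say where those keys are enrolled, e.g. `# SSH keys for the service accounts are not managed by this playbook; enrol them in Gerrit after it has run.` The commented-out `git_commit_in_branch` task builds `ssh://…@{{ env.GERRIT_URL}}:29418/…`, which would be malformed if GERRIT_URL is the `http://` URL the README exports, so if that task is ever revived it needs a host name rather than the REST URL. The comment `# Prefined groups:` has a typo for "Predefined".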