diff --git a/gitlab/configuration.yml b/gitlab/configuration.yml new file mode 100644 --- /dev/null +++ b/gitlab/configuration.yml @@ -0,0 +1,283 @@ +# Owner +# Maintainer +# Developer +# Reporter +# Guest + +groups: + teams/staff: + users: + phabricator-migration: Owner + anlambert: Maintainer + ardumont: Maintainer + bchauvet: Owner + douardda: Maintainer + jayeshv: Maintainer + lunar: Maintainer + marla.dasilva: Maintainer + moranegg: Maintainer + olasd: Maintainer + rdicosmo: Owner + sgranger: Maintainer + vlorentz: Maintainer + vsellier: Maintainer + zack: Owner + remove_extra_memberships: true + teams/developers: + users: + phabricator-migration: Owner + anlambert: Maintainer + ardumont: Maintainer + bchauvet: Maintainer + douardda: Maintainer + jayeshv: Maintainer + lunar: Maintainer + moranegg: Maintainer + olasd: Maintainer + rdicosmo: Maintainer + vlorentz: Maintainer + vsellier: Maintainer + zack: Maintainer + remove_extra_memberships: true + teams/sysadmin: + users: + phabricator-migration: Owner + ardumont: Owner + olasd: Owner + vsellier: Owner + remove_extra_memberships: true + teams/interns: + users: + phabricator-migration: Owner + remove_extra_memberships: true + teams/management: + users: + phabricator-migration: Owner + bchauvet: Owner + douardda: Maintainer + rdicosmo: Owner + vsellier: Maintainer + zack: Owner + remove_extra_memberships: true + infra: + users: + phabricator-migration: Owner + remove_extra_memberships: true + share_with_groups: + teams/sysadmin: Owner + modules: + users: + phabricator-migration: Owner + share_with_groups: + teams/developers: Maintainer + remove_extra_memberships: true + migrated: + users: + phabricator-migration: Owner + share_with_groups: + teams/sysadmin: Owner + teams/developers: Maintainer + remove_extra_memberships: true + +projects: + # [1] https://docs.gitlab.com/ee/api/projects.html#edit-project + + # List of namespaces managed by the script (It should be the first level of the + # project namespace). Other unmanaged projects will be skipped during the script + # execution. + managed_namespaces: + - infra + + namespace_settings: + # Dict[str, Any] of key the project namespace, and value a dict of any of the global + # settings keys above and value, whatever we want to set. + infra/puppet/3rdparty: + issues_access_level: disabled + infra/ci-cd/debs: + issues_access_level: disabled + + # Dict[str, Any] of key the project with its path namespace, and value a dict of any of + # the global settings keys above (e.g. visibility) and value, whatever we want to set + # (e.g. assuming the key 'visibility', some credentials repositories, we want to set it + # 'private'). + project_settings: + infra/ci-cd/k8s-swh-private-data: + visibility: private + infra/puppet/puppet-swh-private-data: + visibility: private + # staging extra repositories + infra/websites/www.softwareheritage.org-gandi: + visibility: private + infra/credentials: + visibility: private + infra/k8s-swh-private-data: + visibility: private + infra/annex/annex-private: + visibility: private + infra/iFWCFG: + visibility: private + + # Dict[str, Any] of key the setting to change (e.g. 'merge_method') and as value + # whatever we want to set (e.g. assuming the 'merge_method', 'ff' as in fast-forward). + # The keys were determined out of the gitlab api documentation [1]. Some were not + # supported. Those are located after the 'unsupported' comment. + global_settings: + # string (optional): See project visibility level. + visibility: public + # string (optional): Set the merge method used. + merge_method: ff + # boolean (optional): Enable Delete source branch option by default for all new merge + # requests. + remove_source_branch_after_merge: true + # string (optional): One of disabled, private, or enabled. + # releases_access_level: enabled + # boolean: Set whether or not merge requests can be merged with skipped jobs. + # allow_merge_on_skipped_pipeline: false + # string: One of disabled, private or enabled + # analytics_access_level: enabled + # boolean: Enable Auto DevOps for this project. + # auto_devops_enabled: false + # boolean: Set whether auto-closing referenced issues on default branch. + # autoclose_referenced_issues: true + # string (optional): The Git strategy. Defaults to fetch. + # build_git_strategy: fetch + # integer (optional): The maximum amount of time, in seconds, that a job can run. + # build_timeout: 3600 + # string (optional): One of disabled, private, or enabled. + # builds_access_level: enabled + # string (optional): The path to CI configuration file. + # ci_config_path: "" + # integer (optional): Default number of revisions for shallow cloning. + # ci_default_git_depth: 20 + # boolean (optional): Enable or disable prevent outdated deployment jobs. + # ci_forward_deployment_enabled: true + # boolean (optional): Enable or disable running pipelines in the parent project for + # merge requests from forks. (Introduced in GitLab 15.3.) + # ci_allow_fork_pipelines_to_run_in_parent_project: true + # boolean (optional): Set whether or not caches should be separated by branch + # protection status. + # ci_separated_caches: true + # string (optional): Set visibility of container registry, for this project, to one of + # disabled, private or enabled. + # container_registry_access_level: disabled + # string (optional): The default branch name. + # default_branch: master + # string (optional): Short project description. + # description: "" + # boolean (optional): Disable email notifications. + # emails_disabled: true + # boolean (optional): Enforce auth checks on uploads. + # enforce_auth_checks_on_uploads: true + # string (optional): One of disabled, private, or enabled. + # forking_access_level: enabled + # string (optional): One of disabled, private, or enabled. + # issues_access_level: enabled + # boolean (optional): Disable or enable the ability to keep the latest artifact for + # this project. + # keep_latest_artifact: True + # boolean (optional): Enable LFS. + # lfs_enabled: True + # string (optional): Template used to create merge commit message in merge requests. + # (Introduced in GitLab 14.5.) + # merge_commit_template: "" + # string (optional): One of disabled, private, or enabled. + # merge_requests_access_level: enabled + # boolean (optional): Set whether merge requests can only be merged when all the + # discussions are resolved. + # only_allow_merge_if_all_discussions_are_resolved: False + # boolean (optional): Set whether merge requests can only be merged with successful + # jobs. + # only_allow_merge_if_pipeline_succeeds: False + # string (optional): One of disabled, private, or enabled. + # operations_access_level: disabled + # boolean (optional): Enable or disable packages repository feature. + # packages_enabled: False + # string (optional): One of disabled, private, enabled, or public. + # pages_access_level: disabled + # boolean (optional): Show link to create/view merge request when pushing from the + # command line. + # printing_merge_request_link_enabled: true + # string (optional): One of disabled, private, or enabled. + # repository_access_level: enabled + # string (optional): Which storage shard the repository is on. (administrators only) + # repository_storage: default + # boolean (optional): Allow users to request member access. + # request_access_enabled: true + # boolean (optional): Automatically resolve merge request diffs discussions on lines + # changed with a push. + # resolve_outdated_diff_discussions: false + # boolean (optional): Allow only users with the Maintainer role to pass user-defined + # variables when triggering a pipeline. For example when the pipeline is triggered in + # the UI, with the API, or by a trigger token. + # restrict_user_defined_variables: false + # string (optional): (GitLab 14.9 and later) Security and compliance access level. One + # of disabled, private, or enabled. + # security_and_compliance_access_level: private + # boolean (optional): Enable or disable Service Desk feature. + # service_desk_enabled: false + # boolean (optional): Enable shared runners for this project. + # shared_runners_enabled: true + # string (optional): One of disabled, private, or enabled. + # snippets_access_level: enabled + # string (optional): Template used to create squash commit message in merge requests. + # (Introduced in GitLab 14.6.) + # squash_commit_template: "" + # string (optional): One of never, always, default_on, or default_off. + # squash_option: default_on + # string (optional): The commit message used to apply merge request suggestions. + # suggestion_commit_message: "" + # string (optional): One of disabled, private, or enabled. + # wiki_access_level: enabled + # ------------------------------------------------------- + # Following keys are documented but somehow not supported + # ------------------------------------------------------- + # boolean: Indicates that merges of merge requests should be blocked unless all status + # checks have passed. Defaults to false. Introduced in GitLab 15.5 with feature flag + # only_allow_merge_if_all_status_checks_passed disabled by default. + # only_allow_merge_if_all_status_checks_passed: ? + # integer: How many approvers should approve merge request by default. To configure + # approval rules, see Merge request approvals API. + # approvals_before_merge: ? + # string: Auto-cancel pending pipelines. This isn’t a boolean, but enabled/disabled. + # auto_cancel_pending_auto: ? + # string: Auto Deploy strategy (continuous, manual, or timed_incremental). + # pipelines_devops_deploy_strategy: ? + # mixed (optional): Image file for avatar of the project. + # avatar: ? + # hash (optional): Update the image cleanup policy for this project. Accepts: cadence + # (string), keep_n (integer), older_than (string), name_regex (string), + # name_regex_delete (string), name_regex_keep (string), enabled (boolean). + # container_expiration_policy_attributes: ? + # string (optional): The classification label for the project. + # external_authorization_classification_label: ? + # string (optional): Default description for Issues. Description is parsed with GitLab + # Flavored Markdown. See Templates for issues and merge requests. + # issues_template: ? + # boolean (optional): Enable or disable merge pipelines. + # merge_pipelines_enabled: ? + # string (optional): Default description for merge requests. Description is parsed + # with GitLab Flavored Markdown. See Templates for issues and merge requests. + # merge_requests_template: ? + # boolean (optional): Enable or disable merge trains. + # merge_trains_enabled: ? + # boolean (optional): Pull mirror overwrites diverged branches. + # mirror_overwrites_diverged_branches: ? + # boolean (optional): Pull mirroring triggers builds. + # mirror_trigger_builds: ? + # integer (optional): User responsible for all the activity surrounding a pull mirror + # event. (administrators only) + # mirror_user_id: ? + # boolean (optional): Enables pull mirroring in a project. + # mirror: ? + # boolean (optional): For forked projects, target merge requests to this project. If + # false, the target will be the upstream project. + # mr_default_target_self: ? + # boolean (optional): Only mirror protected branches. + # only_mirror_protected_branches: ? + # boolean (optional): If true, jobs can be viewed by non-project members. + # public_builds: ? + # string (optional): One of disabled, private, enabled or public + # requirements_access_level: ? + # string (optional): Template used to suggest names for branches created from issues. + # (Introduced in GitLab 15.6.) + # issue_branch_template: ? diff --git a/gitlab/manage_users_groups.py b/gitlab/manage_users_groups.py deleted file mode 100755 --- a/gitlab/manage_users_groups.py +++ /dev/null @@ -1,150 +0,0 @@ -#!/usr/bin/env python3 - -import logging - -import click -import yaml - -import gitlab - -logger = logging.getLogger(__name__) - - -@click.command() -@click.option( - "--gitlab", - "-g", - "gitlab_instance", - help="Which GitLab instance to use, as configured in the python-gitlab config", -) -@click.option( - "--do-it", - "do_it", - is_flag=True, - help="Actually perform the operations", -) -@click.argument("config_file") -def cli(gitlab_instance, do_it, config_file): - """Ensure that GitLab users and group memberships match the structure defined in the - configuration file. This uses the python-gitlab configuration parsing.""" - gl = gitlab.Gitlab.from_config(gitlab_instance) - gl.auth() - - with open(config_file, "r") as f: - config = yaml.safe_load(f) - - if not do_it: - logger.info( - "Will not perform any actions, please use --do-it once you're satisfied" - " with the expected actions." - ) - - for group_path, group_conf in config["groups"].items(): - group = gl.groups.get(group_path, with_projects=False) - expected_members = { - username: gitlab.const.AccessLevel[access_level.upper()] - for username, access_level in group_conf["users"].items() - } - recorded_members = set() - - expected_group_shares = { - other_path: gitlab.const.AccessLevel[access_level.upper()] - for other_path, access_level in group_conf.get( - "share_with_groups", {} - ).items() - } - recorded_members = set() - - remove_extra_memberships = group_conf.get("remove_extra_memberships", False) - for member in group.members.list(): - username = member.username - expected_access_level = expected_members.get(member.username) - if expected_access_level and member.access_level != expected_access_level: - logger.info( - "Adjusting membership for %s in %s to %s (was %s)", - username, - group_path, - expected_access_level.name, - member.access_level, - ) - if do_it: - member.access_level = expected_access_level - member.save() - - if remove_extra_memberships and not expected_access_level: - logger.info("Removing member %s from %s", username, group_path) - if do_it: - member.delete() - - recorded_members.add(username) - - for username, access_level in expected_members.items(): - if username in recorded_members: - continue - - users = gl.users.list(username=username) - if not users: - logger.warning( - "User %s not found, cannot add them to %s!", username, group_path - ) - continue - - user_id = users[0].id - - logger.info( - "Adding member %s in %s at level %s", username, group_path, access_level - ) - if do_it: - group.members.create({"user_id": user_id, "access_level": access_level}) - - recorded_group_shares = set() - - for group_share in group.shared_with_groups: - other_path = group_share["group_full_path"] - other_id = group_share["group_id"] - other_access_level = group_share["group_access_level"] - expected_access_level = expected_group_shares.get(other_path) - if expected_access_level and other_access_level != expected_access_level: - logger.info( - "Adjusting group_share for %s in %s to %s (was %s)", - other_path, - group_path, - expected_access_level, - other_access_level, - ) - if do_it: - group.share(other_id, expected_access_level) - - if remove_extra_memberships and not expected_access_level: - logger.info("Removing group %s from %s", other_path, group_path) - if do_it: - group.unshare(other_id) - - recorded_group_shares.add(other_path) - - for other_path, access_level in expected_group_shares.items(): - if other_path in recorded_group_shares: - continue - - other_group = gl.groups.get(other_path) - if not other_group: - logger.warning( - "Group %s not found, cannot add them to %s!", other_path, group_path - ) - continue - - logger.info( - "Adding group %s in %s at level %s", - other_path, - group_path, - access_level, - ) - if do_it: - group.share(other_group.id, access_level) - - -if __name__ == "__main__": - logging.basicConfig( - level=logging.INFO, format="%(asctime)s %(name)s:%(levelname)s %(message)s" - ) - cli() diff --git a/gitlab/projects.yml b/gitlab/projects.yml deleted file mode 100644 --- a/gitlab/projects.yml +++ /dev/null @@ -1,201 +0,0 @@ -# [1] https://docs.gitlab.com/ee/api/projects.html#edit-project - -# List of namespaces managed by the script (It should be the first level of the -# project namespace). Other unmanaged projects will be skipped during the script -# execution. -managed_project_namespaces: - - infra - -namespace_settings: - # Dict[str, Any] of key the project namespace, and value a dict of any of the global - # settings keys above and value, whatever we want to set. - infra/puppet/3rdparty: - issues_access_level: disabled - infra/ci-cd/debs: - issues_access_level: disabled - -# Dict[str, Any] of key the project with its path namespace, and value a dict of any of -# the global settings keys above (e.g. visibility) and value, whatever we want to set -# (e.g. assuming the key 'visibility', some credentials repositories, we want to set it -# 'private'). -project_settings: - infra/ci-cd/k8s-swh-private-data: - visibility: private - infra/puppet/puppet-swh-private-data: - visibility: private - # staging extra repositories - infra/websites/www.softwareheritage.org-gandi: - visibility: private - infra/credentials: - visibility: private - infra/k8s-swh-private-data: - visibility: private - infra/annex/annex-private: - visibility: private - infra/iFWCFG: - visibility: private - -# Dict[str, Any] of key the setting to change (e.g. 'merge_method') and as value -# whatever we want to set (e.g. assuming the 'merge_method', 'ff' as in fast-forward). -# The keys were determined out of the gitlab api documentation [1]. Some were not -# supported. Those are located after the 'unsupported' comment. -global_settings: - # string (optional): See project visibility level. - visibility: public - # string (optional): Set the merge method used. - merge_method: ff - # boolean (optional): Enable Delete source branch option by default for all new merge - # requests. - remove_source_branch_after_merge: true - # string (optional): One of disabled, private, or enabled. - # releases_access_level: enabled - # boolean: Set whether or not merge requests can be merged with skipped jobs. - # allow_merge_on_skipped_pipeline: false - # string: One of disabled, private or enabled - # analytics_access_level: enabled - # boolean: Enable Auto DevOps for this project. - # auto_devops_enabled: false - # boolean: Set whether auto-closing referenced issues on default branch. - # autoclose_referenced_issues: true - # string (optional): The Git strategy. Defaults to fetch. - # build_git_strategy: fetch - # integer (optional): The maximum amount of time, in seconds, that a job can run. - # build_timeout: 3600 - # string (optional): One of disabled, private, or enabled. - # builds_access_level: enabled - # string (optional): The path to CI configuration file. - # ci_config_path: "" - # integer (optional): Default number of revisions for shallow cloning. - # ci_default_git_depth: 20 - # boolean (optional): Enable or disable prevent outdated deployment jobs. - # ci_forward_deployment_enabled: true - # boolean (optional): Enable or disable running pipelines in the parent project for - # merge requests from forks. (Introduced in GitLab 15.3.) - # ci_allow_fork_pipelines_to_run_in_parent_project: true - # boolean (optional): Set whether or not caches should be separated by branch - # protection status. - # ci_separated_caches: true - # string (optional): Set visibility of container registry, for this project, to one of - # disabled, private or enabled. - # container_registry_access_level: disabled - # string (optional): The default branch name. - # default_branch: master - # string (optional): Short project description. - # description: "" - # boolean (optional): Disable email notifications. - # emails_disabled: true - # boolean (optional): Enforce auth checks on uploads. - # enforce_auth_checks_on_uploads: true - # string (optional): One of disabled, private, or enabled. - # forking_access_level: enabled - # string (optional): One of disabled, private, or enabled. - # issues_access_level: enabled - # boolean (optional): Disable or enable the ability to keep the latest artifact for - # this project. - # keep_latest_artifact: True - # boolean (optional): Enable LFS. - # lfs_enabled: True - # string (optional): Template used to create merge commit message in merge requests. - # (Introduced in GitLab 14.5.) - # merge_commit_template: "" - # string (optional): One of disabled, private, or enabled. - # merge_requests_access_level: enabled - # boolean (optional): Set whether merge requests can only be merged when all the - # discussions are resolved. - # only_allow_merge_if_all_discussions_are_resolved: False - # boolean (optional): Set whether merge requests can only be merged with successful - # jobs. - # only_allow_merge_if_pipeline_succeeds: False - # string (optional): One of disabled, private, or enabled. - # operations_access_level: disabled - # boolean (optional): Enable or disable packages repository feature. - # packages_enabled: False - # string (optional): One of disabled, private, enabled, or public. - # pages_access_level: disabled - # boolean (optional): Show link to create/view merge request when pushing from the - # command line. - # printing_merge_request_link_enabled: true - # string (optional): One of disabled, private, or enabled. - # repository_access_level: enabled - # string (optional): Which storage shard the repository is on. (administrators only) - # repository_storage: default - # boolean (optional): Allow users to request member access. - # request_access_enabled: true - # boolean (optional): Automatically resolve merge request diffs discussions on lines - # changed with a push. - # resolve_outdated_diff_discussions: false - # boolean (optional): Allow only users with the Maintainer role to pass user-defined - # variables when triggering a pipeline. For example when the pipeline is triggered in - # the UI, with the API, or by a trigger token. - # restrict_user_defined_variables: false - # string (optional): (GitLab 14.9 and later) Security and compliance access level. One - # of disabled, private, or enabled. - # security_and_compliance_access_level: private - # boolean (optional): Enable or disable Service Desk feature. - # service_desk_enabled: false - # boolean (optional): Enable shared runners for this project. - # shared_runners_enabled: true - # string (optional): One of disabled, private, or enabled. - # snippets_access_level: enabled - # string (optional): Template used to create squash commit message in merge requests. - # (Introduced in GitLab 14.6.) - # squash_commit_template: "" - # string (optional): One of never, always, default_on, or default_off. - # squash_option: default_on - # string (optional): The commit message used to apply merge request suggestions. - # suggestion_commit_message: "" - # string (optional): One of disabled, private, or enabled. - # wiki_access_level: enabled - # ------------------------------------------------------- - # Following keys are documented but somehow not supported - # ------------------------------------------------------- - # boolean: Indicates that merges of merge requests should be blocked unless all status - # checks have passed. Defaults to false. Introduced in GitLab 15.5 with feature flag - # only_allow_merge_if_all_status_checks_passed disabled by default. - # only_allow_merge_if_all_status_checks_passed: ? - # integer: How many approvers should approve merge request by default. To configure - # approval rules, see Merge request approvals API. - # approvals_before_merge: ? - # string: Auto-cancel pending pipelines. This isn’t a boolean, but enabled/disabled. - # auto_cancel_pending_auto: ? - # string: Auto Deploy strategy (continuous, manual, or timed_incremental). - # pipelines_devops_deploy_strategy: ? - # mixed (optional): Image file for avatar of the project. - # avatar: ? - # hash (optional): Update the image cleanup policy for this project. Accepts: cadence - # (string), keep_n (integer), older_than (string), name_regex (string), - # name_regex_delete (string), name_regex_keep (string), enabled (boolean). - # container_expiration_policy_attributes: ? - # string (optional): The classification label for the project. - # external_authorization_classification_label: ? - # string (optional): Default description for Issues. Description is parsed with GitLab - # Flavored Markdown. See Templates for issues and merge requests. - # issues_template: ? - # boolean (optional): Enable or disable merge pipelines. - # merge_pipelines_enabled: ? - # string (optional): Default description for merge requests. Description is parsed - # with GitLab Flavored Markdown. See Templates for issues and merge requests. - # merge_requests_template: ? - # boolean (optional): Enable or disable merge trains. - # merge_trains_enabled: ? - # boolean (optional): Pull mirror overwrites diverged branches. - # mirror_overwrites_diverged_branches: ? - # boolean (optional): Pull mirroring triggers builds. - # mirror_trigger_builds: ? - # integer (optional): User responsible for all the activity surrounding a pull mirror - # event. (administrators only) - # mirror_user_id: ? - # boolean (optional): Enables pull mirroring in a project. - # mirror: ? - # boolean (optional): For forked projects, target merge requests to this project. If - # false, the target will be the upstream project. - # mr_default_target_self: ? - # boolean (optional): Only mirror protected branches. - # only_mirror_protected_branches: ? - # boolean (optional): If true, jobs can be viewed by non-project members. - # public_builds: ? - # string (optional): One of disabled, private, enabled or public - # requirements_access_level: ? - # string (optional): Template used to suggest names for branches created from issues. - # (Introduced in GitLab 15.6.) - # issue_branch_template: ? diff --git a/gitlab/users_groups.yml b/gitlab/users_groups.yml --- a/gitlab/users_groups.yml +++ b/gitlab/users_groups.yml @@ -1,80 +0,0 @@ -# Owner -# Maintainer -# Developer -# Reporter -# Guest - -groups: - teams/staff: - users: - phabricator-migration: Owner - anlambert: Maintainer - ardumont: Maintainer - bchauvet: Owner - douardda: Maintainer - jayeshv: Maintainer - lunar: Maintainer - marla.dasilva: Maintainer - moranegg: Maintainer - olasd: Maintainer - rdicosmo: Owner - sgranger: Maintainer - vlorentz: Maintainer - vsellier: Maintainer - zack: Owner - remove_extra_memberships: true - teams/developers: - users: - phabricator-migration: Owner - anlambert: Maintainer - ardumont: Maintainer - bchauvet: Maintainer - douardda: Maintainer - jayeshv: Maintainer - lunar: Maintainer - moranegg: Maintainer - olasd: Maintainer - rdicosmo: Maintainer - vlorentz: Maintainer - vsellier: Maintainer - zack: Maintainer - remove_extra_memberships: true - teams/sysadmin: - users: - phabricator-migration: Owner - ardumont: Owner - olasd: Owner - vsellier: Owner - remove_extra_memberships: true - teams/interns: - users: - phabricator-migration: Owner - remove_extra_memberships: true - teams/management: - users: - phabricator-migration: Owner - bchauvet: Owner - douardda: Maintainer - rdicosmo: Owner - vsellier: Maintainer - zack: Owner - remove_extra_memberships: true - infra: - users: - phabricator-migration: Owner - remove_extra_memberships: true - share_with_groups: - teams/sysadmin: Owner - modules: - users: - phabricator-migration: Owner - share_with_groups: - teams/developers: Maintainer - remove_extra_memberships: true - migrated: - users: - phabricator-migration: Owner - share_with_groups: - teams/sysadmin: Owner - teams/developers: Maintainer - remove_extra_memberships: true