Disallow pushing to submodule branches that are tracking branches for

[invirt/scripts/git-hooks.git] / builder / invirtibuilder

#!/usr/bin/python

"""Process the Invirt build queue.

The Invirtibuilder handles package builds and uploads. On demand, it
attempts to build a particular package.

If the build succeeds, the new version of the package is uploaded to
the apt repository, tagged in its git repository, and the Invirt
superrepo is updated to point at the new version.

If the build fails, the Invirtibuilder sends mail with the build log.

The build queue is tracked via files in /var/lib/invirt-dev/queue. In
order to maintain ordering, all filenames in that directory are the
timestamp of their creation time.

Each queue file contains a file of the form

    pocket package hash principal

where pocket is one of the pockets globally configured in
git.pockets. For instance, the pockets in XVM are "prod" and "dev".

principal is the Kerberos principal that requested the build.
"""


import contextlib
import os
import re
import shutil
import subprocess

import pyinotify

from invirt.config import structs as config
from invirt import database


_QUEUE_DIR = '/var/lib/invirt-dev/queue'
_REPO_DIR = '/srv/git'
_LOG_DIR = '/var/log/invirt/builds'
_HOOKS_DIR = '/usr/share/invirt-dev/build.d'


DISTRIBUTION = 'hardy'


class InvalidBuild(ValueError):
    pass


def captureOutput(popen_args, stdin_str=None, *args, **kwargs):
    """Capture stdout from a command.

    This method will proxy the arguments to subprocess.Popen. It
    returns the output from the command if the call succeeded and
    raises an exception if the process returns a non-0 value.

    This is intended to be a variant on the subprocess.check_call
    function that also allows you access to the output from the
    command.
    """
    if 'stdin' not in kwargs:
        kwargs['stdin'] = subprocess.PIPE
    if 'stdout' not in kwargs:
        kwargs['stdout'] = subprocess.PIPE
    if 'stderr' not in kwargs:
        kwargs['stderr'] = subprocess.STDOUT
    p = subprocess.Popen(popen_args, *args, **kwargs)
    out, _ = p.communicate(stdin_str)
    if p.returncode:
        raise subprocess.CalledProcessError(p.returncode, popen_args, out)
    return out


def getRepo(package):
    """Return the path to the git repo for a given package."""
    return os.path.join(_REPO_DIR, 'packages', '%s.git' % package)


def pocketToGit(pocket):
    """Map a pocket in the configuration to a git branch."""
    return config.git.pockets[pocket].get('git', pocket)


def pocketToApt(pocket):
    """Map a pocket in the configuration to an apt repo pocket."""
    return config.git.pockets[pocket].get('apt', pocket)


def getGitFile(package, ref, path):
    """Return the contents of a path from a git ref in a package."""
    return captureOutput(['git', 'cat-file', 'blob', '%s:%s' % (ref, path)],
                         cwd=getRepo(package))


def getChangelog(package, ref):
    """Get a changelog object for a given ref in a given package.

    This returns a debian_bundle.changelog.Changelog object for a
    given ref of a given package.
    """
    return changelog.Changelog(getGitFile(package, ref, 'debian/changelog'))


def getVersion(package, ref):
    """Get the version of a given package at a particular ref."""
    return getChangelog(package, ref).get_version()


def getControl(package, ref):
    """Get the parsed debian/control file for a given package.

    This returns a list of debian_bundle.deb822.Deb822 objects, one
    for each section of the debian/control file. Each Deb822 object
    acts roughly like a dict.
    """
    return deb822.Deb822.iter_paragraphs(
        getGitFile(package, ref, 'debian/control').split('\n'))


def getBinaries(package, ref):
    """Get a list of binary packages in a package at a given ref."""
    return [p['Package'] for p in getControl(package, ref)
            if 'Package' in p]


def getArches(package, ref):
    """Get the set of all architectures in any binary package."""
    arches = set()
    for section in getControl(package, ref):
        if 'Architecture' in section:
            arches.update(section['Architecture'].split())
    return arches


def getDscName(package, ref):
    """Return the .dsc file that will be generated for this package."""
    v = getVersion(package, ref)
    return '%s_%s-%s.dsc' % (
        package,
        version.upstream_version,
        version.debian_version)


def validateBuild(pocket, package, commit):
    """Given the parameters of a new build, validate that build.

    The checks this function performs vary based on whether or not the
    pocket is configured with allow_backtracking.

    A build of a pocket without allow_backtracking set must be a
    fast-forward of the previous revision, and the most recent version
    in the changelog most be strictly greater than the version
    currently in the repository.

    In all cases, this revision of the package can only have the same
    version number as any other revision currently in the apt
    repository if they have the same commit ID.

    If it's unspecified, it is assumed that pocket do not
    allow_backtracking.

    If this build request fails validation, this function will raise a
    InvalidBuild exception, with information about why the validation
    failed.

    If this build request can be satisfied by copying the package from
    another pocket, then this function returns that pocket. Otherwise,
    it returns True.
    """
    package_repo = getRepo(package)
    new_version = getVersion(package, commit)

    for p in config.git.pockets:
        if p == pocket:
            continue

        b = pocketToGit(p)
        current_commit = captureOutput(['git', 'rev-parse', b],
                                       cwd=package_repo)
        current_version = getVersion(package, b)

        if current_version == new_version:
            if current_commit == commit:
                return p
            else:
                raise InvalidBuild('Version %s of %s already available in '
                                   'pocket %s from commit %s' %
                                   (new_version, package, p, current_commit))

    if config.git.pockets[pocket].get('allow_backtracking', False):
        branch = pocketToGit(pocket)
        current_version = getVersion(package, branch)
        if new_version <= current_version:
            raise InvalidBuild('New version %s of %s is not newer than '
                               'version %s currently in pocket %s' %
                               (new_version, package, current_version, pocket))

        # Almost by definition, A is a fast-forward of B if B..A is
        # empty
        if not captureOutput(['git', 'rev-list', '%s..%s' % (commit, branch)]):
            raise InvalidBuild('New commit %s of %s is not a fast-forward of'
                               'commit currently in pocket %s' %
                               (commit, package, pocket))


def sanitizeVersion(version):
    """Sanitize a Debian package version for use as a git tag.

    This function strips the epoch from the version number and
    replaces any tildes with periods."""
    v = '%s-%s' % (version.upstream_version,
                   version.debian_version)
    return v.replace('~', '.')


def aptCopy(packages, dst_pocket, src_pocket):
    """Copy a package from one pocket to another."""
    binaries = []
    for line in getGitFile(package, commit, 'debian/control').split('\n'):
        m = re.match('Package: (.*)$')
        if m:
            binaries.append(m.group(1))

    cpatureOutput(['reprepro-env', 'copy',
                   pocketToApt(dst_pocket),
                   pocketToApt(src_pocket),
                   package] + binaries)


def sbuild(package, ref, arch, workdir, arch_all=False):
    """Build a package for a particular architecture."""
    args = ['sbuild', '-d', DISTRIBUTION, '--arch', arch]
    if arch_all:
        args.append('-A')
    args.append(getDscName(package, ref))
    captureOutput(args, cwd=workdir, stdout=None)


def sbuildAll(package, ref, workdir):
    """Build a package for all architectures it supports."""
    arches = getArches(package, ref)
    if 'all' in arches or 'any' in arches or 'amd64' in arches:
        sbuild(package, ref, 'amd64', workdir, arch_all=True)
    if 'any' in arches or 'i386' in arches:
        sbuild(package, ref, 'i386', workdir)


def tagSubmodule(pocket, package, ref, principal):
    """Tag a new version of a submodule.

    If this pocket does not allow_backtracking, then this will create
    a new tag of the version at ref.

    This function doesn't need to care about lock
    contention. git-receive-pack updates one ref at a time, and only
    takes out a lock for that ref after it's passed the update
    hook. Because we reject pushes to tags in the update hook, no push
    can ever take out a lock on any tags.

    I'm sure that long description gives you great confidence in teh
    legitimacy of my reasoning.
    """
    if config.git.pockets[pocket].get('allow_backtracking', False):
        env = dict(os.environ)
        branch = pocketToGit(pocket)
        version = getVersion(package, ref)

        env['GIT_COMMITTER_NAME'] = config.git.tagger.name
        env['GIT_COMMITTER_EMAIL'] = config.git.tagger.email
        tag_msg = ('Tag %s of %s\n\n'
                   'Requested by %s' % (version.full_version,
                                        package,
                                        principal))

        captureOutput(
            ['git', 'tag', '-m', tag_msg, commit],
            stdout=None,
            env=env)


def updateSubmoduleBranch(pocket, package, ref):
    """Update the appropriately named branch in the submodule."""
    branch = pocketToGit(pocket)
    captureOutput(
        ['git', 'update-ref', 'refs/heads/%s' % branch, ref])


def uploadBuild(pocket, workdir):
    """Upload all build products in the work directory."""
    apt = pocketToApt(pocket)
    for changes in glob.glob(os.path.join(workdir, '*.changes')):
        captureOutput(['reprepro-env',
                       'include',
                       '--ignore=wrongdistribution',
                       apt,
                       changes])


def updateSuperrepo(pocket, package, commit, principal):
    """Update the superrepo.

    This will create a new commit on the branch for the given pocket
    that sets the commit for the package submodule to commit.

    Note that there's no locking issue here, because we disallow all
    pushes to the superrepo.
    """
    superrepo = os.path.join(_REPO_DIR, 'packages.git')
    branch = pocketToGit(pocket)
    tree = captureOutput(['git', 'ls-tree', branch],
                         cwd=superrepo)

    new_tree = re.compile(
        r'^(160000 commit )[0-9a-f]*(\t%s)$' % package, re.M).sub(
        r'\1%s\2' % commit,
        tree)

    new_tree_id = captureOutput(['git', 'mktree'],
                                cwd=superrepo,
                                stdin_str=new_tree)

    commit_msg = ('Update %s to version %s\n\n'
                  'Requested by %s' % (package,
                                       version.full_version,
                                       principal))
    new_commit = captureOutput(
        ['git', 'commit-tree', new_tree_hash, '-p', branch],
        cwd=superrepo,
        env=env,
        stdin_str=commit_msg)

    captureOutput(
        ['git', 'update-ref', 'refs/heads/%s' % branch, new_commit],
        cwd=superrepo)


@contextlib.contextmanager
def packageWorkdir(package):
    """Checkout the package in a temporary working directory.

    This context manager returns that working directory. The requested
    package is checked out into a subdirectory of the working
    directory with the same name as the package.

    When the context wrapped with this context manager is exited, the
    working directory is automatically deleted.
    """
    workdir = tempfile.mkdtemp()
    try:
        p_archive = subprocess.Popen(
            ['git', 'archive',
             '--remote=file://%s' % getRepo(package),
             '--prefix=%s' % package,
             commit,
             ],
            stdout=subprocess.PIPE,
            )
        p_tar = subprocess.Popen(
            ['tar', '-x'],
            stdin=p_archive.stdout,
            cwd=workdir,
            )
        p_archive.wait()
        p_tar.wait()

        yield workdir
    finally:
        shutil.rmtree(workdir)


def reportBuild(build):
    """Run hooks to report the results of a build attempt."""

    captureOutput(['run-parts',
                   '--arg=%s' % build.build_id,
                   '--',
                   _HOOKS_DIR])


def build():
    """Deal with items in the build queue.

    When triggered, iterate over build queue items one at a time,
    until there are no more pending build jobs.
    """
    while True:
        stage = 'processing incoming job'
        queue = os.listdir(_QUEUE_DIR)
        if not queue:
            break

        build = min(queue)
        job = open(os.path.join(_QUEUE_DIR, build)).read().strip()
        pocket, package, commit, principal = job.split()

        database.session.begin()
        db = database.Build()
        db.package = package
        db.pocket = pocket
        db.commit = commit
        db.principal = principal
        database.session.save_or_update(db)
        database.commit()

        database.begin()

        try:
            db.failed_stage = 'validating job'
            src = validateBuild(pocket, package, commit)

            db.version = str(getVersion(package, commit))

            # If validateBuild returns something other than True, then
            # it means we should copy from that pocket to our pocket.
            #
            # (If the validation failed, validateBuild would have
            # raised an exception)
            if src != True:
                db.failed_stage = 'copying package from another pocket'
                aptCopy(packages, pocket, src)
            # If we can't copy the package from somewhere, but
            # validateBuild didn't raise an exception, then we need to
            # do the build ourselves
            else:
                db.failed_stage = 'checking out package source'
                with packageWorkdir(package) as workdir:
                    db.failed_stage = 'preparing source package'
                    packagedir = os.path.join(workdir, package)

                    # We should be more clever about dealing with
                    # things like non-Debian-native packages than we
                    # are.
                    #
                    # If we were, we could use debuild and get nice
                    # environment scrubbing. Since we're not, debuild
                    # complains about not having an orig.tar.gz
                    captureOutput(['dpkg-buildpackage', '-us', '-uc', '-S'],
                                  cwd=packagedir,
                                  stdout=None)

                    try:
                        db.failed_stage = 'building binary packages'
                        sbuildAll(package, commit, workdir)
                    finally:
                        logdir = os.path.join(_LOG_DIR, db.build_id)
                        if not os.path.exists(logdir):
                            os.makedirs(logdir)

                        for log in glob.glob(os.path.join(workdir, '*.build')):
                            os.copy2(log, logdir)
                    db.failed_stage = 'tagging submodule'
                    tagSubmodule(pocket, package, commit, principal)
                    db.failed_stage = 'updating submodule branches'
                    updateSubmoduleBranch(pocket, package, commit)
                    db.failed_stage = 'updating superrepo'
                    updateSuperrepo(pocket, package, commit, principal)
                    db.failed_stage = 'uploading packages to apt repo'
                    uploadBuild(pocket, workdir)

                    db.failed_stage = 'cleaning up'

                # Finally, now that everything is done, remove the
                # build queue item
                os.unlink(os.path.join(_QUEUE_DIR, build))
        except:
            db.traceback = traceback.format_exc()
        else:
            db.succeeded = True
            db.failed_stage = None
        finally:
            database.session.save_or_update(db)
            database.session.commit()

            reportBuild(db)


class Invirtibuilder(pyinotify.ProcessEvent):
    """Process inotify triggers to build new packages."""
    def process_IN_CREATE(self, event):
        """Handle a created file or directory.

        When an IN_CREATE event comes in, trigger the builder.
        """
        build()


def main():
    """Initialize the inotifications and start the main loop."""
    database.connect()

    watch_manager = pyinotify.WatchManager()
    invirtibuilder = Invirtibuilder()
    notifier = pyinotify.Notifier(watch_manager, invirtibuilder)
    watch_manager.add_watch(_QUEUE_DIR,
                            pyinotify.EventsCodes.ALL_FLAGS['IN_CREATE'])

    # Before inotifying, run any pending builds; otherwise we won't
    # get notified for them.
    build()

    while True:
        notifier.process_events()
        if notifier.check_events():
            notifier.read_events()


if __name__ == '__main__':
    main()