RepoHook: allow users to approve hooks via manifests

The constant prompting when registered hooks change can be tedious and has a large multiplication factor when the project is large (e.g. the AOSP). It gets worse as people want to write more checks, hooks, docs, and tests (or fix bugs), but every CL that goes in will trigger a new prompt to approve. Let's tweak our trust model when it comes to hooks. Since people start off by calling `repo init` with a URL to a manifest, and that manifest defines all the hooks, anchor trust in that. This requires that we get the manifest over a trusted link (e.g. https or ssh) so that it can't be MITM-ed. If the user chooses to use an untrusted link (e.g. git or http), then we'll fallback to the existing hash based approval. Bug: Issue 226 Change-Id: I77be9e4397383f264fcdaefb582e345ea4069a13
2025-06-19 12:34:17 +00:00 · 2016-08-15 21:23:44 -04:00
parent 69297c1b77
commit 40252c20f7
2 changed files with 84 additions and 23 deletions
--- a/subcmds/upload.py
+++ b/subcmds/upload.py
@ -456,7 +456,9 @@ Gerrit Code Review:  http://code.google.com/p/gerrit/

    if pending and (not opt.bypass_hooks):
      hook = RepoHook('pre-upload', self.manifest.repo_hooks_project,
-                      self.manifest.topdir, abort_if_user_denies=True)
+                      self.manifest.topdir,
+                      self.manifest.manifestProject.GetRemote('origin').url,
+                      abort_if_user_denies=True)
      pending_proj_names = [project.name for (project, avail) in pending]
      pending_worktrees = [project.worktree for (project, avail) in pending]
      try: