From c87a709ed067ddd8bc4d70ba82cc7eaeccfcc5ed Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Fri, 7 Aug 2015 18:26:17 +0000 Subject: Bug 1191888: Create security_remove.pl script to remove user from all visibility roles in secure bugs --- scripts/security_remove.pl | 189 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100755 scripts/security_remove.pl (limited to 'scripts') diff --git a/scripts/security_remove.pl b/scripts/security_remove.pl new file mode 100755 index 000000000..90099e387 --- /dev/null +++ b/scripts/security_remove.pl @@ -0,0 +1,189 @@ +#!/usr/bin/perl +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# This Source Code Form is "Incompatible With Secondary Licenses", as +# defined by the Mozilla Public License, v. 2.0. + +use 5.10.1; +use strict; +use warnings; + +use FindBin '$RealBin'; +use lib "$RealBin/../..", "$RealBin/../../lib"; + +use Bugzilla; +use Bugzilla::Constants; +use Bugzilla::Field; +use Bugzilla::User; + +use Pod::Usage; + +# Load extensions for monkeypatched $user->clear_last_statistics_ts() +BEGIN { Bugzilla->extensions(); } + +Bugzilla->usage_mode(USAGE_MODE_CMDLINE); + +if (scalar @ARGV < 1) { + die < + +E.g.: security_remove.pl foo\@bar.com + +will remove the specified user from the following roles on private only bugs: + +- Set reporter_accessible to false if user is the reporter +- Remove from the cc list +- Clear qa_contact if the user is qa_contact +- Re-assign to nobody\@mozilla.org if user is the assignee + +This script should not touch user's membership or default assignee, qa contact, +or cc settings for components. + +Script should not send any email about the changes. +USAGE +} + +my ($login_name) = @ARGV; + +# Load nobody user and set as current +my $auto_user = Bugzilla::User->check({ name => 'automation@bmo.tld' }); +Bugzilla->set_user($auto_user); + +# Check target user +my $target_user = Bugzilla::User->check({ name => $login_name }); + +my $dbh = Bugzilla->dbh; +my $timestamp = $dbh->selectrow_array('SELECT LOCALTIMESTAMP(0)'); + +# Gather bug ids +my $reporter_bugs = $dbh->selectcol_arrayref( + q{SELECT bugs.bug_id + FROM bugs, bug_group_map + WHERE bugs.bug_id = bug_group_map.bug_id + AND bugs.reporter_accessible = 1 + AND bugs.reporter = ?}, + undef, $target_user->id) || []; + +my $assignee_bugs = $dbh->selectcol_arrayref( + q{SELECT bugs.bug_id + FROM bugs, bug_group_map + WHERE bugs.bug_id = bug_group_map.bug_id + AND bugs.assigned_to = ?}, + undef, $target_user->id) || []; + +my $qa_bugs = $dbh->selectcol_arrayref( + q{SELECT bugs.bug_id + FROM bugs, bug_group_map + WHERE bugs.bug_id = bug_group_map.bug_id + AND bugs.qa_contact = ?}, + undef, $target_user->id) || []; + +my $cc_bugs = $dbh->selectcol_arrayref( + q{SELECT cc.bug_id + FROM cc, bug_group_map + WHERE cc.bug_id = bug_group_map.bug_id + AND cc.who = ?}, + undef, $target_user->id) || []; + +my $reporter_count = scalar @$reporter_bugs; +my $assignee_count = scalar @$assignee_bugs; +my $qa_count = scalar @$qa_bugs; +my $cc_count = scalar @$cc_bugs; + +if (!$reporter_count + && !$assignee_count + && !$qa_count + && !$cc_count) +{ + warn "There are no bugs to update.\n"; + exit 1; +} + +warn < to stop or to continue... +EOF +getc(); + +$dbh->bz_start_transaction; + +# Reporter - set reporter_accessible to false +my $field_id = get_field_id('reporter_accessible'); +foreach my $bug_id (@$reporter_bugs) { + warn "Updating bug $bug_id\n"; + $dbh->do( + q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added) + VALUES (?, ?, ?, ?, ?, ?)}, + undef, $bug_id, $auto_user->id, $timestamp, $field_id, 1, 0); + $dbh->do( + q{UPDATE bugs SET reporter_accessible = 0, delta_ts = ?, lastdiffed = ? + WHERE bug_id = ?}, + undef, $timestamp, $timestamp, $bug_id); +} + +# Assignee +$field_id = get_field_id('assigned_to'); +foreach my $bug_id (@$assignee_bugs) { + warn "Updating bug $bug_id\n"; + $dbh->do( + q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added) + VALUES (?, ?, ?, ?, ?, ?)}, + undef, $bug_id, $auto_user->id, $timestamp, $field_id, + $target_user->login, $auto_user->login); + $dbh->do( + q{UPDATE bugs SET assigned_to = ?, delta_ts = ?, lastdiffed = ? + WHERE bug_id = ?}, + undef, $auto_user->id, $timestamp, $timestamp, $bug_id); +} + +# QA Contact +$field_id = get_field_id('qa_contact'); +foreach my $bug_id (@$qa_bugs) { + warn "Updating bug $bug_id\n"; + $dbh->do( + q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added) + VALUES (?, ?, ?, ?, ?, '')}, + undef, $bug_id, $auto_user->id, $timestamp, $field_id, $target_user->login); + $dbh->do( + q{UPDATE bugs SET qa_contact = NULL, delta_ts = ?, lastdiffed = ? + WHERE bug_id = ?}, + undef, $timestamp, $timestamp, $bug_id); +} + +# CC list +$field_id = get_field_id('cc'); +foreach my $bug_id (@$cc_bugs) { + warn "Updating bug $bug_id\n"; + $dbh->do( + q{INSERT INTO bugs_activity (bug_id, who, bug_when, fieldid, removed, added) + VALUES (?, ?, ?, ?, ?, '')}, + undef, $bug_id, $auto_user->id, $timestamp, $field_id, $target_user->login); + $dbh->do(q{DELETE FROM cc WHERE bug_id = ? AND who = ?}, + undef, $bug_id, $target_user->id); +} + +$target_user->clear_last_statistics_ts(); + +$dbh->bz_commit_transaction; + +# It's complex to determine which items now need to be flushed from memcached. +# As this is expected to be a rare event, we just flush the entire cache. +Bugzilla->memcached->clear_all(); + +__END__ + +=head1 NAME + +security_remove.pl - Remove user from any role associated with private bugs. + +=head1 SYNOPSIS + + security_remove.pl foo@bar.com -- cgit v1.2.3-24-g4f1b