Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(96)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: appengine/config_service/acl.py

Issue 1224913002: luci-config: fine-grained acls (Closed) Base URL: git@github.com:luci/luci-py.git@master
Patch Set: fine-grained acls for service configs Created 5 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « appengine/config_service/README.md ('k') | appengine/config_service/acl_test.py » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 # Copyright 2015 The Swarming Authors. All rights reserved. 1 # Copyright 2015 The Swarming Authors. All rights reserved.
2 # Use of this source code is governed by the Apache v2.0 license that can be 2 # Use of this source code is governed by the Apache v2.0 license that can be
3 # found in the LICENSE file. 3 # found in the LICENSE file.
4 4
5 import re 5 import re
6 6
7 from components import auth 7 from components import auth
8 from components import config 8 from components import config
9 from components import utils 9 from components import utils
10 10
11 from proto import service_config_pb2 11 from proto import service_config_pb2
12 import common 12 import common
13 import projects
14 import services
13 import storage 15 import storage
14 16
15 17
16 @utils.memcache('acl.cfg', time=60) 18 @utils.memcache('acl.cfg', time=60)
17 def read_acl_cfg(): 19 def read_acl_cfg():
18 return storage.get_self_config_async( 20 return storage.get_self_config_async(
19 common.ACL_FILENAME, service_config_pb2.AclCfg).get_result() 21 common.ACL_FILENAME, service_config_pb2.AclCfg).get_result()
20 22
21 23
22 def can_read_config_set(config_set, headers=None): 24 def can_read_config_set(config_set):
23 """Returns True if current requester has access to the |config_set|. 25 """Returns True if current requester has access to the |config_set|.
24 26
25 Raise: 27 Raise:
26 ValueError if config_set is malformed. 28 ValueError if config_set is malformed.
27 """ 29 """
28 try: 30 try:
29 service_match = config.SERVICE_CONFIG_SET_RGX.match(config_set) 31 service_match = config.SERVICE_CONFIG_SET_RGX.match(config_set)
30 if service_match: 32 if service_match:
31 service_name = service_match.group(1) 33 service_name = service_match.group(1)
32 return can_read_service_config(service_name, headers=headers) 34 return has_service_access(service_name)
33 35
34 project_match = config.PROJECT_CONFIG_SET_RGX.match(config_set) 36 project_match = config.PROJECT_CONFIG_SET_RGX.match(config_set)
35 if project_match: 37 if project_match:
36 project_id = project_match.group(1) 38 project_id = project_match.group(1)
37 return can_read_project_config(project_id) 39 return has_project_access(project_id)
38 40
39 ref_match = config.REF_CONFIG_SET_RGX.match(config_set) 41 ref_match = config.REF_CONFIG_SET_RGX.match(config_set)
40 if ref_match: 42 if ref_match:
41 project_id = ref_match.group(1) 43 project_id = ref_match.group(1)
42 return can_read_project_config(project_id) 44 return has_project_access(project_id)
43 45
44 except ValueError: # pragma: no cover 46 except ValueError: # pragma: no cover
45 # Make sure we don't let ValueError raise for a reason different than 47 # Make sure we don't let ValueError raise for a reason different than
46 # malformed config_set. 48 # malformed config_set.
47 logging.exception('Unexpected ValueError in can_read_config_set()') 49 logging.exception('Unexpected ValueError in can_read_config_set()')
48 return False 50 return False
49 raise ValueError() 51 raise ValueError()
50 52
51 53
52 def can_read_service_config(service_id, headers=None): 54 def has_service_access(service_id):
53 """Returns True if current requester can read service configs. 55 """Returns True if current requester can read service configs.
54 56
55 If X-Appengine-Inbound-Appid header matches service_id, the permission is 57 An app <app-id> has access to configs of service with id <app-id>.
56 granted.
57 """ 58 """
58 assert isinstance(service_id, basestring) 59 assert isinstance(service_id, basestring)
59 assert service_id 60 assert service_id
60 61
61 group = read_acl_cfg().service_access_group 62 if auth.is_admin():
63 return True
64
65 service_cfg = services.get_service_async(service_id).get_result()
66 if service_cfg and service_cfg.access:
67 if auth.is_group_member(service_cfg.access):
Vadim Sh. 2015/07/08 19:57:56 Why not support both groups and individual account
nodir 2015/07/08 21:08:48 Done.
68 return True
69
70 return False
71
72
73 def has_project_access(project_id):
74 metadata = projects.get_metadata(project_id)
75 super_group = read_acl_cfg().project_access_group
62 return ( 76 return (
63 auth.is_admin() or 77 auth.is_admin() or
64 group and auth.is_group_member(group) or 78 super_group and auth.is_group_member(super_group) or
65 (headers or {}).get('X-Appengine-Inbound-Appid') == service_id 79 metadata and metadata.access and auth.is_group_member(metadata.access)
66 ) 80 )
67
68
69 # pylint: disable=W0613
70 def can_read_project_config(project_id): # pragma: no cover
71 return has_project_access()
72
73
74 def can_read_project_list(): # pragma: no cover
75 return has_project_access()
76
77
78 def has_project_access():
79 group = read_acl_cfg().project_access_group
80 return auth.is_admin() or (group and auth.is_group_member(group))
OLDNEW
« no previous file with comments | « appengine/config_service/README.md ('k') | appengine/config_service/acl_test.py » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698