luci-config: fine-grained acls

appengine/config_service/acl.py

Index: appengine/config_service/acl.py
diff --git a/appengine/config_service/acl.py b/appengine/config_service/acl.py
index a63292385e53861670019db65bbd3f25c9991e8b..41a4100e4afd1f6ca7b2c79e97ce1ec3aac59fca 100644
--- a/appengine/config_service/acl.py
+++ b/appengine/config_service/acl.py
@@ -10,6 +10,7 @@ from components import utils
 
 from proto import service_config_pb2
 import common
+import projects
 import storage
 
 
@@ -19,7 +20,7 @@ def read_acl_cfg():
       common.ACL_FILENAME, service_config_pb2.AclCfg).get_result()
 
 
-def can_read_config_set(config_set, headers=None):
+def can_read_config_set(config_set):
   """Returns True if current requester has access to the |config_set|.
 
   Raise:
@@ -29,17 +30,17 @@ def can_read_config_set(config_set, headers=None):
     service_match = config.SERVICE_CONFIG_SET_RGX.match(config_set)
     if service_match:
       service_name = service_match.group(1)
-      return can_read_service_config(service_name, headers=headers)
+      return can_read_service_config(service_name)
 
     project_match = config.PROJECT_CONFIG_SET_RGX.match(config_set)
     if project_match:
       project_id = project_match.group(1)
-      return can_read_project_config(project_id)
+      return has_project_access(project_id)
 
     ref_match = config.REF_CONFIG_SET_RGX.match(config_set)
     if ref_match:
       project_id = ref_match.group(1)
-      return can_read_project_config(project_id)
+      return has_project_access(project_id)
 
   except ValueError:  # pragma: no cover
     # Make sure we don't let ValueError raise for a reason different than
@@ -49,32 +50,30 @@ def can_read_config_set(config_set, headers=None):
   raise ValueError()
 
 
-def can_read_service_config(service_id, headers=None):
+def can_read_service_config(service_id):
   """Returns True if current requester can read service configs.
 
-  If X-Appengine-Inbound-Appid header matches service_id, the permission is
-  granted.
+  An app <app-id> has access to configs of service with id <app-id>.
   """
   assert isinstance(service_id, basestring)
   assert service_id
 
   group = read_acl_cfg().service_access_group
+  trusted_identities = [

[Vadim Sh., 2015/07/08 14:20:34]

as I said in another CL, I don't like implicitly binding service ID to service
account email. Is it hard to put it into a config?

[nodir, 2015/07/08 16:35:58]

Implemented fine-grained acls for service configs and removed
service_access_group from acl.cfg

+      'user:%s@%s.gserviceaccount.com' % (service_id, subdomain)
+      for subdomain in ('appspot', 'googleplex')]
   return (
       auth.is_admin() or
       group and auth.is_group_member(group) or
-      (headers or {}).get('X-Appengine-Inbound-Appid') == service_id

[Vadim Sh., 2015/07/08 14:20:34]

it should have worked

does caller use follow_redirects=False? GAE adds X-Appengine-Inbound-Appid only
when follow_redirects=False.

[nodir, 2015/07/08 16:35:58]

yes, the caller is chrome-infra-auth-dev.appspot.com through
components.config.remote through components.net which uses
follow_redirects=False by default

+      auth.get_current_identity().to_bytes() in trusted_identities
   )
 
 
-# pylint: disable=W0613
-def can_read_project_config(project_id):  # pragma: no cover
-  return has_project_access()
-
-
-def can_read_project_list():  # pragma: no cover
-  return has_project_access()
-
-
-def has_project_access():
-  group = read_acl_cfg().project_access_group
-  return auth.is_admin() or (group and auth.is_group_member(group))
+def has_project_access(project_id):
+  metadata = projects.get_metadata(project_id)
+  super_group = read_acl_cfg().project_access_group
+  return (
+      auth.is_admin() or
+      super_group and auth.is_group_member(super_group) or
+      metadata and metadata.access and auth.is_group_member(metadata.access)
+  )