LogDog: Project READ access for user endpoints.

appengine/logdog/coordinator/auth.go

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package coordinator
 
 import (
-        "errors"
         "fmt"
+        "strings"
 
         "github.com/luci/gae/service/info"
-        "github.com/luci/luci-go/appengine/logdog/coordinator/config"
         log "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/common/proto/logdog/svcconfig"
         "github.com/luci/luci-go/server/auth"
         "github.com/luci/luci-go/server/auth/identity"
         "golang.org/x/net/context"
 )
 
-// ErrNoAccess is returned if the user has no access to the requested project.
-var ErrNoAccess = config.ErrNoAccess
-
 // IsAdminUser tests whether the current user belongs to the administrative
-// users group. It will return an error if the user does not.
+// users group.
+//

[nodir, 2016/05/19 17:17:20]

I think separating these two paragraphs is unnecessary now

[dnj (Google), 2016/05/19 20:10:46]

I'm okay with it. I like to separate the purpose of the function from its
behavior details.

+// If the user is not, a MembershipError will be returned.
 func IsAdminUser(c context.Context) error {
-        return isMember(c, func(cfg *svcconfig.Coordinator) string {
-                return cfg.AdminAuthGroup
-        })
+        cfg, err := GetServices(c).Config(c)
+        if err != nil {
+                return err
+        }
+        return checkMember(c, cfg.Coordinator.AdminAuthGroup)
 }
 
 // IsServiceUser tests whether the current user belongs to the backend services
-// users group. It will return an error if the user does not.
+// users group.
+//
+// If the user is not, a MembershipError will be returned.
 func IsServiceUser(c context.Context) error {
-        return isMember(c, func(cfg *svcconfig.Coordinator) string {
-                return cfg.ServiceAuthGroup
-        })
+        cfg, err := GetServices(c).Config(c)
+        if err != nil {
+                return err
+        }
+        return checkMember(c, cfg.Coordinator.ServiceAuthGroup)
 }
 
-func isMember(c context.Context, groupNameFunc func(*svcconfig.Coordinator) string) error {
+// IsProjectReader tests whether the current user belongs to one of the
+// project's declared reader groups.
+//
+// If the user is not, a MembershipError will be returned.
+func IsProjectReader(c context.Context, pcfg *svcconfig.ProjectConfig) error {
+        return checkMember(c, pcfg.ReaderAuthGroups...)
+}
+
+func checkMember(c context.Context, groups ...string) error {
         // On dev-appserver, the superuser has implicit group membership to
         // everything.
         if info.Get(c).IsDevAppServer() {
                 if u := auth.CurrentUser(c); u.Superuser {
                         log.Fields{
                                 "identity": u.Identity,
+                                "groups":   groups,
                         }.Infof(c, "Granting superuser implicit group membership on development server.")
                         return nil
                 }
         }
 
-        cfg, err := GetServices(c).Config(c)
-        if err != nil {
-                return err
+        id := auth.CurrentIdentity(c)
+        for _, group := range groups {
+                is, err := auth.IsMember(c, group)
+                if err != nil {
+                        return err
+                }
+                if is {
+                        log.Fields{
+                                "identity": id,
+                                "group":    group,
+                        }.Debugf(c, "User access granted.")
+                        return nil
+                }
         }
 
-        if cfg.Coordinator == nil {
-                return errors.New("no coordinator configuration")
+        return &MembershipError{
+                Identity: id,
+                Groups:   groups,
         }
-
-        groupName := groupNameFunc(cfg.Coordinator)
-        if groupName == "" {
-                return errors.New("no auth group is configured")
-        }
-
-        is, err := auth.IsMember(c, groupName)
-        if err != nil {
-                return err
-        }
-        if !is {
-                return &MembershipError{
-                        Identity: auth.CurrentIdentity(c),
-                        Group:    groupName,
-                }
-        }
-        return nil
 }
 
 // MembershipError is an error returned by group membership checking functions
 // if the current identity is not a member of the requested group.
 type MembershipError struct {
         Identity identity.Identity
-        Group    string
+        Groups   []string
 }
 
 func (e *MembershipError) Error() string {
-        return fmt.Sprintf("user %q is not a member of group %q", e.Identity, e.Group)
+        return fmt.Sprintf("user %q is not a member of [%s]", e.Identity, strings.Join(e.Groups, ", "))
 }
 
 // IsMembershipError returns whether a given error is a membership error.
 func IsMembershipError(e error) bool {
         _, ok := e.(*MembershipError)
         return ok
 }