Milo: ACL support

milo/appengine/settings/acl.go

Index: milo/appengine/settings/acl.go
diff --git a/milo/appengine/settings/acl.go b/milo/appengine/settings/acl.go
new file mode 100644
index 0000000000000000000000000000000000000000..82fb26677096c49de03123bf374bfeb2c24d04a2
--- /dev/null
+++ b/milo/appengine/settings/acl.go
@@ -0,0 +1,68 @@
+// Copyright 2016 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+package settings
+
+import (
+	"github.com/luci/luci-go/common/logging"
+	"github.com/luci/luci-go/server/auth"
+	"github.com/luci/luci-go/server/auth/identity"
+	"golang.org/x/net/context"
+)
+
+// Helper functions for ACL checking.
+
+// IsAllowed checks to see if the user in the context is allowed to access
+// the given project.  If write is true, this checks Writer permissions instead
+// of Reader.  Note that Writer permissions imply Reader.
+func IsAllowed(c context.Context, project string, write bool) bool {

[Vadim Sh., 2016/08/15 22:04:52]

is 'write' used anywhere currently (or going to be used very soon)? If not,
let's keep it out for now. I have a feeling it may end up as a dead code.

[Ryan Tseng, 2016/08/16 00:03:56]

Removing for now.  It's not currently used anywhere.  Will add back in if it's
required somehow.

+	p, err := GetProject(c, project)
+	if err != nil {
+		logging.WithError(err).Errorf(c,
+			"Encountered error while fetching project %s", project)
+		return false

[Vadim Sh., 2016/08/15 22:04:52]

the function should return (bool, error) tuple and return (false, error) in this
case.

"No access" is not the same as "failed to check access". When access check
fails, the user should see HTTP 500 (not HTTP 403 as in the case of "no
access").

[Ryan Tseng, 2016/08/16 00:03:56]

Done.

+	}
+
+	// This is the list of users to check against.  Since writers are implicitly
+	// readers, we populate this list first, and then tack on readers if we're
+	// in readers mode.
+	users := map[string]bool{}
+	for _, u := range p.Writers {
+		users[u] = true
+	}
+	if !write {
+		for _, u := range p.Readers {
+			users[u] = true
+		}
+	}
+
+	// Alright, so who's our user?
+	cu := auth.CurrentUser(c)
+
+	// First, check the anonomyous case.  We just need to see if _any_ of the entries
+	// are "public", and we're done.
+	if cu.Identity == identity.AnonymousIdentity {
+		if _, ok := users["public"]; ok {

[Vadim Sh., 2016/08/15 22:04:52]

no need for this:
1) We have group "all", that includes anonymous users. Here's logdog using it:
https://chromium.googlesource.com/infra/infra/+/infra/config/luci-logdog.cfg#9
2) The check, as it is now, will prevent logged in users to view public entries.
(Because they won't pass check on line 45).

[Ryan Tseng, 2016/08/16 00:03:56]

Done.

+			return true
+		}
+		return false
+	}
+
+	// Ok, now check to see if the user is listed explicitly in any of the entries.
+	if _, ok := users[cu.Email]; ok {
+		return true
+	}
+
+	// Now check for group memberhsip.
+	for entry := range users {
+		ok, err := auth.IsMember(c, entry)
+		if err != nil {
+			logging.WithError(err).Errorf(c,
+				"Could not check if user is a member of %s", entry)
+		} else if ok {
+			return true
+		}
+	}
+	return false
+}