server/config: Service-side project access checks.

server/config/access/access.go

+// Copyright 2016 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+// Package access implements a software config.Authority access check against a

[iannucci, 2017/01/07 20:29:23]

not sure `software` is the right adjective. maybe 'application local'. 'best
effort'?

[dnj, 2017/01/10 03:27:13]

Done.

+// project config.
+//
+// Note that this is a soft check, as the true access authority is the config
+// service, and this check is not hitting that service.
+//
+// If access is granted, this function will return nil. If access is explicitly
+// denied, this will return ErrNoAccess.
+//
+// This is a port of the ACL implementation from the config service:
+// https://chromium.googlesource.com/external/github.com/luci/luci-py/+/e3fbb1f5dafa59a2c57cf3a9fe3708f4309ab653/appengine/components/components/config/api.py
+package access
+
+import (
+        "strings"
+
+        "github.com/luci/luci-go/common/errors"
+        configPB "github.com/luci/luci-go/common/proto/config"
+        "github.com/luci/luci-go/server/auth"
+        "github.com/luci/luci-go/server/auth/identity"
+        "github.com/luci/luci-go/server/config"
+        "github.com/luci/luci-go/server/config/textproto"
+
+        "golang.org/x/net/context"
+)
+
+// ErrNoAccess is an error returned by CheckAccess if the supplied Authority
+// does not have access to the supplied config set.
+var ErrNoAccess = errors.New("no access")
+
+// Check tests if a given Authority can access the named config set.
+func Check(c context.Context, a config.Authority, configSet string) error {
+        if a == config.AsService {
+                return nil
+        }
+
+        _, projectConfigSet, _ := config.ParseProjectConfigSet(configSet)
+        if projectConfigSet == "" {
+                // Not a project config set, so neither remaining Authority can access.
+                return ErrNoAccess
+        }
+
+        // Load the project config. We execute this RPC as the service, not the user,
+        // so while this will recurse (and hopefully take advantage of the cache), it
+        // will not trigger an infinite access check loop.
+        var pcfg configPB.ProjectCfg
+        if err := config.Get(c, config.AsService, projectConfigSet, config.ProjectConfigPath,
+                textproto.Message(&pcfg), nil); err != nil {
+                return errors.Annotate(err).Reason("failed to load %(path)q in %(configSet)q").
+                        D("path", config.ProjectConfigPath).D("configSet", projectConfigSet).Err()
+        }
+
+        id := identity.AnonymousIdentity
+        if a == config.AsUser {
+                id = auth.CurrentIdentity(c)
+        }
+        checkGroups := make([]string, 0, len(pcfg.Access))
+        for _, access := range pcfg.Access {
+                if group, ok := trimPrefix(access, "group:"); ok {
+                        // If "group" is "all", then short-circuit to permitted.

[iannucci, 2017/01/07 20:29:23]

!!! but `all` is a valid group name!

can't we make this `group:*` instead, since * is not a valid group name?

[Vadim Sh., 2017/01/07 21:04:23]

We should just remove this short-circuit (if luci-py does it, there too). "all"
is valid group, it exists for real, and it is basically "*:*" -
https://chrome-infra-auth.appspot.com/auth/groups#all

(memberships checks are ~= free in terms of RPC cost, no need for short
circuits).

[dnj, 2017/01/10 03:27:13]

Done.

+                        if group == "all" {
+                                return nil
+                        }
+
+                        // Check group membership.
+                        checkGroups = append(checkGroups, group)
+                } else {
+                        // If there is no ":" in the access string, this is a user ACL.

[iannucci, 2017/01/07 20:29:23]

bummer that we couldn't have made the access string format the same as the
identity format (e.g. require `user:something@something.somewhere`)

[Vadim Sh., 2017/01/07 21:04:23]

It is the same. "user:" is just default prefix.

So one can use require: "abc@example.com" AND require: "user:abc@example.com"
(or whatever)

+                        if strings.IndexRune(access, ':') < 0 {
+                                access = "user:" + access
+                        }
+                        if identity.Identity(access) == id {
+                                return nil
+                        }
+                }
+        }
+
+        // No individual accesses, check groups if we're not anonymous.
+        if a != config.AsAnonymous && len(checkGroups) > 0 {
+                switch canAccess, err := auth.IsMember(c, checkGroups...); {
+                case err != nil:
+                        return errors.Annotate(err).Reason("failed to check group membership").Err()
+                case canAccess:
+                        return nil
+                }
+        }
+        return ErrNoAccess
+}
+
+func trimPrefix(v, pfx string) (string, bool) {
+        if strings.HasPrefix(v, pfx) {
+                return v[len(pfx):], true
+        }
+        return v, false
+}