server/config: Service-side project access checks.

luci_config/server/cfgclient/access/access.go

Index: luci_config/server/cfgclient/access/access.go
diff --git a/luci_config/server/cfgclient/access/access.go b/luci_config/server/cfgclient/access/access.go
new file mode 100644
index 0000000000000000000000000000000000000000..8f26f007ee1939506ffe4dd7cfd1336ef7623e6f
--- /dev/null
+++ b/luci_config/server/cfgclient/access/access.go
@@ -0,0 +1,96 @@
+// Copyright 2016 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+// Package access implements a config service access check against a project
+// config client.
+//
+// Note that this is a soft check, as the true access authority is the config
+// service, and this check is not hitting that service.
+//
+// If access is granted, this function will return nil. If access is explicitly
+// denied, this will return ErrNoAccess.
+//
+// This is a port of the ACL implementation from the config service:
+// https://chromium.googlesource.com/external/github.com/luci/luci-py/+/e3fbb1f5dafa59a2c57cf3a9fe3708f4309ab653/appengine/components/components/config/api.py
+package access
+
+import (
+	"strings"
+
+	"github.com/luci/luci-go/common/errors"
+	configPB "github.com/luci/luci-go/common/proto/config"
+	"github.com/luci/luci-go/luci_config/common/cfgtypes"
+	"github.com/luci/luci-go/luci_config/server/cfgclient"
+	"github.com/luci/luci-go/luci_config/server/cfgclient/backend"
+	"github.com/luci/luci-go/luci_config/server/cfgclient/textproto"
+	"github.com/luci/luci-go/server/auth"
+	"github.com/luci/luci-go/server/auth/identity"
+
+	"golang.org/x/net/context"
+)
+
+// ErrNoAccess is an error returned by CheckAccess if the supplied Authority
+// does not have access to the supplied config set.
+var ErrNoAccess = errors.New("no access")
+
+// Check tests if a given Authority can access the named config set.
+func Check(c context.Context, a backend.Authority, configSet cfgtypes.ConfigSet) error {
+	if a == backend.AsService {
+		return nil
+	}
+
+	_, projectConfigSet, _ := configSet.SplitProject()
+	if projectConfigSet == "" {
+		// Not a project config set, so neither remaining Authority can access.
+		return ErrNoAccess
+	}
+
+	// Load the project config. We execute this RPC as the service, not the user,
+	// so while this will recurse (and hopefully take advantage of the cache), it
+	// will not trigger an infinite access check loop.
+	var pcfg configPB.ProjectCfg
+	if err := cfgclient.Get(c, cfgclient.AsService, projectConfigSet, cfgclient.ProjectConfigPath,
+		textproto.Message(&pcfg), nil); err != nil {
+		return errors.Annotate(err).Reason("failed to load %(path)q in %(configSet)q").
+			D("path", cfgclient.ProjectConfigPath).D("configSet", projectConfigSet).Err()
+	}
+
+	id := identity.AnonymousIdentity
+	if a == backend.AsUser {
+		id = auth.CurrentIdentity(c)
+	}
+	checkGroups := make([]string, 0, len(pcfg.Access))
+	for _, access := range pcfg.Access {
+		if group, ok := trimPrefix(access, "group:"); ok {
+			// Check group membership.
+			checkGroups = append(checkGroups, group)
+		} else {
+			// If there is no ":" in the access string, this is a user ACL.
+			if strings.IndexRune(access, ':') < 0 {
+				access = "user:" + access
+			}
+			if identity.Identity(access) == id {
+				return nil
+			}
+		}
+	}
+
+	// No individual accesses, check groups.
+	if len(checkGroups) > 0 {
+		switch canAccess, err := auth.IsMember(c, checkGroups...); {
+		case err != nil:
+			return errors.Annotate(err).Reason("failed to check group membership").Err()
+		case canAccess:
+			return nil
+		}
+	}
+	return ErrNoAccess
+}
+
+func trimPrefix(v, pfx string) (string, bool) {
+	if strings.HasPrefix(v, pfx) {
+		return v[len(pfx):], true
+	}
+	return v, false
+}