| OLD | NEW |
| 1 // Copyright 2016 The LUCI Authors. All rights reserved. | 1 // Copyright 2016 The LUCI Authors. All rights reserved. |
| 2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
| 3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
| 4 | 4 |
| 5 package buildbot | 5 package buildbot |
| 6 | 6 |
| 7 import ( | 7 import ( |
| 8 "bytes" | 8 "bytes" |
| 9 "compress/gzip" | 9 "compress/gzip" |
| 10 "encoding/json" | 10 "encoding/json" |
| (...skipping 18 matching lines...) |
| 29 if err != nil { | 29 if err != nil { |
| 30 return err | 30 return err |
| 31 } | 31 } |
| 32 defer reader.Close() | 32 defer reader.Close() |
| 33 if err = json.NewDecoder(reader).Decode(master); err != nil { | 33 if err = json.NewDecoder(reader).Decode(master); err != nil { |
| 34 return err | 34 return err |
| 35 } | 35 } |
| 36 return nil | 36 return nil |
| 37 } | 37 } |
| 38 | 38 |
| 39 // User not logged in, master found, master public: nil | 39 // canAccessMaster returns nil iff the currently logged in user is able to see |
| 40 // User not logged in, master not found: 401 | 40 // internal masters, or if the given master is a known public master. |
| 41 // User not logged in, master internal: 401 | 41 func canAccessMaster(c context.Context, name string) error { |
| 42 // User logged in, master found, master internal: nil | |
| 43 // User logged in, master not found: 404 | |
| 44 // User logged in, master found, master internal: 404 | |
| 45 // Other error: 500 | |
| 46 func checkAccess(c context.Context, err error, internal bool) error { | |
| 47 cu := auth.CurrentUser(c) | 42 cu := auth.CurrentUser(c) |
| 48 » switch { | 43 » if cu.Identity != identity.AnonymousIdentity { |
| 49 » case err == ds.ErrNoSuchEntity: | 44 » » // If we're logged in, and we can see internal stuff, return nil
. |
| 50 » » if cu.Identity == identity.AnonymousIdentity { | 45 » » // |
| 51 » » » return errNotAuth | 46 » » // getMasterEntry will maybe return 404 later if the master does
n't actually |
| 52 » » } | 47 » » // exist. |
| 53 » » return errMasterNotFound | 48 » » if allowed, err := common.IsAllowedInternal(c); err != nil || al
lowed { |
| 54 » case err != nil: | |
| 55 » » return err | |
| 56 » } | |
| 57 | |
| 58 » // Do the ACL check if the entry is internal. | |
| 59 » if internal { | |
| 60 » » allowed, err := common.IsAllowedInternal(c) | |
| 61 » » if err != nil { | |
| 62 return err | 49 return err |
| 63 } | 50 } |
| 64 if !allowed { | |
| 65 if cu.Identity == identity.AnonymousIdentity { | |
| 66 return errNotAuth | |
| 67 } | |
| 68 return errMasterNotFound | |
| 69 } | |
| 70 } | 51 } |
| 71 | 52 |
| 72 » return nil | 53 » // We're not logged in, or we can only see public stuff, so see if the m
aster |
| 54 » // is public. |
| 55 » if err := ds.Get(c, &buildbotMasterPublic{name}); err == nil { |
| 56 » » // It exists and is public |
| 57 » » return nil |
| 58 » } |
| 59 |
| 60 » // They need to log in before we can tell them more stuff. |
| 61 » return errNotAuth |
| 73 } | 62 } |
| 74 | 63 |
| 75 // getMasterEntry feches the named master and does an ACL check on the | 64 // getMasterEntry feches the named master and does an ACL check on the |
| 76 // current user. | 65 // current user. |
| 77 // It returns: | 66 // It returns: |
| 78 func getMasterEntry(c context.Context, name string) (*buildbotMasterEntry, error
) { | 67 func getMasterEntry(c context.Context, name string) (*buildbotMasterEntry, error
) { |
| 68 if err := canAccessMaster(c, name); err != nil { |
| 69 return nil, err |
| 70 } |
| 71 |
| 79 entry := buildbotMasterEntry{Name: name} | 72 entry := buildbotMasterEntry{Name: name} |
| 80 err := ds.Get(c, &entry) | 73 err := ds.Get(c, &entry) |
| 81 » err = checkAccess(c, err, entry.Internal) | 74 » if err == ds.ErrNoSuchEntity { |
| 75 » » err = errMasterNotFound |
| 76 » } |
| 82 return &entry, err | 77 return &entry, err |
| 83 } | 78 } |
| 84 | 79 |
| 85 // getMasterJSON fetches the latest known buildbot master data and returns | 80 // getMasterJSON fetches the latest known buildbot master data and returns |
| 86 // the buildbotMaster struct (if found), whether or not it is internal, | 81 // the buildbotMaster struct (if found), whether or not it is internal, |
| 87 // the last modified time, and an error if not found. | 82 // the last modified time, and an error if not found. |
| 88 func getMasterJSON(c context.Context, name string) ( | 83 func getMasterJSON(c context.Context, name string) ( |
| 89 master *buildbotMaster, internal bool, t time.Time, err error) { | 84 master *buildbotMaster, internal bool, t time.Time, err error) { |
| 90 master = &buildbotMaster{} | 85 master = &buildbotMaster{} |
| 91 entry, err := getMasterEntry(c, name) | 86 entry, err := getMasterEntry(c, name) |
| (...skipping 50 matching lines...) |
| 142 for _, bn := range sb { | 137 for _, bn := range sb { |
| 143 // Go templates escapes this for us, and also | 138 // Go templates escapes this for us, and also |
| 144 // slashes are not allowed in builder names. | 139 // slashes are not allowed in builder names. |
| 145 ml.Builders = append(ml.Builders, *resp.NewLink( | 140 ml.Builders = append(ml.Builders, *resp.NewLink( |
| 146 bn, fmt.Sprintf("/buildbot/%s/%s", entry.Name, b
n))) | 141 bn, fmt.Sprintf("/buildbot/%s/%s", entry.Name, b
n))) |
| 147 } | 142 } |
| 148 result.BuilderGroups = append(result.BuilderGroups, ml) | 143 result.BuilderGroups = append(result.BuilderGroups, ml) |
| 149 } | 144 } |
| 150 return result, nil | 145 return result, nil |
| 151 } | 146 } |
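Review bot: In getMasterEntry (new lines 67–78) the fetched entry's Internal flag is no longer consulted, so whether a master is served to an anonymous or non-privileged user rests entirely on a buildbotMasterPublic entity existing for that name (new line 55). Where that marker is written and deleted is not visible on this page; if it can outlive a master being switched to internal, the internal master would be served without an ACL check, so I would re-check `entry.Internal` after the Get as in the excerpt below. Separately, in canAccessMaster every failure of the public lookup, including datastore errors other than ErrNoSuchEntity, becomes errNotAuth, which tells an already logged-in user without internal access to log in (the old code returned errMasterNotFound there) and hides backend failures; this fails closed, but distinguishing ErrNoSuchEntity from other errors would keep it diagnosable. The comment `// It returns:` above getMasterEntry is left dangling and should be completed or dropped.

```go
	err := ds.Get(c, &entry)
	// … unchanged: ErrNoSuchEntity -> errMasterNotFound mapping …
	if err == nil && entry.Internal {
		// Defense in depth: do not rely only on the public marker entity;
		// an internal entry always requires the internal ACL.
		allowed, aerr := common.IsAllowedInternal(c)
		if aerr != nil {
			return nil, aerr
		}
		if !allowed {
			return nil, errNotAuth
		}
	}
```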
| OLD | NEW |