Chromium Code Reviews Chromium Code Reviews
Issue 2984843002:
swarming: switch to a 'capability focused' ACL system (Closed)
| OLD | NEW |
|---|---|
| 1 # Copyright 2013 The LUCI Authors. All rights reserved. | 1 # Copyright 2013 The LUCI Authors. All rights reserved. |
| 2 # Use of this source code is governed under the Apache License, Version 2.0 | 2 # Use of this source code is governed under the Apache License, Version 2.0 |
| 3 # that can be found in the LICENSE file. | 3 # that can be found in the LICENSE file. |
| 4 | 4 |
| 5 """Main entry point for Swarming service. | 5 """Main entry point for Swarming service. |
| 6 | 6 |
| 7 This file contains the URL handlers for all the Swarming service URLs, | 7 This file contains the URL handlers for all the Swarming service URLs, |
| 8 implemented using the webapp2 framework. | 8 implemented using the webapp2 framework. |
| 9 """ | 9 """ |
| 10 | 10 |
| (...skipping 18 matching lines...) Expand all Loading... | |
| 29 | 29 |
| 30 # Helper class for displaying the sort options in html templates. | 30 # Helper class for displaying the sort options in html templates. |
| 31 SortOptions = collections.namedtuple('SortOptions', ['key', 'name']) | 31 SortOptions = collections.namedtuple('SortOptions', ['key', 'name']) |
| 32 | 32 |
| 33 | 33 |
| 34 ### is_admin pages. | 34 ### is_admin pages. |
| 35 | 35 |
| 36 | 36 |
| 37 class RestrictedConfigHandler(auth.AuthenticatingHandler): | 37 class RestrictedConfigHandler(auth.AuthenticatingHandler): |
| 38 @auth.autologin | 38 @auth.autologin |
| 39 @auth.require(acl.is_admin) | 39 @auth.require(acl.can_view_config) |
| 40 def get(self): | 40 def get(self): |
| 41 # Template parameters schema matches settings_info() return value. | 41 # Template parameters schema matches settings_info() return value. |
| 42 self.response.write(template.render( | 42 self.response.write(template.render( |
| 43 'swarming/restricted_config.html', config.settings_info())) | 43 'swarming/restricted_config.html', config.settings_info())) |
| 44 | 44 |
| 45 | 45 |
| 46 class UploadBotConfigHandler(auth.AuthenticatingHandler): | 46 class UploadBotConfigHandler(auth.AuthenticatingHandler): |
| 47 """Stores a new bot_config.py script.""" | 47 """Stores a new bot_config.py script.""" |
| 48 | 48 |
| 49 @auth.autologin | 49 @auth.autologin |
| 50 @auth.require(acl.is_admin) | 50 @auth.require(acl.can_view_config) |
| 51 def get(self): | 51 def get(self): |
| 52 bot_config = bot_code.get_bot_config() | 52 bot_config = bot_code.get_bot_config() |
| 53 params = { | 53 params = { |
| 54 'content': bot_config.content.decode('utf-8'), | 54 'content': bot_config.content.decode('utf-8'), |
| 55 'path': self.request.path, | 55 'path': self.request.path, |
| 56 'version': bot_config.version, | 56 'version': bot_config.version, |
| 57 'when': bot_config.when, | 57 'when': bot_config.when, |
| 58 'who': bot_config.who or 'N/A', | 58 'who': bot_config.who or 'N/A', |
| 59 'xsrf_token': self.generate_xsrf_token(), | 59 'xsrf_token': self.generate_xsrf_token(), |
| 60 } | 60 } |
| 61 self.response.write( | 61 self.response.write( |
| 62 template.render('swarming/restricted_upload_bot_config.html', params)) | 62 template.render('swarming/restricted_upload_bot_config.html', params)) |
| 63 | 63 |
| 64 @auth.require(acl.is_admin) | 64 @auth.require(acl.can_edit_config) |
| 65 def post(self): | 65 def post(self): |
| 66 script = self.request.get('script', '') | 66 script = self.request.get('script', '') |
| 67 if not script: | 67 if not script: |
| 68 self.abort(400, 'No script uploaded') | 68 self.abort(400, 'No script uploaded') |
| 69 | 69 |
| 70 # Make sure the script is valid utf-8. For some odd reason, the script | 70 # Make sure the script is valid utf-8. For some odd reason, the script |
| 71 # instead may or may not be an unicode instance. This depends if it is on | 71 # instead may or may not be an unicode instance. This depends if it is on |
| 72 # AppEngine production or not. | 72 # AppEngine production or not. |
| 73 if isinstance(script, str): | 73 if isinstance(script, str): |
| 74 script = script.decode('utf-8', 'replace') | 74 script = script.decode('utf-8', 'replace') |
| 75 script = script.encode('utf-8') | 75 script = script.encode('utf-8') |
| 76 bot_code.store_bot_config(self.request.host_url, script) | 76 bot_code.store_bot_config(self.request.host_url, script) |
| 77 self.get() | 77 self.get() |
| 78 | 78 |
| 79 | 79 |
| 80 class UploadBootstrapHandler(auth.AuthenticatingHandler): | 80 class UploadBootstrapHandler(auth.AuthenticatingHandler): |
| 81 """Stores a new bootstrap.py script.""" | 81 """Stores a new bootstrap.py script.""" |
| 82 | 82 |
| 83 @auth.autologin | 83 @auth.autologin |
| 84 @auth.require(acl.is_admin) | 84 @auth.require(acl.can_view_config) |
| 85 def get(self): | 85 def get(self): |
| 86 bootstrap = bot_code.get_bootstrap(self.request.host_url) | 86 bootstrap = bot_code.get_bootstrap(self.request.host_url) |
| 87 params = { | 87 params = { |
| 88 'content': bootstrap.content.decode('utf-8'), | 88 'content': bootstrap.content.decode('utf-8'), |
| 89 'path': self.request.path, | 89 'path': self.request.path, |
| 90 'version': bootstrap.version, | 90 'version': bootstrap.version, |
| 91 'when': bootstrap.when, | 91 'when': bootstrap.when, |
| 92 'who': bootstrap.who or 'N/A', | 92 'who': bootstrap.who or 'N/A', |
| 93 'xsrf_token': self.generate_xsrf_token(), | 93 'xsrf_token': self.generate_xsrf_token(), |
| 94 } | 94 } |
| 95 self.response.write( | 95 self.response.write( |
| 96 template.render('swarming/restricted_upload_bootstrap.html', params)) | 96 template.render('swarming/restricted_upload_bootstrap.html', params)) |
| 97 | 97 |
| 98 @auth.require(acl.is_admin) | 98 @auth.require(acl.can_edit_config) |
| 99 def post(self): | 99 def post(self): |
| 100 script = self.request.get('script', '') | 100 script = self.request.get('script', '') |
| 101 if not script: | 101 if not script: |
| 102 self.abort(400, 'No script uploaded') | 102 self.abort(400, 'No script uploaded') |
| 103 | 103 |
| 104 # Make sure the script is valid utf-8. For some odd reason, the script | 104 # Make sure the script is valid utf-8. For some odd reason, the script |
| 105 # instead may or may not be an unicode instance. This depends if it is on | 105 # instead may or may not be an unicode instance. This depends if it is on |
| 106 # AppEngine production or not. | 106 # AppEngine production or not. |
| 107 if isinstance(script, str): | 107 if isinstance(script, str): |
| 108 script = script.decode('utf-8', 'replace') | 108 script = script.decode('utf-8', 'replace') |
| 109 script = script.encode('utf-8') | 109 script = script.encode('utf-8') |
| 110 bot_code.store_bootstrap(script) | 110 bot_code.store_bootstrap(script) |
| 111 self.get() | 111 self.get() |
| 112 | 112 |
| 113 | 113 |
| 114 ### Mapreduce related handlers | 114 ### Mapreduce related handlers |
| 115 | 115 |
| 116 | 116 |
| 117 class RestrictedLaunchMapReduceJob(auth.AuthenticatingHandler): | 117 class RestrictedLaunchMapReduceJob(auth.AuthenticatingHandler): |
| 118 """Enqueues a task to start a map reduce job on the backend module. | 118 """Enqueues a task to start a map reduce job on the backend module. |
| 119 | 119 |
| 120 A tree of map reduce jobs inherits module and version of a handler that | 120 A tree of map reduce jobs inherits module and version of a handler that |
| 121 launched it. All UI handlers are executes by 'default' module. So to run a | 121 launched it. All UI handlers are executes by 'default' module. So to run a |
| 122 map reduce on a backend module one needs to pass a request to a task running | 122 map reduce on a backend module one needs to pass a request to a task running |
| 123 on backend module. | 123 on backend module. |
| 124 """ | 124 """ |
| 125 | 125 |
| 126 @auth.require(acl.is_admin) | 126 @auth.require(acl.can_edit_config) |
|
Vadim Sh.
2017/07/24 23:07:25
:-/
| |
| 127 def post(self): | 127 def post(self): |
| 128 job_id = self.request.get('job_id') | 128 job_id = self.request.get('job_id') |
| 129 assert job_id in mapreduce_jobs.MAPREDUCE_JOBS | 129 assert job_id in mapreduce_jobs.MAPREDUCE_JOBS |
| 130 success = utils.enqueue_task( | 130 success = utils.enqueue_task( |
| 131 url='/internal/taskqueue/mapreduce/launch/%s' % job_id, | 131 url='/internal/taskqueue/mapreduce/launch/%s' % job_id, |
| 132 queue_name=mapreduce_jobs.MAPREDUCE_TASK_QUEUE, | 132 queue_name=mapreduce_jobs.MAPREDUCE_TASK_QUEUE, |
| 133 use_dedicated_module=False) | 133 use_dedicated_module=False) |
| 134 # New tasks should show up on the status page. | 134 # New tasks should show up on the status page. |
| 135 if success: | 135 if success: |
| 136 self.redirect('/restricted/mapreduce/status') | 136 self.redirect('/restricted/mapreduce/status') |
| (...skipping 141 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 278 ] | 278 ] |
| 279 return [webapp2.Route(*i) for i in routes] | 279 return [webapp2.Route(*i) for i in routes] |
| 280 | 280 |
| 281 | 281 |
| 282 def create_application(debug): | 282 def create_application(debug): |
| 283 routes = [] | 283 routes = [] |
| 284 routes.extend(get_routes()) | 284 routes.extend(get_routes()) |
| 285 routes.extend(handlers_bot.get_routes()) | 285 routes.extend(handlers_bot.get_routes()) |
| 286 routes.extend(handlers_endpoints.get_routes()) | 286 routes.extend(handlers_endpoints.get_routes()) |
| 287 return webapp2.WSGIApplication(routes, debug=debug) | 287 return webapp2.WSGIApplication(routes, debug=debug) |
| OLD | NEW |
