[scheduler]: ACLs phase 1 - per Job ACL specification and enforcement.

scheduler/appengine/catalog/catalog.go

 // Copyright 2015 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 15 matching lines @@
 
         "github.com/golang/protobuf/proto"
         "golang.org/x/net/context"
 
         "github.com/luci/gae/service/info"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/luci_config/common/cfgtypes"
         "github.com/luci/luci-go/luci_config/server/cfgclient"
         "github.com/luci/luci-go/luci_config/server/cfgclient/textproto"
 
+        "github.com/luci/luci-go/common/errors"
+        "github.com/luci/luci-go/scheduler/appengine/acl"
         "github.com/luci/luci-go/scheduler/appengine/messages"
         "github.com/luci/luci-go/scheduler/appengine/schedule"
         "github.com/luci/luci-go/scheduler/appengine/task"
 )
 
 var (
         // jobIDRe is used to validate job ID field.
         jobIDRe = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`)
 )
 
@@ skipping 59 matching lines @@
         //
         // Defined via 'trigger {...}' config stanza.
         JobFlavorTrigger
 )
 
 // Definition wraps definition of a scheduler job fetched from the config.
 type Definition struct {
         // JobID is globally unique job identifier: "<ProjectID>/<JobName>".
         JobID string
 
+        // Acls describes who can read and who owns this job.
+        Acls acl.GrantsByRole
+
         // Flavor describes what category of jobs this is, see the enum.
         Flavor JobFlavor
 
         // Revision is config revision this definition was fetched from.
         Revision string
 
         // RevisionURL is URL to human readable page with config file.
         RevisionURL string
 
         // Schedule is job's schedule in regular cron expression format.
@@ skipping 62 matching lines @@
                 if projectName == "" {
                         logging.Warningf(c, "Unexpected ConfigSet: %s", meta.ConfigSet)
                 } else {
                         out = append(out, string(projectName))
                 }
         }
         return out, nil
 }
 
 func (cat *catalog) GetProjectJobs(c context.Context, projectID string) ([]Definition, error) {
-        // TODO(vadimsh): This is a workaround for crbug.com/710619. Remove it once
-        // the bug is fixed.
+        // TODO(vadimsh): This is a workaround for http://crbug.com/710619. Remove it
+        // once the bug is fixed.
         projects, err := cat.GetAllProjects(c)
         if err != nil {
                 return nil, err
         }
         found := false
         for _, p := range projects {
                 if p == projectID {
                         found = true
                 }
         }
@@ skipping 21 matching lines @@
         case cfgclient.ErrNoConfig:
                 return nil, nil
         default:
                 return nil, err
         }
 
         revisionURL := getRevisionURL(&configSetURL, meta.Revision, meta.Path)
         if revisionURL != "" {
                 logging.Infof(c, "Importing %s", revisionURL)
         }
+        // TODO(tandrii): make use of https://godoc.org/github.com/luci/luci-go/common/config/validation
+        knownAclSets, err := acl.ValidateAclSets(cfg.GetAclSets())
+        if err != nil {
+                logging.Errorf(c, "Invalid aclsets definition %s: %s", projectID, err)
+                return nil, errors.Annotate(err, "invalid aclsets in a project %s", projectID).Err()
+        }
 
         out := make([]Definition, 0, len(cfg.Job)+len(cfg.Trigger))
 
         // Regular jobs, triggered jobs.
         for _, job := range cfg.Job {
                 if job.Disabled {
                         continue
                 }
                 id := "(empty)"
                 if job.Id != "" {
@@ skipping 10 matching lines @@
                         continue
                 }
                 schedule := job.Schedule
                 if schedule == "" {
                         schedule = defaultJobSchedule
                 }
                 flavor := JobFlavorTriggered
                 if schedule != "triggered" {
                         flavor = JobFlavorPeriodic
                 }
+                acls, err := acl.ValidateTaskAcls(knownAclSets, job.GetAclSets(), job.GetAcls())
+                if err != nil {
+                        logging.Errorf(c, "Failed to compute task ACLs: %s/%s: %s", projectID, id, err)
+                        continue
+                }
                 out = append(out, Definition{
                         JobID:       fmt.Sprintf("%s/%s", projectID, job.Id),
+                        Acls:        *acls,
                         Flavor:      flavor,
                         Revision:    meta.Revision,
                         RevisionURL: revisionURL,
                         Schedule:    schedule,
                         Task:        packed,
                 })
         }
 
         // Triggering jobs.
         for _, trigger := range cfg.Trigger {
@@ skipping 11 matching lines @@
                 }
                 packed, err := cat.marshalTask(task)
                 if err != nil {
                         logging.Errorf(c, "Failed to marshal the task: %s/%s: %s", projectID, id, err)
                         continue
                 }
                 schedule := trigger.Schedule
                 if schedule == "" {
                         schedule = defaultTriggerSchedule
                 }
+                acls, err := acl.ValidateTaskAcls(knownAclSets, trigger.GetAclSets(), trigger.GetAcls())
+                if err != nil {
+                        logging.Errorf(c, "Failed to compute task ACLs: %s/%s: %s", projectID, id, err)
+                        continue
+                }
                 out = append(out, Definition{
                         JobID:       fmt.Sprintf("%s/%s", projectID, trigger.Id),
+                        Acls:        *acls,
                         Flavor:      JobFlavorTrigger,
                         Revision:    meta.Revision,
                         RevisionURL: revisionURL,
                         Schedule:    schedule,
                         Task:        packed,
                 })
         }
 
         return out, nil
 }
@@ skipping 127 matching lines @@
                 field := v.Field(i)
                 if field.Type() == taskType {
                         field.Set(reflect.ValueOf(task))
                         return proto.Marshal(&wrapper)
                 }
         }
         // This can happen only if TaskDefWrapper wasn't updated when a new task type
         // was added. This is a developer's mistake, not a config mistake.
         return nil, fmt.Errorf("could not find a field of type %T in TaskDefWrapper", task)
 }