[scheduler]: ACLs phase 1 - per Job ACL specification and enforcement.

scheduler/appengine/catalog/catalog.go

Index: scheduler/appengine/catalog/catalog.go
diff --git a/scheduler/appengine/catalog/catalog.go b/scheduler/appengine/catalog/catalog.go
index 4d3901a4c07b5b84b4c1de3231065244ef8b566d..985ac940ac1733e4c6c65b892c3b3b8599bfca7d 100644
--- a/scheduler/appengine/catalog/catalog.go
+++ b/scheduler/appengine/catalog/catalog.go
@@ -33,6 +33,8 @@ import (
 	"github.com/luci/luci-go/luci_config/server/cfgclient"
 	"github.com/luci/luci-go/luci_config/server/cfgclient/textproto"
 
+	"github.com/luci/luci-go/common/errors"
+	"github.com/luci/luci-go/scheduler/appengine/acl"
 	"github.com/luci/luci-go/scheduler/appengine/messages"
 	"github.com/luci/luci-go/scheduler/appengine/schedule"
 	"github.com/luci/luci-go/scheduler/appengine/task"
@@ -40,7 +42,8 @@ import (
 
 var (
 	// jobIDRe is used to validate job ID field.

[Vadim Sh., 2017/08/01 01:56:19]

remove this comment or add a similar one to aclSetIdRe

[tandrii(chromium), 2017/08/01 22:50:01]

Done.

-	jobIDRe = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`)
+	jobIDRe    = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`)
+	aclSetIdRe = jobIDRe

[Vadim Sh., 2017/08/01 01:56:19]

nit: aclSetIDRe

[tandrii(chromium), 2017/08/01 22:50:01]

This isn't used actually, and name was wrong anyway. Removed.
FTR, it's defined in acl.go.

 )
 
 const (
@@ -112,6 +115,9 @@ type Definition struct {
 	// JobID is globally unique job identifier: "<ProjectID>/<JobName>".
 	JobID string
 
+	// Acls describes who can read and who owns this job.
+	Acls acl.GrantsByRole
+
 	// Flavor describes what category of jobs this is, see the enum.
 	Flavor JobFlavor
 
@@ -194,8 +200,8 @@ func (cat *catalog) GetAllProjects(c context.Context) ([]string, error) {
 }
 
 func (cat *catalog) GetProjectJobs(c context.Context, projectID string) ([]Definition, error) {
-	// TODO(vadimsh): This is a workaround for crbug.com/710619. Remove it once
-	// the bug is fixed.
+	// TODO(vadimsh): This is a workaround for http://crbug.com/710619. Remove it
+	// once the bug is fixed.
 	projects, err := cat.GetAllProjects(c)
 	if err != nil {
 		return nil, err
@@ -238,6 +244,12 @@ func (cat *catalog) GetProjectJobs(c context.Context, projectID string) ([]Defin
 		logging.Infof(c, "Importing %s", revisionURL)
 	}
 
+	knownAclSets, err := acl.ValidateAclSets(cfg.GetAclSets())
+	if err != nil {
+		logging.Errorf(c, "Invalid aclsets definition %s: %s", projectID, err)
+		return nil, errors.Annotate(err, "Invalid aclsets in a project %s", projectID).Err()

[Vadim Sh., 2017/08/01 01:56:19]

I think we annotate with lower case

[tandrii(chromium), 2017/08/01 22:50:01]

OK, fixed.

+	}
+
 	out := make([]Definition, 0, len(cfg.Job)+len(cfg.Trigger))
 
 	// Regular jobs, triggered jobs.
@@ -267,8 +279,14 @@ func (cat *catalog) GetProjectJobs(c context.Context, projectID string) ([]Defin
 		if schedule != "triggered" {
 			flavor = JobFlavorPeriodic
 		}
+		acls, err := acl.ValidateTaskAcls(knownAclSets, job.GetAclSets(), job.GetAcls())
+		if err != nil {
+			logging.Errorf(c, "Failed to compute task ACLs: %s/%s: %s", projectID, id, err)
+			continue
+		}
 		out = append(out, Definition{
 			JobID:       fmt.Sprintf("%s/%s", projectID, job.Id),
+			Acls:        *acls,
 			Flavor:      flavor,
 			Revision:    meta.Revision,
 			RevisionURL: revisionURL,
@@ -300,8 +318,14 @@ func (cat *catalog) GetProjectJobs(c context.Context, projectID string) ([]Defin
 		if schedule == "" {
 			schedule = defaultTriggerSchedule
 		}
+		acls, err := acl.ValidateTaskAcls(knownAclSets, trigger.GetAclSets(), trigger.GetAcls())
+		if err != nil {
+			logging.Errorf(c, "Failed to compute task ACLs: %s/%s: %s", projectID, id, err)
+			continue
+		}
 		out = append(out, Definition{
 			JobID:       fmt.Sprintf("%s/%s", projectID, trigger.Id),
+			Acls:        *acls,
 			Flavor:      JobFlavorTrigger,
 			Revision:    meta.Revision,
 			RevisionURL: revisionURL,