1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
34 type GrantsByRole struct { | 34 type GrantsByRole struct { |
35 Owners []string `gae:",noindex"` | 35 Owners []string `gae:",noindex"` |
36 Readers []string `gae:",noindex"` | 36 Readers []string `gae:",noindex"` |
37 } | 37 } |
38 | 38 |
39 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { | 39 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { |
40 return hasGrant(c, g.Owners, groupsAdministrators) | 40 return hasGrant(c, g.Owners, groupsAdministrators) |
41 } | 41 } |
42 | 42 |
43 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { | 43 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { |
44 if len(g.Readers) == 0 && len(g.Owners) == 0 { | |
45 // This is here for backwards compatiblity before ACLs were intr
oduced. | |
46 // If Job doesn't specify READERs nor OWNERS explicitely, everyb
ody can read. | |
47 // TODO(tAndrii): remove once every Job/Trigger has ACLs specifi
ed. | |
48 logging.Warningf(c, "Granting READ rights to all because no ACLs
specified") | |
49 return true, nil | |
50 } | |
51 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) | 44 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) |
52 } | 45 } |
53 | 46 |
54 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { | 47 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { |
55 eqSlice := func(a, b []string) bool { | 48 eqSlice := func(a, b []string) bool { |
56 if len(a) != len(b) { | 49 if len(a) != len(b) { |
57 return false | 50 return false |
58 } | 51 } |
59 for i := range a { | 52 for i := range a { |
60 if a[i] != b[i] { | 53 if a[i] != b[i] { |
101 grantsList, exists := pSets[set] | 94 grantsList, exists := pSets[set] |
102 if !exists { | 95 if !exists { |
103 return nil, fmt.Errorf("referencing AclSet '%s' which do
esn't exist", set) | 96 return nil, fmt.Errorf("referencing AclSet '%s' which do
esn't exist", set) |
104 } | 97 } |
105 grantsLists = append(grantsLists, grantsList) | 98 grantsLists = append(grantsLists, grantsList) |
106 } | 99 } |
107 mg := mergeGrants(grantsLists...) | 100 mg := mergeGrants(grantsLists...) |
108 if n := len(mg.Owners) + len(mg.Readers); n > maxGrantsPerJob { | 101 if n := len(mg.Owners) + len(mg.Readers); n > maxGrantsPerJob { |
109 return nil, fmt.Errorf("Job or Trigger can have at most %d acls,
but %d given", maxGrantsPerJob, n) | 102 return nil, fmt.Errorf("Job or Trigger can have at most %d acls,
but %d given", maxGrantsPerJob, n) |
110 } | 103 } |
| 104 if len(mg.Owners) == 0 { |
| 105 return nil, fmt.Errorf("Job or Trigger must have OWNER acl set") |
| 106 } |
| 107 if len(mg.Readers) == 0 { |
| 108 return nil, fmt.Errorf("Job or Trigger must have READER acl set"
) |
| 109 } |
111 return mg, nil | 110 return mg, nil |
112 } | 111 } |
113 | 112 |
114 //////////////////////////////////////////////////////////////////////////////// | 113 //////////////////////////////////////////////////////////////////////////////// |
115 | 114 |
116 var ( | 115 var ( |
117 // aclSetNameRe is used to validate AclSet Name field. | 116 // aclSetNameRe is used to validate AclSet Name field. |
118 aclSetNameRe = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`) | 117 aclSetNameRe = regexp.MustCompile(`^[0-9A-Za-z_\-\.]{1,100}$`) |
119 // maxGrantsPerJob is how many different grants are specified for a job. | 118 // maxGrantsPerJob is how many different grants are specified for a job. |
120 maxGrantsPerJob = 32 | 119 maxGrantsPerJob = 32 |
189 } | 188 } |
190 } | 189 } |
191 } | 190 } |
192 if isMember, err := auth.IsMember(c, groups...); err != nil { | 191 if isMember, err := auth.IsMember(c, groups...); err != nil { |
193 return false, transient.Tag.Apply(err) | 192 return false, transient.Tag.Apply(err) |
194 } else { | 193 } else { |
195 logging.Debugf(c, "Result of group membership of %s in %s: %t",
currentIdentity, groups, isMember) | 194 logging.Debugf(c, "Result of group membership of %s in %s: %t",
currentIdentity, groups, isMember) |
196 return isMember, nil | 195 return isMember, nil |
197 } | 196 } |
198 } | 197 } |
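Review bot: The new check at new lines 107–109 rejects an empty Readers list even though the new IsReader at line 44 still grants read access to Owners and groupsAdministrators via hasGrant, so a job that deliberately lists only owners becomes a validation error rather than an owner-only job; if that strictness is intended, a comment such as `// READER must be explicit: with the open-read fallback gone from IsReader, an empty list would silently mean owners-only.` would save the next reader from re-deriving it. The enclosing validation function starts outside the hunk, so it is not visible here whether anything earlier already guarantees non-empty grants. Because the fallback in IsReader (old lines 44–50) is removed in the same commit, entities already stored with empty Owners or Readers presumably lose non-owner read access at the next IsReader call rather than at validation time, which is worth stating in the commit description so operators know a migration or audit of existing Jobs/Triggers is expected.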