OLD | NEW |
1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
2 // | 2 // |
3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
6 // | 6 // |
7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
8 // | 8 // |
9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 // See the License for the specific language governing permissions and | 12 // See the License for the specific language governing permissions and |
13 // limitations under the License. | 13 // limitations under the License. |
14 | 14 |
15 package acl | 15 package acl |
16 | 16 |
17 import ( | 17 import ( |
18 "fmt" | 18 "fmt" |
19 "regexp" | 19 "regexp" |
20 "sort" | 20 "sort" |
21 "strings" | 21 "strings" |
22 | 22 |
23 "github.com/luci/luci-go/common/data/stringset" | 23 "github.com/luci/luci-go/common/data/stringset" |
24 "github.com/luci/luci-go/common/errors" | 24 "github.com/luci/luci-go/common/errors" |
| 25 "github.com/luci/luci-go/common/logging" |
25 "github.com/luci/luci-go/common/retry/transient" | 26 "github.com/luci/luci-go/common/retry/transient" |
26 "github.com/luci/luci-go/scheduler/appengine/messages" | 27 "github.com/luci/luci-go/scheduler/appengine/messages" |
27 "github.com/luci/luci-go/server/auth" | 28 "github.com/luci/luci-go/server/auth" |
28 "github.com/luci/luci-go/server/auth/identity" | 29 "github.com/luci/luci-go/server/auth/identity" |
29 "golang.org/x/net/context" | 30 "golang.org/x/net/context" |
30 ) | 31 ) |
31 | 32 |
32 // GrantsByRole can answer questions who can READ and who OWNS the task. | 33 // GrantsByRole can answer questions who can READ and who OWNS the task. |
33 type GrantsByRole struct { | 34 type GrantsByRole struct { |
34 Owners []string `gae:",noindex"` | 35 Owners []string `gae:",noindex"` |
35 Readers []string `gae:",noindex"` | 36 Readers []string `gae:",noindex"` |
36 } | 37 } |
37 | 38 |
38 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { | 39 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { |
39 return hasGrant(c, g.Owners, groupsAdministrators) | 40 return hasGrant(c, g.Owners, groupsAdministrators) |
40 } | 41 } |
41 | 42 |
42 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { | 43 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { |
43 if len(g.Readers) == 0 && len(g.Owners) == 0 { | 44 if len(g.Readers) == 0 && len(g.Owners) == 0 { |
44 // This is here for backwards compatiblity before ACLs were intr
oduced. | 45 // This is here for backwards compatiblity before ACLs were intr
oduced. |
45 // If Job doesn't specify READERs nor OWNERS explicitely, everyb
ody can read. | 46 // If Job doesn't specify READERs nor OWNERS explicitely, everyb
ody can read. |
46 // TODO(tAndrii): remove once every Job/Trigger has ACLs specifi
ed. | 47 // TODO(tAndrii): remove once every Job/Trigger has ACLs specifi
ed. |
| 48 logging.Warningf(c, "Granting READ rights to all because no ACLs
specified") |
47 return true, nil | 49 return true, nil |
48 } | 50 } |
49 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) | 51 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) |
50 } | 52 } |
51 | 53 |
52 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { | 54 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { |
53 eqSlice := func(a, b []string) bool { | 55 eqSlice := func(a, b []string) bool { |
54 if len(a) != len(b) { | 56 if len(a) != len(b) { |
55 return false | 57 return false |
56 } | 58 } |
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
175 if strings.HasPrefix(grant, "group:") { | 177 if strings.HasPrefix(grant, "group:") { |
176 groups = append(groups, grant[len("group:"):]) | 178 groups = append(groups, grant[len("group:"):]) |
177 continue | 179 continue |
178 } | 180 } |
179 grantedIdentity := identity.Identity(grant) | 181 grantedIdentity := identity.Identity(grant) |
180 if !strings.ContainsRune(grant, ':') { | 182 if !strings.ContainsRune(grant, ':') { |
181 // Just email. | 183 // Just email. |
182 grantedIdentity = identity.Identity("user:" + gr
ant) | 184 grantedIdentity = identity.Identity("user:" + gr
ant) |
183 } | 185 } |
184 if grantedIdentity == currentIdentity { | 186 if grantedIdentity == currentIdentity { |
| 187 logging.Debugf(c, "Found grant %s for %s", curre
ntIdentity) |
185 return true, nil | 188 return true, nil |
186 } | 189 } |
187 } | 190 } |
188 } | 191 } |
189 if isMember, err := auth.IsMember(c, groups...); err != nil { | 192 if isMember, err := auth.IsMember(c, groups...); err != nil { |
190 return false, transient.Tag.Apply(err) | 193 return false, transient.Tag.Apply(err) |
191 } else { | 194 } else { |
| 195 logging.Debugf(c, "Result of group membership of %s in %s: %t",
currentIdentity, groups, isMember) |
192 return isMember, nil | 196 return isMember, nil |
193 } | 197 } |
194 } | 198 } |
OLD | NEW |