| OLD | NEW |
|---|
| 1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
| 2 // | 2 // |
| 3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
| 5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
| 6 // | 6 // |
| 7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 // | 8 // |
| 9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
| 10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 // See the License for the specific language governing permissions and | 12 // See the License for the specific language governing permissions and |
| 13 // limitations under the License. | 13 // limitations under the License. |
| 14 | 14 |
| 15 package acl | 15 package acl |
| 16 | 16 |
| 17 import ( | 17 import ( |
| 18 "fmt" | 18 "fmt" |
| 19 "regexp" | 19 "regexp" |
| 20 "sort" | 20 "sort" |
| 21 "strings" | 21 "strings" |
| 22 | 22 |
| 23 "github.com/luci/luci-go/common/data/stringset" | 23 "github.com/luci/luci-go/common/data/stringset" |
| 24 "github.com/luci/luci-go/common/errors" | 24 "github.com/luci/luci-go/common/errors" |
| 25 "github.com/luci/luci-go/common/logging" |
| 25 "github.com/luci/luci-go/common/retry/transient" | 26 "github.com/luci/luci-go/common/retry/transient" |
| 26 "github.com/luci/luci-go/scheduler/appengine/messages" | 27 "github.com/luci/luci-go/scheduler/appengine/messages" |
| 27 "github.com/luci/luci-go/server/auth" | 28 "github.com/luci/luci-go/server/auth" |
| 28 "github.com/luci/luci-go/server/auth/identity" | 29 "github.com/luci/luci-go/server/auth/identity" |
| 29 "golang.org/x/net/context" | 30 "golang.org/x/net/context" |
| 30 ) | 31 ) |
| 31 | 32 |
| 32 // GrantsByRole can answer questions who can READ and who OWNS the task. | 33 // GrantsByRole can answer questions who can READ and who OWNS the task. |
| 33 type GrantsByRole struct { | 34 type GrantsByRole struct { |
| 34 Owners []string `gae:",noindex"` | 35 Owners []string `gae:",noindex"` |
| 35 Readers []string `gae:",noindex"` | 36 Readers []string `gae:",noindex"` |
| 36 } | 37 } |
| 37 | 38 |
| 38 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { | 39 func (g *GrantsByRole) IsOwner(c context.Context) (bool, error) { |
| 39 return hasGrant(c, g.Owners, groupsAdministrators) | 40 return hasGrant(c, g.Owners, groupsAdministrators) |
| 40 } | 41 } |
| 41 | 42 |
| 42 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { | 43 func (g *GrantsByRole) IsReader(c context.Context) (bool, error) { |
| 43 if len(g.Readers) == 0 && len(g.Owners) == 0 { | 44 if len(g.Readers) == 0 && len(g.Owners) == 0 { |
| 44 // This is here for backwards compatiblity before ACLs were intr
oduced. | 45 // This is here for backwards compatiblity before ACLs were intr
oduced. |
| 45 // If Job doesn't specify READERs nor OWNERS explicitely, everyb
ody can read. | 46 // If Job doesn't specify READERs nor OWNERS explicitely, everyb
ody can read. |
| 46 // TODO(tAndrii): remove once every Job/Trigger has ACLs specifi
ed. | 47 // TODO(tAndrii): remove once every Job/Trigger has ACLs specifi
ed. |
| 48 logging.Warningf(c, "Granting READ rights to all because no ACLs
specified") |
| 47 return true, nil | 49 return true, nil |
| 48 } | 50 } |
| 49 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) | 51 return hasGrant(c, g.Owners, g.Readers, groupsAdministrators) |
| 50 } | 52 } |
| 51 | 53 |
| 52 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { | 54 func (g *GrantsByRole) Equal(o *GrantsByRole) bool { |
| 53 eqSlice := func(a, b []string) bool { | 55 eqSlice := func(a, b []string) bool { |
| 54 if len(a) != len(b) { | 56 if len(a) != len(b) { |
| 55 return false | 57 return false |
| 56 } | 58 } |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 175 if strings.HasPrefix(grant, "group:") { | 177 if strings.HasPrefix(grant, "group:") { |
| 176 groups = append(groups, grant[len("group:"):]) | 178 groups = append(groups, grant[len("group:"):]) |
| 177 continue | 179 continue |
| 178 } | 180 } |
| 179 grantedIdentity := identity.Identity(grant) | 181 grantedIdentity := identity.Identity(grant) |
| 180 if !strings.ContainsRune(grant, ':') { | 182 if !strings.ContainsRune(grant, ':') { |
| 181 // Just email. | 183 // Just email. |
| 182 grantedIdentity = identity.Identity("user:" + gr
ant) | 184 grantedIdentity = identity.Identity("user:" + gr
ant) |
| 183 } | 185 } |
| 184 if grantedIdentity == currentIdentity { | 186 if grantedIdentity == currentIdentity { |
| 187 logging.Debugf(c, "Found grant %s for %s", curre
ntIdentity) |
| 185 return true, nil | 188 return true, nil |
| 186 } | 189 } |
| 187 } | 190 } |
| 188 } | 191 } |
| 189 if isMember, err := auth.IsMember(c, groups...); err != nil { | 192 if isMember, err := auth.IsMember(c, groups...); err != nil { |
| 190 return false, transient.Tag.Apply(err) | 193 return false, transient.Tag.Apply(err) |
| 191 } else { | 194 } else { |
| 195 logging.Debugf(c, "Result of group membership of %s in %s: %t",
currentIdentity, groups, isMember) |
| 192 return isMember, nil | 196 return isMember, nil |
| 193 } | 197 } |
| 194 } | 198 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3000513002:
scheduler ACLs: Add debug lines. (Closed)
