def test_bbb_worker():
    """Pin who holds the Buildbot Bridge (BBB) task-definition scope.

    Access to the Buildbot Bridge provisioner-id/worker-type allows scheduling
    of BBB jobs, but only on non-restricted builders unless more scopes are
    also present.
    """
    # NOTE(review): the assertion helper is defined outside this listing; it
    # presumably fails when the real holders differ from this list -- confirm,
    # including what omitTrusted=True leaves out of the comparison.
    root = ['client-id:root']
    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        'client-id-alias:mozilla-pulse-actions',  # armen's thing
        'client-id:bbb-scheduler',
    ]
    people = ['client-id:adusca-development']
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithScope(
        "queue:define-task:buildbot-bridge/*",
        root + services + people + user_groups,
        omitTrusted=True)
def test_moco():
    """Pin the principals expected to assume `mozilla-group:team_moco`."""
    expected = [
        'client-id-alias:temporary-credentials',  # Bug 1233553
        # anyone holding a legacy permacred counts as an honorary moco
        # employee
        principalsWith('legacy-permacred'),
        # the taskcluster team holds `*`, so it matches this group too
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    # Any principal outside `expected` is an unreviewed grant of this role
    # (assuming the helper compares the full set -- it is not shown here).
    assertPrincipalsWithRole('mozilla-group:team_moco', expected,
                             omitTrusted=True)
def test_releng():
    """Pin the principals expected to assume `mozilla-group:releng`."""
    expected = [
        # every releng permacred (releng_permacreds is defined elsewhere in
        # the module and passed through as a single entry)
        releng_permacreds,
        # team_relops is accepted as well
        principalsWith('mozilla-group:team_relops'),
        # the taskcluster team holds `*`, so it matches this group too
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithRole('mozilla-group:releng', expected,
                             omitTrusted=True)
def test_bbb():
    """Pin the principals expected to hold the `buildbot-bridge:*` scope."""
    root = ['client-id:root']
    services = [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    # The wildcard scope covers every `buildbot-bridge:` sub-scope, so this
    # list is the complete set of holders the test accepts.
    assertPrincipalsWithScope("buildbot-bridge:*",
                              root + services + user_groups,
                              omitTrusted=True)
def test_relops():
    """Pin the principals expected to assume `mozilla-group:team_relops`."""
    expected = [
        # relops_permacreds is defined elsewhere in the module and passed
        # through as a single entry
        relops_permacreds,
        # the taskcluster team holds `*`, so it matches this group too
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithRole('mozilla-group:team_relops', expected,
                             omitTrusted=True)
def test_bbb_tasks():
    """Pin who holds the scopes that gate restricted Buildbot Bridge builders.

    Buildbot Bridge (BBB) allows Buildbot jobs to be run via a TaskCluster
    task.  Most BBB tasks run without the need for additional scopes, but some
    more sensitive builders are restricted by `buildbot-bridge:..` scopes.
    """
    root = ['client-id:root']
    services = [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    # Holders of the wildcard can run the sensitive builders the docstring
    # mentions, so additions to this list deserve review.
    assertPrincipalsWithScope("buildbot-bridge:*",
                              root + services + user_groups,
                              omitTrusted=True)
def test_balrog_vpn():
    """Pin who may use the docker-worker BalrogVpnProxy feature.

    Balrog is the administrative interface for Mozilla's update server, and
    automation uses it to publish information about new updates for download
    by end-users' updaters.  The BalrogVpnProxy docker-worker feature allows
    *network* access to Balrog.  It does not include any Balrog credentials.
    As such, it is but one layer of access control protecting Balrog, and is
    distributed a little more broadly than full access would be.
    """
    root = ['client-id:root']
    ci_testing = [
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]
    repos = [
        'moz-tree:level:3',
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/b2g-ota:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',
    ]
    # NOTE(review): the `/*` entry looks like it covers every
    # aws-provisioner-v1 worker type, which would make the two named decision
    # worker types redundant and the grant wide -- confirm against Bug 1233555.
    aws_workers = [
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        'client-id-alias:testdroid-worker',  # Bug 1218549
    ]
    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    people = ['client-id:dustin-docker-dev']
    user_groups = [
        principalsWith('mozilla-group:scm_level_3'),
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    expected = (root + ci_testing + repos + aws_workers + services + people
                + user_groups)
    assertPrincipalsWithScope("docker-worker:feature:balrogVPNProxy",
                              expected, omitTrusted=True)
def test_scm_level_3():
    """Pin the principals expected to assume `mozilla-group:scm_level_3`."""
    # people who were granted the role "manually"
    # NOTE(review): a shared temporary-credentials alias sits among the
    # personal permacreds -- confirm a level-3 grant to it is intended.
    manual_grants = [
        'client-id-alias:permacred-armenzg',
        'client-id-alias:permacred-armenzg-testing',
        'client-id-alias:permacred-bhearsum',
        'client-id-alias:permacred-jlund',
        'client-id-alias:permacred-mrrrgn',
        'client-id-alias:permacred-mshal',
        'client-id-alias:permacred-nhirata',
        'client-id-alias:permacred-rail',
        'client-id-alias:permacred-ted',
        'client-id-alias:temporary-credentials',
        'client-id:gandalf',
    ]
    # the taskcluster team holds `*`, so it matches this group too
    star_holders = [principalsWith('mozilla-group:team_taskcluster')]
    assertPrincipalsWithRole('mozilla-group:scm_level_3',
                             manual_grants + star_holders,
                             omitTrusted=True)
def test_tree_level_3():
    """Pin the principals expected to assume the `moz-tree:level:3` role."""
    # level-3 people and repos (l3_repos is defined elsewhere in the module)
    level_3 = [principalsWith('mozilla-group:scm_level_3'), l3_repos]
    ci_testing = [
        'client-id:dustin-docker-dev',
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]
    # permacreds used to download builds on bitbar
    bitbar = ['client-id-alias:testdroid-worker']  # Bug 1218549
    services = ['client-id:aws-provisioner']
    # NOTE(review): the wildcard appears to give every aws-provisioner-v1
    # worker type the level-3 tree role -- confirm against Bug 1233555.
    worker_types = ['worker-type:aws-provisioner-v1/*']  # Bug 1233555
    assertPrincipalsWithRole(
        'moz-tree:level:3',
        level_3 + ci_testing + bitbar + services + worker_types,
        omitTrusted=True)
def test_scm_level_1():
    """Pin the principals expected to assume `mozilla-group:scm_level_1`."""
    # people who were granted the role "manually"
    manual_grants = [
        'client-id-alias:brson',
        'client-id-alias:drs',
        'client-id-alias:gerard-majax',
        'client-id-alias:kgrandon',
        'client-id-alias:mihneadb',
        'client-id-alias:npark',
        'client-id-alias:nullaus',
        'client-id-alias:permacred-rthijssen',
        'client-id-alias:russn',
        'client-id-alias:rwood',
        'client-id-alias:shako',
        'client-id-alias:sousmangoosta',
    ]
    # the taskcluster team holds `*`, so it matches this group too
    star_holders = [principalsWith('mozilla-group:team_taskcluster')]
    assertPrincipalsWithRole('mozilla-group:scm_level_1',
                             manual_grants + star_holders,
                             omitTrusted=True)
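def test_relengapi_tooltool_download():
    """Pin who holds the docker-worker tooltool download scopes.

    Docker-worker allows tooltool download permissions, for public or internal
    files, to repositories at all SCM levels including SCM level 1 (try).  This
    is necessary to build Firefox for Android, which requires non-public SDK
    and NDK bits.

    The same expected list is asserted for both the `public` and the
    `internal` variant of the scope.
    """
    # A leftover debugging `print` of the level-1 principals used to sit here.
    # It only added noise to the test output (and is a syntax error on
    # Python 3), so it has been dropped.
    for lvl in 'public', 'internal':
        assertPrincipalsWithScope("docker-worker:relengapi-proxy:tooltool.download." + lvl, [
            # trees
            principalsWith('moz-tree:level:1'),
            principalsWith('moz-tree:level:2'),
            principalsWith('moz-tree:level:3'),

            # permacreds used to download builds on bitbar
            'client-id-alias:testdroid-worker',

            # user groups that list the permission explicitly
            principalsWith('mozilla-group:releng'),

            # services
            'client-id-alias:funsize-dev',
            'client-id-alias:funsize-scheduler',
            'client-id-alias:release-runner-dev',
            'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

            # worker types
            # NOTE(review): the `/*` entry looks like it already covers the two
            # named decision worker types -- confirm against Bug 1233555.
            'worker-type:aws-provisioner-v1/*',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555

            # root
            'client-id:root',

            # CI testing
            'client-id:dustin-docker-dev',
            'client-id-alias:worker-ci-tests',  # docker-worker integration tests
        ], omitTrusted=True)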
def test_scm_level_2():
    """Pin the principals expected to assume `mozilla-group:scm_level_2`."""
    # Only the taskcluster team is expected here: it holds `*`, which matches
    # this group like every other one.
    expected = [principalsWith('mozilla-group:team_taskcluster')]
    assertPrincipalsWithRole('mozilla-group:scm_level_2', expected,
                             omitTrusted=True)
def test_tree_level_1():
    """Pin the principals expected to assume the `moz-tree:level:1` role."""
    expected = [
        # level-1 people and repos (l1_repos is defined elsewhere in the
        # module) ...
        principalsWith('mozilla-group:scm_level_1'), l1_repos,
        # ... plus every principal that already has moz-tree:level:2
        principalsWith('moz-tree:level:2'),
    ]
    assertPrincipalsWithRole('moz-tree:level:1', expected, omitTrusted=True)