def check_bot_terminate_acl(bot_id):
"""Checks if the caller is allowed to terminate the bot.
Checks if the caller has global permission using acl.can_edit_bot().
If the caller doesn't have any global permissions,
It checks realm permission 'swarming.pools.terminateBot'.
The caller is required to have the permissions in *any* pools.
Args:
bot_id: ID of the bot.
Returns:
None
Raises:
auth.AuthorizationError: if the caller is not allowed.
"""
# check global permission.
if acl.can_edit_bot():
return
# check Realm permission 'swarming.pools.terminateBot'
_check_bot_acl(realms_pb2.REALM_PERMISSION_POOLS_TERMINATE_BOT, bot_id)
def permissions(self, _request):
"""Returns the caller's permissions."""
return swarming_rpcs.ClientPermissions(
delete_bot=acl.can_delete_bot(),
terminate_bot=acl.can_edit_bot(),
get_configs=acl.can_view_config(),
put_configs=acl.can_edit_config(),
cancel_task=acl._is_user() or acl.is_ip_whitelisted_machine(),
cancel_tasks=acl.can_edit_all_tasks(),
get_bootstrap_token=acl.can_create_bot())
def can_terminate_bot(bot_id):
"""Checks if the caller is allowed to terminate the bot.
Args:
bot_id: ID of the bot.
Returns:
allowed: True if allowed, False otherwise.
"""
if not bot_id:
return acl.can_edit_bot()
try:
check_bot_terminate_acl(bot_id)
return True
except auth.AuthorizationError:
return False
def test_ip_whitelisted(self):
self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
self.assertTrue(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertTrue(acl.can_edit_bot())
self.assertTrue(acl.can_delete_bot())
self.assertTrue(acl.can_view_bot())
self.assertTrue(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertTrue(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
def test_instance_admin(self):
auth_testing.mock_is_admin(self, True)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertTrue(acl.can_view_config())
self.assertTrue(acl.can_edit_config())
self.assertTrue(acl.can_create_bot())
self.assertTrue(acl.can_edit_bot())
self.assertTrue(acl.can_delete_bot())
self.assertTrue(acl.can_view_bot())
self.assertTrue(acl.can_create_task())
self.assertTrue(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertTrue(acl.can_edit_task(self._task_other))
self.assertTrue(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
auth_testing.mock_get_current_identity(self, auth.Anonymous)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertFalse(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertFalse(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertFalse(acl.can_view_task(self._task_owned))
self.assertFalse(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
def test_view_all_tasks(self):
self._add_to_group('view_all_tasks')
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
self.mock(auth, 'get_current_identity',
lambda: auth.IDENTITY_ANONYMOUS)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertFalse(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertFalse(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertFalse(acl.can_view_task(self._task_owned))
self.assertFalse(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
