def test_bbb_worker():
    """Access to the Buildbot Bridge provisioner-id/worker-type allows
    scheduling of BBB jobs (but only on non-restricted builders, unless
    more scopes are also present)."""
    # NOTE(review): assertPrincipalsWithScope and principalsWith are defined
    # outside this block; presumably the list below is compared against the
    # principals that actually hold the scope. Confirm whether the match is
    # exact and what omitTrusted=True leaves out.
    scope = "queue:define-task:buildbot-bridge/*"
    expected = [
        # root
        'client-id:root',

        # services
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        'client-id-alias:mozilla-pulse-actions',  # armen's thing
        'client-id:bbb-scheduler',

        # people
        'client-id:adusca-development',

        # user groups
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
def test_bbb():
    """Pin the principals expected to hold the `buildbot-bridge:*` scope."""
    # NOTE(review): a second `test_bbb` appears later in this listing. If
    # both definitions live in one module, Python keeps only the later one
    # and this check never runs.
    scope = "buildbot-bridge:*"
    expected = [
        # root
        'client-id:root',

        # services
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

        # user groups
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    # omitTrusted=True is passed through unchanged; its meaning is defined by
    # the helper, which is not visible here.
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
def test_balrog():
    """Pin the principals expected to hold the balrogVPNProxy feature scope."""
    # TODO: https://bugzilla.mozilla.org/show_bug.cgi?id=1220692
    scope = "docker-worker:feature:balrogVPNProxy"
    expected = [
        # root
        'client-id:root',

        # CI testing
        'client-id-alias:worker-ci-tests',  # XXX ??

        # repos
        'mozilla-group:scm_level_3',
        'moz-tree:level:3',
        # NOTE(review): this wildcard entry is far broader than the per-repo
        # entries that follow it; the original TODO already asks for it to go.
        'repo:*',  # TODO: don't list this, somehow
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',

        # all AWS workers
        'worker-type:aws-provisioner-v1/*',  # XXX ??
        'client-id-alias:testdroid-worker',  # XXX ??

        # services
        'client-id-alias:release-runner-dev',
        'client-id:tc-login',
        'client-id:tc-queue',
        'client-id-alias:scheduler-taskcluster-net',
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id:aws-provisioner',

        # people
        # releng_permacreds / taskcluster_permacreds are module-level names
        # defined outside this block.
        releng_permacreds,
        taskcluster_permacreds,
        'client-id-alias:permacred-armenzg',
        'client-id-alias:permacred-armenzg-testing',
        'client-id-alias:permacred-nhirata',
        'client-id-alias:permacred-ted',
        'client-id-alias:temporary-credentials',
        'client-id:gandalf',

        # user groups
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    ]
    # The "XXX ??" markers above are the original author's open questions
    # about why those principals carry the scope.
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
def test_bbb_tasks():
    """Buildbot Bridge (BBB) allows Buildbot jobs to be run via a
    TaskCluster task.  Most BBB tasks run without the need for additional
    scopes, but some more sensitive builders are restricted by
    `buildbot-bridge:..` scopes.
    """
    # NOTE(review): the helper is defined outside this block; presumably the
    # list is the full set of principals allowed to hold the scope. Confirm
    # what omitTrusted=True excludes before relying on it as an audit.
    scope = "buildbot-bridge:*"
    expected = [
        # root
        'client-id:root',

        # services
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

        # user groups
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
def test_balrog_vpn():
    """Balrog is the administrative interface for Mozilla's update server,
    and automation uses it to publish information about new updates for
    download by end-users' updaters.

    The BalrogVpnProxy docker-worker feature allows *network* access to
    Balrog.  It does not include any Balrog credentials.  As such, it is but
    one layer of access control protecting Balrog, and is distributed a
    little more broadly than full access would be."""
    scope = "docker-worker:feature:balrogVPNProxy"
    expected = [
        # root
        'client-id:root',

        # CI testing
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests

        # repos
        'moz-tree:level:3',
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/b2g-ota:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',

        # AWS workers
        # NOTE(review): the wildcard worker-type entry is expected alongside
        # two named decision worker types; all three point at Bug 1233555.
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        'client-id-alias:testdroid-worker',  # Bug 1218549

        # services
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

        # people
        'client-id:dustin-docker-dev',

        # user groups
        principalsWith('mozilla-group:scm_level_3'),
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    # The helper and the meaning of omitTrusted=True are defined outside
    # this block.
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
def test_bbb():
    """Pin the principals expected to hold the `buildbot-bridge:*` scope."""
    # NOTE(review): an earlier `test_bbb` in this listing carries a different
    # expected list. If both sit in one module, only this later definition
    # runs.
    scope = "buildbot-bridge:*"
    expected = [
        # root
        'client-id:root',

        # services
        'client-id-alias:release-runner-dev',
        'client-id:tc-login',
        'client-id:tc-queue',
        'client-id-alias:scheduler-taskcluster-net',

        # people
        # Both names are module-level values defined outside this block.
        releng_permacreds,
        taskcluster_permacreds,

        # user groups
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    ]
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
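def test_relengapi_tooltool_download():
    """Docker-worker allows tooltool download permissions, for public or
    internal files, to repositories at all SCM levels including SCM level 1
    (try).  This is necessary to build Firefox for Android, which requires
    non-public SDK and NDK bits."""
    # The same expected principals are checked for both download levels, so
    # internal tooltool files are reachable from level 1 (try) by design;
    # see the docstring for the stated reason.
    for lvl in 'public', 'internal':
        # The list is rebuilt on every pass, so each assertion receives its
        # own fresh list object.
        assertPrincipalsWithScope("docker-worker:relengapi-proxy:tooltool.download." + lvl, [
            # trees
            principalsWith('moz-tree:level:1'),
            principalsWith('moz-tree:level:2'),
            principalsWith('moz-tree:level:3'),

            # permacreds used to download builds on bitbar
            'client-id-alias:testdroid-worker',

            # user groups that list the permission explicitly
            principalsWith('mozilla-group:releng'),

            # services
            'client-id-alias:funsize-dev',
            'client-id-alias:funsize-scheduler',
            'client-id-alias:release-runner-dev',
            'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

            # worker types
            'worker-type:aws-provisioner-v1/*',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555

            # root
            'client-id:root',

            # CI testing
            'client-id:dustin-docker-dev',
            'client-id-alias:worker-ci-tests',  # docker-worker integration tests
        ], omitTrusted=True)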