def register_subtoken(subtoken, rule, intent, caller_ip):
  """Stores a new AuthDelegationSubtoken entity and returns its integer ID.

  Args:
    subtoken: delegation_pb2.Subtoken describing the token.
    rule: config_pb2.DelegationConfig.Rule that allows the operation.
    intent: intent supplied when creating the token.
    caller_ip: ipaddr.IP of the caller.

  Returns:
    int64 with ID of the new entity.
  """
  # Both protos are persisted in serialized form; the caller IP is stored as
  # text. creation_time is scaled from seconds to microseconds before it is
  # turned into a datetime.
  fields = {
      'subtoken': subtoken.SerializeToString(),
      'rule': rule.SerializeToString(),
      'intent': intent,
      'caller_ip': ipaddr.ip_to_string(caller_ip),
      'auth_service_version': utils.get_app_version(),
      'delegated_identity': subtoken.delegated_identity,
      'creation_time': utils.timestamp_to_datetime(
          subtoken.creation_time * 1e6),
      'services': list(subtoken.services),
      'requestor_identity': subtoken.requestor_identity,
  }
  entity = AuthDelegationSubtoken(**fields)
  # Skip both caches (use_cache / use_memcache) for this write.
  entity.put(use_cache=False, use_memcache=False)
  new_id = entity.key.integer_id()
  # Keep a logging entry (extractable via BigQuery) too.
  logging.info(
      'subtoken: subtoken_id=%d caller_ip=%s '
      'delegated_identity=%s requestor_identity=%s',
      new_id, entity.caller_ip, entity.delegated_identity,
      entity.requestor_identity)
  return new_id
def test_ip_to_string_v6_ok(self):
  """IPv6 values format as eight unpadded lowercase hex groups."""
  def fmt(value):
    return ipaddr.ip_to_string(ipaddr.IP(128, value))

  cases = [
      (0, '0:0:0:0:0:0:0:0'),
      (2**128 - 1, 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'),
      (0xffff, '0:0:0:0:0:0:0:ffff'),
      # 0xffff in the top 16 bits of the 128-bit value.
      (0xffff << 112, 'ffff:0:0:0:0:0:0:0'),
  ]
  for value, expected in cases:
    self.assertEqual(expected, fmt(value))
def validate_bot_id_and_fetch_config(bot_id):
  """Verifies ID reported by a bot matches the credentials being used.

  Expected to be called in a context of some bot API request handler.

  Uses bots.cfg config to look up what credentials are expected to be used by
  the bot with given ID. Only the first applicable credential branch runs: the
  machine token check if `require_luci_machine_token` is set, otherwise the
  service account check if `require_service_account` is set. A config with
  neither is rejected unless it carries an IP whitelist. The IP whitelist, when
  present, is enforced on top of whichever credential check ran.

  Args:
    bot_id: ID reported by the bot.

  Returns:
    The configuration for this bot (BotGroupConfig tuple), as defined in
    bots.cfg.

  Raises:
    auth.AuthorizationError if bot_id is unknown or bot is using invalid
    credentials.
  """
  def reject(message, log_fmt, *log_args):
    # Full details go to the log; the caller only sees a short message.
    logging.error(log_fmt, *log_args)
    raise auth.AuthorizationError(message)

  cfg = bot_groups_config.get_bot_group_config(bot_id)
  if not cfg:
    reject(
        'Unknown bot ID, not in config',
        'bot_auth: unknown bot_id, not in the config\nbot_id: "%s"', bot_id)

  peer_ident = auth.get_peer_identity()
  if cfg.require_luci_machine_token:
    if not _is_valid_ident_for_bot(peer_ident, bot_id):
      reject(
          'Bot ID doesn\'t match the token used',
          'bot_auth: bot ID doesn\'t match the machine token used\n'
          'bot_id: "%s", peer_ident: "%s"',
          bot_id, peer_ident.to_bytes())
  elif cfg.require_service_account:
    expected_id = auth.Identity(
        auth.IDENTITY_USER, cfg.require_service_account)
    if peer_ident != expected_id:
      reject(
          'bot is not using expected service account',
          'bot_auth: bot is not using expected service account\n'
          'bot_id: "%s", expected_id: "%s", peer_ident: "%s"',
          bot_id, expected_id.to_bytes(), peer_ident.to_bytes())
  elif not cfg.ip_whitelist:
    # This branch should not be hit for validated configs.
    reject(
        'Invalid bot group config',
        'bot_auth: invalid bot group config, no auth method defined\n'
        'bot_id: "%s"', bot_id)

  # Check that IP whitelist applies (in addition to credentials).
  if cfg.ip_whitelist:
    ip = auth.get_peer_ip()
    if not auth.is_in_ip_whitelist(cfg.ip_whitelist, ip):
      reject(
          'Not IP whitelisted',
          'bot_auth: bot IP is not whitelisted\n'
          'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
          bot_id, ipaddr.ip_to_string(ip), cfg.ip_whitelist)
  return cfg
def check_ip_and_finish(auth_method, condition):
  # Closure over bot_auth, ip, bot_id, error and errors from the enclosing
  # scope. Returns (message, errors) when the peer IP is outside the
  # configured whitelist, otherwise records the success in ts_mon and
  # returns (None, []).
  whitelist = bot_auth.ip_whitelist
  if whitelist and not auth.is_in_ip_whitelist(whitelist, ip):
    error(
        'bot_auth: bot IP is not whitelisted\n'
        'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
        bot_id, ipaddr.ip_to_string(ip), whitelist)
    return 'Not IP whitelisted', errors
  ts_mon_metrics.on_bot_auth_success(auth_method, condition)
  return None, []
def test_ip_to_string_v6_bad(self):
  """A value one past the 128-bit range is rejected with ValueError."""
  too_big = 2**128
  with self.assertRaises(ValueError):
    ipaddr.ip_to_string(ipaddr.IP(128, too_big))
def test_ip_to_string_v4_bad(self):
  """An unsupported bit width and an out-of-range IPv4 value both raise."""
  bad_inputs = [
      (8, 0),        # not a supported address width
      (32, 2**32),   # one past the 32-bit range
  ]
  for bits, value in bad_inputs:
    with self.assertRaises(ValueError):
      ipaddr.ip_to_string(ipaddr.IP(bits, value))
def test_ip_to_string_v4_ok(self):
  """32-bit values format in dotted-quad notation."""
  def fmt(value):
    return ipaddr.ip_to_string(ipaddr.IP(32, value))

  cases = [
      (0, '0.0.0.0'),
      (2**32 - 1, '255.255.255.255'),
      (255, '0.0.0.255'),
      (0x7f000001, '127.0.0.1'),
  ]
  for value, expected in cases:
    self.assertEqual(expected, fmt(value))
def get(self):
  """Writes the peer IP of the request, formatted as text, to the response."""
  peer_ip = api.get_peer_ip()
  self.response.write(ipaddr.ip_to_string(peer_ip))
def get(self):
  """Writes the current identity's IP, formatted as text, to the response."""
  identity_ip = api.get_current_identity_ip()
  self.response.write(ipaddr.ip_to_string(identity_ip))
def test_ip_to_string_v6_bad(self):
    """A value one past the 128-bit range is rejected with ValueError."""
    too_big = 2 ** 128
    with self.assertRaises(ValueError):
        ipaddr.ip_to_string(ipaddr.IP(128, too_big))
def test_ip_to_string_v6_ok(self):
    """IPv6 values format as eight unpadded lowercase hex groups."""

    def fmt(value):
        return ipaddr.ip_to_string(ipaddr.IP(128, value))

    cases = [
        (0, "0:0:0:0:0:0:0:0"),
        (2 ** 128 - 1, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
        (0xFFFF, "0:0:0:0:0:0:0:ffff"),
        # 0xFFFF in the top 16 bits of the 128-bit value.
        (0xFFFF << 112, "ffff:0:0:0:0:0:0:0"),
    ]
    for value, expected in cases:
        self.assertEqual(expected, fmt(value))
def test_ip_to_string_v4_bad(self):
    """An unsupported bit width and an out-of-range IPv4 value both raise."""
    bad_inputs = [
        (8, 0),  # not a supported address width
        (32, 2 ** 32),  # one past the 32-bit range
    ]
    for bits, value in bad_inputs:
        with self.assertRaises(ValueError):
            ipaddr.ip_to_string(ipaddr.IP(bits, value))
def test_ip_to_string_v4_ok(self):
    """32-bit values format in dotted-quad notation."""

    def fmt(value):
        return ipaddr.ip_to_string(ipaddr.IP(32, value))

    cases = [
        (0, "0.0.0.0"),
        (2 ** 32 - 1, "255.255.255.255"),
        (255, "0.0.0.255"),
        (0x7F000001, "127.0.0.1"),
    ]
    for value, expected in cases:
        self.assertEqual(expected, fmt(value))