def get_available_buckets():
"""Returns buckets available to the current identity.
Results are memcached for 10 minutes per identity.
Returns:
Set of bucket names or None if all buckets are available.
"""
if auth.is_admin():
return None
identity = auth.get_current_identity().to_bytes()
cache_key = 'available_buckets/%s' % identity
available_buckets = memcache.get(cache_key)
if available_buckets is not None:
return available_buckets
logging.info(
'Computing a list of available buckets for %s' % identity)
group_buckets_map = collections.defaultdict(set)
available_buckets = set()
all_buckets = config.get_buckets_async().get_result()
for bucket in all_buckets:
for rule in bucket.acls:
if rule.identity == identity:
available_buckets.add(bucket.name)
if rule.group:
group_buckets_map[rule.group].add(bucket.name)
for group, buckets in group_buckets_map.iteritems():
if available_buckets.issuperset(buckets):
continue
if auth.is_group_member(group):
available_buckets.update(buckets)
# Cache for 10 min
memcache.set(cache_key, available_buckets, 10 * 60)
return available_buckets
def has_project_access(project_id):
metadata = projects.get_metadata(project_id)
super_group = read_acl_cfg().project_access_group
return (
auth.is_admin() or
super_group and auth.is_group_member(super_group) or
metadata and config.api._has_access(metadata.access)
)
def _has_access(access_list):
cur_ident = auth.get_current_identity().to_bytes()
for ac in access_list:
if ac.startswith('group:'):
if auth.is_group_member(ac.split(':', 2)[1]):
return True
else:
identity_str = ac
if ':' not in identity_str:
identity_str = 'user:%s' % identity_str
if cur_ident == identity_str:
return True
return False
def has_role(package_path, role, identity):
"""True if |identity| has |role| in some |package_path|."""
assert impl.is_valid_package_path(package_path), package_path
assert is_valid_role(role), role
if auth.is_admin(identity):
return True
for acl in get_package_acls(package_path, role):
if identity in acl.users:
return True
for group in acl.groups:
if auth.is_group_member(group, identity):
return True
return False
def get_current_backend():
"""Returns the backend associated with the current user.
Returns:
An rpc_messages.Backend instance representing the current user, or None if
the current user is not a recognized backend.
"""
for backend in rpc_messages.Backend:
backend_group = 'machine-provider-%s-backend' % backend.name.lower()
if auth.is_group_member(backend_group):
logging.info('User is %s backend', backend.name)
return backend
logging.info('User is not a recognized backend service')
def _has_access(access_list, identity=None):
identity = identity or auth.get_current_identity()
identity_str = identity.to_bytes()
for ac in access_list:
if ac.startswith('group:'):
group = ac.split(':', 2)[1]
if auth.is_group_member(group, identity):
return True
else:
ac_identity_str = ac
if ':' not in ac_identity_str:
ac_identity_str = 'user:%s' % ac_identity_str
if identity_str == ac_identity_str:
return True
return False
def get(self):
# Require users to be logged to see builder alerts from private/internal
# trees.
user = auth.get_current_identity()
if user.is_anonymous:
ret = {}
ret.update({
'date': datetime.datetime.utcnow(),
'redirect-url': self.create_login_url(self.request.uri)
})
data = self.generate_json_dump(ret)
self.send_json_headers()
self.response.write(data)
return
if not auth.is_group_member('googlers'):
self.response.set_status(403, 'Permission Denied')
return
super(InternalAlertsHandler, self).get()
def has_any_of_roles_async(bucket, roles):
"""True if current identity has any of |roles| in |bucket|."""
assert bucket
assert roles
errors.validate_bucket_name(bucket)
roles = set(roles)
assert roles.issubset(project_config_pb2.Acl.Role.values())
if auth.is_admin():
raise ndb.Return(True)
bucket_cfg = yield config.get_bucket_async(bucket)
identity_str = auth.get_current_identity().to_bytes()
if bucket_cfg:
for rule in bucket_cfg.acls:
if rule.role not in roles:
continue
if rule.identity == identity_str:
raise ndb.Return(True)
if rule.group and auth.is_group_member(rule.group):
raise ndb.Return(True)
raise ndb.Return(False)
def is_identity_in_principal_set(ident, principals):
"""True if Identity is in a set specified by principals.
Args:
ident: auth.Identity instance.
principals: string, one of 'group:<name>', identity glob string ('user:*'),
or just a single identity ('user:[email protected]').
Returns:
True or False. Also returns False if 'principals' is in unrecognized format.
"""
try:
# Group?
if principals.startswith('group:'):
return auth.is_group_member(principals.lstrip('group:'), ident)
# Glob?
if '*' in principals:
return auth.IdentityGlob.from_bytes(principals).match(ident)
# Identity?
return auth.Identity.from_bytes(principals) == ident
except ValueError as ex:
logging.error('Unrecognized principal string "%s": %s', principals, ex)
return False
def isolate_readable():
"""Returns True if current user can read from isolate."""
return auth.is_group_member(READONLY_ACCESS_GROUP) or isolate_writable()
def is_catalog_admin():
"""Returns whether the current user is a catalog administrator."""
if auth.is_group_member('machine-provider-catalog-administrators'):
logging.info('User is Catalog administrator')
return True
return False
def is_admin(): return auth.is_group_member(ADMINS_GROUP) or auth.is_admin()
def is_ereporter2_editor(): """Only auth admins or recipients can edit the silencing filters.""" return auth.is_admin() or auth.is_group_member(RECIPIENTS_AUTH_GROUP)
def is_bot(): return auth.is_group_member(BOTS_GROUP) or is_admin()
def is_privileged_user(): return auth.is_group_member(PRIVILEGED_USERS_GROUP) or is_admin()
def isolate_readable(): """Returns True if current user can read from isolate.""" return auth.is_group_member(READONLY_ACCESS_GROUP) or isolate_writable()
def _is_admin():
"""Full administrative access."""
group = config.settings().auth.admins_group
return auth.is_group_member(group) or auth.is_admin()
def isolate_writable(): """Returns True if current user can write to isolate.""" full_access = auth.is_group_member(config.settings().auth.full_access_group) return full_access or auth.is_admin()
def is_catalog_admin():
"""Returns whether the current user is a catalog administrator."""
if auth.is_group_member('machine-provider-catalog-administrators'):
logging.info('User is Catalog administrator')
return True
return False
def can_update_build_async(): # pragma: no cover
"""Returns if the current identity is whitelisted to update builds."""
raise ndb.Return(auth.is_group_member(UPDATE_BUILD_ALLOWED_USERS))
def has_project_access(project_id):
metadata = projects.get_metadata(project_id)
super_group = read_acl_cfg().project_access_group
return (auth.is_admin()
or super_group and auth.is_group_member(super_group)
or metadata and config.api._has_access(metadata.access))
def is_admin():
if auth.is_superuser():
return True
acl_cfg = _get_acl_cfg()
return auth.is_group_member(
acl_cfg and acl_cfg.admin_group or auth.ADMIN_GROUP)
def is_user(): return auth.is_group_member(USERS_GROUP) or is_privileged_user()
def is_trooper_or_admin():
return (auth.is_group_member("mdb/chrome-troopers") or
users.is_current_user_admin())
def is_trusted_service(identity=None):
"""Returns True if caller is in 'auth-trusted-services' group."""
return auth.is_group_member('auth-trusted-services', identity)
def _is_privileged_user():
"""Can edit all bots and tasks."""
group = config.settings().auth.privileged_users_group
return auth.is_group_member(group) or _is_admin()
def is_bot(): return auth.is_group_member(BOTS_GROUP) or is_admin()
def is_user(): return auth.is_group_member(USERS_GROUP) or is_privileged_user()
def _is_user():
group = config.settings().auth.users_group
return auth.is_group_member(group) or _is_privileged_user()
def isolate_writable(): """Returns True if current user can write to isolate.""" return auth.is_group_member(FULL_ACCESS_GROUP) or auth.is_admin()
def is_admin(): return auth.is_group_member(ADMINS_GROUP) or auth.is_admin()
def is_ereporter2_viewer():
"""True if current user is in recipients list, viewer list or is an admin."""
if auth.is_admin() or auth.is_group_member(VIEWERS_AUTH_GROUP):
return True
ident = auth.get_current_identity()
return ident.is_user and ident.name in get_ereporter2_recipients()
def _is_bootstrapper():
"""Returns True if current user have access to bot code (for bootstrap)."""
bot_group = config.settings().auth.bot_bootstrap_group
return auth.is_group_member(bot_group) or _is_admin()
def is_privileged_user(): return auth.is_group_member(PRIVILEGED_USERS_GROUP) or is_admin()
def is_ereporter2_viewer():
"""True if current user is in recipients list, viewer list or is an admin."""
if auth.is_admin() or auth.is_group_member(VIEWERS_AUTH_GROUP):
return True
ident = auth.get_current_identity()
return ident.is_user and ident.name in get_ereporter2_recipients()
def is_ereporter2_editor():
"""Only auth admins or recipients can edit the silencing filters."""
return auth.is_admin() or auth.is_group_member(RECIPIENTS_AUTH_GROUP)
def isolate_writable():
"""Returns True if current user can write to isolate."""
return auth.is_group_member(FULL_ACCESS_GROUP) or auth.is_admin()
def _is_view_all_tasks():
group = config.settings().auth.view_all_tasks_group
return auth.is_group_member(group) or _is_privileged_user()
def isolate_readable(): """Returns True if current user can read from isolate.""" read_only = config.settings().auth.readonly_access_group return auth.is_group_member(read_only) or isolate_writable()
