def test_ip_whitelisted(self):
  """Caller coming from a whitelisted IP (auth.is_in_ip_whitelist forced True).

  Such a caller gets bot-level rights (edit/delete/view bot, create task) and
  may view and edit *any* individual task, but has no config access, no
  high-priority scheduling and no "all tasks" views/edits.

  NOTE(review): the network allowlist alone is what grants edit/delete on
  bots and edit on other users' tasks here, so it effectively acts as a
  credential; keep that in mind when widening it.
  """
  self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
  # (check, expected) pairs; order only affects which failure is reported first.
  expectations = [
      (acl.is_ip_whitelisted_machine, True),
      (acl.can_access, True),
      (acl.can_view_config, False),
      (acl.can_edit_config, False),
      (acl.can_create_bot, False),
      (acl.can_edit_bot, True),
      (acl.can_delete_bot, True),
      (acl.can_view_bot, True),
      (acl.can_create_task, True),
      (acl.can_schedule_high_priority_tasks, False),
      (lambda: acl.can_edit_task(self._task_owned), True),
      (lambda: acl.can_edit_task(self._task_other), True),
      (acl.can_edit_all_tasks, False),
      (lambda: acl.can_view_task(self._task_owned), True),
      (lambda: acl.can_view_task(self._task_other), True),
      (acl.can_view_all_tasks, False),
  ]
  for check, allowed in expectations:
    if allowed:
      self.assertTrue(check())
    else:
      self.assertFalse(check())
def test_instance_admin(self):
  """Instance admin (auth_testing.mock_is_admin) is granted every permission.

  The only check that stays False is is_ip_whitelisted_machine(), which is
  about the caller's network origin rather than its identity.
  """
  auth_testing.mock_is_admin(self, True)
  self.assertFalse(acl.is_ip_whitelisted_machine())
  global_checks = (
      acl.can_access,
      acl.can_view_config,
      acl.can_edit_config,
      acl.can_create_bot,
      acl.can_edit_bot,
      acl.can_delete_bot,
      acl.can_view_bot,
      acl.can_create_task,
      acl.can_schedule_high_priority_tasks,
  )
  for check in global_checks:
    self.assertTrue(check())
  # Per-task rights hold for the admin's own task and for someone else's.
  for task in (self._task_owned, self._task_other):
    self.assertTrue(acl.can_edit_task(task))
  self.assertTrue(acl.can_edit_all_tasks())
  for task in (self._task_owned, self._task_other):
    self.assertTrue(acl.can_view_task(task))
  self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
  """Anonymous caller (auth.Anonymous) is denied everything, even can_access().

  This is the fail-closed baseline: an unauthenticated request must not be
  able to view or touch config, bots or tasks, including tasks it "owns".
  """
  auth_testing.mock_get_current_identity(self, auth.Anonymous)
  denied = [
      acl.is_ip_whitelisted_machine,
      acl.can_access,
      acl.can_view_config,
      acl.can_edit_config,
      acl.can_create_bot,
      acl.can_edit_bot,
      acl.can_delete_bot,
      acl.can_view_bot,
      acl.can_create_task,
      acl.can_schedule_high_priority_tasks,
      lambda: acl.can_edit_task(self._task_owned),
      lambda: acl.can_edit_task(self._task_other),
      acl.can_edit_all_tasks,
      lambda: acl.can_view_task(self._task_owned),
      lambda: acl.can_view_task(self._task_other),
      acl.can_view_all_tasks,
  ]
  for check in denied:
    self.assertFalse(check())
def test_view_all_tasks(self):
  """Member of the 'view_all_tasks' group: read-only on tasks, nothing on bots.

  Such a caller can access the service and view any task (plus the "all
  tasks" view), may edit only its own task, and has no config or bot rights
  and cannot create or prioritize tasks.
  """
  self._add_to_group('view_all_tasks')
  self.assertFalse(acl.is_ip_whitelisted_machine())
  self.assertTrue(acl.can_access())
  # No config, bot or task-creation rights come with this group.
  for check in (
      acl.can_view_config,
      acl.can_edit_config,
      acl.can_create_bot,
      acl.can_edit_bot,
      acl.can_delete_bot,
      acl.can_view_bot,
      acl.can_create_task,
      acl.can_schedule_high_priority_tasks,
  ):
    self.assertFalse(check())
  # Editing stays scoped to the caller's own task.
  self.assertTrue(acl.can_edit_task(self._task_owned))
  self.assertFalse(acl.can_edit_task(self._task_other))
  self.assertFalse(acl.can_edit_all_tasks())
  # Viewing is global, which is the point of the group.
  for task in (self._task_owned, self._task_other):
    self.assertTrue(acl.can_view_task(task))
  self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
  """Anonymous caller (auth.IDENTITY_ANONYMOUS) is denied every permission.

  Fail-closed baseline: with get_current_identity mocked to the anonymous
  identity, every acl predicate — including can_access() and the per-task
  checks on the caller's "own" task — must return a falsy value.
  """
  self.mock(auth, 'get_current_identity', lambda: auth.IDENTITY_ANONYMOUS)

  def denied(check, *args):
    self.assertFalse(check(*args))

  denied(acl.is_ip_whitelisted_machine)
  denied(acl.can_access)
  denied(acl.can_view_config)
  denied(acl.can_edit_config)
  denied(acl.can_create_bot)
  denied(acl.can_edit_bot)
  denied(acl.can_delete_bot)
  denied(acl.can_view_bot)
  denied(acl.can_create_task)
  denied(acl.can_schedule_high_priority_tasks)
  denied(acl.can_edit_task, self._task_owned)
  denied(acl.can_edit_task, self._task_other)
  denied(acl.can_edit_all_tasks)
  denied(acl.can_view_task, self._task_owned)
  denied(acl.can_view_task, self._task_other)
  denied(acl.can_view_all_tasks)
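def check_task_get_acl(task_request):
  """Checks if the caller is allowed to get the task entities.

  First checks the global permission via acl.can_view_task(). If the caller
  has no global permission, falls back to realm permissions, any one of which
  is sufficient:
    * 'swarming.pools.listTasks' on the realm of the pool in the task's
      dimensions;
    * 'swarming.pools.listTasks' on the realm(s) of the pool(s) the assigned
      bot belongs to (derived from the bot's dimensions);
    * 'swarming.tasks.get' on the task's own realm.

  Args:
    task_request: An instance of TaskRequest.

  Returns:
    None

  Raises:
    auth.AuthorizationError: if the caller is not allowed.
    endpoints.InternalServerErrorException: if the task's pool has no config.
  """
  if acl.can_view_task(task_request):
    return

  # check 'swarming.pools.listTasks' permission of the pool in task dimensions.
  if task_request.pool:
    pool_cfg = pools_config.get_pool_config(task_request.pool)
    if not pool_cfg:
      raise endpoints.InternalServerErrorException(
          'Pool cfg not found. pool: %s' % task_request.pool)
    if pool_cfg.realm and auth.has_permission(
        get_permission(realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS),
        [pool_cfg.realm]):
      return

  # check 'swarming.pools.listTasks' permission of the pool in bot dimensions.
  if task_request.bot_id:
    # NOTE(review): what _retrieve_bot_dimensions() does for an unknown bot_id
    # is not visible here; confirm it does not turn into a 500.
    pools = bot_management.get_pools_from_dimensions_flat(
        _retrieve_bot_dimensions(task_request.bot_id))
    # get_pool_config() can return None for a pool without a config (the
    # branch above treats that as an error); skip such pools instead of
    # raising AttributeError on None.realm, so the check falls through to
    # the remaining permission checks and ultimately to a clean denial.
    pool_realms = [
        cfg.realm
        for cfg in map(pools_config.get_pool_config, pools)
        if cfg and cfg.realm
    ]
    if pool_realms and auth.has_permission(
        get_permission(realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS),
        pool_realms):
      return

  # check 'swarming.tasks.get' permission.
  task_realm = task_request.realm
  if task_realm and auth.has_permission(
      get_permission(realms_pb2.REALM_PERMISSION_TASKS_GET), [task_realm]):
    return

  raise auth.AuthorizationError(
      'Task "%s" is not accessible' % task_request.task_id)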
def _get_task_request_async(task_id, request_key, viewing):
  """Returns the TaskRequest corresponding to a task ID.

  Enforces the ACL for users. Allows bots all access for the moment.

  Args:
    task_id: task ID, used only in error messages.
    request_key: ndb key of the TaskRequest to fetch.
    viewing: _VIEW to require acl.can_view_task(), _EDIT to require
        acl.can_edit_task().

  Returns:
    TaskRequest instance (via ndb.Return; this is a tasklet generator).

  Raises:
    endpoints.NotFoundException: if no entity exists for request_key.
    endpoints.ForbiddenException: if the ACL check for `viewing` fails.
    endpoints.InternalServerErrorException: if `viewing` is neither _VIEW nor
        _EDIT (a programming error in the caller).

  NOTE(review): the existence check runs before the ACL check, so a caller
  without access can still tell whether a given task ID exists (404 vs 403).
  """
  request = yield request_key.get_async()
  if not request:
    raise endpoints.NotFoundException('%s not found.' % task_id)

  if viewing == _VIEW:
    permitted = acl.can_view_task(request)
  elif viewing == _EDIT:
    permitted = acl.can_edit_task(request)
  else:
    # Unknown mode is a bug in the caller, not a client error.
    raise endpoints.InternalServerErrorException(
        '_get_task_request_async()')

  if not permitted:
    raise endpoints.ForbiddenException('%s is not accessible.' % task_id)
  raise ndb.Return(request)