Esempio n. 1
def set_up_authorization(settings):
    """Build the ``(auth, authz)`` pair for the web UI from *settings*.

    When ``settings.do_auth`` is truthy, login goes through GitHub OAuth and
    the control endpoints are gated by role.  Otherwise ``NoAuth`` and an
    ``Authz`` without any rules are returned, so the web UI is unrestricted;
    a warning is logged on that path.

    Rule order is significant.  A matcher built with ``defaultDeny=False``
    lets evaluation continue with the next rule when the user lacks the
    role; a matcher left at its default denies the request instead.  Each
    per-action group below therefore ends with a single default-deny entry.
    """
    if not settings.do_auth:
        # Fail-open branch: nothing is authenticated or authorized here, so
        # the only safeguard is the log line below.
        log.err("WARNING: Web UI is completely open")
        # Completely open
        return NoAuth(), util.Authz()

    # Team membership is requested so that RolesFromGroups (below) has
    # group data to turn into roles.
    github_login = util.GitHubAuth(
        clientId=str(settings.github_auth_id),
        clientSecret=str(settings.github_auth_secret),
        apiVersion=4,
        getTeamsMembership=True,
    )

    def fall_through(matcher_cls, role_names):
        # One non-terminal rule per role: a miss moves on to the next rule.
        return [matcher_cls(role=name, defaultDeny=False) for name in role_names]

    # Admins can do anything.
    access_rules = [util.AnyEndpointMatcher(role="admins", defaultDeny=False)]

    # Allow authors to stop, force or rebuild their own builds,
    # allow core devs to stop, force or rebuild any build.
    access_rules += fall_through(
        util.StopBuildEndpointMatcher,
        ("owner", "buildbot-owners", "python-triage"),
    )
    access_rules.append(util.StopBuildEndpointMatcher(role="python-core"))

    access_rules += fall_through(
        util.RebuildBuildEndpointMatcher,
        ("owner", "python-triage", "buildbot-owners"),
    )
    access_rules.append(util.RebuildBuildEndpointMatcher(role="python-core"))

    # NOTE(review): "buildbot-owners" may stop and rebuild but is absent
    # from the force rules -- confirm that this is intentional.
    access_rules += fall_through(
        util.ForceBuildEndpointMatcher,
        ("owner", "python-triage"),
    )
    access_rules.append(util.ForceBuildEndpointMatcher(role="python-core"))

    # Allow release managers to enable/disable schedulers.
    access_rules.append(
        util.EnableSchedulerEndpointMatcher(role="python-release-managers")
    )
    # Future-proof control endpoints.
    access_rules.append(util.AnyControlEndpointMatcher(role="admins"))

    role_sources = [
        util.RolesFromGroups(groupPrefix="python/"),
        util.RolesFromOwner(role="owner"),
        # The "admins" role is granted by login name, from this fixed list.
        util.RolesFromUsername(
            roles=["admins"],
            usernames=[
                "zware",
                "vstinner",
                "bitdancer",
                "pitrou",
                "pablogsal",
            ],
        ),
    ]

    policy = util.Authz(allowRules=access_rules, roleMatchers=role_sources)
    return github_login, policy
Esempio n. 2
 def getDefaultAllowRules(self, admins):
     """Return the default, ordered list of endpoint matchers.

     Every entry of *admins* is used as a role name.  Each of those roles
     gets an any-endpoint rule that falls through on a miss
     (``defaultDeny=False``), followed by one ``TravisEndpointMatcher`` per
     role; the list ends with the owner-only stop and rebuild rules.
     """
     # NOTE(review): TravisEndpointMatcher is defined outside this excerpt
     # and is built without defaultDeny -- confirm that it does not end
     # rule evaluation before the owner rules at the end of the list.
     any_endpoint_rules = []
     travis_rules = []
     for admin_role in admins:
         any_endpoint_rules.append(
             util.AnyEndpointMatcher(role=admin_role, defaultDeny=False)
         )
     for admin_role in admins:
         travis_rules.append(TravisEndpointMatcher(role=admin_role))
     owner_rules = [
         util.StopBuildEndpointMatcher(role="owner"),
         util.RebuildBuildEndpointMatcher(role="owner"),
     ]
     return any_endpoint_rules + travis_rules + owner_rules
Esempio n. 3
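def getAuthz():
    """Return the role-based ``util.Authz`` policy for the web UI.

    Rules are evaluated in order.  A matcher built with ``defaultDeny=False``
    passes the request on to the next rule when the user lacks the role; a
    matcher left at its default denies it.  Each per-action group therefore
    ends with one default-deny entry, and the final control-endpoint rule
    covers every control action that no earlier rule handled.
    """
    authz = util.Authz(
        allowRules=[
            # Admins can do anything.
            # defaultDeny=False: if user does not have the admin role,
            # we continue parsing rules.
            util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False),

            # Allow authors to stop their own builds and bot owners to stop
            # builds on their own bots.  The second rule is default-deny, so
            # nobody else (committers included) can stop a build.
            util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
            util.StopBuildEndpointMatcher(role="worker-owner"),

            # Authors, bot owners and committers may rebuild; everyone else
            # is denied by the last rule of the group.
            util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
            util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
            util.RebuildBuildEndpointMatcher(role="LLVM Committers"),

            # Same three roles for forcing a build.
            util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
            util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
            util.ForceBuildEndpointMatcher(role="LLVM Committers"),

            # Future-proof control endpoints: any control action not handled
            # above requires the admin role.  No parsing rules beyond this.
            # Read-only requests are not matched by any rule in this list,
            # which is what lets anonymous visitors look at build results.
            util.AnyControlEndpointMatcher(role="LLVM Lab team"),
        ],
        roleMatchers=[
            # Roles come from group membership under the "llvm/" prefix.
            # (The original listed this matcher twice; one entry is enough.)
            util.RolesFromGroups(groupPrefix="llvm/"),
            # role owner is granted when property owner matches the email of the user
            util.RolesFromOwner(role="owner"),
        ],
    )

    return authz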
Esempio n. 4
        ]
    )
elif hasattr(config, 'github_auth_clientid') and config.github_auth_clientid:
    www['auth'] = util.GitHubAuth(
            config.github_auth_clientid, config.github_auth_clientsecret,
            apiVersion=4, getTeamsMembership=True)
    # When using Github authentication, we can use group membership information
    www['authz'] = util.Authz(
        stringsMatcher=util.fnmatchStrMatcher,  # simple matcher with '*' glob character
        # stringsMatcher = util.reStrMatcher,   # if you prefer regular expressions
        allowRules=[
            # admins can do anything,
            # defaultDeny=False: if user does not have the admin role, we continue parsing rules
            util.AnyEndpointMatcher(role=config.github_admin_group, defaultDeny=False),
            # Let owner stop its build
            util.StopBuildEndpointMatcher(role="owner"),
            # if future Buildbot implement new control, we are safe with this last rule
            util.AnyControlEndpointMatcher(role=config.github_admin_group)
        ],
        roleMatchers=[
            util.RolesFromGroups(groupPrefix="{0}/".format(config.github_organization)),
            # role owner is granted when property owner matches the email of the user
            util.RolesFromOwner(role="owner")
        ]
    )

try:
    if len(config.www_port) == 2:
        www['port'] = "tcp:{1}:interface={0}".format(*config.www_port)
    elif len(config.www_port) == 1:
        www['port'] = "tcp:{0}".format(*config.www_port)
Esempio n. 5
    dict(name='opencv_contrib',
         repo='opencv_contrib',
         caption='Pull Requests(Contrib)',
         icon='share-alt'))

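### Fetch users from json file
# Each record supplies 'user', 'pass' and 'admin'.
# NOTE(review): the 'pass' value is read and kept as-is, so users.json
# appears to hold plaintext credentials -- keep it out of version control
# and readable only by the account that runs the master.  The relative
# path is resolved against the process working directory.
users = []
admins = []
# Context manager so the file handle is closed once the JSON is parsed.
with open('../users.json') as users_file:
    user_records = json.load(users_file)
for user in user_records:
    if user['admin']:
        admins.append(user['user'])
    users.append((user['user'], user['pass']))

authz = util.Authz(
    allowRules=[
        # Admins can do anything; a non-admin falls through to the next rule.
        util.AnyEndpointMatcher(role='admins', defaultDeny=False),
        # Only the owner of a build may stop it.
        util.StopBuildEndpointMatcher(role='owner'),
        # Any listed user may force a build.  The original repeated this
        # identical rule three times; the first one already decides.
        util.ForceBuildEndpointMatcher(role='users'),
        # Every remaining control action requires the admin role.
        util.AnyControlEndpointMatcher(role='admins'),
    ],
    roleMatchers=[
        util.RolesFromUsername(roles=['admins'], usernames=admins),
        # `users` holds (name, password) pairs.  Passing the pairs themselves
        # meant a login name never matched, so the 'users' role was never
        # granted; only the names belong in this list.
        util.RolesFromUsername(roles=['users'],
                               usernames=[entry[0] for entry in users]),
        util.RolesFromOwner(role='owner'),
    ])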

######################################################################