def check_tasks_create_in_realm(realm, pool_cfg, enforce):
"""Checks if the caller is allowed to create a task in the realm.
Args:
realm: Realm that a task will be created in or None for legacy tasks.
pool_cfg: PoolConfig of the pool where the task will run.
enforce: if True enforce realm ACLs regardless of is_enforced_permission.
Returns:
True if used realm ACLs, False if legacy ones.
Raises:
auth.AuthorizationError: if the caller is not allowed.
"""
# 'swarming.tasks.createInRealm'
perm_enum = realms_pb2.REALM_PERMISSION_TASKS_CREATE_IN_REALM
perm = get_permission(perm_enum)
if enforce or is_enforced_permission(perm_enum, pool_cfg):
_check_permission(perm, [realm])
return True
if realm:
# There is no existing permission that corresponds to the realm
# permission. So always pass expected_result=True to the dryrun.
auth.has_permission_dryrun(perm, [realm],
expected_result=True,
tracking_bug=_TRACKING_BUG)
return False
def check_pools_create_task(pool_cfg, enforce):
"""Checks if the caller can create the task in the pool.
Realm permission `swarming.pools.createTask` will be checked,
using auth.has_permission() or auth.has_permission_dryrun().
If the realm permission check is enforced,
It just calls auth.has_permission()
If it's legacy-compatible,
It calls the legacy task_scheduler.check_schedule_request_acl_caller() and
compare the legacy result with the realm permission check using the dryrun.
Args:
pool_cfg: PoolCfg of the pool.
enforce: if True enforce realm ACLs regardless of is_enforced_permission.
Returns:
True if used realm ACLs, False if legacy ones.
Raises:
auth.AuthorizationError: if the caller is not allowed to schedule the task
in the pool.
"""
# 'swarming.pools.createTask'
perm_enum = realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK
perm = get_permission(perm_enum)
if enforce or is_enforced_permission(perm_enum, pool_cfg):
_check_permission(perm, [pool_cfg.realm])
return True
# legacy-compatible path
# pool_cfg.realm is optional.
if not pool_cfg.realm:
logging.warning('%s: realm is missing in Pool "%s"', _TRACKING_BUG,
pool_cfg.name)
legacy_allowed = True
try:
task_scheduler.check_schedule_request_acl_caller(pool_cfg)
except auth.AuthorizationError:
legacy_allowed = False
raise # re-raise the exception
finally:
# compare the legacy check result with realm check result if the pool realm
# is specified.
if pool_cfg.realm:
auth.has_permission_dryrun(perm, [pool_cfg.realm],
legacy_allowed,
tracking_bug=_TRACKING_BUG)
return False
def has_projects_access(project_ids):
# TODO(crbug.com/1068817): During the migration we'll use the legacy response
# as the final result, but will compare it to realms checks and log
# discrepancies (this is what has_permission_dryrun does).
legacy = _has_projects_access_legacy(project_ids)
for pid in project_ids:
auth.has_permission_dryrun(
permission=_PERMISSION_READ,
realms=[auth.root_realm(pid)],
tracking_bug='crbug.com/1068817',
expected_result=legacy[pid])
return legacy
def check_tasks_act_as(task_request, pool_cfg, enforce):
"""Checks if the task service account is allowed to run in the task realm.
Realm permission `swarming.tasks.actAs` will be checked,
using auth.has_permission() or auth.has_permission_dryrun().
If the realm permission check is enforced,
It just calls auth.has_permission()
If it's legacy-compatible,
It calls task_scheduler.check_schedule_request_acl_service_account()
and compare the legacy result with the realm permission check using
the dryrun.
Args:
task_request: TaskRequest entity to be scheduled.
pool_cfg: PoolConfig of the pool where the task will run.
enforce: if True enforce realm ACLs regardless of is_enforced_permission.
Returns:
True if used realm ACLs, False if legacy ones.
Raises:
auth.AuthorizationError: if the service account is not allowed to run
in the task realm.
"""
perm_enum = realms_pb2.REALM_PERMISSION_TASKS_ACT_AS
perm = get_permission(perm_enum)
identity = auth.Identity(auth.IDENTITY_USER, task_request.service_account)
if enforce or is_enforced_permission(perm_enum, pool_cfg):
_check_permission(perm, [task_request.realm], identity)
return True
# legacy-compatible path
legacy_allowed = True
try:
# ACL check
task_scheduler.check_schedule_request_acl_service_account(
task_request, pool_cfg)
except auth.AuthorizationError:
legacy_allowed = False
raise # re-raise the exception
finally:
if task_request.realm:
auth.has_permission_dryrun(perm, [task_request.realm],
legacy_allowed,
identity=identity,
tracking_bug=_TRACKING_BUG)
return False
def _check_project_acl(project_id, permission, legacy_acl_group):
"""Checks legacy and realms ACLs, comparing them.
Returns the result of the legacy ACL check for now.
"""
# TODO(crbug.com/1068817): Switch to using Realms for real.
legacy_result = (
_has_projects_access_legacy([project_id])[project_id] and
_check_acl_cfg(legacy_acl_group))
auth.has_permission_dryrun(
permission=permission,
realms=[auth.root_realm(project_id)],
tracking_bug='crbug.com/1068817',
expected_result=legacy_result)
return legacy_result