def check_bot_code_access(self, bot_id, generate_token):
"""Raises AuthorizationError if caller is not authorized to access bot code.
Four variants here:
1. A valid bootstrap token is passed as '?tok=...' parameter.
2. An user, allowed to do a bootstrap, is using their credentials.
3. An IP whitelisted machine is making this call.
4. A bot (with given bot_id) is using it's own machine credentials.
In later three cases we optionally generate and return a new bootstrap
token, that can be used to authorize /bot_code calls.
"""
existing_token = self.request.get('tok')
if existing_token:
payload = bot_code.validate_bootstrap_token(existing_token)
if payload is None:
raise auth.AuthorizationError('Invalid bootstrap token')
logging.debug('Using bootstrap token %r', payload)
return existing_token
machine_type = None
if bot_id:
bot_info = bot_management.get_info_key(bot_id).get()
if bot_info:
machine_type = bot_info.machine_type
# TODO(vadimsh): Remove is_ip_whitelisted_machine check once all bots are
# using auth for bootstrap and updating.
if (not acl.can_create_bot() and not acl.is_ip_whitelisted_machine()
and not (bot_id and bot_auth.is_authenticated_bot(
bot_id, machine_type))):
raise auth.AuthorizationError('Not allowed to access the bot code')
return bot_code.generate_bootstrap_token() if generate_token else None
def permissions(self, _request):
"""Returns the caller's permissions."""
return swarming_rpcs.ClientPermissions(
delete_bot=acl.can_delete_bot(),
terminate_bot=acl.can_edit_bot(),
get_configs=acl.can_view_config(),
put_configs=acl.can_edit_config(),
cancel_task=acl._is_user() or acl.is_ip_whitelisted_machine(),
cancel_tasks=acl.can_edit_all_tasks(),
get_bootstrap_token=acl.can_create_bot())
def test_ip_whitelisted(self):
self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
self.assertTrue(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertTrue(acl.can_edit_bot())
self.assertTrue(acl.can_delete_bot())
self.assertTrue(acl.can_view_bot())
self.assertTrue(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertTrue(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
def test_instance_admin(self):
auth_testing.mock_is_admin(self, True)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertTrue(acl.can_view_config())
self.assertTrue(acl.can_edit_config())
self.assertTrue(acl.can_create_bot())
self.assertTrue(acl.can_edit_bot())
self.assertTrue(acl.can_delete_bot())
self.assertTrue(acl.can_view_bot())
self.assertTrue(acl.can_create_task())
self.assertTrue(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertTrue(acl.can_edit_task(self._task_other))
self.assertTrue(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
auth_testing.mock_get_current_identity(self, auth.Anonymous)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertFalse(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertFalse(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertFalse(acl.can_view_task(self._task_owned))
self.assertFalse(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
def test_view_all_tasks(self):
self._add_to_group('view_all_tasks')
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertTrue(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertTrue(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertTrue(acl.can_view_task(self._task_owned))
self.assertTrue(acl.can_view_task(self._task_other))
self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
self.mock(auth, 'get_current_identity',
lambda: auth.IDENTITY_ANONYMOUS)
self.assertFalse(acl.is_ip_whitelisted_machine())
self.assertFalse(acl.can_access())
self.assertFalse(acl.can_view_config())
self.assertFalse(acl.can_edit_config())
self.assertFalse(acl.can_create_bot())
self.assertFalse(acl.can_edit_bot())
self.assertFalse(acl.can_delete_bot())
self.assertFalse(acl.can_view_bot())
self.assertFalse(acl.can_create_task())
self.assertFalse(acl.can_schedule_high_priority_tasks())
self.assertFalse(acl.can_edit_task(self._task_owned))
self.assertFalse(acl.can_edit_task(self._task_other))
self.assertFalse(acl.can_edit_all_tasks())
self.assertFalse(acl.can_view_task(self._task_owned))
self.assertFalse(acl.can_view_task(self._task_other))
self.assertFalse(acl.can_view_all_tasks())
