def set_up_authorization(settings): if bool(settings.do_auth): auth = util.GitHubAuth( clientId=str(settings.github_auth_id), clientSecret=str(settings.github_auth_secret), apiVersion=4, getTeamsMembership=True, ) authz = util.Authz( allowRules=[ # Admins can do anything. util.AnyEndpointMatcher(role="admins", defaultDeny=False), # Allow authors to stop, force or rebuild their own builds, # allow core devs to stop, force or rebuild any build. util.StopBuildEndpointMatcher(role="owner", defaultDeny=False), util.StopBuildEndpointMatcher( role="buildbot-owners", defaultDeny=False ), util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False), util.StopBuildEndpointMatcher(role="python-core"), util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False), util.RebuildBuildEndpointMatcher( role="python-triage", defaultDeny=False ), util.RebuildBuildEndpointMatcher( role="buildbot-owners", defaultDeny=False ), util.RebuildBuildEndpointMatcher(role="python-core"), util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False), util.ForceBuildEndpointMatcher(role="python-core"), # Allow release managers to enable/disable schedulers. util.EnableSchedulerEndpointMatcher(role="python-release-managers"), # Future-proof control endpoints. util.AnyControlEndpointMatcher(role="admins"), ], roleMatchers=[ util.RolesFromGroups(groupPrefix="python/"), util.RolesFromOwner(role="owner"), util.RolesFromUsername( roles=["admins"], usernames=[ "zware", "vstinner", "bitdancer", "pitrou", "pablogsal", ], ), ], ) else: log.err("WARNING: Web UI is completely open") # Completely open auth = NoAuth() authz = util.Authz() return auth, authz
def getDefaultAllowRules(self, admins): epms = [ util.AnyEndpointMatcher(role=admin, defaultDeny=False) for admin in admins ] epms += [TravisEndpointMatcher(role=admin) for admin in admins] return epms + [ util.StopBuildEndpointMatcher(role="owner"), util.RebuildBuildEndpointMatcher(role="owner"), ]
def getAuthz(): authz = util.Authz( allowRules=[ # Admins can do anything. # defaultDeny=False: if user does not have the admin role, # we continue parsing rules. util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False), # Allow authors to stop, force or rebuild their own builds, util.StopBuildEndpointMatcher(role="owner", defaultDeny=False), # Allow bot owners to stop, force or rebuild on their own bots, util.StopBuildEndpointMatcher(role="worker-owner"), # allow devs to force or rebuild any build. util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False), util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False), util.RebuildBuildEndpointMatcher(role="LLVM Committers"), util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="LLVM Committers"), # Future-proof control endpoints. No parsing rules beyond this. # Allows anonymous to look at build results. util.AnyControlEndpointMatcher(role="LLVM Lab team"), ], roleMatchers=[ util.RolesFromGroups(groupPrefix="llvm/"), util.RolesFromGroups(groupPrefix="llvm/"), # role owner is granted when property owner matches the email of the user util.RolesFromOwner(role="owner"), ], ) return authz
from buildbot.plugins import util from maxscale.config.github_client_config import GITHUB_CLIENT_CONFIG from maxscale.config.auth_config import AUTH_CONFIG SETTINGS = { 'auth': util.GitHubAuth(GITHUB_CLIENT_CONFIG['client_id'], GITHUB_CLIENT_CONFIG['client_secret']), 'authz': util.Authz(allowRules=[ util.AnyEndpointMatcher(role="admins"), util.AnyControlEndpointMatcher(role="admins", defaultDeny=False) ], roleMatchers=[ util.RolesFromUsername(roles=["admins"], usernames=AUTH_CONFIG['admins']) ]) }
'secret': config.github_webhook_secret, # Only be strict when secret is provided # When not strict, if no signature is returned, check isn't done 'strict': bool(config.github_webhook_secret), } if hasattr(config, 'ht_auth_file') and config.ht_auth_file: ht_auth_file = os.path.join(config.configuration_dir, config.ht_auth_file) www['auth'] = util.HTPasswdAuth(ht_auth_file) # When using htpasswd file, we don't have any group information nor email information www['authz'] = util.Authz( stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character allowRules=[ # admins can do anything, # defaultDeny=False: if user does not have the admin role, we continue parsing rules util.AnyEndpointMatcher(role="admin", defaultDeny=False), # if future Buildbot implement new control, we are safe with this last rule util.AnyControlEndpointMatcher(role="admin") ], roleMatchers=[ util.RolesFromUsername(roles=['admin'], usernames=config.ht_auth_admins), ] ) elif hasattr(config, 'github_auth_clientid') and config.github_auth_clientid: www['auth'] = util.GitHubAuth( config.github_auth_clientid, config.github_auth_clientsecret, apiVersion=4, getTeamsMembership=True) # When using Github authentication, we can use group membership information www['authz'] = util.Authz( stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character # stringsMatcher = util.reStrMatcher, # if you prefer regular expressions
def build_config() -> dict[str, Any]: c = {} c["buildbotNetUsageData"] = None # configure a janitor which will delete all logs older than one month, and will run on sundays at noon c['configurators'] = [util.JanitorConfigurator( logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6 )] c["schedulers"] = [ # build all pushes to master schedulers.SingleBranchScheduler( name="master", change_filter=util.ChangeFilter(branch="master"), builderNames=["nix-eval"], ), # build all pull requests schedulers.SingleBranchScheduler( name="prs", change_filter=util.ChangeFilter(category="pull"), builderNames=["nix-eval"], ), # this is triggered from `nix-eval` schedulers.Triggerable( name="nix-build", builderNames=["nix-build"], ), # allow to manually trigger a nix-build schedulers.ForceScheduler(name="force", builderNames=["nix-eval"]), # allow to manually update flakes schedulers.ForceScheduler( name="update-flake", builderNames=["nix-update-flake"], buttonName="Update flakes", ), # updates flakes once a weeek schedulers.NightlyTriggerable( name="update-flake-weekly", builderNames=["nix-update-flake"], hour=3, minute=0, dayOfWeek=6, ), ] github_api_token = read_secret_file("github-token") c["services"] = [ reporters.GitHubStatusPush( token=github_api_token, # Since we dynamically create build steps, # we use `virtual_builder_name` in the webinterface # so that we distinguish what has beeing build context=Interpolate("buildbot/%(prop:virtual_builder_name)s"), ), # Notify on irc NotifyFailedBuilds("irc://buildbot|[email protected]:6667/#xxx"), ] # Shape of this file: # [ { "name": "<worker-name>", "pass": "******", "cores": "<cpu-cores>" } ] worker_config = json.loads(read_secret_file("github-workers")) credentials = os.environ.get("CREDENTIALS_DIRECTORY", ".") enable_cachix = os.path.isfile(os.path.join(credentials, "cachix-token")) systemd_secrets = secrets.SecretInAFile(dirname=credentials) c["secretsProviders"] = [systemd_secrets] c["workers"] = [] worker_names = [] for item in worker_config: cores = item.get("cores", 0) for i in range(cores): worker_name = f"{item['name']}-{i}" c["workers"].append(worker.Worker(worker_name, item["pass"])) worker_names.append(worker_name) c["builders"] = [ # Since all workers run on the same machine, we only assign one of them to do the evaluation. # This should prevent exessive memory usage. nix_eval_config([worker_names[0]], github_token_secret="github-token"), nix_build_config(worker_names, enable_cachix), nix_update_flake_config( worker_names, "TUM-DSE/doctor-cluster-config", github_token_secret="github-token", ), ] c["www"] = { "port": int(os.environ.get("PORT", "1810")), "auth": util.GitHubAuth( os.environ.get("GITHUB_OAUTH_ID"), read_secret_file("github-oauth-secret") ), "authz": util.Authz( roleMatchers=[ util.RolesFromGroups(groupPrefix="") # so we can match on TUM-DSE ], allowRules=[ util.AnyEndpointMatcher(role="TUM-DSE", defaultDeny=False), util.AnyControlEndpointMatcher(role="TUM-DSE"), ], ), "plugins": dict(waterfall_view={}, console_view={}, grid_view={}), "change_hook_dialects": dict( github={ "secret": read_secret_file("github-webhook-secret"), "strict": True, "token": github_api_token, "github_property_whitelist": "*", } ), } c["db"] = {"db_url": os.environ.get("DB_URL", "sqlite:///state.sqlite")} c["protocols"] = {"pb": {"port": "tcp:9989:interface=\\:\\:"}} c["buildbotURL"] = "https://buildbot.dse.in.tum.de/" return c
contrib.update( dict(name='opencv_contrib', repo='opencv_contrib', caption='Pull Requests(Contrib)', icon='share-alt')) ### Fetch users from json file users = [] admins = [] for user in json.load(open('../users.json')): if user['admin']: admins.append(user['user']) users.append((user['user'], user['pass'])) authz = util.Authz(allowRules=[ util.AnyEndpointMatcher(role='admins', defaultDeny=False), util.StopBuildEndpointMatcher(role='owner'), util.ForceBuildEndpointMatcher(role='users'), util.ForceBuildEndpointMatcher(role='users'), util.ForceBuildEndpointMatcher(role='users'), util.AnyControlEndpointMatcher(role='admins') ], roleMatchers=[ util.RolesFromUsername(roles=['admins'], usernames=admins), util.RolesFromUsername(roles=['users'], usernames=users), util.RolesFromOwner(role='owner') ]) ######################################################################
def buildmaster_config_base(self) -> Dict[str, Any]: """Generate a base for the Buildmaster configuration settings as `dict` (i.e. the ``BuildmasterConfig`` `dict` that is read by the Buildbot twistd application) with all the settings properly defined.""" # The buildbot instance name title title = "CLIP OS" if self.__settings else "DEBUGGING ONLY" title_url = "https://clip-os.org/" # Authentication settings if not self.__settings: auth = NoAuth() authz = util.Authz() else: if not self.secrets: admin_usernames = [] auth_backend = 'user-password-dict' auth_backend_parameters = {} else: admin_usernames = self.secrets.admin_usernames auth_backend = self.secrets.auth_backend auth_backend_parameters = self.secrets.auth_backend_parameters if auth_backend == 'user-password-dict': auth = util.UserPasswordAuth(auth_backend_parameters) elif auth_backend == 'github': auth = util.GitHubAuth( clientId=auth_backend_parameters['clientId'], clientSecret=auth_backend_parameters['clientSecret'], getTeamsMembership=False, # useless for us ) else: raise NotImplementedError( "Unknown auth backend {!r} from secrets".format( auth_backend)) authz = util.Authz( allowRules=[ # Admins can do anything. util.AnyEndpointMatcher(role="admins", defaultDeny=False), # Future-proof control endpoints. util.AnyControlEndpointMatcher(role="admins"), ], roleMatchers=[ # Defined administration from their usernames util.RolesFromUsername( roles=['admins'], usernames=admin_usernames, ) ], ) return { # Presentation settings 'title': title, 'titleURL': title_url, # Database settings 'db': { 'db_url': self.db_url, }, # Web UI settings 'buildbotURL': self.buildbot_url, 'www': { # The port to listen to (a HTTP reverse-proxy should be # configured behind this port): 'port': self.www_port, # Do not use an alternative logfile for HTTP logging, use # twistd logging output (the fallback) rather than a separate # file because the twistd logging output is known to be # properly collected. 'logfileName': None, # Do not use Gravatars: 'avatar_methods': [], # Web UI plugins potential settings: 'plugins': { 'waterfall_view': {}, # Useless for now: #'console_view': {}, #'grid_view': {}, }, # Web UI custom configuration: 'ui_default_config': { 'Waterfall.scaling_waterfall': 0.04, 'Builders.show_old_builders': True, 'Builders.show_workers_name': True, }, # Authentication settings for the web UI and REST API: 'auth': auth, 'authz': authz, }, # Buildmaster/workers network related settings 'protocols': { # Settings for Twisted's Perspective Broker protocol 'pb': { # The port to use to communicate with the Buildbot workers 'port': self.pb_port, }, }, # Disable Buildbot usage tracking for the moment: # See: http://docs.buildbot.net/latest/manual/cfg-global.html#buildbotnetusagedata 'buildbotNetUsageData': None, }