def set_up_authorization(settings):
if bool(settings.do_auth):
auth = util.GitHubAuth(
clientId=str(settings.github_auth_id),
clientSecret=str(settings.github_auth_secret),
apiVersion=4,
getTeamsMembership=True,
)
authz = util.Authz(
allowRules=[
# Admins can do anything.
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
# allow core devs to stop, force or rebuild any build.
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
util.StopBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.StopBuildEndpointMatcher(role="python-core"),
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(
role="python-triage", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(role="python-core"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-core"),
# Allow release managers to enable/disable schedulers.
util.EnableSchedulerEndpointMatcher(role="python-release-managers"),
# Future-proof control endpoints.
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="python/"),
util.RolesFromOwner(role="owner"),
util.RolesFromUsername(
roles=["admins"],
usernames=[
"zware",
"vstinner",
"bitdancer",
"pitrou",
"pablogsal",
],
),
],
)
else:
log.err("WARNING: Web UI is completely open")
# Completely open
auth = NoAuth()
authz = util.Authz()
return auth, authz
def createAuthzConfigCustom(self, authcfg):
if not self.configAssertContains(authcfg, ['customauthzcode']):
return None
cfg = self.execCustomCode(authcfg["customauthzcode"],
['allowRules', 'roleMatchers'])
return util.Authz(cfg['allowRules'], cfg['roleMatchers'])
def createAuthzConfigAdmin(self, authcfg):
class AdminsRolesFromAdminUser(RolesFromBase):
def getRolesFromUser(self, userDetails):
if 'name' in userDetails and userDetails['name'] == "admin":
return "admins"
return []
return util.Authz(self.getDefaultAllowRules(admins=['admins']),
[util.RolesFromEmails(admins=['admin'])])
def get_www():
from buildbot.plugins import util
from twisted.cred import strcred
import private
return dict(
port="unix:/home/buildbot/buildbot.sock",
plugins=dict(waterfall_view={},
console_view={},
grid_view={},
badges={}),
auth=util.GitHubAuth(private.github_client_id,
private.github_client_secret,
apiVersion=4,
getTeamsMembership=True),
authz=util.Authz(
allowRules=[util.AnyControlEndpointMatcher(role="SFML")],
roleMatchers=[util.RolesFromGroups()]),
change_hook_dialects={
'base': True,
'github': {}
},
change_hook_auth=[strcred.makeChecker("file:changehook.passwd")])
def getAuthz():
authz = util.Authz(
allowRules=[
# Admins can do anything.
# defaultDeny=False: if user does not have the admin role,
# we continue parsing rules.
util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
# Allow bot owners to stop, force or rebuild on their own bots,
util.StopBuildEndpointMatcher(role="worker-owner"),
# allow devs to force or rebuild any build.
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="LLVM Committers"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="LLVM Committers"),
# Future-proof control endpoints. No parsing rules beyond this.
# Allows anonymous to look at build results.
util.AnyControlEndpointMatcher(role="LLVM Lab team"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="llvm/"),
util.RolesFromGroups(groupPrefix="llvm/"),
# role owner is granted when property owner matches the email of the user
util.RolesFromOwner(role="owner"),
],
)
return authz
from buildbot.plugins import util
from maxscale.config.github_client_config import GITHUB_CLIENT_CONFIG
from maxscale.config.auth_config import AUTH_CONFIG
SETTINGS = {
'auth':
util.GitHubAuth(GITHUB_CLIENT_CONFIG['client_id'],
GITHUB_CLIENT_CONFIG['client_secret']),
'authz':
util.Authz(allowRules=[
util.AnyEndpointMatcher(role="admins"),
util.AnyControlEndpointMatcher(role="admins", defaultDeny=False)
],
roleMatchers=[
util.RolesFromUsername(roles=["admins"],
usernames=AUTH_CONFIG['admins'])
])
}
plugins=dict(
console_view={},
grid_view={},
badges={"left_pad": 0, "right_pad": 0, "border_radius": 3, "style": "badgeio"},
),
change_hook_dialects={"github": github_hook},
allowed_origins=["*"],
)
c["www"]["auth"] = util.GitHubAuth(
env["GITHUB_CLIENT_ID"],
env["GITHUB_CLIENT_SECRET"],
apiVersion=4,
getTeamsMembership=True,
)
c["www"]["authz"] = util.Authz(
allowRules=[util.AnyControlEndpointMatcher(role="developers"),],
roleMatchers=[util.RolesFromGroups(groupPrefix="scummvm/")],
)
####### DB URL
c["db"] = {
# This specifies what database buildbot uses to store its state.
# It's easy to start with sqlite, but it's recommended to switch to a dedicated
# database, such as PostgreSQL or MySQL, for use in production environments.
# http://docs.buildbot.net/current/manual/configuration/global.html#database-specification
"db_url": env["DATABASE_URL"],
}
# Only be strict when secret is provided
# When not strict, if no signature is returned, check isn't done
'strict': bool(config.github_webhook_secret),
}
if hasattr(config, 'ht_auth_file') and config.ht_auth_file:
ht_auth_file = os.path.join(config.configuration_dir, config.ht_auth_file)
www['auth'] = util.HTPasswdAuth(ht_auth_file)
# When using htpasswd file, we don't have any group information nor email information
www['authz'] = util.Authz(
stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character
allowRules=[
# admins can do anything,
# defaultDeny=False: if user does not have the admin role, we continue parsing rules
util.AnyEndpointMatcher(role="admin", defaultDeny=False),
# if future Buildbot implement new control, we are safe with this last rule
util.AnyControlEndpointMatcher(role="admin")
],
roleMatchers=[
util.RolesFromUsername(roles=['admin'], usernames=config.ht_auth_admins),
]
)
elif hasattr(config, 'github_auth_clientid') and config.github_auth_clientid:
www['auth'] = util.GitHubAuth(
config.github_auth_clientid, config.github_auth_clientsecret,
apiVersion=4, getTeamsMembership=True)
# When using Github authentication, we can use group membership information
www['authz'] = util.Authz(
stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character
# stringsMatcher = util.reStrMatcher, # if you prefer regular expressions
allowRules=[
def createAuthzConfigEmails(self, authcfg):
if not self.configAssertContains(authcfg, ['emails']):
return None
return util.Authz(self.getDefaultAllowRules(admins=['admins']),
[util.RolesFromEmails(admins=authcfg['emails'])])
def createAuthzConfigGroups(self, authcfg):
if not self.configAssertContains(authcfg, ['groups']):
return None
return util.Authz(self.getDefaultAllowRules(admins=authcfg['groups']),
[util.RolesFromGroups(groupPrefix="")])
from buildbot.plugins import util
from maxscale.config.google_auth_config import GOOGLE_AUTH_CONFIG
SETTINGS = {
'auth':
util.GoogleAuth(GOOGLE_AUTH_CONFIG['client_id'],
GOOGLE_AUTH_CONFIG['client_secret']),
'authz':
util.Authz(allowRules=[
util.AnyEndpointMatcher(role="admins"),
util.AnyControlEndpointMatcher(role="admins", defaultDeny=False)
],
roleMatchers=[util.RolesFromDomain(admins=["mariadb.com"])])
}
def build_config() -> dict[str, Any]:
c = {}
c["buildbotNetUsageData"] = None
# configure a janitor which will delete all logs older than one month, and will run on sundays at noon
c['configurators'] = [util.JanitorConfigurator(
logHorizon=timedelta(weeks=4),
hour=12,
dayOfWeek=6
)]
c["schedulers"] = [
# build all pushes to master
schedulers.SingleBranchScheduler(
name="master",
change_filter=util.ChangeFilter(branch="master"),
builderNames=["nix-eval"],
),
# build all pull requests
schedulers.SingleBranchScheduler(
name="prs",
change_filter=util.ChangeFilter(category="pull"),
builderNames=["nix-eval"],
),
# this is triggered from `nix-eval`
schedulers.Triggerable(
name="nix-build",
builderNames=["nix-build"],
),
# allow to manually trigger a nix-build
schedulers.ForceScheduler(name="force", builderNames=["nix-eval"]),
# allow to manually update flakes
schedulers.ForceScheduler(
name="update-flake",
builderNames=["nix-update-flake"],
buttonName="Update flakes",
),
# updates flakes once a weeek
schedulers.NightlyTriggerable(
name="update-flake-weekly",
builderNames=["nix-update-flake"],
hour=3,
minute=0,
dayOfWeek=6,
),
]
github_api_token = read_secret_file("github-token")
c["services"] = [
reporters.GitHubStatusPush(
token=github_api_token,
# Since we dynamically create build steps,
# we use `virtual_builder_name` in the webinterface
# so that we distinguish what has beeing build
context=Interpolate("buildbot/%(prop:virtual_builder_name)s"),
),
# Notify on irc
NotifyFailedBuilds("irc://buildbot|[email protected]:6667/#xxx"),
]
# Shape of this file:
# [ { "name": "<worker-name>", "pass": "******", "cores": "<cpu-cores>" } ]
worker_config = json.loads(read_secret_file("github-workers"))
credentials = os.environ.get("CREDENTIALS_DIRECTORY", ".")
enable_cachix = os.path.isfile(os.path.join(credentials, "cachix-token"))
systemd_secrets = secrets.SecretInAFile(dirname=credentials)
c["secretsProviders"] = [systemd_secrets]
c["workers"] = []
worker_names = []
for item in worker_config:
cores = item.get("cores", 0)
for i in range(cores):
worker_name = f"{item['name']}-{i}"
c["workers"].append(worker.Worker(worker_name, item["pass"]))
worker_names.append(worker_name)
c["builders"] = [
# Since all workers run on the same machine, we only assign one of them to do the evaluation.
# This should prevent exessive memory usage.
nix_eval_config([worker_names[0]], github_token_secret="github-token"),
nix_build_config(worker_names, enable_cachix),
nix_update_flake_config(
worker_names,
"TUM-DSE/doctor-cluster-config",
github_token_secret="github-token",
),
]
c["www"] = {
"port": int(os.environ.get("PORT", "1810")),
"auth": util.GitHubAuth(
os.environ.get("GITHUB_OAUTH_ID"), read_secret_file("github-oauth-secret")
),
"authz": util.Authz(
roleMatchers=[
util.RolesFromGroups(groupPrefix="") # so we can match on TUM-DSE
],
allowRules=[
util.AnyEndpointMatcher(role="TUM-DSE", defaultDeny=False),
util.AnyControlEndpointMatcher(role="TUM-DSE"),
],
),
"plugins": dict(waterfall_view={}, console_view={}, grid_view={}),
"change_hook_dialects": dict(
github={
"secret": read_secret_file("github-webhook-secret"),
"strict": True,
"token": github_api_token,
"github_property_whitelist": "*",
}
),
}
c["db"] = {"db_url": os.environ.get("DB_URL", "sqlite:///state.sqlite")}
c["protocols"] = {"pb": {"port": "tcp:9989:interface=\\:\\:"}}
c["buildbotURL"] = "https://buildbot.dse.in.tum.de/"
return c
### Fetch users from json file
users = []
admins = []
for user in json.load(open('../users.json')):
if user['admin']:
admins.append(user['user'])
users.append((user['user'], user['pass']))
authz = util.Authz(allowRules=[
util.AnyEndpointMatcher(role='admins', defaultDeny=False),
util.StopBuildEndpointMatcher(role='owner'),
util.ForceBuildEndpointMatcher(role='users'),
util.ForceBuildEndpointMatcher(role='users'),
util.ForceBuildEndpointMatcher(role='users'),
util.AnyControlEndpointMatcher(role='admins')
],
roleMatchers=[
util.RolesFromUsername(roles=['admins'],
usernames=admins),
util.RolesFromUsername(roles=['users'],
usernames=users),
util.RolesFromOwner(role='owner')
])
######################################################################
WWW = dict(port=8010,
authz=authz,
auth=util.UserPasswordAuth(users),
plugins=dict(console_view={}, pullrequests=[opencv, contrib]))
def buildmaster_config_base(self) -> Dict[str, Any]:
"""Generate a base for the Buildmaster configuration settings as `dict`
(i.e. the ``BuildmasterConfig`` `dict` that is read by the Buildbot
twistd application) with all the settings properly defined."""
# The buildbot instance name title
title = "CLIP OS" if self.__settings else "DEBUGGING ONLY"
title_url = "https://clip-os.org/"
# Authentication settings
if not self.__settings:
auth = NoAuth()
authz = util.Authz()
else:
if not self.secrets:
admin_usernames = []
auth_backend = 'user-password-dict'
auth_backend_parameters = {}
else:
admin_usernames = self.secrets.admin_usernames
auth_backend = self.secrets.auth_backend
auth_backend_parameters = self.secrets.auth_backend_parameters
if auth_backend == 'user-password-dict':
auth = util.UserPasswordAuth(auth_backend_parameters)
elif auth_backend == 'github':
auth = util.GitHubAuth(
clientId=auth_backend_parameters['clientId'],
clientSecret=auth_backend_parameters['clientSecret'],
getTeamsMembership=False, # useless for us
)
else:
raise NotImplementedError(
"Unknown auth backend {!r} from secrets".format(
auth_backend))
authz = util.Authz(
allowRules=[
# Admins can do anything.
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
# Future-proof control endpoints.
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatchers=[
# Defined administration from their usernames
util.RolesFromUsername(
roles=['admins'],
usernames=admin_usernames,
)
],
)
return {
# Presentation settings
'title': title,
'titleURL': title_url,
# Database settings
'db': {
'db_url': self.db_url,
},
# Web UI settings
'buildbotURL': self.buildbot_url,
'www': {
# The port to listen to (a HTTP reverse-proxy should be
# configured behind this port):
'port': self.www_port,
# Do not use an alternative logfile for HTTP logging, use
# twistd logging output (the fallback) rather than a separate
# file because the twistd logging output is known to be
# properly collected.
'logfileName': None,
# Do not use Gravatars:
'avatar_methods': [],
# Web UI plugins potential settings:
'plugins': {
'waterfall_view': {},
# Useless for now:
#'console_view': {},
#'grid_view': {},
},
# Web UI custom configuration:
'ui_default_config': {
'Waterfall.scaling_waterfall': 0.04,
'Builders.show_old_builders': True,
'Builders.show_workers_name': True,
},
# Authentication settings for the web UI and REST API:
'auth': auth,
'authz': authz,
},
# Buildmaster/workers network related settings
'protocols': {
# Settings for Twisted's Perspective Broker protocol
'pb': {
# The port to use to communicate with the Buildbot workers
'port': self.pb_port,
},
},
# Disable Buildbot usage tracking for the moment:
# See: http://docs.buildbot.net/latest/manual/cfg-global.html#buildbotnetusagedata
'buildbotNetUsageData': None,
}
