def set_up_authorization(settings):
if bool(settings.do_auth):
auth = util.GitHubAuth(
clientId=str(settings.github_auth_id),
clientSecret=str(settings.github_auth_secret),
apiVersion=4,
getTeamsMembership=True,
)
authz = util.Authz(
allowRules=[
# Admins can do anything.
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
# allow core devs to stop, force or rebuild any build.
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
util.StopBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.StopBuildEndpointMatcher(role="python-core"),
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(
role="python-triage", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(role="python-core"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-core"),
# Allow release managers to enable/disable schedulers.
util.EnableSchedulerEndpointMatcher(role="python-release-managers"),
# Future-proof control endpoints.
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="python/"),
util.RolesFromOwner(role="owner"),
util.RolesFromUsername(
roles=["admins"],
usernames=[
"zware",
"vstinner",
"bitdancer",
"pitrou",
"pablogsal",
],
),
],
)
else:
log.err("WARNING: Web UI is completely open")
# Completely open
auth = NoAuth()
authz = util.Authz()
return auth, authz
def getDefaultAllowRules(self, admins):
epms = [
util.AnyEndpointMatcher(role=admin, defaultDeny=False)
for admin in admins
]
epms += [TravisEndpointMatcher(role=admin) for admin in admins]
return epms + [
util.StopBuildEndpointMatcher(role="owner"),
util.RebuildBuildEndpointMatcher(role="owner"),
]
def getAuthz():
authz = util.Authz(
allowRules=[
# Admins can do anything.
# defaultDeny=False: if user does not have the admin role,
# we continue parsing rules.
util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
# Allow bot owners to stop, force or rebuild on their own bots,
util.StopBuildEndpointMatcher(role="worker-owner"),
# allow devs to force or rebuild any build.
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="LLVM Committers"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="LLVM Committers"),
# Future-proof control endpoints. No parsing rules beyond this.
# Allows anonymous to look at build results.
util.AnyControlEndpointMatcher(role="LLVM Lab team"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="llvm/"),
util.RolesFromGroups(groupPrefix="llvm/"),
# role owner is granted when property owner matches the email of the user
util.RolesFromOwner(role="owner"),
],
)
return authz
