def set_up_authorization(settings):
    """Build the web UI authentication plugin and authorization policy.

    Args:
        settings: Configuration object; this function reads ``do_auth``,
            ``github_auth_id`` and ``github_auth_secret`` from it.

    Returns:
        An ``(auth, authz)`` tuple for the web UI configuration.
    """
    if not settings.do_auth:
        # Fail-open branch: no authentication plugin and an Authz with no
        # rules. The only signal is this log line.
        # NOTE(review): a missing or falsy do_auth leaves every endpoint,
        # including control endpoints, unauthenticated -- confirm that this
        # branch can only be reached on non-production deployments.
        log.err("WARNING: Web UI is completely open")
        # Completely open
        return NoAuth(), util.Authz()

    # NOTE(review): str() turns a missing (None) credential into the literal
    # "None" instead of failing -- confirm settings validates both values.
    auth = util.GitHubAuth(
        clientId=str(settings.github_auth_id),
        clientSecret=str(settings.github_auth_secret),
        apiVersion=4,
        getTeamsMembership=True,
    )

    # Order matters. Entries with defaultDeny=False let evaluation fall
    # through to later rules when the user lacks the role; the last matcher
    # for each action omits it and is therefore the final decision.
    allow_rules = [
        # Admins can do anything.
        util.AnyEndpointMatcher(role="admins", defaultDeny=False),
        # Allow authors to stop, force or rebuild their own builds,
        # allow core devs to stop, force or rebuild any build.
        util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
        util.StopBuildEndpointMatcher(role="buildbot-owners", defaultDeny=False),
        util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False),
        util.StopBuildEndpointMatcher(role="python-core"),
        util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
        util.RebuildBuildEndpointMatcher(role="python-triage", defaultDeny=False),
        util.RebuildBuildEndpointMatcher(role="buildbot-owners", defaultDeny=False),
        util.RebuildBuildEndpointMatcher(role="python-core"),
        # NOTE(review): "buildbot-owners" appears in the stop and rebuild
        # rules but not in the force-build rules -- confirm this is intended.
        util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
        util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False),
        util.ForceBuildEndpointMatcher(role="python-core"),
        # Allow release managers to enable/disable schedulers.
        util.EnableSchedulerEndpointMatcher(role="python-release-managers"),
        # Future-proof control endpoints.
        util.AnyControlEndpointMatcher(role="admins"),
    ]

    # The "admins" role is bound to a fixed list of usernames, so revoking
    # admin access requires editing this list and reloading the config.
    admin_usernames = [
        "zware",
        "vstinner",
        "bitdancer",
        "pitrou",
        "pablogsal",
    ]
    role_matchers = [
        util.RolesFromGroups(groupPrefix="python/"),
        util.RolesFromOwner(role="owner"),
        util.RolesFromUsername(roles=["admins"], usernames=admin_usernames),
    ]

    authz = util.Authz(allowRules=allow_rules, roleMatchers=role_matchers)
    return auth, authz
def getDefaultAllowRules(self, admins):
    """Return the default endpoint-matcher list for the given admin roles.

    Args:
        admins: Iterable of role names treated as administrators. It is
            iterated twice, so it must be re-iterable (e.g. a list).

    Returns:
        A list with, in order: one ``AnyEndpointMatcher`` per admin, one
        ``TravisEndpointMatcher`` per admin, then the stop and rebuild
        matchers for the ``"owner"`` role.
    """
    # defaultDeny=False: a user without this admin role is not rejected
    # here, and evaluation continues with the following rules.
    admin_any_rules = []
    for admin in admins:
        admin_any_rules.append(util.AnyEndpointMatcher(role=admin, defaultDeny=False))

    # NOTE(review): TravisEndpointMatcher is defined outside this block; which
    # endpoints it covers and its defaultDeny default are not visible here.
    admin_travis_rules = []
    for admin in admins:
        admin_travis_rules.append(TravisEndpointMatcher(role=admin))

    # The owner rules do not override defaultDeny, so they use the matcher's
    # own default and act as the final decision for stop/rebuild requests.
    return [
        *admin_any_rules,
        *admin_travis_rules,
        util.StopBuildEndpointMatcher(role="owner"),
        util.RebuildBuildEndpointMatcher(role="owner"),
    ]
def getAuthz():
    """Build the authorization policy for the web UI.

    Returns:
        A ``util.Authz`` whose allow rules are evaluated in the order listed
        below and whose roles come from groups and from build ownership.
    """
    allow_rules = [
        # Admins can do anything.
        # defaultDeny=False: if user does not have the admin role,
        # we continue parsing rules.
        util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False),
        # Allow authors to stop, force or rebuild their own builds,
        util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
        # Allow bot owners to stop, force or rebuild on their own bots,
        # NOTE(review): no role matcher below assigns "worker-owner" by name;
        # presumably it arrives as a group under the "llvm/" prefix --
        # confirm, otherwise the worker-owner rules never grant anything.
        util.StopBuildEndpointMatcher(role="worker-owner"),
        # allow devs to force or rebuild any build.
        util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
        util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
        util.RebuildBuildEndpointMatcher(role="LLVM Committers"),
        util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
        util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
        util.ForceBuildEndpointMatcher(role="LLVM Committers"),
        # Future-proof control endpoints. No parsing rules beyond this.
        # Allows anonymous to look at build results.
        util.AnyControlEndpointMatcher(role="LLVM Lab team"),
    ]

    role_matchers = [
        util.RolesFromGroups(groupPrefix="llvm/"),
        # NOTE(review): identical to the matcher above; it looks redundant --
        # confirm and drop, or replace with the prefix that was intended.
        util.RolesFromGroups(groupPrefix="llvm/"),
        # role owner is granted when property owner matches the email of the user
        util.RolesFromOwner(role="owner"),
    ]

    return util.Authz(allowRules=allow_rules, roleMatchers=role_matchers)