def check_tasks_cancel_acl(pools):
    """Authorize a bulk task-cancel request for the current caller.

    Callers for whom acl.can_edit_all_tasks() is true are allowed outright.
    Everyone else is checked against the realm permission
    'swarming.pools.cancelTask': the caller must name the pools and must hold
    the permission in *all* of them, not just one.

    Args:
      pools: List of pools for filtering.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    has_global_permission = acl.can_edit_all_tasks()
    if not has_global_permission:
        # No global grant: fall back to the per-pool realm check. Its result
        # is not used here; per the contract above, denial surfaces as an
        # exception.
        _check_pools_filters_acl(
            realms_pb2.REALM_PERMISSION_POOLS_CANCEL_TASK, pools)
def permissions(self, _request):
    """Report which actions the current caller is permitted to perform.

    Each field of the returned swarming_rpcs.ClientPermissions is filled from
    one acl predicate evaluated for the caller; the request payload is unused.
    """
    may_delete_bot = acl.can_delete_bot()
    may_terminate_bot = acl.can_edit_bot()
    may_get_configs = acl.can_view_config()
    may_put_configs = acl.can_edit_config()
    # NOTE(review): cancel_task is derived from coarse identity checks (a
    # private acl helper or IP-allowlist membership), not from a check against
    # a particular task. Treat it as a hint only; presumably the cancel
    # handlers enforce the per-task ACL themselves -- confirm.
    may_cancel_task = acl._is_user() or acl.is_ip_whitelisted_machine()
    may_cancel_tasks = acl.can_edit_all_tasks()
    may_get_bootstrap_token = acl.can_create_bot()
    return swarming_rpcs.ClientPermissions(
        delete_bot=may_delete_bot,
        terminate_bot=may_terminate_bot,
        get_configs=may_get_configs,
        put_configs=may_put_configs,
        cancel_task=may_cancel_task,
        cancel_tasks=may_cancel_tasks,
        get_bootstrap_token=may_get_bootstrap_token)
def test_ip_whitelisted(self):
    # Pins the rights granted on the strength of IP-allowlist membership
    # alone: bot management and per-task access (including a task the caller
    # does not own), but no config access, no bot creation, no high-priority
    # scheduling and none of the "all tasks" permissions.

    def _always_listed(_name, _ip, _warn):
        return True

    self.mock(auth, 'is_in_ip_whitelist', _always_listed)

    self.assertTrue(acl.is_ip_whitelisted_machine())
    self.assertTrue(acl.can_access())

    # Service configuration stays closed.
    self.assertFalse(acl.can_view_config())
    self.assertFalse(acl.can_edit_config())

    # Bots: everything except creating new ones.
    self.assertFalse(acl.can_create_bot())
    self.assertTrue(acl.can_edit_bot())
    self.assertTrue(acl.can_delete_bot())
    self.assertTrue(acl.can_view_bot())

    # Tasks: create, and edit/view individual tasks regardless of owner.
    self.assertTrue(acl.can_create_task())
    self.assertFalse(acl.can_schedule_high_priority_tasks())
    owned = self._task_owned
    self.assertTrue(acl.can_edit_task(owned))
    other = self._task_other
    self.assertTrue(acl.can_edit_task(other))
    self.assertFalse(acl.can_edit_all_tasks())
    self.assertTrue(acl.can_view_task(owned))
    self.assertTrue(acl.can_view_task(other))
    self.assertFalse(acl.can_view_all_tasks())
def test_instance_admin(self):
    # An instance admin holds every permission the acl module exposes; the
    # only predicate that stays false is IP-allowlist membership, which is
    # an identity property rather than a grant.
    auth_testing.mock_is_admin(self, True)

    self.assertFalse(acl.is_ip_whitelisted_machine())
    self.assertTrue(acl.can_access())

    # Service configuration.
    self.assertTrue(acl.can_view_config())
    self.assertTrue(acl.can_edit_config())

    # Bots.
    self.assertTrue(acl.can_create_bot())
    self.assertTrue(acl.can_edit_bot())
    self.assertTrue(acl.can_delete_bot())
    self.assertTrue(acl.can_view_bot())

    # Tasks, both per-task and global.
    self.assertTrue(acl.can_create_task())
    self.assertTrue(acl.can_schedule_high_priority_tasks())
    owned = self._task_owned
    self.assertTrue(acl.can_edit_task(owned))
    other = self._task_other
    self.assertTrue(acl.can_edit_task(other))
    self.assertTrue(acl.can_edit_all_tasks())
    self.assertTrue(acl.can_view_task(owned))
    self.assertTrue(acl.can_view_task(other))
    self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
    # Default-deny check: with the current identity set to auth.Anonymous,
    # every acl predicate must come back false.
    auth_testing.mock_get_current_identity(self, auth.Anonymous)

    self.assertFalse(acl.is_ip_whitelisted_machine())
    self.assertFalse(acl.can_access())

    # Service configuration.
    self.assertFalse(acl.can_view_config())
    self.assertFalse(acl.can_edit_config())

    # Bots.
    self.assertFalse(acl.can_create_bot())
    self.assertFalse(acl.can_edit_bot())
    self.assertFalse(acl.can_delete_bot())
    self.assertFalse(acl.can_view_bot())

    # Tasks, both per-task and global.
    self.assertFalse(acl.can_create_task())
    self.assertFalse(acl.can_schedule_high_priority_tasks())
    owned = self._task_owned
    self.assertFalse(acl.can_edit_task(owned))
    other = self._task_other
    self.assertFalse(acl.can_edit_task(other))
    self.assertFalse(acl.can_edit_all_tasks())
    self.assertFalse(acl.can_view_task(owned))
    self.assertFalse(acl.can_view_task(other))
    self.assertFalse(acl.can_view_all_tasks())
def test_view_all_tasks(self):
    # Membership in 'view_all_tasks' must widen read access to tasks only:
    # no config, bot or task-creation rights, and edit access stays limited
    # to the fixture's owned task.
    self._add_to_group('view_all_tasks')

    self.assertFalse(acl.is_ip_whitelisted_machine())
    self.assertTrue(acl.can_access())

    # Service configuration.
    self.assertFalse(acl.can_view_config())
    self.assertFalse(acl.can_edit_config())

    # Bots.
    self.assertFalse(acl.can_create_bot())
    self.assertFalse(acl.can_edit_bot())
    self.assertFalse(acl.can_delete_bot())
    self.assertFalse(acl.can_view_bot())

    # Tasks: viewing is global, editing is not.
    self.assertFalse(acl.can_create_task())
    self.assertFalse(acl.can_schedule_high_priority_tasks())
    owned = self._task_owned
    self.assertTrue(acl.can_edit_task(owned))
    other = self._task_other
    self.assertFalse(acl.can_edit_task(other))
    self.assertFalse(acl.can_edit_all_tasks())
    self.assertTrue(acl.can_view_task(owned))
    self.assertTrue(acl.can_view_task(other))
    self.assertTrue(acl.can_view_all_tasks())
def test_nobody(self):
    # Default-deny check: with auth.get_current_identity patched to return
    # auth.IDENTITY_ANONYMOUS, every acl predicate must come back false.

    def _anonymous():
        return auth.IDENTITY_ANONYMOUS

    self.mock(auth, 'get_current_identity', _anonymous)

    self.assertFalse(acl.is_ip_whitelisted_machine())
    self.assertFalse(acl.can_access())

    # Service configuration.
    self.assertFalse(acl.can_view_config())
    self.assertFalse(acl.can_edit_config())

    # Bots.
    self.assertFalse(acl.can_create_bot())
    self.assertFalse(acl.can_edit_bot())
    self.assertFalse(acl.can_delete_bot())
    self.assertFalse(acl.can_view_bot())

    # Tasks, both per-task and global.
    self.assertFalse(acl.can_create_task())
    self.assertFalse(acl.can_schedule_high_priority_tasks())
    owned = self._task_owned
    self.assertFalse(acl.can_edit_task(owned))
    other = self._task_other
    self.assertFalse(acl.can_edit_task(other))
    self.assertFalse(acl.can_edit_all_tasks())
    self.assertFalse(acl.can_view_task(owned))
    self.assertFalse(acl.can_view_task(other))
    self.assertFalse(acl.can_view_all_tasks())