def test_bbb_worker():
    """Pin the set of principals allowed to define tasks for the Buildbot
    Bridge provisioner-id/worker-type.

    Holding this scope lets a principal schedule BBB jobs, but only on
    non-restricted builders unless additional (``buildbot-bridge:..``)
    scopes are also held.  Any addition to the expected list below widens
    who can drive Buildbot through TaskCluster, so review changes here as
    an access-control change, not a test tweak.
    """
    root = ['client-id:root']
    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        'client-id-alias:mozilla-pulse-actions',  # armen's thing
        'client-id:bbb-scheduler',
    ]
    people = ['client-id:adusca-development']
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithScope(
        "queue:define-task:buildbot-bridge/*",
        root + services + people + user_groups,
        omitTrusted=True)
def test_moco():
    """Pin the membership of the ``mozilla-group:team_moco`` role.

    Besides the temporary-credentials alias (Bug 1233553), every holder of
    a legacy permacred is treated as an honorary moco employee, and
    team_taskcluster matches because its members hold ``*``.  Note that
    the legacy-permacred entry makes this role only as tight as the
    permacred list itself.
    """
    expected = ['client-id-alias:temporary-credentials']  # Bug 1233553
    # legacy permacred holders are honorary moco employees
    expected.append(principalsWith('legacy-permacred'))
    # team_taskcluster holds `*`, so it matches this role too
    expected.append(principalsWith('mozilla-group:team_taskcluster'))
    assertPrincipalsWithRole('mozilla-group:team_moco', expected,
                             omitTrusted=True)
def test_releng():
    """Pin the membership of the ``mozilla-group:releng`` role.

    The role is the releng permacred holders plus all of team_relops, and
    team_taskcluster matches because its members hold ``*``.  Because
    releng is referenced by several scope tests in this file, growing this
    role transitively grants those scopes as well.
    """
    members = [
        releng_permacreds,  # all of the relengers
        principalsWith('mozilla-group:team_relops'),  # relops are OK too
        principalsWith('mozilla-group:team_taskcluster'),  # hold `*`
    ]
    assertPrincipalsWithRole('mozilla-group:releng', members,
                             omitTrusted=True)
def test_bbb():
    """Pin the principals holding ``buildbot-bridge:*``.

    These scopes gate the restricted (more sensitive) Buildbot builders
    reachable through the Buildbot Bridge.  This assertion is identical to
    ``test_bbb_tasks`` below; keep the two expected lists in sync (or drop
    one) so a change to the role set cannot pass one and fail the other
    silently.
    """
    expected = ['client-id:root']
    expected += [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    for group in ('releng', 'team_relops', 'team_taskcluster'):
        expected.append(principalsWith('mozilla-group:' + group))
    assertPrincipalsWithScope("buildbot-bridge:*", expected,
                              omitTrusted=True)
def test_relops():
    """Pin the membership of the ``mozilla-group:team_relops`` role:
    the relops permacred holders, plus team_taskcluster (whose ``*``
    matches every role)."""
    members = [relops_permacreds]
    # team_taskcluster holds `*`, so it matches this role too
    members.append(principalsWith('mozilla-group:team_taskcluster'))
    assertPrincipalsWithRole('mozilla-group:team_relops', members,
                             omitTrusted=True)
def test_bbb_tasks():
    """Pin the principals holding ``buildbot-bridge:*``.

    Buildbot Bridge (BBB) lets Buildbot jobs run via a TaskCluster task.
    Most BBB tasks need no extra scopes, but the more sensitive builders
    are restricted behind ``buildbot-bridge:..`` scopes, so this list is
    the set of principals that can reach those builders.  ``test_bbb``
    above asserts the same thing; keep both in sync.
    """
    root = ['client-id:root']
    services = [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    assertPrincipalsWithScope("buildbot-bridge:*",
                              root + services + user_groups,
                              omitTrusted=True)
def test_balrog_vpn():
    """Pin the principals holding ``docker-worker:feature:balrogVPNProxy``.

    Balrog is the administrative interface for Mozilla's update server;
    automation uses it to publish information about new updates that
    end-users' updaters download.  The BalrogVpnProxy docker-worker
    feature grants *network* reachability to Balrog only -- it carries no
    Balrog credentials -- so it is one layer of access control among
    several and is handed out somewhat more broadly than full access.

    Even so, the list below includes every ``aws-provisioner-v1`` worker
    type and all level-3 trees, so any task scheduled onto those can reach
    Balrog's network; the remaining protection is Balrog's own
    authentication.
    """
    root = ['client-id:root']
    ci_testing = [
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]
    repos = [
        'moz-tree:level:3',
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/b2g-ota:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',
    ]
    # AWS workers; the wildcard entry presumably already matches the two
    # decision worker types, but all three are listed explicitly (Bug 1233555)
    aws_workers = [
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        'client-id-alias:testdroid-worker',  # Bug 1218549
    ]
    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    people = ['client-id:dustin-docker-dev']
    user_groups = [
        principalsWith('mozilla-group:scm_level_3'),
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]
    expected = (root + ci_testing + repos + aws_workers + services
                + people + user_groups)
    assertPrincipalsWithScope("docker-worker:feature:balrogVPNProxy",
                              expected, omitTrusted=True)
def test_scm_level_3():
    """Pin the membership of the ``mozilla-group:scm_level_3`` role.

    Level 3 is the highest tree level, so each name here is a direct
    grant of level-3 access.  Most entries are individual permacreds
    granted "manually" rather than via group membership; team_taskcluster
    matches because its members hold ``*``.  Removing someone from the
    group that backs this role does not revoke a manual grant listed here.
    """
    manual_grants = [
        'client-id-alias:permacred-%s' % who for who in (
            'armenzg',
            'armenzg-testing',
            'bhearsum',
            'jlund',
            'mrrrgn',
            'mshal',
            'nhirata',
            'rail',
            'ted',
        )
    ]
    manual_grants += [
        'client-id-alias:temporary-credentials',
        'client-id:gandalf',
    ]
    # team_taskcluster holds `*`, so it matches this role too
    manual_grants.append(principalsWith('mozilla-group:team_taskcluster'))
    assertPrincipalsWithRole('mozilla-group:scm_level_3', manual_grants,
                             omitTrusted=True)
def test_tree_level_3():
    """Pin the membership of the ``moz-tree:level:3`` role.

    Level 3 is granted to the scm_level_3 people and the level-3 repos,
    plus the CI-testing clients, the bitbar download permacred, the
    aws-provisioner service and -- via ``aws-provisioner-v1/*`` -- every
    worker type under that provisioner.  NOTE(review): the wildcard means
    any task landing on any aws-provisioner-v1 worker type is treated as
    level 3; confirm no lower-level workload shares that provisioner
    (Bug 1233555).
    """
    expected = [
        # level-3 people and repos
        principalsWith('mozilla-group:scm_level_3'),
        l3_repos,
    ]
    expected.extend([
        # CI testing
        'client-id:dustin-docker-dev',
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
        # permacreds used to download builds on bitbar
        'client-id-alias:testdroid-worker',  # Bug 1218549
        # services
        'client-id:aws-provisioner',
        # worker types
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
    ])
    assertPrincipalsWithRole('moz-tree:level:3', expected,
                             omitTrusted=True)
def test_scm_level_1():
    """Pin the membership of the ``mozilla-group:scm_level_1`` role.

    These are individual clients granted level 1 (try) "manually" rather
    than through group membership, plus team_taskcluster (whose ``*``
    matches every role).  Manual grants are not revoked by group changes,
    so this list needs periodic pruning.
    """
    manual_grants = [
        'client-id-alias:' + who for who in (
            'brson',
            'drs',
            'gerard-majax',
            'kgrandon',
            'mihneadb',
            'npark',
            'nullaus',
            'permacred-rthijssen',
            'russn',
            'rwood',
            'shako',
            'sousmangoosta',
        )
    ]
    # team_taskcluster holds `*`, so it matches this role too
    manual_grants.append(principalsWith('mozilla-group:team_taskcluster'))
    assertPrincipalsWithRole('mozilla-group:scm_level_1', manual_grants,
                             omitTrusted=True)
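def test_relengapi_tooltool_download():
    """Pin the principals holding the tooltool download scopes.

    Docker-worker grants tooltool download permission, for both public and
    internal files, to repositories at every SCM level -- including SCM
    level 1 (try).  That is required to build Firefox for Android, which
    needs non-public SDK and NDK bits.  The consequence is that anyone who
    can push to try can fetch *internal* tooltool files, so nothing that
    must stay secret from try pushers belongs in the internal bucket.

    The same expected list is asserted for the ``public`` and ``internal``
    variants of the scope.
    """
    # The original carried a leftover debug `print` of the level-1
    # principals here; it was Python-2-only syntax and only added noise
    # to test output, so it has been dropped.
    expected = [
        # trees
        principalsWith('moz-tree:level:1'),
        principalsWith('moz-tree:level:2'),
        principalsWith('moz-tree:level:3'),
        # permacreds used to download builds on bitbar
        'client-id-alias:testdroid-worker',
        # user groups that list the permission explicitly
        principalsWith('mozilla-group:releng'),
        # services
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        # worker types
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        # root
        'client-id:root',
        # CI testing
        'client-id:dustin-docker-dev',
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]
    for lvl in ('public', 'internal'):
        scope = "docker-worker:relengapi-proxy:tooltool.download." + lvl
        assertPrincipalsWithScope(scope, expected, omitTrusted=True)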
def test_scm_level_2():
    """Pin the membership of the ``mozilla-group:scm_level_2`` role.

    No client is granted level 2 manually; the only match is
    team_taskcluster, whose members hold ``*`` and therefore satisfy
    every role.
    """
    members = [principalsWith('mozilla-group:team_taskcluster')]
    assertPrincipalsWithRole('mozilla-group:scm_level_2', members,
                             omitTrusted=True)
def test_tree_level_1():
    """Pin the membership of the ``moz-tree:level:1`` role.

    Level 1 is the level-1 people (scm_level_1) and the level-1 repos,
    plus everyone who already holds level 2 -- tree levels nest, so a
    higher level implies the lower ones.
    """
    level_1_only = [
        principalsWith('mozilla-group:scm_level_1'),
        l1_repos,
    ]
    inherited = [principalsWith('moz-tree:level:2')]
    assertPrincipalsWithRole('moz-tree:level:1', level_1_only + inherited,
                             omitTrusted=True)