def is_ip_whitelisted_machine():
  """Returns True if the caller's peer IP is in the bots IP whitelist.

  This is a pure network-origin check: no credential is examined, so it is
  only as trustworthy as the peer IP that auth.get_peer_ip() reports for the
  current request. Per the TODO below it is meant to be retired in favour of
  credential-based bot authentication.
  """
  # TODO(vadimsh): Get rid of this. It's blocked on fixing /bot_code calls in
  # bootstrap code everywhere to use service accounts and switching all Swarming
  # Tasks API calls made from bots to use proper authentication.
  whitelist = auth.bots_ip_whitelist()
  peer_ip = auth.get_peer_ip()
  # NOTE(review): the meaning of the trailing positional False is not visible
  # here (the other is_in_ip_whitelist call sites in this file omit it) --
  # confirm against auth.is_in_ip_whitelist's signature.
  return auth.is_in_ip_whitelist(whitelist, peer_ip, False)
def validate_bot_id_and_fetch_config(bot_id):
  """Checks that the bot ID a bot reports is backed by the expected credentials.

  Must be called from a bot API request handler, since the peer identity and
  peer IP are read from the current request. The bots.cfg entry for bot_id
  (looked up through bot_groups_config) decides which credential the bot has
  to present: a LUCI machine token, a specific service account, or -- as a
  last resort -- only membership in an IP whitelist. When the entry names an
  IP whitelist, the peer IP must match it in addition to whatever credential
  check applied.

  Every failure path raises (fail closed); nothing is returned on a partial
  match.

  Args:
    bot_id: bot ID as reported by the bot. Treat as untrusted until this
        function returns.

  Returns:
    The bot's configuration, a BotGroupConfig tuple as defined in bots.cfg.

  Raises:
    auth.AuthorizationError: bot_id is not in the config, the peer credential
        does not match what the config requires, the config names no auth
        method at all, or the peer IP is outside the configured whitelist.
  """
  cfg = bot_groups_config.get_bot_group_config(bot_id)
  if not cfg:
    # NOTE(review): bot_id is caller-controlled and is logged verbatim here
    # and below; if the log sink does not escape newlines, %r would keep a
    # crafted ID from forging extra log lines.
    logging.error(
        'bot_auth: unknown bot_id, not in the config\nbot_id: "%s"', bot_id)
    raise auth.AuthorizationError('Unknown bot ID, not in config')

  peer_ident = auth.get_peer_identity()

  # Only one credential requirement is enforced, in this order of precedence.
  if cfg.require_luci_machine_token:
    # The machine token must have been issued for this particular bot_id; the
    # check itself lives in _is_valid_ident_for_bot.
    token_matches_bot = _is_valid_ident_for_bot(peer_ident, bot_id)
    if not token_matches_bot:
      logging.error(
          "bot_auth: bot ID doesn't match the machine token used\n"
          'bot_id: "%s", peer_ident: "%s"', bot_id, peer_ident.to_bytes())
      raise auth.AuthorizationError("Bot ID doesn't match the token used")
  elif cfg.require_service_account:
    # The bot must be calling as exactly the configured service account.
    expected_id = auth.Identity(auth.IDENTITY_USER, cfg.require_service_account)
    if peer_ident != expected_id:
      logging.error(
          'bot_auth: bot is not using expected service account\n'
          'bot_id: "%s", expected_id: "%s", peer_ident: "%s"',
          bot_id, expected_id.to_bytes(), peer_ident.to_bytes())
      raise auth.AuthorizationError('bot is not using expected service account')
  elif not cfg.ip_whitelist:
    # Config validation is expected to reject groups with no auth method, so
    # this should be unreachable; refuse rather than let such a bot through.
    logging.error(
        'bot_auth: invalid bot group config, no auth method defined\n'
        'bot_id: "%s"', bot_id)
    raise auth.AuthorizationError('Invalid bot group config')

  # Defense in depth: a configured IP whitelist applies on top of whichever
  # credential check passed above. For a group with no credential requirement
  # it is the only factor, and then the check is only as strong as the peer IP
  # auth.get_peer_ip() reports.
  if cfg.ip_whitelist:
    peer_ip = auth.get_peer_ip()
    if not auth.is_in_ip_whitelist(cfg.ip_whitelist, peer_ip):
      logging.error(
          'bot_auth: bot IP is not whitelisted\n'
          'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
          bot_id, ipaddr.ip_to_string(peer_ip), cfg.ip_whitelist)
      raise auth.AuthorizationError('Not IP whitelisted')
  return cfg
def check_ip_and_finish(auth_method, condition):
  """Applies the matched group's IP whitelist, then records a successful auth.

  This is a closure: bot_auth (the matched auth config), ip (the peer IP),
  bot_id, error() and errors all come from the enclosing handler, which is not
  visible here.

  Args:
    auth_method: identifier of the credential type that authenticated the
        bot; forwarded to ts_mon_metrics.on_bot_auth_success.
    condition: forwarded to ts_mon_metrics.on_bot_auth_success as well.

  Returns:
    (None, []) on success, or ('Not IP whitelisted', errors) when bot_auth has
    an ip_whitelist and the peer IP is not in it. The success metric is
    emitted only on the success path.
  """
  if bot_auth.ip_whitelist and not auth.is_in_ip_whitelist(
      bot_auth.ip_whitelist, ip):
    error(
        'bot_auth: bot IP is not whitelisted\n'
        'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
        bot_id, ipaddr.ip_to_string(ip), bot_auth.ip_whitelist)
    return 'Not IP whitelisted', errors
  # Credential check already passed in the caller; IP check passed (or was
  # not configured) above.
  ts_mon_metrics.on_bot_auth_success(auth_method, condition)
  return None, []
def file_size(size):
  """Attributes the size of a GCS-fetched file to a monitored client.

  Walks config.settings().client_monitoring_config in order and charges the
  bytes to the first entry whose ip_whitelist contains the peer IP. Requests
  from IPs matching no entry are not counted at all. Monitoring only -- this
  grants nothing.

  Args:
    size: size of the file in bytes.
  """
  peer_ip = auth.get_peer_ip()
  for monitored in config.settings().client_monitoring_config:
    if not auth.is_in_ip_whitelist(monitored.ip_whitelist, peer_ip):
      continue
    # NOTE(review): client_email is the raw peer identity. If monitored
    # clients can present many distinct identities this becomes a
    # high-cardinality metric field -- confirm the set is small and fixed.
    _bytes_requested.increment_by(
        size,
        fields={
            'client_name': monitored.label,
            'client_email': auth.get_peer_identity().to_bytes(),
            'download_source': 'GCS',
        })
    break
def is_ip_whitelisted_machine():
  """Returns True if the current request comes from a bots-whitelisted IP.

  No credential is checked; the result depends solely on the peer IP that
  auth.get_peer_ip() reports for this request, compared against
  auth.bots_ip_whitelist().
  """
  # NOTE(review): the trailing positional False is not used at the other
  # is_in_ip_whitelist call sites in this file; confirm its meaning against
  # auth.is_in_ip_whitelist.
  return auth.is_in_ip_whitelist(
      auth.bots_ip_whitelist(), auth.get_peer_ip(), False)