def is_ip_whitelisted_machine():
    """Return True if the current request's peer IP is in the bots IP whitelist.

    The allowed set comes from auth.bots_ip_whitelist() and the caller's
    address from auth.get_peer_ip(); the trailing False is handed to
    auth.is_in_ip_whitelist unchanged (its meaning is defined in auth, not
    here).

    NOTE(review): this authenticates by network position only, which is a
    weaker signal than a per-bot credential; callers should treat a True
    result accordingly.
    """
    # TODO(vadimsh): Get rid of this. It's blocked on fixing /bot_code calls in
    # bootstrap code everywhere to use service accounts and switching all Swarming
    # Tasks API calls made from bots to use proper authentication.
    allowed_ips = auth.bots_ip_whitelist()
    peer_ip = auth.get_peer_ip()
    return auth.is_in_ip_whitelist(allowed_ips, peer_ip, False)
def validate_bot_id_and_fetch_config(bot_id):
    """Check that the bot ID a bot reports matches the credential it presented.

    Expected to be called from a bot API request handler. The bot group
    config (bots.cfg) for `bot_id` decides which credential the bot must use:
    a LUCI machine token bound to this bot ID, one specific service account,
    or - only when neither is required - nothing beyond the IP whitelist.
    When the group also carries an IP whitelist, the peer IP must be in it in
    addition to passing the credential check.

    Args:
      bot_id: Bot ID as reported by the bot in the request.

    Returns:
      The BotGroupConfig tuple for this bot, as defined in bots.cfg.

    Raises:
      auth.AuthorizationError: if bot_id is not in the config, the presented
        credential does not match what the config requires, the config
        defines no auth method at all, or the peer IP is not whitelisted.
    """

    def deny(message, log_fmt, *log_args):
        # Every rejection is logged at ERROR (always including the bot ID, so
        # it can be correlated later) and then surfaced to the handler as an
        # AuthorizationError. Never returns.
        logging.error(log_fmt, *log_args)
        raise auth.AuthorizationError(message)

    cfg = bot_groups_config.get_bot_group_config(bot_id)
    if not cfg:
        deny('Unknown bot ID, not in config',
             'bot_auth: unknown bot_id, not in the config\nbot_id: "%s"',
             bot_id)

    peer_ident = auth.get_peer_identity()
    if cfg.require_luci_machine_token:
        # The machine token must have been issued for exactly this bot ID.
        if not _is_valid_ident_for_bot(peer_ident, bot_id):
            deny('Bot ID doesn\'t match the token used',
                 'bot_auth: bot ID doesn\'t match the machine token used\n'
                 'bot_id: "%s", peer_ident: "%s"',
                 bot_id, peer_ident.to_bytes())
    elif cfg.require_service_account:
        # The peer must be the single service account named in the config.
        expected_id = auth.Identity(auth.IDENTITY_USER,
                                    cfg.require_service_account)
        if peer_ident != expected_id:
            deny('bot is not using expected service account',
                 'bot_auth: bot is not using expected service account\n'
                 'bot_id: "%s", expected_id: "%s", peer_ident: "%s"',
                 bot_id, expected_id.to_bytes(), peer_ident.to_bytes())
    elif not cfg.ip_whitelist:
        # Neither a credential requirement nor an IP whitelist: config
        # validation is supposed to reject such groups, so fail closed
        # rather than let the bot through.
        deny('Invalid bot group config',
             'bot_auth: invalid bot group config, no auth method defined\n'
             'bot_id: "%s"',
             bot_id)

    # An IP whitelist, when present, is enforced on top of the credential
    # check above. For groups with no credential requirement it is the only
    # check, i.e. those bots are authenticated by network position alone.
    allowed_ips = cfg.ip_whitelist
    if allowed_ips:
        peer_ip = auth.get_peer_ip()
        if not auth.is_in_ip_whitelist(allowed_ips, peer_ip):
            deny('Not IP whitelisted',
                 'bot_auth: bot IP is not whitelisted\n'
                 'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"',
                 bot_id, ipaddr.ip_to_string(peer_ip), allowed_ips)

    return cfg
 def check_ip_and_finish(auth_method, condition):
     """Enforce the group's IP whitelist (if any) and record a successful auth.

     `bot_auth`, `ip`, `bot_id`, `error` and `errors` are not parameters;
     they are bound by the enclosing scope, which starts outside this
     excerpt.

     Returns:
       (None, []) on success, after the metrics hook has been called;
       ('Not IP whitelisted', errors) when the peer IP is outside the
       whitelist, in which case the metrics hook is not called.
     """
     allowed_ips = bot_auth.ip_whitelist
     if allowed_ips and not auth.is_in_ip_whitelist(allowed_ips, ip):
         error(
             'bot_auth: bot IP is not whitelisted\n'
             'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"', bot_id,
             ipaddr.ip_to_string(ip), allowed_ips)
         return 'Not IP whitelisted', errors
     # Only a fully authenticated bot reaches this point.
     ts_mon_metrics.on_bot_auth_success(auth_method, condition)
     return None, []
def file_size(size):
    """Record the size of a file fetched from GCS, attributed to a monitored client.

    Walks config.settings().client_monitoring_config in order and uses the
    first entry whose ip_whitelist contains the peer IP. A peer that matches
    no entry is not counted at all. The metric is tagged with that entry's
    label, the peer identity and the literal download source 'GCS'.

    Args:
      size: Size of the file in bytes.
    """
    peer_ip = auth.get_peer_ip()
    monitored_clients = config.settings().client_monitoring_config
    # First whitelist match wins; later entries are not consulted.
    matched = next(
        (entry for entry in monitored_clients
         if auth.is_in_ip_whitelist(entry.ip_whitelist, peer_ip)),
        None)
    if matched is None:
        return
    _bytes_requested.increment_by(
        size,
        fields={
            'client_name': matched.label,
            'client_email': auth.get_peer_identity().to_bytes(),
            'download_source': 'GCS'
        })
def is_ip_whitelisted_machine():
  """Return True if the current request's peer IP is in the bots IP whitelist.

  Uses auth.bots_ip_whitelist() as the allowed set and auth.get_peer_ip() as
  the caller's address; the trailing False is passed to
  auth.is_in_ip_whitelist unchanged.

  NOTE(review): this is a network-position check, not a credential check;
  a True result says nothing about which bot is calling.
  """
  peer_ip = auth.get_peer_ip()
  allowed_ips = auth.bots_ip_whitelist()
  return auth.is_in_ip_whitelist(allowed_ips, peer_ip, False)