예제 #1
 def test_ip_whitelisted(self):
     """Pins the permission matrix of a caller matched by the IP whitelist.

     auth.is_in_ip_whitelist is mocked to always return True, so every
     verdict below is what a machine is granted on the strength of its
     source address alone.
     """
     self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
     # Rows are (expected, predicate, args) in the evaluation order the test
     # has always used. Config access, bot creation, high-priority scheduling
     # and the two "all tasks" predicates stay denied, while the per-task
     # checks pass even for self._task_other.
     matrix = [
         (True, acl.is_ip_whitelisted_machine, ()),
         (True, acl.can_access, ()),
         (False, acl.can_view_config, ()),
         (False, acl.can_edit_config, ()),
         (False, acl.can_create_bot, ()),
         (True, acl.can_edit_bot, ()),
         (True, acl.can_delete_bot, ()),
         (True, acl.can_view_bot, ()),
         (True, acl.can_create_task, ()),
         (False, acl.can_schedule_high_priority_tasks, ()),
         (True, acl.can_edit_task, (self._task_owned,)),
         (True, acl.can_edit_task, (self._task_other,)),
         (False, acl.can_edit_all_tasks, ()),
         (True, acl.can_view_task, (self._task_owned,)),
         (True, acl.can_view_task, (self._task_other,)),
         (False, acl.can_view_all_tasks, ()),
     ]
     for row, (expected, predicate, args) in enumerate(matrix):
         verdict = predicate(*args)
         # The label only shows up on failure, to identify the offending row.
         label = 'row %d' % row
         if expected:
             self.assertTrue(verdict, label)
         else:
             self.assertFalse(verdict, label)
예제 #2
 def test_instance_admin(self):
     """Pins the permission matrix of an instance admin.

     With auth_testing.mock_is_admin(self, True) in effect every ACL predicate
     must grant access; only is_ip_whitelisted_machine() stays False, which
     shows the admin path does not depend on the IP whitelist.
     """
     auth_testing.mock_is_admin(self, True)
     self.assertFalse(acl.is_ip_whitelisted_machine())
     # Rows are (predicate, args) in the original evaluation order; all of
     # them are expected to be truthy for an admin.
     granted = [
         (acl.can_access, ()),
         (acl.can_view_config, ()),
         (acl.can_edit_config, ()),
         (acl.can_create_bot, ()),
         (acl.can_edit_bot, ()),
         (acl.can_delete_bot, ()),
         (acl.can_view_bot, ()),
         (acl.can_create_task, ()),
         (acl.can_schedule_high_priority_tasks, ()),
         (acl.can_edit_task, (self._task_owned,)),
         (acl.can_edit_task, (self._task_other,)),
         (acl.can_edit_all_tasks, ()),
         (acl.can_view_task, (self._task_owned,)),
         (acl.can_view_task, (self._task_other,)),
         (acl.can_view_all_tasks, ()),
     ]
     for row, (predicate, args) in enumerate(granted):
         # The label only shows up on failure, to identify the offending row.
         self.assertTrue(predicate(*args), 'row %d' % row)
예제 #3
 def test_nobody(self):
     """Pins deny-by-default: an anonymous caller is refused everywhere.

     The current identity is mocked to auth.Anonymous and every ACL predicate,
     including the per-task ones, must come back falsy.
     """
     auth_testing.mock_get_current_identity(self, auth.Anonymous)
     # Rows are (predicate, args) in the original evaluation order. A new
     # predicate added to acl should get a row here so that anonymous access
     # stays covered.
     denied = [
         (acl.is_ip_whitelisted_machine, ()),
         (acl.can_access, ()),
         (acl.can_view_config, ()),
         (acl.can_edit_config, ()),
         (acl.can_create_bot, ()),
         (acl.can_edit_bot, ()),
         (acl.can_delete_bot, ()),
         (acl.can_view_bot, ()),
         (acl.can_create_task, ()),
         (acl.can_schedule_high_priority_tasks, ()),
         (acl.can_edit_task, (self._task_owned,)),
         (acl.can_edit_task, (self._task_other,)),
         (acl.can_edit_all_tasks, ()),
         (acl.can_view_task, (self._task_owned,)),
         (acl.can_view_task, (self._task_other,)),
         (acl.can_view_all_tasks, ()),
     ]
     for row, (predicate, args) in enumerate(denied):
         # The label only shows up on failure, to identify the offending row.
         self.assertFalse(predicate(*args), 'row %d' % row)
예제 #4
 def test_view_all_tasks(self):
     """Pins the permission matrix of a member of 'view_all_tasks'.

     The group must behave as a read-only role for tasks: viewing any task is
     allowed, but editing self._task_other, creating tasks, and every bot and
     config predicate stay denied.
     """
     self._add_to_group('view_all_tasks')
     # Rows are (expected, predicate, args) in the original evaluation order.
     # NOTE(review): self._task_owned is presumably the task created by the
     # mocked identity, which would explain why editing it is still allowed.
     matrix = [
         (False, acl.is_ip_whitelisted_machine, ()),
         (True, acl.can_access, ()),
         (False, acl.can_view_config, ()),
         (False, acl.can_edit_config, ()),
         (False, acl.can_create_bot, ()),
         (False, acl.can_edit_bot, ()),
         (False, acl.can_delete_bot, ()),
         (False, acl.can_view_bot, ()),
         (False, acl.can_create_task, ()),
         (False, acl.can_schedule_high_priority_tasks, ()),
         (True, acl.can_edit_task, (self._task_owned,)),
         (False, acl.can_edit_task, (self._task_other,)),
         (False, acl.can_edit_all_tasks, ()),
         (True, acl.can_view_task, (self._task_owned,)),
         (True, acl.can_view_task, (self._task_other,)),
         (True, acl.can_view_all_tasks, ()),
     ]
     for row, (expected, predicate, args) in enumerate(matrix):
         verdict = predicate(*args)
         # The label only shows up on failure, to identify the offending row.
         label = 'row %d' % row
         if expected:
             self.assertTrue(verdict, label)
         else:
             self.assertFalse(verdict, label)
예제 #5
 def test_nobody(self):
     """Pins deny-by-default: an anonymous caller is refused everywhere.

     auth.get_current_identity is mocked to return auth.IDENTITY_ANONYMOUS and
     every ACL predicate, including the per-task ones, must come back falsy.
     """
     anonymous = lambda: auth.IDENTITY_ANONYMOUS
     self.mock(auth, 'get_current_identity', anonymous)
     # Rows are (predicate, args) in the original evaluation order. A new
     # predicate added to acl should get a row here so that anonymous access
     # stays covered.
     denied = [
         (acl.is_ip_whitelisted_machine, ()),
         (acl.can_access, ()),
         (acl.can_view_config, ()),
         (acl.can_edit_config, ()),
         (acl.can_create_bot, ()),
         (acl.can_edit_bot, ()),
         (acl.can_delete_bot, ()),
         (acl.can_view_bot, ()),
         (acl.can_create_task, ()),
         (acl.can_schedule_high_priority_tasks, ()),
         (acl.can_edit_task, (self._task_owned,)),
         (acl.can_edit_task, (self._task_other,)),
         (acl.can_edit_all_tasks, ()),
         (acl.can_view_task, (self._task_owned,)),
         (acl.can_view_task, (self._task_other,)),
         (acl.can_view_all_tasks, ()),
     ]
     for row, (predicate, args) in enumerate(denied):
         # The label only shows up on failure, to identify the offending row.
         self.assertFalse(predicate(*args), 'row %d' % row)
예제 #6
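def check_task_get_acl(task_request):
    """Checks if the caller is allowed to get the task entities.

    The checks run in this order and the first one that passes grants access:
      1. Global permission, via acl.can_view_task().
      2. 'swarming.pools.listTasks' in the realm of the pool in the task
         dimensions.
      3. 'swarming.pools.listTasks' against the realms of the pools in the bot
         dimensions.
      4. 'swarming.tasks.get' in the task's realm.

    A pool or task without a realm is skipped rather than treated as a grant,
    and falling through every check ends in a denial.

    Args:
      task_request: An instance of TaskRequest.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
      endpoints.InternalServerErrorException: if a pool referenced by the task
        or by the bot has no pool config.
    """
    if acl.can_view_task(task_request):
        return

    list_tasks_perm = get_permission(
        realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS)

    # check 'swarming.pools.listTasks' permission of the pool in task dimensions.
    if task_request.pool:
        pool_cfg = pools_config.get_pool_config(task_request.pool)
        if not pool_cfg:
            raise endpoints.InternalServerErrorException(
                'Pool cfg not found. pool: %s' % task_request.pool)
        if pool_cfg.realm and auth.has_permission(list_tasks_perm,
                                                  [pool_cfg.realm]):
            return

    # check 'swarming.pools.listTasks' permission of the pool in bot dimensions.
    if task_request.bot_id:
        pools = bot_management.get_pools_from_dimensions_flat(
            _retrieve_bot_dimensions(task_request.bot_id))
        pool_realms = []
        for pool in pools:
            pool_cfg = pools_config.get_pool_config(pool)
            # get_pool_config() can return a falsy value for an unknown pool
            # (the task-pool branch guards for it). Report it the same way
            # here instead of failing with an AttributeError on `.realm`.
            if not pool_cfg:
                raise endpoints.InternalServerErrorException(
                    'Pool cfg not found. pool: %s' % pool)
            if pool_cfg.realm:
                pool_realms.append(pool_cfg.realm)
        if pool_realms and auth.has_permission(list_tasks_perm, pool_realms):
            return

    # check 'swarming.tasks.get' permission.
    task_realm = task_request.realm
    if task_realm and auth.has_permission(
            get_permission(realms_pb2.REALM_PERMISSION_TASKS_GET),
            [task_realm]):
        return

    # Nothing granted access: deny by default.
    raise auth.AuthorizationError('Task "%s" is not accessible' %
                                  task_request.task_id)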
예제 #7
def _get_task_request_async(task_id, request_key, viewing):
    """Returns the TaskRequest corresponding to a task ID.

    Enforces the ACL for users. Allows bots all access for the moment.

    Args:
      task_id: task ID, used only in the error messages.
      request_key: key whose get_async() yields the TaskRequest.
      viewing: _VIEW or _EDIT; selects which ACL predicate is applied.

    Returns:
      TaskRequest instance.

    Raises:
      endpoints.NotFoundException: if the key resolves to nothing.
      endpoints.ForbiddenException: if the selected ACL predicate refuses.
      endpoints.InternalServerErrorException: if `viewing` is neither _VIEW
        nor _EDIT.
    """
    request = yield request_key.get_async()
    # NOTE(review): the existence check runs before the ACL check, so a
    # caller without access gets a different error for a missing task than
    # for an inaccessible one. Confirm that disclosing task existence this
    # way is acceptable.
    if not request:
        raise endpoints.NotFoundException('%s not found.' % task_id)

    if viewing == _VIEW:
        allowed = acl.can_view_task(request)
    elif viewing == _EDIT:
        allowed = acl.can_edit_task(request)
    else:
        # An unknown mode is a programming error; fail before any access
        # decision is made.
        raise endpoints.InternalServerErrorException(
            '_get_task_request_async()')

    if not allowed:
        raise endpoints.ForbiddenException('%s is not accessible.' % task_id)
    raise ndb.Return(request)