Exemplo n.º 1
def test_bbb_worker():
    """Pin the holders of ``queue:define-task:buildbot-bridge/*``.

    Access to the Buildbot Bridge provisioner-id/worker-type allows
    scheduling of BBB jobs, but only on non-restricted builders unless
    further scopes are also present.
    """
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list, so a new grantee has to be added here on
    # purpose -- confirm against assertPrincipalsWithScope.  The meaning of
    # omitTrusted is defined by that helper and is not visible here.
    scope = "queue:define-task:buildbot-bridge/*"

    root = ['client-id:root']

    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        'client-id-alias:mozilla-pulse-actions',  # armen's thing
        'client-id:bbb-scheduler',
    ]

    # A single named development client; the only per-person entry.
    people = ['client-id:adusca-development']

    # Group entries are expanded through principalsWith rather than listed
    # as bare strings.
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]

    assertPrincipalsWithScope(
        scope,
        root + services + people + user_groups,
        omitTrusted=True)
Exemplo n.º 2
def test_bbb():
    """Pin the principals that hold the ``buildbot-bridge:*`` scope."""
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    # The meaning of omitTrusted is defined by that helper, not here.
    scope = "buildbot-bridge:*"

    root = ['client-id:root']

    services = [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]

    # Group entries are expanded through principalsWith rather than listed
    # as bare strings.
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]

    assertPrincipalsWithScope(
        scope,
        root + services + user_groups,
        omitTrusted=True)
Exemplo n.º 3
def test_balrog():
    """Pin the holders of ``docker-worker:feature:balrogVPNProxy``."""
    # TODO: https://bugzilla.mozilla.org/show_bug.cgi?id=1220692
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    # Entries still marked "XXX ??" have no recorded justification; each one
    # should get a bug reference or be removed from the grant.
    scope = "docker-worker:feature:balrogVPNProxy"

    root = ['client-id:root']

    ci_testing = [
        'client-id-alias:worker-ci-tests',  # XXX ??
    ]

    # 'repo:*' matches every repository, which makes the per-repo entries
    # below redundant and the grant far wider than the level-3 trees.
    repos = [
        'mozilla-group:scm_level_3',
        'moz-tree:level:3',
        'repo:*',  # TODO: don't list this, somehow
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',
    ]

    # All AWS workers.
    aws_workers = [
        'worker-type:aws-provisioner-v1/*',  # XXX ??
        'client-id-alias:testdroid-worker',  # XXX ??
    ]

    services = [
        'client-id-alias:release-runner-dev',
        'client-id:tc-login',
        'client-id:tc-queue',
        'client-id-alias:scheduler-taskcluster-net',
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id:aws-provisioner',
    ]

    # releng_permacreds and taskcluster_permacreds are defined outside this
    # function; their contents are not visible here.
    people = [
        releng_permacreds,
        taskcluster_permacreds,
        'client-id-alias:permacred-armenzg',
        'client-id-alias:permacred-armenzg-testing',
        'client-id-alias:permacred-nhirata',
        'client-id-alias:permacred-ted',
        'client-id-alias:temporary-credentials',
        'client-id:gandalf',
    ]

    user_groups = [
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    ]

    expected = (root + ci_testing + repos + aws_workers + services
                + people + user_groups)
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
Exemplo n.º 4
def test_bbb_tasks():
    """Pin the principals that hold the ``buildbot-bridge:*`` scope.

    Buildbot Bridge (BBB) allows Buildbot jobs to be run via a TaskCluster
    task.  Most BBB tasks need no additional scopes, but some more sensitive
    builders are restricted by `buildbot-bridge:..` scopes.
    """
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    # The meaning of omitTrusted is defined by that helper, not here.
    scope = "buildbot-bridge:*"

    root = ['client-id:root']

    services = [
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]

    # Group entries are expanded through principalsWith rather than listed
    # as bare strings.
    user_groups = [
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]

    assertPrincipalsWithScope(
        scope,
        root + services + user_groups,
        omitTrusted=True)
Exemplo n.º 5
def test_balrog_vpn():
    """Pin the holders of ``docker-worker:feature:balrogVPNProxy``.

    Balrog is the administrative interface for Mozilla's update server;
    automation uses it to publish information about new updates for download
    by end-users' updaters.  The BalrogVpnProxy docker-worker feature grants
    *network* access to Balrog only and carries no Balrog credentials.  It
    is therefore one layer of the access control protecting Balrog, and is
    distributed a little more broadly than full access would be.
    """
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    scope = "docker-worker:feature:balrogVPNProxy"

    root = ['client-id:root']

    ci_testing = [
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]

    repos = [
        'moz-tree:level:3',
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/b2g-ota:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',
    ]

    # The wildcard worker-type entry covers every aws-provisioner-v1 worker
    # type, including the two decision types listed after it.
    aws_workers = [
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        'client-id-alias:testdroid-worker',  # Bug 1218549
    ]

    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]

    people = ['client-id:dustin-docker-dev']

    # Group entries are expanded through principalsWith rather than listed
    # as bare strings.
    user_groups = [
        principalsWith('mozilla-group:scm_level_3'),
        principalsWith('mozilla-group:releng'),
        principalsWith('mozilla-group:team_relops'),
        principalsWith('mozilla-group:team_taskcluster'),
    ]

    expected = (root + ci_testing + repos + aws_workers + services
                + people + user_groups)
    assertPrincipalsWithScope(scope, expected, omitTrusted=True)
Exemplo n.º 6
def test_bbb():
    """Pin the principals that hold the ``buildbot-bridge:*`` scope."""
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    # The meaning of omitTrusted is defined by that helper, not here.
    scope = "buildbot-bridge:*"

    root = ['client-id:root']

    services = [
        'client-id-alias:release-runner-dev',
        'client-id:tc-login',
        'client-id:tc-queue',
        'client-id-alias:scheduler-taskcluster-net',
    ]

    # releng_permacreds and taskcluster_permacreds are defined outside this
    # function; their contents are not visible here.
    people = [
        releng_permacreds,
        taskcluster_permacreds,
    ]

    user_groups = [
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    ]

    assertPrincipalsWithScope(
        scope,
        root + services + people + user_groups,
        omitTrusted=True)
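def test_relengapi_tooltool_download():
    """Pin the holders of the tooltool download scopes, public and internal.

    Docker-worker allows tooltool download permissions, for public or
    internal files, to repositories at all SCM levels including SCM level 1
    (try).  This is necessary to build Firefox for Android, which requires
    non-public SDK and NDK bits.
    """
    # NOTE(review): presumably the helper fails when the real set of holders
    # differs from this list -- confirm against assertPrincipalsWithScope.
    # The same expected list is checked for both levels, so "internal"
    # downloads are expected to be exactly as widely held as "public" ones.
    for lvl in 'public', 'internal':
        assertPrincipalsWithScope("docker-worker:relengapi-proxy:tooltool.download." + lvl, [
            # trees
            principalsWith('moz-tree:level:1'),
            principalsWith('moz-tree:level:2'),
            principalsWith('moz-tree:level:3'),

            # permacreds used to download builds on bitbar
            'client-id-alias:testdroid-worker',

            # user groups that list the permission explicitly
            principalsWith('mozilla-group:releng'),

            # services
            'client-id-alias:funsize-dev',
            'client-id-alias:funsize-scheduler',
            'client-id-alias:release-runner-dev',
            'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541

            # worker types; the wildcard entry covers every
            # aws-provisioner-v1 worker type, including the two decision
            # types listed after it
            'worker-type:aws-provisioner-v1/*',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
            'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555

            # root
            'client-id:root',

            # CI testing
            'client-id:dustin-docker-dev',
            'client-id-alias:worker-ci-tests',  # docker-worker integration tests
        ], omitTrusted=True)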