def set_up_authorization(settings):
if bool(settings.do_auth):
auth = util.GitHubAuth(
clientId=str(settings.github_auth_id),
clientSecret=str(settings.github_auth_secret),
apiVersion=4,
getTeamsMembership=True,
)
authz = util.Authz(
allowRules=[
# Admins can do anything.
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
# allow core devs to stop, force or rebuild any build.
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
util.StopBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.StopBuildEndpointMatcher(role="python-core"),
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(
role="python-triage", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(
role="buildbot-owners", defaultDeny=False
),
util.RebuildBuildEndpointMatcher(role="python-core"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="python-core"),
# Allow release managers to enable/disable schedulers.
util.EnableSchedulerEndpointMatcher(role="python-release-managers"),
# Future-proof control endpoints.
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="python/"),
util.RolesFromOwner(role="owner"),
util.RolesFromUsername(
roles=["admins"],
usernames=[
"zware",
"vstinner",
"bitdancer",
"pitrou",
"pablogsal",
],
),
],
)
else:
log.err("WARNING: Web UI is completely open")
# Completely open
auth = NoAuth()
authz = util.Authz()
return auth, authz
def getAuthz():
authz = util.Authz(
allowRules=[
# Admins can do anything.
# defaultDeny=False: if user does not have the admin role,
# we continue parsing rules.
util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False),
# Allow authors to stop, force or rebuild their own builds,
util.StopBuildEndpointMatcher(role="owner", defaultDeny=False),
# Allow bot owners to stop, force or rebuild on their own bots,
util.StopBuildEndpointMatcher(role="worker-owner"),
# allow devs to force or rebuild any build.
util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.RebuildBuildEndpointMatcher(role="LLVM Committers"),
util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False),
util.ForceBuildEndpointMatcher(role="LLVM Committers"),
# Future-proof control endpoints. No parsing rules beyond this.
# Allows anonymous to look at build results.
util.AnyControlEndpointMatcher(role="LLVM Lab team"),
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="llvm/"),
util.RolesFromGroups(groupPrefix="llvm/"),
# role owner is granted when property owner matches the email of the user
util.RolesFromOwner(role="owner"),
],
)
return authz
def get_www():
from buildbot.plugins import util
from twisted.cred import strcred
import private
return dict(
port="unix:/home/buildbot/buildbot.sock",
plugins=dict(waterfall_view={},
console_view={},
grid_view={},
badges={}),
auth=util.GitHubAuth(private.github_client_id,
private.github_client_secret,
apiVersion=4,
getTeamsMembership=True),
authz=util.Authz(
allowRules=[util.AnyControlEndpointMatcher(role="SFML")],
roleMatchers=[util.RolesFromGroups()]),
change_hook_dialects={
'base': True,
'github': {}
},
change_hook_auth=[strcred.makeChecker("file:changehook.passwd")])
plugins=dict(
console_view={},
grid_view={},
badges={"left_pad": 0, "right_pad": 0, "border_radius": 3, "style": "badgeio"},
),
change_hook_dialects={"github": github_hook},
allowed_origins=["*"],
)
c["www"]["auth"] = util.GitHubAuth(
env["GITHUB_CLIENT_ID"],
env["GITHUB_CLIENT_SECRET"],
apiVersion=4,
getTeamsMembership=True,
)
c["www"]["authz"] = util.Authz(
allowRules=[util.AnyControlEndpointMatcher(role="developers"),],
roleMatchers=[util.RolesFromGroups(groupPrefix="scummvm/")],
)
####### DB URL
c["db"] = {
# This specifies what database buildbot uses to store its state.
# It's easy to start with sqlite, but it's recommended to switch to a dedicated
# database, such as PostgreSQL or MySQL, for use in production environments.
# http://docs.buildbot.net/current/manual/configuration/global.html#database-specification
"db_url": env["DATABASE_URL"],
}
apiVersion=4, getTeamsMembership=True)
# When using Github authentication, we can use group membership information
www['authz'] = util.Authz(
stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character
# stringsMatcher = util.reStrMatcher, # if you prefer regular expressions
allowRules=[
# admins can do anything,
# defaultDeny=False: if user does not have the admin role, we continue parsing rules
util.AnyEndpointMatcher(role=config.github_admin_group, defaultDeny=False),
# Let owner stop its build
util.StopBuildEndpointMatcher(role="owner"),
# if future Buildbot implement new control, we are safe with this last rule
util.AnyControlEndpointMatcher(role=config.github_admin_group)
],
roleMatchers=[
util.RolesFromGroups(groupPrefix="{0}/".format(config.github_organization)),
# role owner is granted when property owner matches the email of the user
util.RolesFromOwner(role="owner")
]
)
try:
if len(config.www_port) == 2:
www['port'] = "tcp:{1}:interface={0}".format(*config.www_port)
elif len(config.www_port) == 1:
www['port'] = "tcp:{0}".format(*config.www_port)
else:
raise Exception("www_port hasn't length 2")
except TypeError:
www['port'] = "tcp:{0}".format(config.www_port)
def createAuthzConfigGroups(self, authcfg):
if not self.configAssertContains(authcfg, ['groups']):
return None
return util.Authz(self.getDefaultAllowRules(admins=authcfg['groups']),
[util.RolesFromGroups(groupPrefix="")])
def build_config() -> dict[str, Any]:
c = {}
c["buildbotNetUsageData"] = None
# configure a janitor which will delete all logs older than one month, and will run on sundays at noon
c['configurators'] = [util.JanitorConfigurator(
logHorizon=timedelta(weeks=4),
hour=12,
dayOfWeek=6
)]
c["schedulers"] = [
# build all pushes to master
schedulers.SingleBranchScheduler(
name="master",
change_filter=util.ChangeFilter(branch="master"),
builderNames=["nix-eval"],
),
# build all pull requests
schedulers.SingleBranchScheduler(
name="prs",
change_filter=util.ChangeFilter(category="pull"),
builderNames=["nix-eval"],
),
# this is triggered from `nix-eval`
schedulers.Triggerable(
name="nix-build",
builderNames=["nix-build"],
),
# allow to manually trigger a nix-build
schedulers.ForceScheduler(name="force", builderNames=["nix-eval"]),
# allow to manually update flakes
schedulers.ForceScheduler(
name="update-flake",
builderNames=["nix-update-flake"],
buttonName="Update flakes",
),
# updates flakes once a weeek
schedulers.NightlyTriggerable(
name="update-flake-weekly",
builderNames=["nix-update-flake"],
hour=3,
minute=0,
dayOfWeek=6,
),
]
github_api_token = read_secret_file("github-token")
c["services"] = [
reporters.GitHubStatusPush(
token=github_api_token,
# Since we dynamically create build steps,
# we use `virtual_builder_name` in the webinterface
# so that we distinguish what has beeing build
context=Interpolate("buildbot/%(prop:virtual_builder_name)s"),
),
# Notify on irc
NotifyFailedBuilds("irc://buildbot|[email protected]:6667/#xxx"),
]
# Shape of this file:
# [ { "name": "<worker-name>", "pass": "******", "cores": "<cpu-cores>" } ]
worker_config = json.loads(read_secret_file("github-workers"))
credentials = os.environ.get("CREDENTIALS_DIRECTORY", ".")
enable_cachix = os.path.isfile(os.path.join(credentials, "cachix-token"))
systemd_secrets = secrets.SecretInAFile(dirname=credentials)
c["secretsProviders"] = [systemd_secrets]
c["workers"] = []
worker_names = []
for item in worker_config:
cores = item.get("cores", 0)
for i in range(cores):
worker_name = f"{item['name']}-{i}"
c["workers"].append(worker.Worker(worker_name, item["pass"]))
worker_names.append(worker_name)
c["builders"] = [
# Since all workers run on the same machine, we only assign one of them to do the evaluation.
# This should prevent exessive memory usage.
nix_eval_config([worker_names[0]], github_token_secret="github-token"),
nix_build_config(worker_names, enable_cachix),
nix_update_flake_config(
worker_names,
"TUM-DSE/doctor-cluster-config",
github_token_secret="github-token",
),
]
c["www"] = {
"port": int(os.environ.get("PORT", "1810")),
"auth": util.GitHubAuth(
os.environ.get("GITHUB_OAUTH_ID"), read_secret_file("github-oauth-secret")
),
"authz": util.Authz(
roleMatchers=[
util.RolesFromGroups(groupPrefix="") # so we can match on TUM-DSE
],
allowRules=[
util.AnyEndpointMatcher(role="TUM-DSE", defaultDeny=False),
util.AnyControlEndpointMatcher(role="TUM-DSE"),
],
),
"plugins": dict(waterfall_view={}, console_view={}, grid_view={}),
"change_hook_dialects": dict(
github={
"secret": read_secret_file("github-webhook-secret"),
"strict": True,
"token": github_api_token,
"github_property_whitelist": "*",
}
),
}
c["db"] = {"db_url": os.environ.get("DB_URL", "sqlite:///state.sqlite")}
c["protocols"] = {"pb": {"port": "tcp:9989:interface=\\:\\:"}}
c["buildbotURL"] = "https://buildbot.dse.in.tum.de/"
return c
