def set_up_authorization(settings): if bool(settings.do_auth): auth = util.GitHubAuth( clientId=str(settings.github_auth_id), clientSecret=str(settings.github_auth_secret), apiVersion=4, getTeamsMembership=True, ) authz = util.Authz( allowRules=[ # Admins can do anything. util.AnyEndpointMatcher(role="admins", defaultDeny=False), # Allow authors to stop, force or rebuild their own builds, # allow core devs to stop, force or rebuild any build. util.StopBuildEndpointMatcher(role="owner", defaultDeny=False), util.StopBuildEndpointMatcher( role="buildbot-owners", defaultDeny=False ), util.StopBuildEndpointMatcher(role="python-triage", defaultDeny=False), util.StopBuildEndpointMatcher(role="python-core"), util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False), util.RebuildBuildEndpointMatcher( role="python-triage", defaultDeny=False ), util.RebuildBuildEndpointMatcher( role="buildbot-owners", defaultDeny=False ), util.RebuildBuildEndpointMatcher(role="python-core"), util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="python-triage", defaultDeny=False), util.ForceBuildEndpointMatcher(role="python-core"), # Allow release managers to enable/disable schedulers. util.EnableSchedulerEndpointMatcher(role="python-release-managers"), # Future-proof control endpoints. util.AnyControlEndpointMatcher(role="admins"), ], roleMatchers=[ util.RolesFromGroups(groupPrefix="python/"), util.RolesFromOwner(role="owner"), util.RolesFromUsername( roles=["admins"], usernames=[ "zware", "vstinner", "bitdancer", "pitrou", "pablogsal", ], ), ], ) else: log.err("WARNING: Web UI is completely open") # Completely open auth = NoAuth() authz = util.Authz() return auth, authz
def getAuthz(): authz = util.Authz( allowRules=[ # Admins can do anything. # defaultDeny=False: if user does not have the admin role, # we continue parsing rules. util.AnyEndpointMatcher(role="LLVM Lab team", defaultDeny=False), # Allow authors to stop, force or rebuild their own builds, util.StopBuildEndpointMatcher(role="owner", defaultDeny=False), # Allow bot owners to stop, force or rebuild on their own bots, util.StopBuildEndpointMatcher(role="worker-owner"), # allow devs to force or rebuild any build. util.RebuildBuildEndpointMatcher(role="owner", defaultDeny=False), util.RebuildBuildEndpointMatcher(role="worker-owner", defaultDeny=False), util.RebuildBuildEndpointMatcher(role="LLVM Committers"), util.ForceBuildEndpointMatcher(role="owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="worker-owner", defaultDeny=False), util.ForceBuildEndpointMatcher(role="LLVM Committers"), # Future-proof control endpoints. No parsing rules beyond this. # Allows anonymous to look at build results. util.AnyControlEndpointMatcher(role="LLVM Lab team"), ], roleMatchers=[ util.RolesFromGroups(groupPrefix="llvm/"), util.RolesFromGroups(groupPrefix="llvm/"), # role owner is granted when property owner matches the email of the user util.RolesFromOwner(role="owner"), ], ) return authz
def get_www(): from buildbot.plugins import util from twisted.cred import strcred import private return dict( port="unix:/home/buildbot/buildbot.sock", plugins=dict(waterfall_view={}, console_view={}, grid_view={}, badges={}), auth=util.GitHubAuth(private.github_client_id, private.github_client_secret, apiVersion=4, getTeamsMembership=True), authz=util.Authz( allowRules=[util.AnyControlEndpointMatcher(role="SFML")], roleMatchers=[util.RolesFromGroups()]), change_hook_dialects={ 'base': True, 'github': {} }, change_hook_auth=[strcred.makeChecker("file:changehook.passwd")])
plugins=dict( console_view={}, grid_view={}, badges={"left_pad": 0, "right_pad": 0, "border_radius": 3, "style": "badgeio"}, ), change_hook_dialects={"github": github_hook}, allowed_origins=["*"], ) c["www"]["auth"] = util.GitHubAuth( env["GITHUB_CLIENT_ID"], env["GITHUB_CLIENT_SECRET"], apiVersion=4, getTeamsMembership=True, ) c["www"]["authz"] = util.Authz( allowRules=[util.AnyControlEndpointMatcher(role="developers"),], roleMatchers=[util.RolesFromGroups(groupPrefix="scummvm/")], ) ####### DB URL c["db"] = { # This specifies what database buildbot uses to store its state. # It's easy to start with sqlite, but it's recommended to switch to a dedicated # database, such as PostgreSQL or MySQL, for use in production environments. # http://docs.buildbot.net/current/manual/configuration/global.html#database-specification "db_url": env["DATABASE_URL"], }
apiVersion=4, getTeamsMembership=True) # When using Github authentication, we can use group membership information www['authz'] = util.Authz( stringsMatcher=util.fnmatchStrMatcher, # simple matcher with '*' glob character # stringsMatcher = util.reStrMatcher, # if you prefer regular expressions allowRules=[ # admins can do anything, # defaultDeny=False: if user does not have the admin role, we continue parsing rules util.AnyEndpointMatcher(role=config.github_admin_group, defaultDeny=False), # Let owner stop its build util.StopBuildEndpointMatcher(role="owner"), # if future Buildbot implement new control, we are safe with this last rule util.AnyControlEndpointMatcher(role=config.github_admin_group) ], roleMatchers=[ util.RolesFromGroups(groupPrefix="{0}/".format(config.github_organization)), # role owner is granted when property owner matches the email of the user util.RolesFromOwner(role="owner") ] ) try: if len(config.www_port) == 2: www['port'] = "tcp:{1}:interface={0}".format(*config.www_port) elif len(config.www_port) == 1: www['port'] = "tcp:{0}".format(*config.www_port) else: raise Exception("www_port hasn't length 2") except TypeError: www['port'] = "tcp:{0}".format(config.www_port)
def createAuthzConfigGroups(self, authcfg): if not self.configAssertContains(authcfg, ['groups']): return None return util.Authz(self.getDefaultAllowRules(admins=authcfg['groups']), [util.RolesFromGroups(groupPrefix="")])
def build_config() -> dict[str, Any]: c = {} c["buildbotNetUsageData"] = None # configure a janitor which will delete all logs older than one month, and will run on sundays at noon c['configurators'] = [util.JanitorConfigurator( logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6 )] c["schedulers"] = [ # build all pushes to master schedulers.SingleBranchScheduler( name="master", change_filter=util.ChangeFilter(branch="master"), builderNames=["nix-eval"], ), # build all pull requests schedulers.SingleBranchScheduler( name="prs", change_filter=util.ChangeFilter(category="pull"), builderNames=["nix-eval"], ), # this is triggered from `nix-eval` schedulers.Triggerable( name="nix-build", builderNames=["nix-build"], ), # allow to manually trigger a nix-build schedulers.ForceScheduler(name="force", builderNames=["nix-eval"]), # allow to manually update flakes schedulers.ForceScheduler( name="update-flake", builderNames=["nix-update-flake"], buttonName="Update flakes", ), # updates flakes once a weeek schedulers.NightlyTriggerable( name="update-flake-weekly", builderNames=["nix-update-flake"], hour=3, minute=0, dayOfWeek=6, ), ] github_api_token = read_secret_file("github-token") c["services"] = [ reporters.GitHubStatusPush( token=github_api_token, # Since we dynamically create build steps, # we use `virtual_builder_name` in the webinterface # so that we distinguish what has beeing build context=Interpolate("buildbot/%(prop:virtual_builder_name)s"), ), # Notify on irc NotifyFailedBuilds("irc://buildbot|[email protected]:6667/#xxx"), ] # Shape of this file: # [ { "name": "<worker-name>", "pass": "******", "cores": "<cpu-cores>" } ] worker_config = json.loads(read_secret_file("github-workers")) credentials = os.environ.get("CREDENTIALS_DIRECTORY", ".") enable_cachix = os.path.isfile(os.path.join(credentials, "cachix-token")) systemd_secrets = secrets.SecretInAFile(dirname=credentials) c["secretsProviders"] = [systemd_secrets] c["workers"] = [] worker_names = [] for item in worker_config: cores = item.get("cores", 0) for i in range(cores): worker_name = f"{item['name']}-{i}" c["workers"].append(worker.Worker(worker_name, item["pass"])) worker_names.append(worker_name) c["builders"] = [ # Since all workers run on the same machine, we only assign one of them to do the evaluation. # This should prevent exessive memory usage. nix_eval_config([worker_names[0]], github_token_secret="github-token"), nix_build_config(worker_names, enable_cachix), nix_update_flake_config( worker_names, "TUM-DSE/doctor-cluster-config", github_token_secret="github-token", ), ] c["www"] = { "port": int(os.environ.get("PORT", "1810")), "auth": util.GitHubAuth( os.environ.get("GITHUB_OAUTH_ID"), read_secret_file("github-oauth-secret") ), "authz": util.Authz( roleMatchers=[ util.RolesFromGroups(groupPrefix="") # so we can match on TUM-DSE ], allowRules=[ util.AnyEndpointMatcher(role="TUM-DSE", defaultDeny=False), util.AnyControlEndpointMatcher(role="TUM-DSE"), ], ), "plugins": dict(waterfall_view={}, console_view={}, grid_view={}), "change_hook_dialects": dict( github={ "secret": read_secret_file("github-webhook-secret"), "strict": True, "token": github_api_token, "github_property_whitelist": "*", } ), } c["db"] = {"db_url": os.environ.get("DB_URL", "sqlite:///state.sqlite")} c["protocols"] = {"pb": {"port": "tcp:9989:interface=\\:\\:"}} c["buildbotURL"] = "https://buildbot.dse.in.tum.de/" return c