def get_available_buckets(): """Returns buckets available to the current identity. Results are memcached for 10 minutes per identity. Returns: Set of bucket names or None if all buckets are available. """ if auth.is_admin(): return None identity = auth.get_current_identity().to_bytes() cache_key = 'available_buckets/%s' % identity available_buckets = memcache.get(cache_key) if available_buckets is not None: return available_buckets logging.info( 'Computing a list of available buckets for %s' % identity) group_buckets_map = collections.defaultdict(set) available_buckets = set() all_buckets = config.get_buckets_async().get_result() for bucket in all_buckets: for rule in bucket.acls: if rule.identity == identity: available_buckets.add(bucket.name) if rule.group: group_buckets_map[rule.group].add(bucket.name) for group, buckets in group_buckets_map.iteritems(): if available_buckets.issuperset(buckets): continue if auth.is_group_member(group): available_buckets.update(buckets) # Cache for 10 min memcache.set(cache_key, available_buckets, 10 * 60) return available_buckets
def has_project_access(project_id): metadata = projects.get_metadata(project_id) super_group = read_acl_cfg().project_access_group return ( auth.is_admin() or super_group and auth.is_group_member(super_group) or metadata and config.api._has_access(metadata.access) )
def _has_access(access_list): cur_ident = auth.get_current_identity().to_bytes() for ac in access_list: if ac.startswith('group:'): if auth.is_group_member(ac.split(':', 2)[1]): return True else: identity_str = ac if ':' not in identity_str: identity_str = 'user:%s' % identity_str if cur_ident == identity_str: return True return False
def has_role(package_path, role, identity): """True if |identity| has |role| in some |package_path|.""" assert impl.is_valid_package_path(package_path), package_path assert is_valid_role(role), role if auth.is_admin(identity): return True for acl in get_package_acls(package_path, role): if identity in acl.users: return True for group in acl.groups: if auth.is_group_member(group, identity): return True return False
def get_current_backend(): """Returns the backend associated with the current user. Returns: An rpc_messages.Backend instance representing the current user, or None if the current user is not a recognized backend. """ for backend in rpc_messages.Backend: backend_group = 'machine-provider-%s-backend' % backend.name.lower() if auth.is_group_member(backend_group): logging.info('User is %s backend', backend.name) return backend logging.info('User is not a recognized backend service')
def _has_access(access_list, identity=None): identity = identity or auth.get_current_identity() identity_str = identity.to_bytes() for ac in access_list: if ac.startswith('group:'): group = ac.split(':', 2)[1] if auth.is_group_member(group, identity): return True else: ac_identity_str = ac if ':' not in ac_identity_str: ac_identity_str = 'user:%s' % ac_identity_str if identity_str == ac_identity_str: return True return False
def get(self): # Require users to be logged to see builder alerts from private/internal # trees. user = auth.get_current_identity() if user.is_anonymous: ret = {} ret.update({ 'date': datetime.datetime.utcnow(), 'redirect-url': self.create_login_url(self.request.uri) }) data = self.generate_json_dump(ret) self.send_json_headers() self.response.write(data) return if not auth.is_group_member('googlers'): self.response.set_status(403, 'Permission Denied') return super(InternalAlertsHandler, self).get()
def has_any_of_roles_async(bucket, roles): """True if current identity has any of |roles| in |bucket|.""" assert bucket assert roles errors.validate_bucket_name(bucket) roles = set(roles) assert roles.issubset(project_config_pb2.Acl.Role.values()) if auth.is_admin(): raise ndb.Return(True) bucket_cfg = yield config.get_bucket_async(bucket) identity_str = auth.get_current_identity().to_bytes() if bucket_cfg: for rule in bucket_cfg.acls: if rule.role not in roles: continue if rule.identity == identity_str: raise ndb.Return(True) if rule.group and auth.is_group_member(rule.group): raise ndb.Return(True) raise ndb.Return(False)
def is_identity_in_principal_set(ident, principals): """True if Identity is in a set specified by principals. Args: ident: auth.Identity instance. principals: string, one of 'group:<name>', identity glob string ('user:*'), or just a single identity ('user:[email protected]'). Returns: True or False. Also returns False if 'principals' is in unrecognized format. """ try: # Group? if principals.startswith('group:'): return auth.is_group_member(principals.lstrip('group:'), ident) # Glob? if '*' in principals: return auth.IdentityGlob.from_bytes(principals).match(ident) # Identity? return auth.Identity.from_bytes(principals) == ident except ValueError as ex: logging.error('Unrecognized principal string "%s": %s', principals, ex) return False
def isolate_readable(): """Returns True if current user can read from isolate.""" return auth.is_group_member(READONLY_ACCESS_GROUP) or isolate_writable()
def is_catalog_admin(): """Returns whether the current user is a catalog administrator.""" if auth.is_group_member('machine-provider-catalog-administrators'): logging.info('User is Catalog administrator') return True return False
def is_admin(): return auth.is_group_member(ADMINS_GROUP) or auth.is_admin()
def is_ereporter2_editor(): """Only auth admins or recipients can edit the silencing filters.""" return auth.is_admin() or auth.is_group_member(RECIPIENTS_AUTH_GROUP)
def is_bot(): return auth.is_group_member(BOTS_GROUP) or is_admin()
def is_privileged_user(): return auth.is_group_member(PRIVILEGED_USERS_GROUP) or is_admin()
def _is_admin(): """Full administrative access.""" group = config.settings().auth.admins_group return auth.is_group_member(group) or auth.is_admin()
def isolate_writable(): """Returns True if current user can write to isolate.""" full_access = auth.is_group_member(config.settings().auth.full_access_group) return full_access or auth.is_admin()
def can_update_build_async(): # pragma: no cover """Returns if the current identity is whitelisted to update builds.""" raise ndb.Return(auth.is_group_member(UPDATE_BUILD_ALLOWED_USERS))
def has_project_access(project_id): metadata = projects.get_metadata(project_id) super_group = read_acl_cfg().project_access_group return (auth.is_admin() or super_group and auth.is_group_member(super_group) or metadata and config.api._has_access(metadata.access))
def is_admin(): if auth.is_superuser(): return True acl_cfg = _get_acl_cfg() return auth.is_group_member( acl_cfg and acl_cfg.admin_group or auth.ADMIN_GROUP)
def is_user(): return auth.is_group_member(USERS_GROUP) or is_privileged_user()
def is_trooper_or_admin(): return (auth.is_group_member("mdb/chrome-troopers") or users.is_current_user_admin())
def is_trusted_service(identity=None): """Returns True if caller is in 'auth-trusted-services' group.""" return auth.is_group_member('auth-trusted-services', identity)
def _is_privileged_user(): """Can edit all bots and tasks.""" group = config.settings().auth.privileged_users_group return auth.is_group_member(group) or _is_admin()
def _is_user(): group = config.settings().auth.users_group return auth.is_group_member(group) or _is_privileged_user()
def isolate_writable(): """Returns True if current user can write to isolate.""" return auth.is_group_member(FULL_ACCESS_GROUP) or auth.is_admin()
def is_ereporter2_viewer(): """True if current user is in recipients list, viewer list or is an admin.""" if auth.is_admin() or auth.is_group_member(VIEWERS_AUTH_GROUP): return True ident = auth.get_current_identity() return ident.is_user and ident.name in get_ereporter2_recipients()
def _is_bootstrapper(): """Returns True if current user have access to bot code (for bootstrap).""" bot_group = config.settings().auth.bot_bootstrap_group return auth.is_group_member(bot_group) or _is_admin()
def _is_view_all_tasks(): group = config.settings().auth.view_all_tasks_group return auth.is_group_member(group) or _is_privileged_user()
def isolate_readable(): """Returns True if current user can read from isolate.""" read_only = config.settings().auth.readonly_access_group return auth.is_group_member(read_only) or isolate_writable()