def check_bots_list_acl(pools):
    """Authorize the caller to list or count bots in the given pools.

    A caller holding the global bot-view permission (`acl.can_view_bot()`)
    is accepted immediately. Any other caller is checked against the realm
    permission 'swarming.pools.listBots' by `_check_pools_filters_acl`; per
    this function's contract the caller must specify a pool dimension and
    hold the permission in *all* of the pools.

    Args:
      pools: List of pools for filtering.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    # Global viewers skip the realm check entirely, so `pools` is never
    # inspected on that path; the per-pool rule only applies to callers
    # without the global permission.
    if not acl.can_view_bot():
        _check_pools_filters_acl(
            realms_pb2.REALM_PERMISSION_POOLS_LIST_BOTS, pools)
def check_bot_get_acl(bot_id):
    """Authorize the caller to fetch a single bot.

    A caller holding the global bot-view permission (`acl.can_view_bot()`)
    is accepted immediately. Any other caller is checked against the realm
    permission 'swarming.pools.listBots' by `_check_bot_acl`; per this
    function's contract, holding the permission in *any* pool is enough.

    Args:
      bot_id: ID of the bot.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    # NOTE(review): the bot-to-pool lookup happens inside _check_bot_acl and is
    # not visible here; presumably "any pool" means any pool the bot belongs
    # to - confirm against the helper.
    if not acl.can_view_bot():
        # No global permission: fall back to the realm permission
        # 'swarming.pools.listBots'.
        _check_bot_acl(realms_pb2.REALM_PERMISSION_POOLS_LIST_BOTS, bot_id)
def test_ip_whitelisted(self):
    """Pin the permission matrix for a caller matched by the IP whitelist.

    `auth.is_in_ip_whitelist` is mocked to always return True. The test then
    asserts which `acl` predicates are granted and which stay denied for
    such a caller.
    """
    self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
    granted = self.assertTrue
    denied = self.assertFalse

    granted(acl.is_ip_whitelisted_machine())
    granted(acl.can_access())

    # Configuration stays off limits.
    denied(acl.can_view_config())
    denied(acl.can_edit_config())

    # Bots: everything except creation.
    denied(acl.can_create_bot())
    granted(acl.can_edit_bot())
    granted(acl.can_delete_bot())
    granted(acl.can_view_bot())

    # Tasks: creation is allowed, high priority is not.
    granted(acl.can_create_task())
    denied(acl.can_schedule_high_priority_tasks())

    # Per-task checks pass for both fixtures even though the blanket
    # "all tasks" predicates are denied.
    # NOTE(review): _task_owned / _task_other are built outside this view;
    # presumably a task owned by the caller and one owned by someone else.
    granted(acl.can_edit_task(self._task_owned))
    granted(acl.can_edit_task(self._task_other))
    denied(acl.can_edit_all_tasks())
    granted(acl.can_view_task(self._task_owned))
    granted(acl.can_view_task(self._task_other))
    denied(acl.can_view_all_tasks())
def test_instance_admin(self):
    """Pin the permission matrix for an instance admin.

    Admin status is forced with `auth_testing.mock_is_admin(self, True)`.
    Every `acl` permission predicate checked here is expected to be granted;
    only `is_ip_whitelisted_machine()` is expected to be False.
    """
    auth_testing.mock_is_admin(self, True)
    granted = self.assertTrue

    # Being an admin does not make the caller an IP-whitelisted machine.
    self.assertFalse(acl.is_ip_whitelisted_machine())
    granted(acl.can_access())

    # Configuration.
    granted(acl.can_view_config())
    granted(acl.can_edit_config())

    # Bots.
    granted(acl.can_create_bot())
    granted(acl.can_edit_bot())
    granted(acl.can_delete_bot())
    granted(acl.can_view_bot())

    # Tasks, including the blanket "all tasks" predicates.
    granted(acl.can_create_task())
    granted(acl.can_schedule_high_priority_tasks())
    granted(acl.can_edit_task(self._task_owned))
    granted(acl.can_edit_task(self._task_other))
    granted(acl.can_edit_all_tasks())
    granted(acl.can_view_task(self._task_owned))
    granted(acl.can_view_task(self._task_other))
    granted(acl.can_view_all_tasks())
def test_nobody(self):
    """Pin the deny-by-default matrix for an anonymous caller.

    The current identity is set to `auth.Anonymous` through
    `auth_testing.mock_get_current_identity`. Every `acl` predicate checked
    here must then return a falsy value, including the per-task checks.
    """
    auth_testing.mock_get_current_identity(self, auth.Anonymous)
    denied = self.assertFalse

    denied(acl.is_ip_whitelisted_machine())
    denied(acl.can_access())

    # Configuration.
    denied(acl.can_view_config())
    denied(acl.can_edit_config())

    # Bots.
    denied(acl.can_create_bot())
    denied(acl.can_edit_bot())
    denied(acl.can_delete_bot())
    denied(acl.can_view_bot())

    # Tasks: neither fixture task is reachable for an anonymous caller.
    denied(acl.can_create_task())
    denied(acl.can_schedule_high_priority_tasks())
    denied(acl.can_edit_task(self._task_owned))
    denied(acl.can_edit_task(self._task_other))
    denied(acl.can_edit_all_tasks())
    denied(acl.can_view_task(self._task_owned))
    denied(acl.can_view_task(self._task_other))
    denied(acl.can_view_all_tasks())
def test_view_all_tasks(self):
    """Pin the permission matrix for a member of the 'view_all_tasks' group.

    Membership is set up with `self._add_to_group('view_all_tasks')`. The
    test asserts that the group grants access and read access to tasks,
    and that it adds no bot, config, task-creation or blanket edit rights.
    """
    self._add_to_group('view_all_tasks')
    granted = self.assertTrue
    denied = self.assertFalse

    denied(acl.is_ip_whitelisted_machine())
    granted(acl.can_access())

    # Configuration.
    denied(acl.can_view_config())
    denied(acl.can_edit_config())

    # Bots: a task-viewing role gets no bot permissions at all.
    denied(acl.can_create_bot())
    denied(acl.can_edit_bot())
    denied(acl.can_delete_bot())
    denied(acl.can_view_bot())

    # Tasks: read everything, edit only the first fixture task.
    # NOTE(review): _task_owned / _task_other are built outside this view;
    # presumably a task owned by the caller and one owned by someone else.
    denied(acl.can_create_task())
    denied(acl.can_schedule_high_priority_tasks())
    granted(acl.can_edit_task(self._task_owned))
    denied(acl.can_edit_task(self._task_other))
    denied(acl.can_edit_all_tasks())
    granted(acl.can_view_task(self._task_owned))
    granted(acl.can_view_task(self._task_other))
    granted(acl.can_view_all_tasks())
def test_nobody(self):
    """Pin the deny-by-default matrix for an anonymous caller.

    `auth.get_current_identity` is mocked to return
    `auth.IDENTITY_ANONYMOUS`. Every `acl` predicate checked here must then
    return a falsy value, including the per-task checks.
    """
    self.mock(auth, 'get_current_identity', lambda: auth.IDENTITY_ANONYMOUS)
    denied = self.assertFalse

    denied(acl.is_ip_whitelisted_machine())
    denied(acl.can_access())

    # Configuration.
    denied(acl.can_view_config())
    denied(acl.can_edit_config())

    # Bots.
    denied(acl.can_create_bot())
    denied(acl.can_edit_bot())
    denied(acl.can_delete_bot())
    denied(acl.can_view_bot())

    # Tasks: neither fixture task is reachable for an anonymous caller.
    denied(acl.can_create_task())
    denied(acl.can_schedule_high_priority_tasks())
    denied(acl.can_edit_task(self._task_owned))
    denied(acl.can_edit_task(self._task_other))
    denied(acl.can_edit_all_tasks())
    denied(acl.can_view_task(self._task_owned))
    denied(acl.can_view_task(self._task_other))
    denied(acl.can_view_all_tasks())
def can_list_bots(pool):
    """Return whether the caller is allowed to list bots of the pool.

    The global bot-view permission (`acl.can_view_bot()`) grants access
    without looking at the pool. Otherwise the pool's config is loaded and
    the realm permission REALM_PERMISSION_POOLS_LIST_BOTS is checked against
    the pool's realm. A pool with no config is logged and denied.

    Args:
      pool: Pool name

    Returns:
      allowed: True if allowed, False otherwise.
    """
    if acl.can_view_bot():
        return True

    cfg = pools_config.get_pool_config(pool)
    if not cfg:
        # Fail closed: a pool without config can never pass the realm check.
        logging.warning('Pool "%s" not found', pool)
        return False

    # NOTE(review): cfg.realm is forwarded unchecked; confirm that
    # _check_permission denies when a pool has no realm configured.
    try:
        _check_permission(
            get_permission(realms_pb2.REALM_PERMISSION_POOLS_LIST_BOTS),
            [cfg.realm])
    except auth.AuthorizationError:
        # Translate the denial into a boolean instead of propagating it.
        return False
    return True