def check_tasks_create_in_realm(realm, pool_cfg, enforce): """Checks if the caller is allowed to create a task in the realm. Args: realm: Realm that a task will be created in or None for legacy tasks. pool_cfg: PoolConfig of the pool where the task will run. enforce: if True enforce realm ACLs regardless of is_enforced_permission. Returns: True if used realm ACLs, False if legacy ones. Raises: auth.AuthorizationError: if the caller is not allowed. """ # 'swarming.tasks.createInRealm' perm_enum = realms_pb2.REALM_PERMISSION_TASKS_CREATE_IN_REALM perm = get_permission(perm_enum) if enforce or is_enforced_permission(perm_enum, pool_cfg): _check_permission(perm, [realm]) return True if realm: # There is no existing permission that corresponds to the realm # permission. So always pass expected_result=True to the dryrun. auth.has_permission_dryrun(perm, [realm], expected_result=True, tracking_bug=_TRACKING_BUG) return False
def check_pools_create_task(pool_cfg, enforce): """Checks if the caller can create the task in the pool. Realm permission `swarming.pools.createTask` will be checked, using auth.has_permission() or auth.has_permission_dryrun(). If the realm permission check is enforced, It just calls auth.has_permission() If it's legacy-compatible, It calls the legacy task_scheduler.check_schedule_request_acl_caller() and compare the legacy result with the realm permission check using the dryrun. Args: pool_cfg: PoolCfg of the pool. enforce: if True enforce realm ACLs regardless of is_enforced_permission. Returns: True if used realm ACLs, False if legacy ones. Raises: auth.AuthorizationError: if the caller is not allowed to schedule the task in the pool. """ # 'swarming.pools.createTask' perm_enum = realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK perm = get_permission(perm_enum) if enforce or is_enforced_permission(perm_enum, pool_cfg): _check_permission(perm, [pool_cfg.realm]) return True # legacy-compatible path # pool_cfg.realm is optional. if not pool_cfg.realm: logging.warning('%s: realm is missing in Pool "%s"', _TRACKING_BUG, pool_cfg.name) legacy_allowed = True try: task_scheduler.check_schedule_request_acl_caller(pool_cfg) except auth.AuthorizationError: legacy_allowed = False raise # re-raise the exception finally: # compare the legacy check result with realm check result if the pool realm # is specified. if pool_cfg.realm: auth.has_permission_dryrun(perm, [pool_cfg.realm], legacy_allowed, tracking_bug=_TRACKING_BUG) return False
def has_projects_access(project_ids): # TODO(crbug.com/1068817): During the migration we'll use the legacy response # as the final result, but will compare it to realms checks and log # discrepancies (this is what has_permission_dryrun does). legacy = _has_projects_access_legacy(project_ids) for pid in project_ids: auth.has_permission_dryrun( permission=_PERMISSION_READ, realms=[auth.root_realm(pid)], tracking_bug='crbug.com/1068817', expected_result=legacy[pid]) return legacy
def check_tasks_act_as(task_request, pool_cfg, enforce): """Checks if the task service account is allowed to run in the task realm. Realm permission `swarming.tasks.actAs` will be checked, using auth.has_permission() or auth.has_permission_dryrun(). If the realm permission check is enforced, It just calls auth.has_permission() If it's legacy-compatible, It calls task_scheduler.check_schedule_request_acl_service_account() and compare the legacy result with the realm permission check using the dryrun. Args: task_request: TaskRequest entity to be scheduled. pool_cfg: PoolConfig of the pool where the task will run. enforce: if True enforce realm ACLs regardless of is_enforced_permission. Returns: True if used realm ACLs, False if legacy ones. Raises: auth.AuthorizationError: if the service account is not allowed to run in the task realm. """ perm_enum = realms_pb2.REALM_PERMISSION_TASKS_ACT_AS perm = get_permission(perm_enum) identity = auth.Identity(auth.IDENTITY_USER, task_request.service_account) if enforce or is_enforced_permission(perm_enum, pool_cfg): _check_permission(perm, [task_request.realm], identity) return True # legacy-compatible path legacy_allowed = True try: # ACL check task_scheduler.check_schedule_request_acl_service_account( task_request, pool_cfg) except auth.AuthorizationError: legacy_allowed = False raise # re-raise the exception finally: if task_request.realm: auth.has_permission_dryrun(perm, [task_request.realm], legacy_allowed, identity=identity, tracking_bug=_TRACKING_BUG) return False
def _check_project_acl(project_id, permission, legacy_acl_group): """Checks legacy and realms ACLs, comparing them. Returns the result of the legacy ACL check for now. """ # TODO(crbug.com/1068817): Switch to using Realms for real. legacy_result = ( _has_projects_access_legacy([project_id])[project_id] and _check_acl_cfg(legacy_acl_group)) auth.has_permission_dryrun( permission=permission, realms=[auth.root_realm(project_id)], tracking_bug='crbug.com/1068817', expected_result=legacy_result) return legacy_result