示例#1
0
 def test_validate_bucket_name(self):
   with self.assertRaises(errors.InvalidInputError):
     errors.validate_bucket_name(1)
   with self.assertRaises(errors.InvalidInputError):
     errors.validate_bucket_name('')
   with self.assertRaises(errors.InvalidInputError):
     errors.validate_bucket_name('no spaces')
   with self.assertRaises(errors.InvalidInputError):
     errors.validate_bucket_name('no spaces')
   errors.validate_bucket_name('good-name')
示例#2
0
 def test_validate_bucket_name(self):
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name(1)
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('')
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('no spaces')
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('no spaces')
     errors.validate_bucket_name('good-name')
示例#3
0
def validate_buildbucket_cfg(cfg, ctx):
    import swarmingcfg

    acl_set_names = set()
    for i, acl_set in enumerate(cfg.acl_sets):
        with ctx.prefix('ACL set #%d (%s): ', i + 1, acl_set.name):
            if not acl_set.name:
                ctx.error('name is unspecified')
            elif not ACL_SET_NAME_RE.match(acl_set.name):
                ctx.error('invalid name "%s" does not match regex %r',
                          acl_set.name, ACL_SET_NAME_RE.pattern)
            elif acl_set.name in acl_set_names:
                ctx.error('duplicate name "%s"', acl_set.name)
            acl_set_names.add(acl_set.name)

            validate_access_list(acl_set.acls, ctx)

    mixin_ctx = validation.Context(  # pragma: no cover
        on_message=lambda msg: ctx.msg(msg.severity, '%s', msg.text))
    swarmingcfg.validate_builder_mixins(cfg.builder_mixins, mixin_ctx)
    mixins_are_valid = not mixin_ctx.result().has_errors
    mixin_by_name = {m.name: m for m in cfg.builder_mixins}

    bucket_names = set()

    for i, bucket in enumerate(cfg.buckets):
        with ctx.prefix('Bucket %s: ', bucket.name or ('#%d' % (i + 1))):
            try:
                errors.validate_bucket_name(bucket.name,
                                            project_id=ctx.project_id)
            except errors.InvalidInputError as ex:
                ctx.error('invalid name: %s', ex.message)
            else:
                if bucket.name in bucket_names:
                    ctx.error('duplicate bucket name')
                else:
                    bucket_names.add(bucket.name)
                    if i > 0 and bucket.name < cfg.buckets[i - 1].name:
                        ctx.warning('out of order')

            validate_access_list(bucket.acls, ctx)
            for name in bucket.acl_sets:
                if name not in acl_set_names:
                    ctx.error(
                        'undefined ACL set "%s". '
                        'It must be defined in the same file', name)

            if bucket.HasField('swarming'):  # pragma: no cover
                with ctx.prefix('swarming: '):
                    swarmingcfg.validate_project_cfg(bucket.swarming,
                                                     mixin_by_name,
                                                     mixins_are_valid, ctx)
示例#4
0
def can_async(bucket, action):
    errors.validate_bucket_name(bucket)
    assert isinstance(action, Action)

    identity = auth.get_current_identity()
    cache_key = 'acl_can/%s/%s/%s' % (bucket, identity.to_bytes(), action.name)
    ctx = ndb.get_context()
    result = yield ctx.memcache_get(cache_key)
    if result is not None:
        raise ndb.Return(result)

    result = yield has_any_of_roles_async(bucket, ROLES_FOR_ACTION[action])
    yield ctx.memcache_set(cache_key, result, time=60)
    raise ndb.Return(result)
示例#5
0
def can_async(bucket, action):
  errors.validate_bucket_name(bucket)
  assert isinstance(action, Action)

  identity = auth.get_current_identity()
  cache_key = 'acl_can/%s/%s/%s' % (bucket, identity.to_bytes(), action.name)
  ctx = ndb.get_context()
  result = yield ctx.memcache_get(cache_key)
  if result is not None:
    raise ndb.Return(result)

  result = yield has_any_of_roles_async(bucket, ROLES_FOR_ACTION[action])
  yield ctx.memcache_set(cache_key, result, time=60)
  raise ndb.Return(result)
示例#6
0
文件: config.py 项目: eunchong/infra
def validate_buildbucket_cfg(cfg, ctx):
  is_sorted = True
  bucket_names = set()

  for i, bucket in enumerate(cfg.buckets):
    with ctx.prefix('Bucket %s: ', bucket.name or ('#%d' % (i + 1))):
      try:
        errors.validate_bucket_name(bucket.name)
      except errors.InvalidInputError as ex:
        ctx.error('invalid name: %s', ex.message)
      else:
        if bucket.name in bucket_names:
          ctx.error('duplicate bucket name')
        else:
          bucket_names.add(bucket.name)
          if ctx.project_id:  # pragma: no branch
            bucket_entity = Bucket.get_by_id(bucket.name)
            if bucket_entity and bucket_entity.project_id != ctx.project_id:
              ctx.error('this name is already reserved by another project')

        if is_sorted and i > 0 and cfg.buckets[i - 1].name:
          if bucket.name < cfg.buckets[i - 1].name:
            is_sorted = False

      for i, acl in enumerate(bucket.acls):
        with ctx.prefix('acl #%d: ', i + 1):
          if acl.group and acl.identity:
            ctx.error('either group or identity must be set, not both')
          elif acl.group:
            if not auth.is_valid_group_name(acl.group):
              ctx.error('invalid group: %s', acl.group)
          elif acl.identity:
            validate_identity(acl.identity, ctx)
          else:
            ctx.error('group or identity must be set')
      if bucket.HasField('swarming'):  # pragma: no cover
        with ctx.prefix('swarming: '):
          swarmingcfg.validate_cfg(bucket.swarming, ctx)
  if not is_sorted:
    ctx.warning('Buckets are not sorted by name')
示例#7
0
def validate_buildbucket_cfg(cfg, ctx):
    is_sorted = True
    bucket_names = set()

    for i, bucket in enumerate(cfg.buckets):
        with ctx.prefix('Bucket %s: ', bucket.name or ('#%d' % (i + 1))):
            try:
                errors.validate_bucket_name(bucket.name)
            except errors.InvalidInputError as ex:
                ctx.error('invalid name: %s', ex.message)
            else:
                if bucket.name in bucket_names:
                    ctx.error('duplicate bucket name')
                else:
                    bucket_names.add(bucket.name)
                    if ctx.project_id:  # pragma: no branch
                        bucket_entity = Bucket.get_by_id(bucket.name)
                        if bucket_entity and bucket_entity.project_id != ctx.project_id:
                            ctx.error(
                                'this name is already reserved by another project'
                            )

                if is_sorted and i > 0 and cfg.buckets[i - 1].name:
                    if bucket.name < cfg.buckets[i - 1].name:
                        is_sorted = False

            for i, acl in enumerate(bucket.acls):
                with ctx.prefix('acl #%d: ', i + 1):
                    if acl.group and acl.identity:
                        ctx.error(
                            'either group or identity must be set, not both')
                    elif acl.group:
                        if not auth.is_valid_group_name(acl.group):
                            ctx.error('invalid group: %s', acl.group)
                    elif acl.identity:
                        validate_identity(acl.identity, ctx)
                    else:
                        ctx.error('group or identity must be set')
    if not is_sorted:
        ctx.warning('Buckets are not sorted by name')
示例#8
0
def has_any_of_roles_async(bucket, roles):
    """True if current identity has any of |roles| in |bucket|."""
    assert bucket
    assert roles
    errors.validate_bucket_name(bucket)
    roles = set(roles)
    assert roles.issubset(project_config_pb2.Acl.Role.values())

    if auth.is_admin():
        raise ndb.Return(True)

    _, bucket_cfg = yield config.get_bucket_async(bucket)
    identity_str = auth.get_current_identity().to_bytes()
    if bucket_cfg:
        for rule in bucket_cfg.acls:
            if rule.role not in roles:
                continue
            if rule.identity == identity_str:
                raise ndb.Return(True)
            if rule.group and auth.is_group_member(rule.group):
                raise ndb.Return(True)
    raise ndb.Return(False)
示例#9
0
def has_any_of_roles_async(bucket, roles):
  """True if current identity has any of |roles| in |bucket|."""
  assert bucket
  assert roles
  errors.validate_bucket_name(bucket)
  roles = set(roles)
  assert roles.issubset(project_config_pb2.Acl.Role.values())

  if auth.is_admin():
    raise ndb.Return(True)

  bucket_cfg = yield config.get_bucket_async(bucket)
  identity_str = auth.get_current_identity().to_bytes()
  if bucket_cfg:
    for rule in bucket_cfg.acls:
      if rule.role not in roles:
        continue
      if rule.identity == identity_str:
        raise ndb.Return(True)
      if rule.group and auth.is_group_member(rule.group):
        raise ndb.Return(True)
  raise ndb.Return(False)
示例#10
0
 def test_validate_bucket_name(self):
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name(1)
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('luci.x', project_id='y')
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('')
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('no spaces')
     with self.assertRaises(errors.InvalidInputError):
         errors.validate_bucket_name('no spaces')
     errors.validate_bucket_name('good-name')
     errors.validate_bucket_name('luci.infra.try', project_id='infra')