def check_bot_terminate_acl(bot_id):
    """Raise unless the caller is authorized to terminate the given bot.

    Authorization is decided in two steps:

    1. Global permission, via acl.can_edit_bot(). If it is granted, no
       further check is made.
    2. Otherwise the realm permission 'swarming.pools.terminateBot' is
       checked through _check_bot_acl(). The caller needs that permission in
       *any* pool.

    Args:
      bot_id: ID of the bot.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    # The global grant short-circuits the realm lookup; everyone else has to
    # pass the per-realm check, which is the call expected to raise on denial.
    if not acl.can_edit_bot():
        _check_bot_acl(realms_pb2.REALM_PERMISSION_POOLS_TERMINATE_BOT, bot_id)
def permissions(self, _request):
    """Report the caller's permissions as a ClientPermissions message.

    Every field is computed from a global `acl` predicate; the request
    argument is not consulted, so nothing here is scoped to a specific bot,
    task or pool.
    """
    # Predicates are evaluated in the same order as the message fields.
    may_delete_bot = acl.can_delete_bot()
    # NOTE(review): terminate_bot mirrors the global can_edit_bot() answer
    # only; if realm-scoped termination rights exist for this caller they are
    # not reflected in this flag -- confirm callers do not treat it as the
    # authoritative decision.
    may_terminate_bot = acl.can_edit_bot()
    may_get_configs = acl.can_view_config()
    may_put_configs = acl.can_edit_config()
    # Uses the module-private acl._is_user() helper; the IP allowlist lookup
    # only runs when that helper returns a falsy value.
    may_cancel_task = acl._is_user() or acl.is_ip_whitelisted_machine()
    may_cancel_tasks = acl.can_edit_all_tasks()
    may_get_bootstrap_token = acl.can_create_bot()

    return swarming_rpcs.ClientPermissions(
        delete_bot=may_delete_bot,
        terminate_bot=may_terminate_bot,
        get_configs=may_get_configs,
        put_configs=may_put_configs,
        cancel_task=may_cancel_task,
        cancel_tasks=may_cancel_tasks,
        get_bootstrap_token=may_get_bootstrap_token)
def can_terminate_bot(bot_id):
    """Tell whether the caller is allowed to terminate the bot.

    Boolean wrapper around check_bot_terminate_acl() for callers that want an
    answer rather than an exception.

    Args:
      bot_id: ID of the bot. When it is empty/falsy there is no bot to scope
        the check to, so only the global acl.can_edit_bot() answer is used.

    Returns:
      allowed: True if allowed, False otherwise.
    """
    if bot_id:
        try:
            check_bot_terminate_acl(bot_id)
        except auth.AuthorizationError:
            # Only an explicit denial becomes False. Any other exception
            # propagates to the caller and is never reported as "allowed".
            return False
        return True
    return acl.can_edit_bot()
def test_ip_whitelisted(self):
    """Pin the permission set of a caller matched only by the IP allowlist.

    NOTE(review): the matrix below grants bot edit/delete and edit/view on
    tasks owned by someone else purely on the basis of source IP. That is
    what the test asserts today; confirm the breadth is intentional.
    """
    self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)

    # Rows are (expected, predicate, *args) and are checked top to bottom.
    matrix = (
        (True, acl.is_ip_whitelisted_machine),
        (True, acl.can_access),
        # Configuration stays off limits.
        (False, acl.can_view_config),
        (False, acl.can_edit_config),
        # Bots: everything except creation.
        (False, acl.can_create_bot),
        (True, acl.can_edit_bot),
        (True, acl.can_delete_bot),
        (True, acl.can_view_bot),
        # Tasks: per-task access is granted, the "all tasks" predicates are not.
        (True, acl.can_create_task),
        (False, acl.can_schedule_high_priority_tasks),
        (True, acl.can_edit_task, self._task_owned),
        (True, acl.can_edit_task, self._task_other),
        (False, acl.can_edit_all_tasks),
        (True, acl.can_view_task, self._task_owned),
        (True, acl.can_view_task, self._task_other),
        (False, acl.can_view_all_tasks),
    )
    for row in matrix:
        outcome = row[1](*row[2:])
        if row[0]:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)
def test_instance_admin(self):
    """An instance admin is granted every permission predicate.

    The admin is not an IP-allowlisted machine, so that single predicate is
    expected to be False while all others are True.
    """
    auth_testing.mock_is_admin(self, True)

    self.assertFalse(acl.is_ip_whitelisted_machine())

    # Rows are (predicate, *args); each must be truthy, checked in order.
    granted = (
        (acl.can_access,),
        (acl.can_view_config,),
        (acl.can_edit_config,),
        (acl.can_create_bot,),
        (acl.can_edit_bot,),
        (acl.can_delete_bot,),
        (acl.can_view_bot,),
        (acl.can_create_task,),
        (acl.can_schedule_high_priority_tasks,),
        (acl.can_edit_task, self._task_owned),
        (acl.can_edit_task, self._task_other),
        (acl.can_edit_all_tasks,),
        (acl.can_view_task, self._task_owned),
        (acl.can_view_task, self._task_other),
        (acl.can_view_all_tasks,),
    )
    for row in granted:
        self.assertTrue(row[0](*row[1:]))
def test_nobody(self):
    """An anonymous identity is denied every permission predicate.

    This is the default-deny baseline: a predicate that starts returning
    True for auth.Anonymous fails here.
    """
    auth_testing.mock_get_current_identity(self, auth.Anonymous)

    # Rows are (predicate, *args); each must be falsy, checked in order.
    denied = (
        (acl.is_ip_whitelisted_machine,),
        (acl.can_access,),
        (acl.can_view_config,),
        (acl.can_edit_config,),
        (acl.can_create_bot,),
        (acl.can_edit_bot,),
        (acl.can_delete_bot,),
        (acl.can_view_bot,),
        (acl.can_create_task,),
        (acl.can_schedule_high_priority_tasks,),
        (acl.can_edit_task, self._task_owned),
        (acl.can_edit_task, self._task_other),
        (acl.can_edit_all_tasks,),
        (acl.can_view_task, self._task_owned),
        (acl.can_view_task, self._task_other),
        (acl.can_view_all_tasks,),
    )
    for row in denied:
        self.assertFalse(row[0](*row[1:]))
def test_view_all_tasks(self):
    """Pin the permission set of a member of the 'view_all_tasks' group.

    The group adds read access to every task. Write access stays limited to
    the caller's own task, and bots and configuration remain inaccessible.
    """
    self._add_to_group('view_all_tasks')

    # Rows are (expected, predicate, *args) and are checked top to bottom.
    matrix = (
        (False, acl.is_ip_whitelisted_machine),
        (True, acl.can_access),
        # No configuration or bot rights come with this group.
        (False, acl.can_view_config),
        (False, acl.can_edit_config),
        (False, acl.can_create_bot),
        (False, acl.can_edit_bot),
        (False, acl.can_delete_bot),
        (False, acl.can_view_bot),
        # Task creation and editing of other callers' tasks stay denied.
        (False, acl.can_create_task),
        (False, acl.can_schedule_high_priority_tasks),
        (True, acl.can_edit_task, self._task_owned),
        (False, acl.can_edit_task, self._task_other),
        (False, acl.can_edit_all_tasks),
        # Viewing is allowed for every task.
        (True, acl.can_view_task, self._task_owned),
        (True, acl.can_view_task, self._task_other),
        (True, acl.can_view_all_tasks),
    )
    for row in matrix:
        outcome = row[1](*row[2:])
        if row[0]:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)
def test_nobody(self):
    """An anonymous identity is denied every permission predicate.

    Here the identity is injected by stubbing auth.get_current_identity to
    return auth.IDENTITY_ANONYMOUS. Every predicate must then be falsy,
    which makes this the default-deny baseline.
    """
    self.mock(auth, 'get_current_identity', lambda: auth.IDENTITY_ANONYMOUS)

    # Rows are (predicate, *args); each must be falsy, checked in order.
    denied = (
        (acl.is_ip_whitelisted_machine,),
        (acl.can_access,),
        (acl.can_view_config,),
        (acl.can_edit_config,),
        (acl.can_create_bot,),
        (acl.can_edit_bot,),
        (acl.can_delete_bot,),
        (acl.can_view_bot,),
        (acl.can_create_task,),
        (acl.can_schedule_high_priority_tasks,),
        (acl.can_edit_task, self._task_owned),
        (acl.can_edit_task, self._task_other),
        (acl.can_edit_all_tasks,),
        (acl.can_view_task, self._task_owned),
        (acl.can_view_task, self._task_other),
        (acl.can_view_all_tasks,),
    )
    for row in denied:
        self.assertFalse(row[0](*row[1:]))