"""
Tests for scopes of interest to Release Engineering.
The idea is to know exactly who has which sorts of scopes, and detect any
changes in those lists.
"""
from common import assertPrincipalsWithScope
from common import principalsWith
def test_signing():
    """Pin the exact set of principals that hold ``signing:*``.

    Any principal gaining a signing scope must be added here deliberately,
    so a stray grant shows up as a test failure. ``omitTrusted`` is passed
    through to the helper in ``common`` (presumably drops principals it
    already treats as trusted -- confirm there).
    """
    user_groups = (
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    )
    expected = [
        # root
        'client-id:root',
        # services
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    # user groups: one principalsWith(...) entry per group, in this order
    expected.extend(principalsWith(group) for group in user_groups)
    assertPrincipalsWithScope("signing:*", expected, omitTrusted=True)
def test_bbb():
    """Pin the exact set of principals that hold ``buildbot-bridge:*``.

    NOTE(review): this asserts the same scope with the same expected
    principals as ``test_bbb_tasks`` below; one of the two is likely
    redundant -- confirm before dropping either.
    """
    user_groups = (
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    )
    expected = [
        # root
        'client-id:root',
        # services
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    # user groups: one principalsWith(...) entry per group, in this order
    expected.extend(principalsWith(group) for group in user_groups)
    assertPrincipalsWithScope("buildbot-bridge:*", expected, omitTrusted=True)
def test_bbb_tasks():
    """Pin who holds ``buildbot-bridge:*``, the scope for restricted builders.

    Buildbot Bridge (BBB) lets Buildbot jobs run via a TaskCluster task.
    Most BBB tasks need no extra scopes, but the more sensitive builders
    are restricted by ``buildbot-bridge:..`` scopes, so the holders of the
    wildcard are pinned here.
    """
    user_groups = (
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    )
    expected = [
        # root
        'client-id:root',
        # services
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    # user groups: one principalsWith(...) entry per group, in this order
    expected.extend(principalsWith(group) for group in user_groups)
    assertPrincipalsWithScope("buildbot-bridge:*", expected, omitTrusted=True)
def test_bbb_worker():
    """Pin who may define tasks on the Buildbot Bridge worker type.

    Access to the BBB provisioner-id/worker-type
    (``queue:define-task:buildbot-bridge/*``) allows scheduling BBB jobs,
    but only on non-restricted builders unless further scopes are also
    present. This list is therefore broader than ``buildbot-bridge:*`` and
    includes individual clients and people.
    """
    user_groups = (
        'mozilla-group:releng',
        'mozilla-group:team_relops',
        'mozilla-group:team_taskcluster',
    )
    expected = [
        # root
        'client-id:root',
        # services
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
        'client-id-alias:mozilla-pulse-actions',  # armen's thing
        'client-id:bbb-scheduler',
        # people
        'client-id:adusca-development',
    ]
    # user groups: one principalsWith(...) entry per group, in this order
    expected.extend(principalsWith(group) for group in user_groups)
    assertPrincipalsWithScope(
        "queue:define-task:buildbot-bridge/*",
        expected,
        omitTrusted=True,
    )
def test_balrog_vpn():
    """Pin who may use the ``balrogVPNProxy`` docker-worker feature.

    Balrog is the administrative interface for Mozilla's update server;
    automation publishes information about new updates through it for
    end-users' updaters to download. The BalrogVpnProxy feature grants
    *network* access to Balrog only and carries no Balrog credentials, so
    it is just one layer of the access control protecting Balrog and is
    distributed a little more broadly than full access would be. It is
    still pinned exactly so that a new holder of that layer is noticed.
    """
    root = ['client-id:root']
    ci_testing = [
        'client-id-alias:worker-ci-tests',  # docker-worker integration tests
    ]
    repos = [
        'moz-tree:level:3',
        'repo:hg.mozilla.org/integration/b2g-inbound:*',
        'repo:hg.mozilla.org/integration/fx-team:*',
        'repo:hg.mozilla.org/integration/mozilla-inbound:*',
        'repo:hg.mozilla.org/mozilla-central:*',
        'repo:hg.mozilla.org/releases/b2g-ota:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g34_v2_1s:*',
        'repo:hg.mozilla.org/releases/mozilla-b2g44_v2_5:*',
    ]
    aws_workers = [
        'worker-type:aws-provisioner-v1/*',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gaia-decision',  # Bug 1233555
        'worker-type:aws-provisioner-v1/gecko-decision',  # Bug 1233555
        'client-id-alias:testdroid-worker',  # Bug 1218549
    ]
    services = [
        'client-id-alias:funsize-dev',
        'client-id-alias:funsize-scheduler',
        'client-id-alias:release-runner-dev',
        'client-id-alias:scheduler-taskcluster-net',  # Bug 1218541
    ]
    people = ['client-id:dustin-docker-dev']
    # user groups: one principalsWith(...) entry per group, in this order
    user_groups = [
        principalsWith(group)
        for group in (
            'mozilla-group:scm_level_3',
            'mozilla-group:releng',
            'mozilla-group:team_relops',
            'mozilla-group:team_taskcluster',
        )
    ]
    assertPrincipalsWithScope(
        "docker-worker:feature:balrogVPNProxy",
        root + ci_testing + repos + aws_workers + services + people + user_groups,
        omitTrusted=True,
    )
# TODO: docker-worker caches
# TODO: queue:create-task:prov/wt
# TODO: queue:get-artifact:project/releng/*
# TODO: releng routes
# TODO: (new file?) auth stuff
# TODO: allowPtrace feature