go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/buildbucket/appengine/internal/perm/perm.go

// Copyright 2020 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package perm implements permission checks.
//
// The API is formulated in terms of LUCI Realms permissions, but it is
// currently implemented on top of native Buildbucket roles (which are
// deprecated).
package perm

import (
	"context"
	"sort"
	"sync"
	"time"

	"google.golang.org/grpc/codes"
	"google.golang.org/protobuf/proto"

	"go.chromium.org/luci/common/errors"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/common/sync/parallel"
	"go.chromium.org/luci/gae/service/datastore"
	"go.chromium.org/luci/grpc/appstatus"
	"go.chromium.org/luci/server/auth"
	"go.chromium.org/luci/server/auth/realms"
	"go.chromium.org/luci/server/caching/layered"

	"go.chromium.org/luci/buildbucket/appengine/model"
	"go.chromium.org/luci/buildbucket/bbperms"
	pb "go.chromium.org/luci/buildbucket/proto"
	"go.chromium.org/luci/buildbucket/protoutil"
)

const (
	// Administrators is a group of users that have all permissions in all
	// buckets.
	Administrators = "administrators"
)

// Cache "<project>/<bucket>" => wirepb-serialized pb.Bucket.
//
// Missing buckets are represented by empty pb.Bucket protos.
var bucketCache = layered.RegisterCache(layered.Parameters[*pb.Bucket]{
	ProcessCacheCapacity: 65536,
	GlobalNamespace:      "bucket_cache_v1",
	Marshal: func(item *pb.Bucket) ([]byte, error) {
		return proto.Marshal(item)
	},
	Unmarshal: func(blob []byte) (*pb.Bucket, error) {
		pb := &pb.Bucket{}
		if err := proto.Unmarshal(blob, pb); err != nil {
			return nil, err
		}
		return pb, nil
	},
	AllowNoProcessCacheFallback: true, // allow skipping cache in tests
})

// getBucket fetches a cached bucket proto.
//
// The returned value can be up to a minute stale compared to the state in
// the datastore.
//
// Returns:
//
//	bucket, nil - on success.
//	nil, nil - if the bucket is absent.
//	nil, err - on internal errors.
func getBucket(ctx context.Context, project, bucket string) (*pb.Bucket, error) {
	if project == "" {
		return nil, errors.Reason("project name is empty").Err()
	}
	if bucket == "" {
		return nil, errors.Reason("bucket name is empty").Err()
	}

	item, err := bucketCache.GetOrCreate(ctx, project+"/"+bucket, func() (*pb.Bucket, time.Duration, error) {
		entity := &model.Bucket{ID: bucket, Parent: model.ProjectKey(ctx, project)}
		switch err := datastore.Get(ctx, entity); {
		case err == nil:
			// We rely on Name to not be empty for existing buckets. Make sure it is
			// not empty.
			bucketPB := entity.Proto
			if bucketPB == nil {
				bucketPB = &pb.Bucket{}
			}
			bucketPB.Name = bucket
			return bucketPB, time.Minute, nil
		case err == datastore.ErrNoSuchEntity:
			// Cache "absence" for a shorter duration to make it harder to overflow
			// the cache with requests for non-existing buckets.
			return &pb.Bucket{}, 15 * time.Second, nil
		default:
			return nil, 0, errors.Annotate(err, "datastore error").Err()
		}
	}, layered.WithRandomizedExpiration(10*time.Second))
	if err != nil {
		return nil, err
	}

	// Name is always populated in existing buckets. It is never populated in
	// missing buckets.
	if item.Name == "" {
		return nil, nil
	}
	return item, nil
}

// HasInBucket checks the caller has the given permission in the bucket.
//
// Returns appstatus errors. If the bucket doesn't exist returns NotFound.
//
// Always checks the read permission (represented by BuildersGet), returning
// NotFound if the caller doesn't have it. Returns PermissionDenied if the
// caller has the read permission, but not the requested `perm`.
func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error {
	// Referring to a non-existing bucket is NotFound, even if the requested
	// permission is available via the @root realm.
	bucketPB, err := getBucket(ctx, project, bucket)
	switch {
	case err != nil:
		return errors.Annotate(err, "failed to fetch bucket %q", project+"/"+bucket).Err()
	case bucketPB == nil:
		return NotFoundErr(ctx)
	}

	realm := realms.Join(project, bucket)
	switch yes, err := auth.HasPermission(ctx, perm, realm, nil); {
	case err != nil:
		return errors.Annotate(err, "failed to check realm %q ACLs", realm).Err()
	case yes:
		return nil
	}

	// For compatibility with legacy ACLs, administrators have implicit access to
	// everything. Log when this rule is invoked, since it's surprising and it
	// something we might want to get rid of after everything is migrated to
	// Realms.
	switch is, err := auth.IsMember(ctx, Administrators); {
	case err != nil:
		return errors.Annotate(err, "failed to check group membership in %q", Administrators).Err()
	case is:
		logging.Warningf(ctx, "ADMIN_FALLBACK: perm=%q bucket=%q caller=%q",
			perm, project+"/"+bucket, auth.CurrentIdentity(ctx))
		return nil
	}

	// The user doesn't have the requested permission. Give a detailed error
	// message only if the caller is allowed to see the builder. Otherwise return
	// generic "Not found or no permission" error.
	if perm != bbperms.BuildersGet {
		switch visible, err := auth.HasPermission(ctx, bbperms.BuildersGet, realm, nil); {
		case err != nil:
			return errors.Annotate(err, "failed to check realm %q ACLs", realm).Err()
		case visible:
			return appstatus.Errorf(codes.PermissionDenied,
				"%q does not have permission %q in bucket %q",
				auth.CurrentIdentity(ctx), perm, project+"/"+bucket)
		}
	}

	return NotFoundErr(ctx)
}

// HasInBuilder checks the caller has the given permission in the builder.
//
// It's just a tiny wrapper around HasInBucket to reduce typing.
func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error {
	return HasInBucket(ctx, perm, id.Project, id.Bucket)
}

// NotFoundErr returns an appstatus with a generic error message indicating
// the resource requested was not found with a hint that the user may not have
// permission to view it. By not differentiating between "not found" and
// "permission denied" errors, leaking existence of resources a user doesn't
// have permission to view can be avoided. Should be used everywhere a
// "not found" or "permission denied" error occurs.
func NotFoundErr(ctx context.Context) error {
	return appstatus.Errorf(codes.NotFound, "requested resource not found or %q does not have permission to view it", auth.CurrentIdentity(ctx))
}

// BucketsByPerm returns buckets of the project that the caller has the given permission in.
// If the project is empty, it returns all user accessible buckets.
// Note: if the caller doesn't have the permission, it returns empty buckets.
func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error) {
	var projKey *datastore.Key
	if project != "" {
		projKey = datastore.KeyForObj(ctx, &model.Project{ID: project})
	}

	var bucketKeys []*datastore.Key
	if err := datastore.GetAll(ctx, datastore.NewQuery(model.BucketKind).Ancestor(projKey), &bucketKeys); err != nil {
		return nil, err
	}

	err = parallel.WorkPool(len(bucketKeys), func(c chan<- func() error) {
		var mu sync.Mutex
		for _, bk := range bucketKeys {
			bk := bk
			c <- func() error {
				if err := HasInBucket(ctx, p, bk.Parent().StringID(), bk.StringID()); err != nil {
					status, ok := appstatus.Get(err)
					if ok && (status.Code() == codes.PermissionDenied || status.Code() == codes.NotFound) {
						return nil
					}
					return err
				}
				mu.Lock()
				buckets = append(buckets, protoutil.FormatBucketID(bk.Parent().StringID(), bk.StringID()))
				mu.Unlock()
				return nil
			}
		}
	})
	sort.Strings(buckets)
	return
}

// hasInBuilderBoolean is a wrapper around HasInBuilder that handles denied/not-found errors
// and returns false instead of an error in those cases.
func hasInBuilderBoolean(ctx context.Context, p realms.Permission, builderID *pb.BuilderID) (bool, error) {
	err := HasInBuilder(ctx, p, builderID)
	if err == nil {
		return true, nil
	}
	status, ok := appstatus.Get(err)
	if ok && (status.Code() == codes.PermissionDenied || status.Code() == codes.NotFound) {
		return false, nil
	}
	return false, err
}

// GetFirstAvailablePerm returns the first permission in the given list which is granted to
// the user for the given builder. Returns an error if the user has none of the permissions.
func GetFirstAvailablePerm(ctx context.Context, builderID *pb.BuilderID, perms ...realms.Permission) (realms.Permission, error) {
	if len(perms) == 0 {
		panic("at least one permission must be provided")
	}
	// Look at each permission in turn except for the last one.
	for _, perm := range perms[:len(perms)-1] {
		if ok, err := hasInBuilderBoolean(ctx, perm, builderID); err != nil {
			return realms.Permission{}, err
		} else if ok {
			return perm, nil
		}
	}

	// If the user doesn't have any permissions at all, we want to throw an error, so use
	// HasInBuilder instead of the boolean version.
	lastPerm := perms[len(perms)-1]
	if err := HasInBuilder(ctx, lastPerm, builderID); err != nil {
		return realms.Permission{}, err
	}
	return lastPerm, nil
}

// getCachedPerm is a simple caching wrapper to check whether the user has a permission in
// a given bucket cache (map of bucket names to broadest Build read permission).
//
// Returns an error if the user does not have at least bbperms.BuildsList.
func getCachedPerm(ctx context.Context, bucketPermCache map[string]realms.Permission, builderID *pb.BuilderID) (realms.Permission, error) {
	qualifiedBucket := protoutil.FormatBucketID(builderID.GetProject(), builderID.GetBucket())
	_, cached := bucketPermCache[qualifiedBucket]
	if !cached {
		broadestBuildReadPerm, err := GetFirstAvailablePerm(ctx, builderID, bbperms.BuildsGet, bbperms.BuildsGetLimited, bbperms.BuildsList)
		if err != nil {
			return realms.Permission{}, err
		}
		bucketPermCache[qualifiedBucket] = broadestBuildReadPerm
	}
	return bucketPermCache[qualifiedBucket], nil
}

// RedactBuild redacts fields from the given build based on whether the user has
// appropriate permissions to see those fields.
// The relevant permissions are:
//
//	bbperms.BuildsGet: can see all fields
//	bbperms.BuildsGetLimited: can see a limited set of fields excluding detailed builder output
//	bbperms.BuildsList: can see only basic fields required to list builds
//
// Returns an error if the user does not have at least bbperms.BuildsList.
//
// For efficiency in the case where multiple builds are going to be redacted at once, the caller
// may optionally supply a bucket cache (map of bucket names to broadest Build read permission).
func RedactBuild(ctx context.Context, bucketPermCache map[string]realms.Permission, build *pb.Build) error {
	if bucketPermCache == nil {
		bucketPermCache = make(map[string]realms.Permission)
	}
	builderID := build.GetBuilder()
	broadestPerm, err := getCachedPerm(ctx, bucketPermCache, builderID)
	if err != nil {
		return err
	}
	var redactionMask *model.BuildMask
	switch {
	case broadestPerm == bbperms.BuildsGet:
		return nil
	case broadestPerm == bbperms.BuildsGetLimited:
		redactionMask = model.GetLimitedBuildMask
	case broadestPerm == bbperms.BuildsList:
		redactionMask = model.ListOnlyBuildMask
	}
	if err := redactionMask.Trim(build); err != nil {
		return err
	}
	return nil
}