go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/cipd/appengine/impl/rpcacl/admin.go (about) 1 // Copyright 2020 The LUCI Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 // Package rpcacl contains helpers for checking ACLs of individual RPCs. 16 package rpcacl 17 18 import ( 19 "context" 20 21 "google.golang.org/grpc/codes" 22 "google.golang.org/grpc/status" 23 24 "go.chromium.org/luci/common/logging" 25 "go.chromium.org/luci/server/auth" 26 ) 27 28 // AdminGroup is a name of a group with accounts that can use Admin API. 29 const AdminGroup = "administrators" 30 31 // CheckAdmin returns nil if the caller is an administrator. 32 // 33 // Returns PermissionDenied gRPC error otherwise. It also logs the admin access. 34 func CheckAdmin(ctx context.Context) error { 35 switch yep, err := auth.IsMember(ctx, AdminGroup); { 36 case err != nil: 37 logging.WithError(err).Errorf(ctx, "IsMember(%q) failed", AdminGroup) 38 return status.Errorf(codes.Internal, "failed to check ACL") 39 case !yep: 40 logging.Warningf(ctx, "Denying access for %q, not in %q group", auth.CurrentIdentity(ctx), AdminGroup) 41 return status.Errorf(codes.PermissionDenied, "not allowed") 42 default: 43 logging.Infof(ctx, "RPC is called by admin %q", auth.CurrentIdentity(ctx)) 44 return nil 45 } 46 }