go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/cv/internal/acls/legacystatus.go (about) 1 // Copyright 2021 The LUCI Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package acls 16 17 import ( 18 "context" 19 "time" 20 21 "go.chromium.org/luci/common/logging" 22 "go.chromium.org/luci/server/auth" 23 "go.chromium.org/luci/server/caching/layered" 24 25 "go.chromium.org/luci/cv/internal/configs/prjcfg" 26 "go.chromium.org/luci/cv/internal/configs/validation" 27 ) 28 29 const ( 30 cqStatusInternalCrIAGroup = "googlers" 31 legacyCQStatusHostTTL = 20 * time.Minute 32 ) 33 34 // legacyCQStatusHostCache caches CQ status hosts per LUCI project. 35 var legacyCQStatusHostCache = layered.RegisterCache(layered.Parameters[string]{ 36 ProcessCacheCapacity: 100, 37 GlobalNamespace: "acls_legacy_cqstatus_v1", 38 Marshal: func(host string) ([]byte, error) { 39 return []byte(host), nil 40 }, 41 Unmarshal: func(blob []byte) (string, error) { 42 return string(blob), nil 43 }, 44 }) 45 46 // checkLegacyCQStatusAccess checks if the calling user has access to the Runs 47 // of the given LUCI project via the legacy CQ status app. 48 // 49 // Returns true if user has access. 50 // 51 // Each LUCI project can configure cq status app usage in 3 diff ways: 52 // - (P) public via "chromium-cq-status.appspot.com" 53 // - (I) internal via "internal-cq-stauts.appspot.com" 54 // - (N) none 55 // 56 // Thus, the project config can be used to infer visibility of project's Runs. 57 // 58 // See also https://crbug.com/1250737. 59 // TODO(crbug/1233963): remove this legacy after implementing CV ACLs. 60 func checkLegacyCQStatusAccess(ctx context.Context, luciProject string) (bool, error) { 61 switch host, err := loadCQStatusHost(ctx, luciProject); { 62 case err != nil: 63 return false, err 64 case host == validation.CQStatusHostPublic: 65 return true, nil 66 case host == validation.CQStatusHostInternal: 67 return auth.IsMember(ctx, cqStatusInternalCrIAGroup) 68 case host == "": 69 return false, nil 70 default: 71 logging.Errorf(ctx, "crbug/1250737: Unrecognized CQ Status Host %q", host) 72 return false, nil 73 } 74 } 75 76 // loadCQStatusHost returns CQ status host configured for a LUCI projects. 77 func loadCQStatusHost(ctx context.Context, luciProject string) (string, error) { 78 return legacyCQStatusHostCache.GetOrCreate(ctx, luciProject, func() (string, time.Duration, error) { 79 m, err := prjcfg.GetLatestMeta(ctx, luciProject) 80 switch { 81 case err != nil: 82 return "", 0, err 83 case m.Status != prjcfg.StatusEnabled: 84 // Cache for disabled/deleted projects, too. 85 return "", legacyCQStatusHostTTL, nil 86 } 87 // All ConfigGroups have the same CQStatusHost, so just load the first one. 88 switch cfg, err := prjcfg.GetConfigGroup(ctx, m.Project, m.ConfigGroupIDs[0]); { 89 case err != nil: 90 return "", 0, err 91 default: 92 return cfg.CQStatusHost, legacyCQStatusHostTTL, nil 93 } 94 }) 95 }