go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/lucicfg/starlark/stdlib/internal/luci/rules/binding.star (about)

     1  # Copyright 2020 The LUCI Authors.
     2  #
     3  # Licensed under the Apache License, Version 2.0 (the "License");
     4  # you may not use this file except in compliance with the License.
     5  # You may obtain a copy of the License at
     6  #
     7  #      http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  # Unless required by applicable law or agreed to in writing, software
    10  # distributed under the License is distributed on an "AS IS" BASIS,
    11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  # See the License for the specific language governing permissions and
    13  # limitations under the License.
    14  
    15  """Defines luci.binding(...) rule."""
    16  
    17  load("@stdlib//internal/luci/lib/realms.star", "realms")
    18  load("@stdlib//internal/lucicfg.star", "lucicfg")
    19  
    def _binding(
            ctx,  # @unused
            *,
            realm = None,
            roles = None,
            groups = None,
            users = None,
            projects = None,
            conditions = None):
        """Grants roles within a realm to users, groups or LUCI projects.

        Role names come in two flavours: predefined ones start with `role/`,
        custom ones start with `customRole/`.

        Predefined roles live in the LUCI deployment configs; see **TODO** for
        the up-to-date list of available predefined roles and their meaning.

        Custom roles are declared in the project configs via
        luci.custom_role(...). Use them when no predefined role represents the
        desired set of permissions.

        Args:
          ctx: the implicit rule context, see lucicfg.rule(...).
          realm: one realm or a list of realms that receive the binding. May be
            left out when the binding is written inline inside a luci.realm(...)
            declaration.
          roles: one role or a list of roles to assign. Required.
          groups: one group name or a list of groups that get the role.
          users: one user email or a list of emails that get the role.
          projects: one LUCI project name or a list of project names that get
            the role.
          conditions: a list of conditions (ANDed together) deciding when this
            binding is active. Only a list of luci.restrict_attribute(...)
            conditions is supported at the moment, see
            luci.restrict_attribute(...) for details. This is an experimental
            feature.
        """

        # This rule is a pure pass-through: nothing is validated or normalized
        # here, every argument reaches realms.binding(...) exactly as given.
        #
        # NOTE(review): `roles` is documented as required yet defaults to None,
        # and no principal list (groups/users/projects) is checked for being
        # non-empty in this function. Presumably realms.binding(...) enforces
        # that; confirm there, since this is the rule that grants access.
        forwarded = dict(
            realm = realm,
            roles = roles,
            groups = groups,
            users = users,
            projects = projects,
            conditions = conditions,
        )
        return realms.binding(impl = realms.default_impl, **forwarded)
    65  
    # Exported rule object: _binding wrapped by lucicfg.rule(...), which supplies
    # the implicit `ctx` argument described in _binding's docstring.
    binding = lucicfg.rule(
        impl = _binding,
    )