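// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package projectconfig

import (
	"context"

	"go.chromium.org/luci/common/errors"
	"go.chromium.org/luci/common/logging"
	"go.chromium.org/luci/gae/service/datastore"
	"go.chromium.org/luci/grpc/grpcutil"
	"go.chromium.org/luci/server/auth"
)

// Helper functions for ACL checking.

// adminGroup is the auth group whose members implicitly have access to all
// projects, in addition to the groups listed in each project's ACL.
//
// TODO(nodir): unhardcode group name to config file if there is a need
const adminGroup = "administrators"

// IsAllowed checks to see if the user in the context is allowed to access
// the given project.
//
// The project's ACL is read from the datastore Project entity keyed by
// project and evaluated with CheckACL. Returns false for unknown projects.
// Returns an internal error (tagged grpcutil.InternalTag) if the check itself
// fails; the underlying datastore error is logged, not returned to the caller.
func IsAllowed(c context.Context, project string) (bool, error) {
	proj := Project{ID: project}
	switch err := datastore.Get(c, &proj); {
	case err == datastore.ErrNoSuchEntity:
		// Unknown project: deny access, but this is not a server failure.
		return false, nil
	case err != nil:
		logging.Errorf(c, "datastore error when fetching project %q: %s", project, err)
		return false, errors.New("internal server error", grpcutil.InternalTag)
	default:
		return CheckACL(c, proj.ACL)
	}
}

// CheckACL returns true if the caller is in the ACL.
//
// The caller is allowed if its identity appears directly in acl.Identities,
// or if it is a member of any group in acl.Groups or of adminGroup.
// Returns an internal error (tagged grpcutil.InternalTag) if the membership
// check itself fails; the underlying auth error is logged, not returned.
// acl is not modified.
func CheckACL(c context.Context, acl ACL) (bool, error) {
	// Try to find a direct hit first, it is cheaper.
	caller := auth.CurrentIdentity(c)
	for _, ident := range acl.Identities {
		if caller == ident {
			return true, nil
		}
	}
	// More expensive groups check comes second. Note that admins implicitly have
	// access to all projects.
	//
	// Build a fresh slice instead of append(acl.Groups, adminGroup) directly:
	// if acl.Groups has spare capacity, append would write the admin group into
	// the caller's backing array.
	groups := make([]string, 0, len(acl.Groups)+1)
	groups = append(groups, acl.Groups...)
	groups = append(groups, adminGroup)
	yes, err := auth.IsMember(c, groups...)
	if err != nil {
		logging.Errorf(c, "error when checking administrators ACL: %s", err)
		return false, errors.New("internal server error", grpcutil.InternalTag)
	}
	return yes, nil
}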