go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/resultdb/proto/config/project_config.proto

// Copyright 2022 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package luci.resultdb.config;

option go_package = "go.chromium.org/luci/resultdb/proto/config;resultpb";

// ProjectConfig is the project-specific configuration data for Luci ResultDB.
message ProjectConfig {
  // Per user allow list to control GCS buckets that can be referenced as
  // artifacts in ResultDB invocations.
  // Since ResultDB returns GCS artifacts through signed urls, the allow list
  // is needed to prevent potential exploit where user could gain access to
  // artifacts in GCS buckets they don't have access to by feigning the
  // uploaded artifact GCS path.
  repeated GcsAllowList gcs_allow_list = 1;
}

// Capture the per user GCS bucket allow list.
message GcsAllowList {
  // The users allowed to reference the specified buckets.
  // Each user is a LUCI Auth identity string, e.g. user:username@email.com
  // For all available identity kinds see luci/auth/identity/identity.go
  repeated string users = 1;

  // GCS buckets the user is allowed to reference.
  repeated string buckets = 2;
}