luci: go.chromium.org/luci/buildbucket/appengine/internal/perm Index | Files

package perm

import "go.chromium.org/luci/buildbucket/appengine/internal/perm"

Package perm implements permission checks.

The API is formulated in terms of LUCI Realms permissions, but it is currently implemented on top of native Buildbucket roles (which are deprecated).

Index

Package Files

perm.go

Constants

const (
    // UpdateBuildAllowedUsers is a group of users allowed to update builds.
    // They are expected to be robots.
    UpdateBuildAllowedUsers = "buildbucket-update-build-users"

    // Administrators is a group of users that have all permissions in all
    // buckets.
    Administrators = "administrators"
)

Variables

var (
    // BuildsGet allows to see all information about a build.
    BuildsGet = realms.RegisterPermission("buildbucket.builds.get")
    // BuildsList allows to list and search builds in a bucket.
    BuildsList = realms.RegisterPermission("buildbucket.builds.list")
    // BuildsCancel allows to cancel a build.
    BuildsCancel = realms.RegisterPermission("buildbucket.builds.cancel")

    // BuildersGet allows to see details of a builder (but not its builds).
    BuildersGet = realms.RegisterPermission("buildbucket.builders.get")
    // BuildersList allows to list and search builders (but not builds).
    BuildersList = realms.RegisterPermission("buildbucket.builders.list")
)

func BucketsByPerm Uses

func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error)

BucketsByPerm returns buckets of the project that the caller has the given permission in. If the project is empty, it returns all user accessible buckets. Note: if the caller doesn't have the permission, it returns empty buckets.

func CanUpdateBuild Uses

func CanUpdateBuild(ctx context.Context) (bool, error)

CanUpdateBuild returns whether the caller has a permission to update builds.

func HasInBucket Uses

func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error

HasInBucket checks the caller has the given permission in the bucket.

Returns appstatus errors. If the bucket doesn't exist returns NotFound.

Always checks the read permission first, returning NotFound if the caller doesn't have it. Returns PermissionDenied if the caller has the read permission, but not the requested `perm`.

func HasInBuilder Uses

func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error

HasInBuilder checks the caller has the given permission in the builder.

It's just a tiny wrapper around HasInBucket to reduce typing.

func NotFoundErr Uses

func NotFoundErr(ctx context.Context) error

NotFoundErr returns an appstatus with a generic error message indicating the resource requested was not found with a hint that the user may not have permission to view it. By not differentiating between "not found" and "permission denied" errors, leaking existence of resources a user doesn't have permission to view can be avoided. Should be used everywhere a "not found" or "permission denied" error occurs.

Package perm imports 15 packages (graph) and is imported by 2 packages. Updated 2020-09-30. Refresh now. Tools for package owners.