Package perm implements permission checks.
The API is formulated in terms of LUCI Realms permissions, but it is currently implemented on top of native Buildbucket roles (which are deprecated).
- func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets string, err error)
- func CanUpdateBuild(ctx context.Context) (bool, error)
- func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error
- func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error
- func NotFoundErr(ctx context.Context) error
const ( // UpdateBuildAllowedUsers is a group of users allowed to update builds. // They are expected to be robots. UpdateBuildAllowedUsers = "buildbucket-update-build-users" // Administrators is a group of users that have all permissions in all // buckets. Administrators = "administrators" )
var ( // BuildsAdd allows to schedule new builds in a bucket. BuildsAdd = realms.RegisterPermission("buildbucket.builds.add") // BuildsGet allows to see all information about a build. BuildsGet = realms.RegisterPermission("buildbucket.builds.get") // BuildsList allows to list and search builds in a bucket. BuildsList = realms.RegisterPermission("buildbucket.builds.list") // BuildsCancel allows to cancel a build. BuildsCancel = realms.RegisterPermission("buildbucket.builds.cancel") // BuildersGet allows to see details of a builder (but not its builds). BuildersGet = realms.RegisterPermission("buildbucket.builders.get") // BuildersList allows to list and search builders (but not builds). BuildersList = realms.RegisterPermission("buildbucket.builders.list") )
func BucketsByPerm ¶
BucketsByPerm returns buckets of the project that the caller has the given permission in. If the project is empty, it returns all user accessible buckets. Note: if the caller doesn't have the permission, it returns empty buckets.
func CanUpdateBuild ¶
CanUpdateBuild returns whether the caller has a permission to update builds.
func HasInBucket ¶
HasInBucket checks the caller has the given permission in the bucket.
Returns appstatus errors. If the bucket doesn't exist returns NotFound.
Always checks the read permission first, returning NotFound if the caller doesn't have it. Returns PermissionDenied if the caller has the read permission, but not the requested `perm`.
func HasInBuilder ¶
HasInBuilder checks the caller has the given permission in the builder.
It's just a tiny wrapper around HasInBucket to reduce typing.
func NotFoundErr ¶
NotFoundErr returns an appstatus with a generic error message indicating the resource requested was not found with a hint that the user may not have permission to view it. By not differentiating between "not found" and "permission denied" errors, leaking existence of resources a user doesn't have permission to view can be avoided. Should be used everywhere a "not found" or "permission denied" error occurs.