Documentation

Overview

Package perm implements permission checks.

The API is formulated in terms of LUCI Realms permissions, but it is currently implemented on top of native Buildbucket roles (which are deprecated).

Index

Constants

View Source
const UpdateBuildAllowedUsers = "buildbucket-update-build-users"

UpdateBuildAllowedUsers is a group of users allowed to update builds. They are expected to be robots.

Variables

View Source
var (
	// BuildsGet allows to see all information about a build.
	BuildsGet = realms.RegisterPermission("buildbucket.builds.get")
	// BuildsList allows to list and search builds in a bucket.
	BuildsList = realms.RegisterPermission("buildbucket.builds.list")
	// BuildsCancel allows to cancel a build.
	BuildsCancel = realms.RegisterPermission("buildbucket.builds.cancel")

	// BuildersGet allows to see details of a builder (but not its builds).
	BuildersGet = realms.RegisterPermission("buildbucket.builders.get")
	// BuildersList allows to list and search builders (but not builds).
	BuildersList = realms.RegisterPermission("buildbucket.builders.list")
)

Functions

func BucketsByPerm

func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error)

BucketsByPerm returns buckets of the project that the caller has the given permission in. If the project is empty, it returns all user accessible buckets. Note: if the caller doesn't have the permission, it returns empty buckets.

func CanUpdateBuild

func CanUpdateBuild(ctx context.Context) (bool, error)

CanUpdateBuild returns whether the caller has a permission to update builds.

func HasInBucket

func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error

HasInBucket checks the caller has the given permission in the bucket.

Returns appstatus errors. If the bucket doesn't exist returns NotFound.

Always checks the read permission first, returning NotFound if the caller doesn't have it. Returns PermissionDenied if the caller has the read permission, but not the requested `perm`.

func HasInBuilder

func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error

HasInBuilder checks the caller has the given permission in the builder.

It's just a tiny wrapper around HasInBucket to reduce typing.

func NotFoundErr

func NotFoundErr(ctx context.Context) error

NotFoundErr returns an appstatus with a generic error message indicating the resource requested was not found with a hint that the user may not have permission to view it. By not differentiating between "not found" and "permission denied" errors, leaking existence of resources a user doesn't have permission to view can be avoided. Should be used everywhere a "not found" or "permission denied" error occurs.

Types

This section is empty.

Source Files