Documentation
Overview
Package perm implements permission checks.
The API is formulated in terms of LUCI Realms permissions, but it is currently implemented on top of native Buildbucket roles (which are deprecated).
Index
- Constants
- func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error)
- func GetFirstAvailablePerm(ctx context.Context, builderID *pb.BuilderID, perms ...realms.Permission) (realms.Permission, error)
- func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error
- func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error
- func NotFoundErr(ctx context.Context) error
- func RedactBuild(ctx context.Context, bucketPermCache map[string]realms.Permission, ...) error
Constants
const (
	// Administrators is a group of users that have all permissions in all
	// buckets.
	Administrators = "administrators"
)
Variables
This section is empty.
Functions
func BucketsByPerm
func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error)
BucketsByPerm returns the buckets of the project in which the caller has the given permission. If project is empty, it returns all buckets accessible to the user. Note: if the caller doesn't have the permission anywhere, the returned slice is empty.
func GetFirstAvailablePerm
func GetFirstAvailablePerm(ctx context.Context, builderID *pb.BuilderID, perms ...realms.Permission) (realms.Permission, error)
GetFirstAvailablePerm returns the first permission in the given list that is granted to the user for the given builder. It returns an error if the user has none of the permissions.
func HasInBucket
func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error
HasInBucket checks that the caller has the given permission in the bucket.
It returns appstatus errors. If the bucket doesn't exist, it returns NotFound.
It always checks the read permission (represented by BuildersGet), returning NotFound if the caller doesn't have it. It returns PermissionDenied if the caller has the read permission but not the requested `perm`.
func HasInBuilder
func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error
HasInBuilder checks that the caller has the given permission in the builder.
It's just a tiny wrapper around HasInBucket to reduce typing.
func NotFoundErr
func NotFoundErr(ctx context.Context) error
NotFoundErr returns an appstatus error with a generic message indicating that the requested resource was not found, with a hint that the user may not have permission to view it. By not differentiating between "not found" and "permission denied" errors, it avoids leaking the existence of resources a user doesn't have permission to view. It should be used everywhere a "not found" or "permission denied" error occurs.
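The NotFound/PermissionDenied rule of HasInBucket and the existence-hiding purpose of NotFoundErr, as an added, self-contained model that is not the perm package's own code: Permission, Grants, PermError and the string status codes are assumed stand-ins for realms.Permission, the realms/roles lookup and appstatus errors, and the grants data is constructed.

```go
package main

import "fmt"

// Assumed stand-ins for realms.Permission values and appstatus codes; the
// names mirror those in the package doc.
type Permission string

const (
	BuildersGet Permission = "buildbucket.builders.get" // the read permission
	BuildsAdd   Permission = "buildbucket.builds.add"
)

const (
	NotFound         = "NOT_FOUND"
	PermissionDenied = "PERMISSION_DENIED"
)

type PermError struct{ Code, Msg string } // models an appstatus error

func (e *PermError) Error() string { return e.Code + ": " + e.Msg }

// Grants is a constructed stand-in for the realms/roles lookup (bucket -> permissions held).
type Grants map[string]map[Permission]bool

// NotFoundErr uses one generic message for "does not exist" and "cannot read",
// so a caller cannot probe which buckets exist.
func NotFoundErr() error {
	return &PermError{NotFound, "requested resource not found or you do not have permission to view it"}
}

// HasInBucket applies the documented rule: read permission (BuildersGet) is checked
// first and its absence reported as NotFound; only a reader learns of a denial.
func HasInBucket(g Grants, perm Permission, bucket string) error {
	granted, exists := g[bucket] // an absent bucket does not exist
	if !exists || !granted[BuildersGet] {
		return NotFoundErr()
	}
	if !granted[perm] {
		return &PermError{PermissionDenied, fmt.Sprintf("missing %q in bucket %q", perm, bucket)}
	}
	return nil
}

func main() {
	g := Grants{"ci": {BuildersGet: true}, "private": {BuildsAdd: true}} // constructed grants
	for _, b := range []string{"ci", "private", "missing"} {
		fmt.Println(b, "->", HasInBucket(g, BuildsAdd, b))
	}
}
```

Note that "private" grants BuildsAdd but not the read permission, so the caller gets exactly the same NotFound error as for a bucket that does not exist.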
func RedactBuild
func RedactBuild(ctx context.Context, bucketPermCache map[string]realms.Permission, build *pb.Build) error
RedactBuild redacts fields from the given build based on whether the user has appropriate permissions to see those fields. The relevant permissions are:
- bbperms.BuildsGet: can see all fields
- bbperms.BuildsGetLimited: can see a limited set of fields excluding detailed builder output
- bbperms.BuildsList: can see only basic fields required to list builds
Returns an error if the user does not have at least bbperms.BuildsList.
For efficiency in the case where multiple builds are going to be redacted at once, the caller may optionally supply a bucket cache (map of bucket names to broadest Build read permission).
Types
This section is empty.