feat: enable Lix admins to admin the Buildbot properly

This removes the need for a proxy and rely on the `groups` property of the `userDetails` passed at the authentication layer. To add a certain role, add the group `buildbot-$role` to that user via Keycloak. Signed-off-by: Raito Bezarius <raito@lix.systems>
2024-06-09 17:01:32 +02:00 · 2024-06-09 17:01:32 +02:00 · 0bd761173a
parent 45135d249b
commit 0bd761173a
1 changed files with 28 additions and 2 deletions
--- a/buildbot_nix/init.py
+++ b/buildbot_nix/init.py
@ -17,7 +17,6 @@ from buildbot.process.properties import Interpolate, Properties
 from buildbot.process.results import ALL_RESULTS, statusToString
 from buildbot.steps.trigger import Trigger
 from buildbot.util import asyncSleep
-from buildbot.www.authz.endpointmatchers import EndpointMatcherBase, Match
 from buildbot.www.oauth2 import OAuth2Auth
 from buildbot.changes.gerritchangesource import GerritChangeSource
 from buildbot.reporters.utils import getURLForBuild
@ -47,10 +46,22 @@ class LixSystemsOAuth2(OAuth2Auth):
    name = 'Lix'
    faIcon = 'fa-login'
    resourceEndpoint = "https://identity.lix.systems"
-    # is passing scope necessary?
+    authUriAdditionalParameters = {
+        "scope": ' '.join([
+            "email",
+            "openid",
+            "profile"
+        ])
+    }
    authUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth'
    tokenUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'

+    def getUserInfoFromOAuthClient(self, c):
+        data = self.get(c, '/userinfo')
+        return {
+            'groups': data['buildbot_roles']
+        }
+
 class BuildbotNixError(Exception):
    pass

@ -901,3 +912,18 @@ class GerritNixConfigurator(ConfiguratorBase):

        if "auth" not in config["www"]:
            config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
+
+        if "authz" not in config["www"]:
+            config["www"]["authz"] = util.Authz(
+                allowRules=[
+                    util.AnyEndpointMatcher(role="admins", defaultDeny=False),
+                    util.StopBuildEndpointMatcher(role="owner"),
+                    util.AnyControlEndpointMatcher(role="admins"),
+                ],
+                roleMatcher=[
+                    # A user must have buildbot-<something> to have the role <something>
+                    # e.g. buildbot-admin to be admin.
+                    util.RolesFromGroups(groupPrefix="buildbot-"),
+                    util.RolesFromOwner(role="owner")
+                ],
+            )