From 97a2b79dba94ade71d8725d3d739eb5260c3291b Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Sun, 9 Jun 2024 17:01:32 +0200
Subject: [PATCH] feat: enable Lix admins to admin the Buildbot properly

This removes the need for a proxy and let *@lix.systems folks to be able to admin the Buildbot instance.

Our authentication layer should confirm emails to avoid someone impersonating a @lix.systems user and grant themselves trivial admin rights.

Signed-off-by: Raito Bezarius
---
 buildbot_nix/__init__.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/buildbot_nix/__init__.py b/buildbot_nix/__init__.py
index 8ccba85..ae151ee 100644
--- a/buildbot_nix/__init__.py
+++ b/buildbot_nix/__init__.py
@@ -17,7 +17,6 @@ from buildbot.process.properties import Interpolate, Properties
 from buildbot.process.results import ALL_RESULTS, statusToString
 from buildbot.steps.trigger import Trigger
 from buildbot.util import asyncSleep
-from buildbot.www.authz.endpointmatchers import EndpointMatcherBase, Match
 from buildbot.www.oauth2 import OAuth2Auth
 from buildbot.changes.gerritchangesource import GerritChangeSource
 from buildbot.reporters.utils import getURLForBuild
@@ -901,3 +900,16 @@ class GerritNixConfigurator(ConfiguratorBase):
         if "auth" not in config["www"]:
             config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
+
+        if "authz" not in config["www"]:
+            config["www"]["authz"] = util.Authz(
+                allowRules=[
+                    util.AnyEndpointMatcher(role="admins", defaultDeny=False),
+                    util.StopBuildEndpointMatcher(role="owner"),
+                    util.AnyControlEndpointMatcher(role="admins"),
+                ],
+                roleMatcher=[
+                    util.RolesFromDomain(admins=["lix.systems"]),
+                    util.RolesFromOwner(role="owner")
+                ],
+            )
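Review bot: `util.RolesFromDomain(admins=["lix.systems"])` makes the admin grant hinge entirely on the e-mail address the OAuth2 provider reports; the commit message says the auth layer "should confirm emails", but nothing in this hunk enforces or records that, so a provider that passes through an unverified or user-editable e-mail would hand out admin rights. I would at least pin the assumption next to the rule: `# "admins" is derived from the IdP-reported email domain; LixSystemsOAuth2 must only expose verified emails for this to be safe`, and add a startup check on the configured auth class if one is feasible. `util` is not imported anywhere visible in this patch; if `buildbot.plugins.util` is not already in scope at module level, the new block fails with NameError when the configurator runs. Minor style: the `roleMatcher` list lacks a trailing comma after `util.RolesFromOwner(role="owner")`, unlike `allowRules`. The enclosing method of GerritNixConfigurator starts outside the hunk.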