lix-project/buildbot-nix
15
0
Fork 0
Code Issues 9 Pull requests 2 Packages Projects Releases Wiki Activity

feat: enable Lix admins to admin the Buildbot properly #16

Merged
raito merged 1 commit from authz into main 2024-09-28 20:45:09 +00:00
Conversation 9 Commits 1 Files changed 1 +28 -2
1 changed files with 28 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
buildbot_nix/__init__.py
View file

@ -17,7 +17,6 @@ from buildbot.process.properties import Interpolate, Properties
from buildbot.process.results import ALL_RESULTS, statusToString
from buildbot.steps.trigger import Trigger
from buildbot.util import asyncSleep
from buildbot.www.authz.endpointmatchers import EndpointMatcherBase, Match
from buildbot.www.oauth2 import OAuth2Auth
from buildbot.changes.gerritchangesource import GerritChangeSource
from buildbot.reporters.utils import getURLForBuild
@ -47,10 +46,22 @@ class LixSystemsOAuth2(OAuth2Auth):
name = 'Lix'
faIcon = 'fa-login'
resourceEndpoint = "https://identity.lix.systems"
# is passing scope necessary?
authUriAdditionalParameters = {
"scope": ' '.join([
"email",
"openid",
"profile"
])
}
authUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth'
tokenUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
def getUserInfoFromOAuthClient(self, c):
data = self.get(c, '/userinfo')
return {
'groups': data['buildbot_roles']
}
class BuildbotNixError(Exception):
pass
@ -901,3 +912,18 @@ class GerritNixConfigurator(ConfiguratorBase):
if "auth" not in config["www"]:
config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
if "authz" not in config["www"]:
config["www"]["authz"] = util.Authz(
allowRules=[
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
util.StopBuildEndpointMatcher(role="owner"),
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatcher=[
# A user must have buildbot-<something> to have the role <something>
# e.g. buildbot-admin to be admin.
util.RolesFromGroups(groupPrefix="buildbot-"),
util.RolesFromOwner(role="owner")
],
)