feat: enable Lix admins to admin the Buildbot properly #16

Merged
raito merged 1 commit from authz into main 2024-09-28 20:45:09 +00:00


@ -17,7 +17,6 @@ from buildbot.process.properties import Interpolate, Properties
from buildbot.process.results import ALL_RESULTS, statusToString from buildbot.process.results import ALL_RESULTS, statusToString
from buildbot.steps.trigger import Trigger from buildbot.steps.trigger import Trigger
from buildbot.util import asyncSleep from buildbot.util import asyncSleep
from buildbot.www.authz.endpointmatchers import EndpointMatcherBase, Match
from buildbot.www.oauth2 import OAuth2Auth from buildbot.www.oauth2 import OAuth2Auth
from buildbot.changes.gerritchangesource import GerritChangeSource from buildbot.changes.gerritchangesource import GerritChangeSource
from buildbot.reporters.utils import getURLForBuild from buildbot.reporters.utils import getURLForBuild
@ -47,10 +46,22 @@ class LixSystemsOAuth2(OAuth2Auth):
name = 'Lix' name = 'Lix'
faIcon = 'fa-login' faIcon = 'fa-login'
resourceEndpoint = "https://identity.lix.systems" resourceEndpoint = "https://identity.lix.systems"
# is passing scope necessary? authUriAdditionalParameters = {
"scope": ' '.join([
"email",
"openid",
"profile"
])
}
authUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth' authUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth'
tokenUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token' tokenUri = 'https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token'
def getUserInfoFromOAuthClient(self, c):
data = self.get(c, '/userinfo')
return {
'groups': data['buildbot_roles']
}
class BuildbotNixError(Exception): class BuildbotNixError(Exception):
pass pass
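Review bot: `getUserInfoFromOAuthClient` indexes `data['buildbot_roles']` directly, so a userinfo response that lacks that claim (an account with no Buildbot roles mapped at the identity provider) raises KeyError inside the login callback instead of producing a user with no roles; `'groups': data.get('buildbot_roles', [])` keeps the fail-closed outcome (no roles, so no admin access) without the crash. The returned dict also carries only `groups`, dropping the username/email fields the base class's userinfo handling normally supplies, so presumably the session has no identity to display and nothing for `RolesFromOwner` to match against — worth confirming against Buildbot's OAuth2Auth contract and, if so, passing the standard OIDC `preferred_username`/`email` claims through as `username`/`email`. A defensive check that the claim is a list (not a string, which RolesFromGroups would iterate character by character) would make the role mapping robust to a mis-configured mapper. The `# is passing scope necessary?` comment left above the new `authUriAdditionalParameters` block should now state the answer the change embodies, e.g. `# scopes requested so /userinfo returns the profile/email claims and the buildbot_roles mapper output — confirm against the realm's client mapper config`.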
@ -901,3 +912,18 @@ class GerritNixConfigurator(ConfiguratorBase):
if "auth" not in config["www"]: if "auth" not in config["www"]:
config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True) config["www"]["auth"] = LixSystemsOAuth2('buildbot', read_secret_file('buildbot-oauth2-secret'), autologin=True)
if "authz" not in config["www"]:
config["www"]["authz"] = util.Authz(
allowRules=[
util.AnyEndpointMatcher(role="admins", defaultDeny=False),
util.StopBuildEndpointMatcher(role="owner"),
util.AnyControlEndpointMatcher(role="admins"),
],
roleMatcher=[
# A user must have buildbot-<something> to have the role <something>
# e.g. buildbot-admin to be admin.
util.RolesFromGroups(groupPrefix="buildbot-"),
util.RolesFromOwner(role="owner")
],
)