buildbucket access: does not initialize auth context
Issue description
Today buildbucket's access service does not initialize auth context, so all requests, authenticated or not, are seen as sent from "anonymous:anonymous". In other words, buildbucket's Access service is currently useless.
,
Feb 9 2018
,
Feb 12 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-go.git/+/a4421c9b2912a3ab352185d97d8716f4e7d22f20

commit a4421c9b2912a3ab352185d97d8716f4e7d22f20
Author: Nodir Turakulov <nodir@chromium.org>
Date: Mon Feb 12 18:05:05 2018

Revert "[milo] Add ACL checks for builder page."

This reverts commit 963d2795099a574ab459c1ecc71a13541ebc09d9.

Reason for revert: incorrectly prevents users from accessing chromium/luci.chromium.findit/findit_variable builder which is restricted to googlers.
Root cause: crbug.com/806080

Original change's description:
> [milo] Add ACL checks for builder page.
>
> Bug: 781611
> Change-Id: I14f3caf416a2dcc68cbb96d9c16249bff20ce996
> Reviewed-on: https://chromium-review.googlesource.com/820294
> Commit-Queue: Michael Knyszek <mknyszek@google.com>
> Reviewed-by: Nodir Turakulov <nodir@chromium.org>

TBR=vadimsh@chromium.org,nodir@chromium.org,mknyszek@google.com

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 781611, 806080
Change-Id: Iffcbb44d3731ab1e3a31f3ec39d450116444789e
Reviewed-on: https://chromium-review.googlesource.com/914168
Commit-Queue: Nodir Turakulov <nodir@chromium.org>
Reviewed-by: Nodir Turakulov <nodir@chromium.org>

[modify] https://crrev.com/a4421c9b2912a3ab352185d97d8716f4e7d22f20/milo/frontend/view_builder.go
,
Feb 22 2018
Vadim, do you think you can take a look at this? We will need it to unblock internal migrations.
,
Feb 24 2018
,
Feb 26 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/53783f3e4ea7c15f43244f36a402bca655cb464d

commit 53783f3e4ea7c15f43244f36a402bca655cb464d
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Mon Feb 26 21:56:27 2018

[auth] Allow passing AuthDB to check_bearer_delegation_token explicitly.

This will be somewhat useful in subsequent refactoring that deduplicates some auth related code in auth.ApiHandler, Cloud Endpoints wrapper and (soon to be added) pRPC auth interceptor.

BUG= 806080
R=nodir@chromium.org
Change-Id: I6bb4b9761c18ebbacc28397dc9470ebd0d72e405
Reviewed-on: https://chromium-review.googlesource.com/938397
Reviewed-by: Nodir Turakulov <nodir@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/53783f3e4ea7c15f43244f36a402bca655cb464d/appengine/components/components/auth/delegation.py
[modify] https://crrev.com/53783f3e4ea7c15f43244f36a402bca655cb464d/appengine/components/components/auth/delegation_test.py
,
Feb 26 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3

commit f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Mon Feb 26 23:56:48 2018

[auth] Extract reusable code for IP whitelist and delegation token checks.

It will be used in pRPC auth interceptor.

BUG= 806080
R=nodir@chromium.org
Change-Id: Iaa24910d594c473bf7c9e3eb3eb24e1907a5bc6f
Reviewed-on: https://chromium-review.googlesource.com/938669
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Nodir Turakulov <nodir@chromium.org>

[modify] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/api.py
[add] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/check.py
[modify] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/endpoints_support.py
[modify] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/endpoints_support_test.py
[modify] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/handler.py
[modify] https://crrev.com/f0556365b78bd9ba9b5d2ee2cef9458c1e0e1bd3/appengine/components/components/auth/ipaddr.py
,
Feb 27 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09

commit 7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Tue Feb 27 00:01:08 2018

[prpc] Add support for interceptors.

Will be used for auth and monitoring.

The design vaguely resembles grpc.ServerInterceptor, except we use a callback instead of an abstract class, and it returns the response (and not grpc.RpcMethodHandler).

Also fix few minor bugs while at it:
* Make None response with OK code cause INTERNAL error.
* set_code is always expecting a StatusCode.*, not just an int. Add assert.

R=nodir@chromium.org, mknyszek@google.com
BUG= 806080
Change-Id: Iab220d1fc10a5acbe8ebd86e089cdaa26111a91b
Reviewed-on: https://chromium-review.googlesource.com/936261
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Nodir Turakulov <nodir@chromium.org>

[add] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/codes.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/context.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/encoding.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/headers.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/headers_test.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/server.py
[modify] https://crrev.com/7cd2310f71f8e574db3dfb3ba297e2eb4e75ab09/appengine/components/components/prpc/server_test.py
,
Feb 27 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/bddf3a369fa6669c41eccc6002af8276370a7be7

commit bddf3a369fa6669c41eccc6002af8276370a7be7
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Tue Feb 27 01:43:46 2018

[prpc] Adjust ServicerContext API to better match real gRPC API.

Real ServicerContext doesn't expose any fields, everything is exposed through methods.

R=nodir@chromium.org
BUG= 806080
Change-Id: I9cb2fc36d3187378f0a3cf754601b508680651bf
Reviewed-on: https://chromium-review.googlesource.com/938307
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Nodir Turakulov <nodir@chromium.org>

[modify] https://crrev.com/bddf3a369fa6669c41eccc6002af8276370a7be7/appengine/components/components/prpc/context.py
[modify] https://crrev.com/bddf3a369fa6669c41eccc6002af8276370a7be7/appengine/components/components/prpc/headers.py
[modify] https://crrev.com/bddf3a369fa6669c41eccc6002af8276370a7be7/appengine/components/components/prpc/headers_test.py
[modify] https://crrev.com/bddf3a369fa6669c41eccc6002af8276370a7be7/appengine/components/components/prpc/server.py
,
Feb 27 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/7dbda436ba787b386ef109ea00cc22d21c077eec

commit 7dbda436ba787b386ef109ea00cc22d21c077eec
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Tue Feb 27 01:50:46 2018

[prpc] Add 'peer' to ServicesContext, it returns IP address of the caller.

It is either 'ipv4:xxx.xxx.xxx.xxx' or 'ipv6:[.....]', see https://github.com/grpc/grpc/pull/2542/commits/698d00c60e91ebf8acf993cf6602d74c

BUG= 806080
R=nodir@chromium.org
Change-Id: Ieeec37f1c163f21dd989fe1a03c22d4d26a4dca0
Reviewed-on: https://chromium-review.googlesource.com/938633
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>
Reviewed-by: Nodir Turakulov <nodir@chromium.org>

[modify] https://crrev.com/7dbda436ba787b386ef109ea00cc22d21c077eec/appengine/components/components/prpc/context.py
[modify] https://crrev.com/7dbda436ba787b386ef109ea00cc22d21c077eec/appengine/components/components/prpc/server.py
[modify] https://crrev.com/7dbda436ba787b386ef109ea00cc22d21c077eec/appengine/components/components/prpc/server_test.py
,
Feb 27 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/aae6f01c114c3aa53b66d1531b00ef4a1aaf8d51

commit aae6f01c114c3aa53b66d1531b00ef4a1aaf8d51
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Tue Feb 27 03:35:16 2018

[auth] Make check_oauth_access_token accept only one header value.

It used to accept all headers, but then used only values for Authorization key. pRPC handlers don't have headers dict (and have different convention for how to encode header keys), so it would be cleaner just to pass the value of Authorization header directly.

BUG= 806080
R=nodir@chromium.org
Change-Id: If6b90b27314b1fca5e14f50ceca1b45253585c1a
Reviewed-on: https://chromium-review.googlesource.com/938977
Reviewed-by: Nodir Turakulov <nodir@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/aae6f01c114c3aa53b66d1531b00ef4a1aaf8d51/appengine/components/components/auth/api.py
[modify] https://crrev.com/aae6f01c114c3aa53b66d1531b00ef4a1aaf8d51/appengine/components/components/auth/endpoints_support.py
[modify] https://crrev.com/aae6f01c114c3aa53b66d1531b00ef4a1aaf8d51/appengine/components/components/auth/handler.py
,
Feb 28 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/luci/luci-py.git/+/886d1c5e8b02df3ed771982802dae1dca93129df

commit 886d1c5e8b02df3ed771982802dae1dca93129df
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Wed Feb 28 04:01:25 2018

[auth] Add pRPC interceptor that sets up auth context.

Validates Authorization header, delegation tokens and checks IP whitelist. On success updates the auth context in the thread-local storage. This makes various components.auth functions work from inside pRPC handlers.

Additionally it catches auth.AuthenticationError and auth.AuthorizationError and converts them to corresponding gRPC status codes, with logging matching what we have for Cloud Endpoints and webapp2 handlers.

BUG= 806080
R=nodir@chromium.org
Change-Id: I8eec19e1c0d52a3cb2847c59abb8c90f1961c3ce
Reviewed-on: https://chromium-review.googlesource.com/939048
Reviewed-by: Nodir Turakulov <nodir@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/886d1c5e8b02df3ed771982802dae1dca93129df/appengine/components/components/auth/__init__.py
[add] https://crrev.com/886d1c5e8b02df3ed771982802dae1dca93129df/appengine/components/components/auth/prpc.py
[add] https://crrev.com/886d1c5e8b02df3ed771982802dae1dca93129df/appengine/components/components/auth/prpc_test.py
[modify] https://crrev.com/886d1c5e8b02df3ed771982802dae1dca93129df/appengine/components/components/auth/version.py
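Added example (not part of the original thread and not luci-py code): a minimal Python model of the failure reported in this issue and of the interceptor pattern the commit message above describes. All names (TOKENS, READERS, get_builder, auth_interceptor) and the token table are hypothetical and constructed for illustration; real token validation, delegation tokens and IP whitelist checks are left out.

```python
import threading

# Hypothetical stand-ins for illustration; not the luci-py components.auth API.
ANONYMOUS = "anonymous:anonymous"
TOKENS = {"tok-alice": "user:alice@example.com"}  # constructed token -> identity
READERS = {"user:alice@example.com"}              # constructed ACL
_tls = threading.local()


class AuthenticationError(Exception):
    pass


class AuthorizationError(Exception):
    pass


def get_current_identity():
    # Falls back to anonymous when nothing initialized the per-request context.
    return getattr(_tls, "identity", ANONYMOUS)


def get_builder(request):
    # Handler whose ACL check trusts the ambient auth context.
    ident = get_current_identity()
    if ident not in READERS:
        raise AuthorizationError(ident)
    return ("OK", ident)


def auth_interceptor(request, metadata, continuation):
    # Authenticate, publish the identity for this request, map errors to codes.
    try:
        header = metadata.get("authorization")
        if header is None:
            _tls.identity = ANONYMOUS
        else:
            scheme, _, token = header.partition(" ")
            if scheme.lower() != "bearer" or token not in TOKENS:
                raise AuthenticationError("bad token")
            _tls.identity = TOKENS[token]
        return continuation(request)
    except AuthenticationError:
        return ("UNAUTHENTICATED", None)
    except AuthorizationError:
        return ("PERMISSION_DENIED", None)
    finally:
        _tls.identity = ANONYMOUS  # never leak identity into the next request
```

Calling get_builder directly, as a server with no interceptor installed would, raises AuthorizationError for anonymous:anonymous even when the caller sent a valid token; routed through auth_interceptor, the same request returns the caller's identity.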
,
Feb 28 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/infra/+/1c744baf9681aa48ef842f1adbda2dd166f342aa

commit 1c744baf9681aa48ef842f1adbda2dd166f342aa
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Wed Feb 28 04:20:02 2018

Roll luci DEPS.

infra/luci:
886d1c5e [auth] Add pRPC interceptor that sets up auth context.
5dc02ee6 [gerrit] make functions async
7d491717 Swarming: fix fix_python_cmd again
47af739c Swarming: fix the exception in tidy_stale
432378e2 Swarming: do not crash in _get_os_numbers() if cmd.exe is hosed.

TBR=nodir@chromium.org
BUG= 806080
Change-Id: I9bb5404718136ce8271fe207199a265af89e7423
Reviewed-on: https://chromium-review.googlesource.com/940806
Reviewed-by: Vadim Shtayura <vadimsh@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/1c744baf9681aa48ef842f1adbda2dd166f342aa/DEPS
,
Feb 28 2018
The following revision refers to this bug:
https://chromium.googlesource.com/infra/infra/+/500abb7b12d67e940d0f32c8b9f801d7ea49df0a

commit 500abb7b12d67e940d0f32c8b9f801d7ea49df0a
Author: Vadim Shtayura <vadimsh@chromium.org>
Date: Wed Feb 28 20:48:42 2018

[cr-buildbucket] Enable auth for pRPC APIs.

R=nodir@chromium.org
BUG= 806080
Change-Id: I29ccc14b015c9d02ff2687be87d3da5278d3a4af
Reviewed-on: https://chromium-review.googlesource.com/940811
Reviewed-by: Nodir Turakulov <nodir@chromium.org>
Commit-Queue: Vadim Shtayura <vadimsh@chromium.org>

[modify] https://crrev.com/500abb7b12d67e940d0f32c8b9f801d7ea49df0a/appengine/cr-buildbucket/access/api.py
,
Feb 28 2018
Comment 1 by no...@chromium.org
, Jan 25 2018