Working authentication with orgs and group retrieval

buildbot/config/conf/auth.py

@@ -119,4 +119,17 @@ def fetch_authorization(environment: str):
         roleMatchers=file_based_group_username_role_matchers,
     )
 
+    # my_authz = buildbot.plugins.util.Authz(
+    #     allowRules=[
+    #         buildbot.plugins.util.AnyControlEndpointMatcher(
+    #             role="Developers"
+    #         ),  # Organization teams
+    #     ],
+    #     roleMatchers=[
+    #         buildbot.plugins.util.RolesFromGroups(
+    #             groupPrefix="test-org/"
+    #         )  # Gitea organization
+    #     ],
+    # )
+
     return my_authz

buildbot/config/conf/local/auth.py

@@ -2,9 +2,9 @@
 # SPDX-FileCopyrightText: 2011-2024 Blender Authors
 # <pep8 compliant>
 
-# import buildbot.plugins
 import os
 from buildbot.www.oauth2 import OAuth2Auth
+import buildbot.plugins
 from urllib.parse import urljoin
 
 # Buildbot admin with access to everything.
@@ -29,8 +29,8 @@ gitea_client_secret = os.environ.get("GITEA_CLIENT_SECRET", default="")
 
 def get_authentication(environment: str):
     class GiteaAuth(OAuth2Auth):
-        name = "projects.blender.org"
+        name = "Gitea"
-        faIcon = "fa-cogs"
+        faIcon = "fa-gitea"
 
         AUTH_URL = "login/oauth/authorize"
         TOKEN_URL = "login/oauth/access_token"
@@ -42,10 +42,32 @@ def get_authentication(environment: str):
             self.tokenUri = urljoin(endpoint, self.TOKEN_URL)
 
         def getUserInfoFromOAuthClient(self, c):
-            return self.get(c, "/api/v1/user")
+            user_info = self.get(c, "/api/v1/user")
 
-    # class LocalEnvAuth(buildbot.plugins.util.CustomAuth):
+            orgs = self.get(c, "/api/v1/user/orgs")
-    #     def check_credentials(self, user, password):
+            org_groups = [org["username"] for org in orgs]
-    #         return user.decode() == "admin" and password.decode() == "admin"
 
+            teams = self.get(c, "/api/v1/user/teams")
+            team_groups = [
+                f"{team['organization']['username']}/{team['name']}" for team in teams
+            ]  # Format: org/team
+
+            groups = org_groups + team_groups
+
+            user_data = {
+                "full_name": user_info.get("full_name", user_info.get("username")),
+                "email": user_info.get("email"),
+                "username": user_info.get("username"),
+                "groups": groups,
+            }
+
+            return user_data
+
+    class LocalEnvAuth(buildbot.plugins.util.CustomAuth):
+        def check_credentials(self, user, password):
+            return user.decode() == "admin" and password.decode() == "admin"
+
+    if gitea_endpoint and gitea_client_id and gitea_client_secret:
         return GiteaAuth(gitea_endpoint, gitea_client_id, gitea_client_secret)
+    else:
+        return LocalEnvAuth()

buildbot/config/setup.py

@@ -130,19 +130,7 @@ def setup() -> Dict[str, Any]:
     c["www"]["auth"] = conf.auth.fetch_authentication(environment)
 
     # Authorization
-    # c["www"]["authz"] = conf.auth.fetch_authorization(environment)
+    c["www"]["authz"] = conf.auth.fetch_authorization(environment)
-    c["www"]["authz"] = buildbot.plugins.util.Authz(
-        allowRules=[
-            buildbot.plugins.util.AnyControlEndpointMatcher(
-                role="Admins"
-            ),  # Organization teams
-        ],
-        roleMatchers=[
-            buildbot.plugins.util.RolesFromGroups(
-                groupPrefix="test-org/"
-            )  # Gitea organization
-        ],
-    )
 
     # Disable UI - does not work
     c["www"]["plugins"] = {