Working authentication with orgs and group retrieval

2024-11-21 09:02:00 +01:00 · 2024-11-21 09:02:00 +01:00 · b91ee462b8
commit b91ee462b8
parent edb56e96dc
3 changed files with 44 additions and 21 deletions
--- a/buildbot/config/conf/auth.py
+++ b/buildbot/config/conf/auth.py
@ -119,4 +119,17 @@ def fetch_authorization(environment: str):
        roleMatchers=file_based_group_username_role_matchers,
    )

+    # my_authz = buildbot.plugins.util.Authz(
+    #     allowRules=[
+    #         buildbot.plugins.util.AnyControlEndpointMatcher(
+    #             role="Developers"
+    #         ),  # Organization teams
+    #     ],
+    #     roleMatchers=[
+    #         buildbot.plugins.util.RolesFromGroups(
+    #             groupPrefix="test-org/"
+    #         )  # Gitea organization
+    #     ],
+    # )
+
    return my_authz
--- a/buildbot/config/conf/local/auth.py
+++ b/buildbot/config/conf/local/auth.py
@ -2,9 +2,9 @@
 # SPDX-FileCopyrightText: 2011-2024 Blender Authors
 # <pep8 compliant>

-# import buildbot.plugins
 import os
 from buildbot.www.oauth2 import OAuth2Auth
+import buildbot.plugins
 from urllib.parse import urljoin

 # Buildbot admin with access to everything.
@ -29,8 +29,8 @@ gitea_client_secret = os.environ.get("GITEA_CLIENT_SECRET", default="")

 def get_authentication(environment: str):
    class GiteaAuth(OAuth2Auth):
-        name = "projects.blender.org"
-        faIcon = "fa-cogs"
+        name = "Gitea"
+        faIcon = "fa-gitea"

        AUTH_URL = "login/oauth/authorize"
        TOKEN_URL = "login/oauth/access_token"
@ -42,10 +42,32 @@ def get_authentication(environment: str):
            self.tokenUri = urljoin(endpoint, self.TOKEN_URL)

        def getUserInfoFromOAuthClient(self, c):
-            return self.get(c, "/api/v1/user")
+            user_info = self.get(c, "/api/v1/user")

-    # class LocalEnvAuth(buildbot.plugins.util.CustomAuth):
-    #     def check_credentials(self, user, password):
-    #         return user.decode() == "admin" and password.decode() == "admin"
+            orgs = self.get(c, "/api/v1/user/orgs")
+            org_groups = [org["username"] for org in orgs]

+            teams = self.get(c, "/api/v1/user/teams")
+            team_groups = [
+                f"{team['organization']['username']}/{team['name']}" for team in teams
+            ]  # Format: org/team
+
+            groups = org_groups + team_groups
+
+            user_data = {
+                "full_name": user_info.get("full_name", user_info.get("username")),
+                "email": user_info.get("email"),
+                "username": user_info.get("username"),
+                "groups": groups,
+            }
+
+            return user_data
+
+    class LocalEnvAuth(buildbot.plugins.util.CustomAuth):
+        def check_credentials(self, user, password):
+            return user.decode() == "admin" and password.decode() == "admin"
+
+    if gitea_endpoint and gitea_client_id and gitea_client_secret:
        return GiteaAuth(gitea_endpoint, gitea_client_id, gitea_client_secret)
+    else:
+        return LocalEnvAuth()
--- a/buildbot/config/setup.py
+++ b/buildbot/config/setup.py
@ -130,19 +130,7 @@ def setup() -> Dict[str, Any]:
    c["www"]["auth"] = conf.auth.fetch_authentication(environment)

    # Authorization
-    # c["www"]["authz"] = conf.auth.fetch_authorization(environment)
-    c["www"]["authz"] = buildbot.plugins.util.Authz(
-        allowRules=[
-            buildbot.plugins.util.AnyControlEndpointMatcher(
-                role="Admins"
-            ),  # Organization teams
-        ],
-        roleMatchers=[
-            buildbot.plugins.util.RolesFromGroups(
-                groupPrefix="test-org/"
-            )  # Gitea organization
-        ],
-    )
+    c["www"]["authz"] = conf.auth.fetch_authorization(environment)

    # Disable UI - does not work
    c["www"]["plugins"] = {