Add luci-auth account check for non-google on corp.

Include a luci-auth check of the account logged in.

This is to check that a user isn't using a non-google account on a corp machine. Also this check is only performed every 12 hours, so it doesn't impact every build. This check was already performed with other auth mechanisms, this is just making sure it is being done for luci-auth as well.

Bug: b/330339907
Change-Id: I8ea97c8de0f2d74c2d735fa959d8227cec35df46
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5379037
Auto-Submit: Michael Savigny <msavigny@google.com>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Dirk Pranke <dpranke@google.com>
Michael Savigny
2024-03-27 18:19:32 +00:00
committed by LUCI CQ
parent 79cfa048c0
commit 8de9817392
2 changed files with 36 additions and 6 deletions


@@ -96,6 +96,25 @@ def _gcloud_auth_account():
return None
def _luci_auth_account():
"""Returns active account authenticated with `luci-auth login -scopes-context`."""
if shutil.which("luci-auth") is None:
return None
# First line returned should be "Logged in as account@domain.com."
# Extract the account@domain.com from that line.
try:
info = subprocess.check_output("luci-auth info -scopes-context",
shell=True,
stderr=subprocess.STDOUT,
text=True).split('\n')[0]
if info.startswith("Logged in as "):
return info[len("Logged in as "):-1]
except subprocess.CalledProcessError:
return None
return None
def _is_google_corp_machine():
"""This assumes that corp machine has gcert binary in known location."""
return shutil.which("gcert") is not None
@@ -124,6 +143,10 @@ def _is_google_corp_machine_using_external_account():
if account and not account.endswith("@google.com"):
return True
account = _luci_auth_account()
if account and not account.endswith("@google.com"):
return True
account = _gcloud_auth_account()
if not account:
db["last_false"] = now
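Review bot: `_luci_auth_account` in the first hunk runs the tool through the shell, `subprocess.check_output("luci-auth info -scopes-context", shell=True, ...)`, even though the command is a fixed string with no shell features, so the argument-list form is the safer and more portable spelling: `info = subprocess.check_output(["luci-auth", "info", "-scopes-context"], stderr=subprocess.STDOUT, text=True).split('\n')[0]`. With `shell=True` the string is re-parsed by whatever shell the platform provides (cmd.exe on Windows), and the binary that shell resolves may not be the one the preceding `shutil.which("luci-auth")` guard found; the list form avoids that indirection and keeps the check and the call consistent. Separately, the `[:-1]` slice on the `Logged in as ` line assumes the message ends with a period and would otherwise silently drop the last character of the account, so `info[len("Logged in as "):].rstrip(".")` is more robust to a wording change in the tool's output. `_gcloud_auth_account`, whose closing `return None` opens the hunk, starts outside it, and `_is_google_corp_machine_using_external_account` in the second hunk both starts and ends outside it.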


@@ -156,15 +156,20 @@ class AutoninjaTest(trial_dir.TestCase):
self.assertEqual(args[args.index('-C') + 1], out_dir)
@parameterized.expand([
("non corp machine", False, None, None, False),
("non corp adc account", True, "foo@chromium.org", None, True),
("corp adc account", True, "foo@google.com", None, False),
("non corp gcloud auth account", True, None, "foo@chromium.org", True),
("corp gcloud auth account", True, None, "foo@google.com", False),
("non corp machine", False, None, None, None, False),
("non corp adc account", True, "foo@chromium.org", None, None, True),
("corp adc account", True, "foo@google.com", None, None, False),
("non corp gcloud auth account", True, None, "foo@chromium.org", None,
True),
("corp gcloud auth account", True, None, "foo@google.com", None, False),
("non corp luci auth account", True, None, None, "foo@chromium.org",
True),
("corp luci auth account", True, None, None, "foo@google.com", False),
])
def test_is_corp_machine_using_external_account(self, _, is_corp,
adc_account,
gcloud_auth_account,
luci_auth_account,
expected):
for shelve_file in glob.glob(
os.path.join(autoninja.SCRIPT_DIR, ".autoninja*")):
@@ -176,7 +181,9 @@ class AutoninjaTest(trial_dir.TestCase):
'autoninja._adc_account',
return_value=adc_account), mock.patch(
'autoninja._gcloud_auth_account',
return_value=gcloud_auth_account):
return_value=gcloud_auth_account), mock.patch(
'autoninja._luci_auth_account',
return_value=luci_auth_account):
self.assertEqual(
bool(
# pylint: disable=line-too-long
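Review bot: The parameterized rows in `test_is_corp_machine_using_external_account` now carry six positional fields, and the meaning of each column is only recoverable from the method signature several lines below the table; a header comment above the list, `# (name, is_corp, adc_account, gcloud_auth_account, luci_auth_account, expected)`, would make each row readable on its own. The new luci-auth rows mirror the existing adc/gcloud pairs (one external-domain case, one `@google.com` case), so the added `_luci_auth_account` branch appears to be covered for the domain check. The test method's body continues past the end of the first hunk, and the `with mock.patch(...)` block in the second hunk begins outside it.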