View all taskcluster-lib-scopes analysis

How to use the taskcluster-lib-scopes.satisfiesExpression function in taskcluster-lib-scopes

To help you get started, we’ve selected a few taskcluster-lib-scopes examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

taskcluster / taskcluster / services / auth / src / signaturevalidator.js View on Github

throw new Error('ext.certificate cannot last longer than 31 days!');
    }

    // Check clientId validity
    if (issuingClientId !== credentialName) {
      let createScope = 'auth:create-client:' + credentialName;
      if (!utils.satisfiesExpression(issuingScopes, createScope)) {
        throw new Error('ext.certificate issuer `' + issuingClientId +
                        '` doesn\'t have `' + createScope + '` for supplied clientId.');
      }
    } else if ('clientId' in cert) {
      throw new Error('ext.certificate.clientId must only be used with ext.certificate.issuer');
    }

    // Validate certificate scopes are subset of client
    if (!utils.satisfiesExpression(scopes, {AllOf: cert.scopes})) {
      throw new Error('ext.certificate issuer `' + issuingClientId +
                      '` doesn\'t satisfy all certificate scopes ' +
                      cert.scopes.join(', ') + '.  The temporary ' +
                      'credentials were not generated correctly.');
    }

    // Generate certificate signature
    let sigContent = [];
    sigContent.push('version:' + '1');
    if (cert.issuer) {
      sigContent.push('clientId:' + credentialName);
      sigContent.push('issuer:' + cert.issuer);
    }
    sigContent.push('seed:' + cert.seed);
    sigContent.push('start:' + cert.start);
    sigContent.push('expiry:' + cert.expiry);

taskcluster / taskcluster / services / auth / src / signaturevalidator.js View on Github

res.scopes = scopes = expandScopes(cert.scopes);
  }

  // Handle scope restriction with authorizedScopes
  if (ext.authorizedScopes) {
    // Validate input format
    if (!(ext.authorizedScopes instanceof Array)) {
      throw new Error('ext.authorizedScopes must be an array');
    }
    if (!ext.authorizedScopes.every(utils.validScope)) {
      throw new Error('ext.authorizedScopes must be an array of valid scopes');
    }

    // Validate authorizedScopes scopes are satisfied by client (or temp) scopes
    if (!utils.satisfiesExpression(res.scopes, {AllOf: ext.authorizedScopes})) {
      throw new Error([
        'Supplied credentials do not satisfy authorizedScopes; credentials have scopes:',
        '',
        '```',
        res.scopes.join('\n'),
        '```',
        '',
        'authorizedScopes are:',
        '',
        '```',
        ext.authorizedScopes.join('\n'),
        '```',
      ].join('\n'));
    }

    // Further limit scopes

taskcluster / taskcluster / services / auth / src / signaturevalidator.js View on Github

let now = new Date().getTime();
    if (cert.start &gt; now + 5 * 60 * 1000) {
      throw new Error('ext.certificate.start &gt; now');
    }
    if (cert.expiry &lt; now - 5 * 60 * 1000) {
      throw new Error('ext.certificate.expiry &lt; now');
    }
    // Check max time between start and expiry
    if (cert.expiry - cert.start &gt; 31 * 24 * 60 * 60 * 1000) {
      throw new Error('ext.certificate cannot last longer than 31 days!');
    }

    // Check clientId validity
    if (issuingClientId !== credentialName) {
      let createScope = 'auth:create-client:' + credentialName;
      if (!utils.satisfiesExpression(issuingScopes, createScope)) {
        throw new Error('ext.certificate issuer `' + issuingClientId +
                        '` doesn\'t have `' + createScope + '` for supplied clientId.');
      }
    } else if ('clientId' in cert) {
      throw new Error('ext.certificate.clientId must only be used with ext.certificate.issuer');
    }

    // Validate certificate scopes are subset of client
    if (!utils.satisfiesExpression(scopes, {AllOf: cert.scopes})) {
      throw new Error('ext.certificate issuer `' + issuingClientId +
                      '` doesn\'t satisfy all certificate scopes ' +
                      cert.scopes.join(', ') + '.  The temporary ' +
                      'credentials were not generated correctly.');
    }

    // Generate certificate signature

taskcluster / taskcluster / ui / src / views / Tasks / submitTaskAction.js View on Github

// Case where action.kind === 'hook'
  const hookPayload = jsone(action.hookPayload, context);
  const { hookId, hookGroupId } = action;
  // verify that the decision task has
  // the appropriate in-tree:action-hook:.. scope
  const {
    data: { expandScopes },
  } = await apolloClient.query({
    query: expandScopesQuery,
    variables: {
      scopes: taskGroup.scopes || [],
    },
  });
  const expression = `in-tree:hook-action:${hookGroupId}/${hookId}`;

  if (!satisfiesExpression(expandScopes, expression)) {
    throw new Error(
      `Action is misconfigured: decision task's scopes do not satisfy ${expression}`
    );
  }

  const result = await apolloClient.mutate({
    mutation: triggerHookQuery,
    variables: {
      hookGroupId,
      hookId,
      payload: hookPayload,
    },
  });

  return result.data.triggerHook.taskId;
};

taskcluster / taskcluster / infrastructure / tooling / src / smoketest / index.js View on Github

if (!process.env.TASKCLUSTER_ROOT_URL ||
    !process.env.TASKCLUSTER_CLIENT_ID ||
    !process.env.TASKCLUSTER_ACCESS_TOKEN
  ) {
    console.log([
      'Must provide TASKCLUSTER_ROOT_URL, TASKCLUSTER_CLIENT_ID, and TASKCLUSTER_ACCESS_TOKEN as',
      'environment variables. We recommend using signin from:',
      '',
      'https://github.com/taskcluster/taskcluster/tree/master/clients/client-shell#taskcluster-shell-client',
    ].join('\n'));
    process.exit(1);
  }

  const auth = new taskcluster.Auth(taskcluster.fromEnvVars());
  const res = await auth.currentScopes();
  if (!libScopes.satisfiesExpression(res.scopes, scopeExpression)) {
    const required = libScopes.removeGivenScopes(res.scopes, scopeExpression);
    const message = [
      'The provided Taskcluster credentials are missing the following scopes:',
      '',
      JSON.stringify(required, null, 2),
      '',
      'The credentials must satisfy the following expression:',
      '',
      JSON.stringify(scopeExpression, null, 2),
    ].join('\n');
    console.log(message);
    process.exit(1);
  }

  const target = options.target ? [`target-${options.target}`] : undefined;
  const taskgraph = new TaskGraph(checks, {target});

taskcluster / taskcluster / services / auth / src / api.js View on Github

      const scopesAdded = input.scopes.filter(s => !scopeUtils.satisfiesExpression(formerRoleScopes, s));
      await req.authorize({roleId, scopesAdded});

mozilla / treeherder / ui / models / taskcluster.js View on Github

? taskcluster.getMockCredentials()
        : taskcluster.getCredentials(currentRepo.tc_root_url);
      if (!userCredentials) {
        throw new Error(tcCredentialsMessage);
      }
      const hooks = new Hooks({
        rootUrl: currentRepo.tc_root_url,
        credentials: userCredentials.credentials,
      });
      const decisionTask = await queue.task(decisionTaskId);
      const expansion = await auth.expandScopes({
        scopes: decisionTask.scopes,
      });
      const expression = `in-tree:hook-action:${hookGroupId}/${hookId}`;

      if (!satisfiesExpression(expansion.scopes, expression)) {
        throw new Error(
          `Action is misconfigured: decision task's scopes do not satisfy ${expression}`,
        );
      }

      const result = await hooks.triggerHook(hookGroupId, hookId, hookPayload);

      return result.status.taskId;
    }
  }

How to use the taskcluster-lib-scopes.satisfiesExpression function in taskcluster-lib-scopes

To help you get started, we’ve selected a few taskcluster-lib-scopes examples, based on popular ways it is used in public projects.

taskcluster-lib-scopes

Package Health Score

Popular taskcluster-lib-scopes functions

Similar packages