internal/gomote: expand restriction check on gomote instances

This change expands the check on what restricted gomote instances should be.
Previously it relied on an instance being flagged as restricted. Moving
forward, the instance will be considered restricted if it is either flagged
as restricted or a team-managed instance which isn't hermetic.

Change-Id: I36738097baf3a0122d2399fff275a56608c34e6f
Reviewed-on: https://go-review.googlesource.com/c/build/+/457935
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Carlos Amedee <carlos@golang.org>
diff --git a/internal/gomote/gomote.go b/internal/gomote/gomote.go
index 2565e14..36c4789 100644
--- a/internal/gomote/gomote.go
+++ b/internal/gomote/gomote.go
@@ -128,7 +128,7 @@
 	if !ok {
 		return status.Errorf(codes.InvalidArgument, "unknown builder type")
 	}
-	if bconf.IsRestricted() && !isPrivilegedUser(creds.Email) {
+	if ((!bconf.HostConfig().IsHermetic() && bconf.HostConfig().IsGoogle()) || bconf.IsRestricted()) && !isPrivilegedUser(creds.Email) {
 		return status.Errorf(codes.PermissionDenied, "user is unable to create gomote of that builder type")
 	}
 	userName, err := emailToUser(creds.Email)
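Review bot: the new condition on the `+` line puts the whole restriction policy into one inline expression, and nothing in the hunk explains why a host that is `IsGoogle()` and not `IsHermetic()` is treated as restricted. Consider moving it into a small named predicate with a doc comment that ties `IsGoogle()` to the "team managed" wording in the commit message, so that any other caller gating on `bconf.IsRestricted()` can share the same definition instead of drifting from it. The hunk also calls `bconf.HostConfig()` twice; a local variable would shorten the line. A test case covering a non-hermetic `IsGoogle()` builder requested by a non-privileged user would pin down the new `PermissionDenied` path.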