1 files changed, 59 insertions, 0 deletions

diff --git a/ofborg/tickborg/src/acl.rs b/ofborg/tickborg/src/acl.rs
new file mode 100644
index 0000000000..2059b3e08f
--- /dev/null
+++ b/ofborg/tickborg/src/acl.rs
@@ -0,0 +1,59 @@
+use crate::systems::System;
+
+pub struct Acl {
+    trusted_users: Option<Vec<String>>,
+    repos: Vec<String>,
+}
+
+impl Acl {
+    pub fn new(repos: Vec<String>, mut trusted_users: Option<Vec<String>>) -> Acl {
+        if let Some(ref mut users) = trusted_users {
+            for user in users.iter_mut() {
+                *user = user.to_lowercase();
+            }
+        }
+
+        Acl {
+            trusted_users,
+            repos,
+        }
+    }
+
+    pub fn is_repo_eligible(&self, name: &str) -> bool {
+        self.repos.contains(&name.to_lowercase())
+    }
+
+    pub fn build_job_architectures_for_user_repo(&self, user: &str, repo: &str) -> Vec<System> {
+        if self.can_build_unrestricted(user, repo) {
+            System::all_known_systems()
+        } else {
+            // Non-trusted users can only build on primary platforms
+            System::primary_systems()
+        }
+    }
+
+    pub fn build_job_destinations_for_user_repo(
+        &self,
+        user: &str,
+        repo: &str,
+    ) -> Vec<(Option<String>, Option<String>)> {
+        self.build_job_architectures_for_user_repo(user, repo)
+            .iter()
+            .map(|system| system.as_build_destination())
+            .collect()
+    }
+
+    pub fn can_build_unrestricted(&self, user: &str, repo: &str) -> bool {
+        if let Some(ref users) = self.trusted_users {
+            if repo.to_lowercase().starts_with("project-tick/") {
+                users.contains(&user.to_lowercase())
+            } else {
+                false
+            }
+        } else {
+            // If trusted_users is disabled (and thus None), everybody can build
+            // unrestricted
+            true
+        }
+    }
+}