def process_request(self, request):
"""Check before super."""
connection.set_schema_to_public()
if not is_no_auth(request):
if hasattr(request, "user") and hasattr(request.user, "username"):
username = request.user.username
try:
if username not in USER_CACHE:
USER_CACHE[username] = User.objects.get(
username=username)
LOG.debug(f"User added to cache: {username}")
except User.DoesNotExist:
return HttpResponseUnauthorizedRequest()
if not request.user.admin and request.user.access is None:
LOG.warning(
"User %s is does not have permissions for Cost Management.",
username)
# For /user-access we do not want to raise the exception since the API will
# return a false boolean response that the platfrom frontend code is expecting.
if request.path != reverse("user-access"):
raise PermissionDenied()
else:
return HttpResponseUnauthorizedRequest()
try:
super().process_request(request)
except OperationalError as err:
LOG.error("Request resulted in OperationalError: %s", err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({
"source": "Database",
"exception": err
})
def process_exception(self, request, exception):
"""Raise 424 on InterfaceError."""
if isinstance(exception, InterfaceError):
DB_CONNECTION_ERRORS_COUNTER.inc()
LOG.error("KokuTenantMiddleware InterfaceError exception: %s",
exception)
return HttpResponseFailedDependency({
"source": "Database",
"exception": exception
})
def process_exception(self, request, exception): # pylint: disable=R0201,R1710
"""Raise 424 on InterfaceError."""
if isinstance(exception, InterfaceError):
DB_CONNECTION_ERRORS_COUNTER.inc()
LOG.error('KokuTenantMiddleware InterfaceError exception: %s',
exception)
return HttpResponseFailedDependency({
'source': 'Database',
'exception': exception
})
def process_request(self, request): # pylint: disable=R1710
"""Check before super."""
connection.set_schema_to_public()
if not is_no_auth(request):
if hasattr(request, "user") and hasattr(request.user, "username"):
username = request.user.username
try:
User.objects.get(username=username)
except User.DoesNotExist:
return HttpResponseUnauthorizedRequest()
if not request.user.admin and request.user.access is None:
LOG.warning("User %s is does not have permissions for Cost Management.", username)
raise PermissionDenied()
else:
return HttpResponseUnauthorizedRequest()
try:
super().process_request(request)
except OperationalError as err:
LOG.error("Request resulted in OperationalError: %s", err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({"source": "Database", "exception": err})
def process_request(self, request): # pylint: disable=R1710
"""Check before super."""
if not is_no_auth(request):
if hasattr(request, 'user') and hasattr(request.user, 'username'):
username = request.user.username
try:
User.objects.get(username=username)
except User.DoesNotExist:
return HttpResponseUnauthorizedRequest()
if not request.user.admin and request.user.access is None:
raise PermissionDenied()
else:
return HttpResponseUnauthorizedRequest()
try:
super().process_request(request)
except OperationalError as err:
LOG.error('Request resulted in OperationalError: %s', err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({
'source': 'Database',
'exception': err
})
def process_request(self, request): # noqa: C901
"""Process request for csrf checks.
Args:
request (object): The request object
"""
connection.set_schema_to_public()
if is_no_auth(request):
request.user = User("", "")
return
try:
rh_auth_header, json_rh_auth = extract_header(request, self.header)
except (KeyError, JSONDecodeError):
LOG.warning("Could not obtain identity on request.")
return
except binascii.Error as error:
LOG.error("Error decoding authentication header: %s", str(error))
raise PermissionDenied()
is_cost_management = json_rh_auth.get("entitlements", {}).get(
"cost_management", {}).get("is_entitled", False)
skip_entitlement = is_no_entitled(request)
if not skip_entitlement and not is_cost_management:
LOG.warning("User is not entitled for Cost Management.")
raise PermissionDenied()
account = json_rh_auth.get("identity", {}).get("account_number")
user = json_rh_auth.get("identity", {}).get("user", {})
username = user.get("username")
email = user.get("email")
is_admin = user.get("is_org_admin")
req_id = None
if username and email and account:
# Get request ID
req_id = request.META.get("HTTP_X_RH_INSIGHTS_REQUEST_ID")
# Check for customer creation & user creation
query_string = ""
if request.META["QUERY_STRING"]:
query_string = "?{}".format(request.META["QUERY_STRING"])
stmt = {
"method": request.method,
"path": request.path + query_string,
"request_id": req_id,
"account": account,
"username": username,
"is_admin": is_admin,
}
LOG.info(stmt)
try:
if account not in IdentityHeaderMiddleware.customer_cache:
IdentityHeaderMiddleware.customer_cache[
account] = Customer.objects.filter(
account_id=account).get()
LOG.debug(f"Customer added to cache: {account}")
customer = IdentityHeaderMiddleware.customer_cache[account]
except Customer.DoesNotExist:
customer = IdentityHeaderMiddleware.create_customer(account)
except OperationalError as err:
LOG.error("IdentityHeaderMiddleware exception: %s", err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({
"source": "Database",
"exception": err
})
try:
if username not in USER_CACHE:
user = User.objects.get(username=username)
USER_CACHE[username] = user
LOG.debug(f"User added to cache: {username}")
else:
user = USER_CACHE[username]
except User.DoesNotExist:
user = IdentityHeaderMiddleware.create_user(
username, email, customer, request)
user.identity_header = {
"encoded": rh_auth_header,
"decoded": json_rh_auth
}
user.admin = is_admin
user.req_id = req_id
cache = caches["rbac"]
user_access = cache.get(user.uuid)
if not user_access:
if settings.DEVELOPMENT and request.user.req_id == "DEVELOPMENT":
# passthrough for DEVELOPMENT_IDENTITY env var.
LOG.warning(
"DEVELOPMENT is Enabled. Bypassing access lookup for user: %s",
json_rh_auth)
user_access = request.user.access
else:
try:
user_access = self._get_access(user)
except RbacConnectionError as err:
return HttpResponseFailedDependency({
"source": "Rbac",
"exception": err
})
cache.set(user.uuid, user_access, self.rbac.cache_ttl)
user.access = user_access
request.user = user
def process_request(self, request): # noqa: C901
"""Process request for csrf checks.
Args:
request (object): The request object
"""
connection.set_schema_to_public()
if is_no_auth(request):
request.user = User("", "")
return
try:
rh_auth_header, json_rh_auth = extract_header(request, self.header)
except (KeyError, JSONDecodeError):
LOG.warning("Could not obtain identity on request.")
return
except binascii.Error as error:
LOG.error("Error decoding authentication header: %s", str(error))
raise PermissionDenied()
is_openshift = json_rh_auth.get("entitlements",
{}).get("openshift",
{}).get("is_entitled", False)
if not is_openshift:
raise PermissionDenied()
account = json_rh_auth.get("identity", {}).get("account_number")
user = json_rh_auth.get("identity", {}).get("user", {})
username = user.get("username")
email = user.get("email")
is_admin = user.get("is_org_admin")
if username and email and account:
# Get request ID
req_id = request.META.get("HTTP_X_RH_INSIGHTS_REQUEST_ID")
# Check for customer creation & user creation
query_string = ""
if request.META["QUERY_STRING"]:
query_string = "?{}".format(request.META["QUERY_STRING"])
stmt = (f"{request.method}: {request.path}{query_string}"
f" -- ACCOUNT: {account} USER: {username}"
f" ORG_ADMIN: {is_admin} REQ_ID: {req_id}")
LOG.info(stmt)
try:
customer = Customer.objects.filter(account_id=account).get()
except Customer.DoesNotExist:
customer = IdentityHeaderMiddleware._create_customer(account)
except OperationalError as err:
LOG.error("IdentityHeaderMiddleware exception: %s", err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({
"source": "Database",
"exception": err
})
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = IdentityHeaderMiddleware._create_user(
username, email, customer, request)
user.identity_header = {
"encoded": rh_auth_header,
"decoded": json_rh_auth
}
user.admin = is_admin
user.req_id = req_id
cache = caches["rbac"]
user_access = cache.get(user.uuid)
if not user_access:
try:
user_access = self._get_access(user)
except RbacConnectionError as err:
return HttpResponseFailedDependency({
"source": "Rbac",
"exception": err
})
cache.set(user.uuid, user_access, self.rbac.cache_ttl)
user.access = user_access
request.user = user
def process_request(self, request): # noqa: C901
"""Process request for csrf checks.
Args:
request (object): The request object
"""
if is_no_auth(request):
request.user = User('', '')
return
try:
rh_auth_header, json_rh_auth = extract_header(request, self.header)
except (KeyError, JSONDecodeError):
LOG.warning('Could not obtain identity on request.')
return
except binascii.Error as error:
LOG.error('Error decoding authentication header: %s', str(error))
raise PermissionDenied()
is_openshift = (json_rh_auth.get('entitlements',
{}).get('openshift',
{}).get('is_entitled', False))
if not is_openshift:
raise PermissionDenied()
account = json_rh_auth.get('identity', {}).get('account_number')
user = json_rh_auth.get('identity', {}).get('user', {})
username = user.get('username')
email = user.get('email')
is_admin = user.get('is_org_admin')
if username and email and account:
# Check for customer creation & user creation
query_string = ''
if request.META['QUERY_STRING']:
query_string = '?{}'.format(request.META['QUERY_STRING'])
stmt = (f'API: {request.path}{query_string}'
f' -- ACCOUNT: {account} USER: {username}')
LOG.info(stmt)
try:
customer = Customer.objects.filter(account_id=account).get()
except Customer.DoesNotExist:
customer = IdentityHeaderMiddleware._create_customer(account)
except OperationalError as err:
LOG.error('IdentityHeaderMiddleware exception: %s', err)
DB_CONNECTION_ERRORS_COUNTER.inc()
return HttpResponseFailedDependency({
'source': 'Database',
'exception': err
})
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = IdentityHeaderMiddleware._create_user(
username, email, customer, request)
user.identity_header = {
'encoded': rh_auth_header,
'decoded': json_rh_auth
}
user.admin = is_admin
cache = caches['rbac']
user_access = cache.get(user.uuid)
if not user_access:
try:
user_access = self._get_access(user)
except RbacConnectionError as err:
return HttpResponseFailedDependency({
'source': 'Rbac',
'exception': err
})
cache.set(user.uuid, user_access, self.rbac.cache_ttl)
user.access = user_access
request.user = user