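def handle_request():
    """Validate a Group admission request and return the AdmissionReview response.

    Flow: count the request, check the payload structure, then decide:
    ``kube:admin`` / ``system:admin`` are always allowed; a group whose name
    starts with ``group_prefix`` may only be acted on by a requester who is a
    member of at least one of ``admin_groups``; any other group is allowed.
    ``group_prefix`` and ``admin_groups`` are module-level names defined
    outside this function.

    Returns:
        The dict built by ``responses.response_allow`` / ``response_deny`` /
        ``response_invalid`` (shape defined in the ``responses`` module).
    """
    # inc total group counter
    TOTAL_GROUP.inc()

    # Debug output is opt-in via the environment; only the literal "True"
    # enables it. NOTE: the debug prints below emit the whole AdmissionReview,
    # userInfo included, to stdout — keep it disabled outside of debugging.
    debug = os.getenv("DEBUG_GROUP_VALIDATION", "False") == "True"
    if debug:
        print("REQUEST BODY => {}".format(request.json))

    # A failed structural check and an error raised by the validator are both
    # treated as an invalid request. `except Exception` rather than a bare
    # except, so SystemExit/KeyboardInterrupt are not swallowed (this also
    # matches the other handlers in this file).
    try:
        valid = validate.validate_request_structure(request.json)
    except Exception:
        valid = False
    if not valid:
        # inc denied group counter
        DENIED_GROUP.inc()
        return responses.response_invalid()

    try:
        body_dict = request.json['request']
        # If trying to delete a group, must get group name from oldObject instead of object
        if body_dict['object'] is None:
            group_name = body_dict['oldObject']['metadata']['name']
        else:
            group_name = body_dict['object']['metadata']['name']
        userinfo = body_dict['userInfo']

        if userinfo['username'] in ("kube:admin", "system:admin"):
            # kube/system admin can do anything
            if debug:
                print("Performing action: {} in {} group for {}".format(
                    body_dict['operation'], group_name, userinfo['username']))
            return responses.response_allow(req=body_dict)

        if group_name.startswith(group_prefix):
            if debug:
                print("Performing action: {} in {} group".format(body_dict['operation'], group_name))
            # Protected group: allow only when the requester shares at least one
            # group with admin_groups. If 'groups' is absent from userInfo the
            # KeyError falls through to the except below and the request is
            # answered with response_invalid() (unchanged behaviour).
            if not set(userinfo['groups']).isdisjoint(admin_groups):
                response_body = responses.response_allow(
                    req=body_dict, msg="{} group {}".format(body_dict['operation'], group_name))
            else:
                deny_msg = "User not authorized to {} group {}".format(body_dict['operation'], group_name)
                response_body = responses.response_deny(req=body_dict, msg=deny_msg)
        else:
            response_body = responses.response_allow(req=body_dict)

        if debug:
            print("Response body => {}".format(response_body))
        return response_body
    except Exception:
        # An unexpected payload shape is reported and answered as invalid
        # rather than being allowed through.
        print("Exception when trying to access attributes. Request body: {}".format(request.json))
        print("Backtrace:")
        print("-" * 60)
        traceback.print_exc(file=sys.stdout)
        return responses.response_invalid()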
def handle_request():
    """Entry point for the regular-user-denier webhook.

    Optionally echoes the request body (``DEBUG_REGULAR_USER_DENIER="True"``),
    rejects payloads that fail structural validation, and otherwise defers the
    allow/deny decision to ``get_response`` (defined elsewhere in this module).

    Returns:
        ``responses.response_invalid()`` for a malformed payload, otherwise
        whatever ``get_response(request, debug)`` returns.
    """
    debug_enabled = os.getenv("DEBUG_REGULAR_USER_DENIER", "False") == "True"
    if debug_enabled:
        # Echoes the full AdmissionReview, including userInfo, to stdout.
        print("REQUEST BODY => {}".format(request.json))

    try:
        structure_ok = validate.validate_request_structure(request.json)
    except Exception:
        # A validator crash is handled the same way as a failed validation.
        structure_ok = False

    if not structure_ok:
        return responses.response_invalid()
    return get_response(request, debug_enabled)
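def handle_request():
    """Validate an Identity admission request and return the AdmissionReview response.

    Counts the request, checks the payload structure (counting structural
    denials separately), and hands the allow/deny decision to ``get_response``
    (defined elsewhere in this module).

    Returns:
        ``responses.response_invalid()`` for a malformed payload, otherwise
        whatever ``get_response(request, debug)`` returns.
    """
    # inc total identity counter
    TOTAL_IDENTITY.inc()

    # Only the literal "True" enables debug output.
    debug = os.getenv("DEBUG_IDENTITY_VALIDATION", "False") == "True"
    if debug:
        # Emits the full AdmissionReview, userInfo included, to stdout.
        print("REQUEST BODY => {}".format(request.json))

    # `except Exception` instead of a bare except: a bare except also swallows
    # SystemExit/KeyboardInterrupt, and the sibling handlers in this file
    # already use the narrower form.
    try:
        valid = validate.validate_request_structure(request.json)
    except Exception:
        valid = False
    if not valid:
        # inc denied identity counter
        DENIED_IDENTITY.inc()
        return responses.response_invalid()
    return get_response(request, debug)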
def handle_request():
    """Validate a Subscription admission request and return the AdmissionReview response.

    Members of ``dedicated-admins`` may only manage Subscriptions whose
    ``spec.sourceNamespace`` is listed in the module-level
    ``valid_source_namespaces``; every other requester is allowed through.
    A payload that fails structural validation, or whose shape cannot be
    read, is answered with ``responses.response_invalid()``.

    Returns:
        The dict built by ``responses.response_allow`` / ``response_deny`` /
        ``response_invalid``.
    """
    # inc total subscription counter
    TOTAL_SUBSCRIPTION.inc()

    debug_enabled = os.getenv("DEBUG_SUBSCRIPTION_VALIDATION", "False") == "True"
    if debug_enabled:
        # Echoes the full AdmissionReview, including userInfo, to stdout.
        print("REQUEST BODY => {}".format(request.json))

    try:
        structure_ok = validate.validate_request_structure(request.json)
    except Exception:
        structure_ok = False
    if not structure_ok:
        # inc denied subscription counter
        DENIED_SUBSCRIPTION.inc()
        return responses.response_invalid()

    try:
        body_dict = request.json['request']
        requester_groups = body_dict['userInfo']['groups']
        # Only dedicated-admins are restricted; anyone else is allowed.
        if "dedicated-admins" not in requester_groups:
            return responses.response_allow(req=body_dict)

        # For DELETE requests 'object' is null, so the lookup below raises and
        # the request is answered as invalid by the except clause.
        source_ns = body_dict['object']['spec']['sourceNamespace']
        if source_ns in valid_source_namespaces:
            return responses.response_allow(req=body_dict)
        return responses.response_deny(
            req=body_dict,
            msg="You cannot manage Subscriptions that target {}.".format(source_ns))
    except Exception:
        print("Exception:")
        print("-" * 60)
        traceback.print_exc(file=sys.stdout)
        return responses.response_invalid()
def handle_request():
    """Validate a Namespace admission request and return the AdmissionReview response.

    Members of ``dedicated-admins`` are denied updates to namespaces whose
    name matches the privileged-namespace pattern below (``kube-*``,
    ``openshift*``, ``redhat-*`` and a fixed set of platform namespaces);
    every other requester is allowed through. A payload that fails
    structural validation, or whose shape cannot be read, is answered with
    ``responses.response_invalid()``.

    Returns:
        The dict built by ``responses.response_allow`` / ``response_deny`` /
        ``response_invalid``.
    """
    # inc total namespace counter
    TOTAL_NAMESPACE.inc()

    debug_enabled = os.getenv("DEBUG_NAMESPACE_VALIDATION", "False") == "True"
    if debug_enabled:
        # Echoes the full AdmissionReview, including userInfo, to stdout.
        print("REQUEST BODY => {}".format(request.json))

    try:
        structure_ok = validate.validate_request_structure(request.json)
    except Exception:
        structure_ok = False
    if not structure_ok:
        # inc denied namespace counter
        DENIED_NAMESPACE.inc()
        return responses.response_invalid()

    try:
        body_dict = request.json['request']
        requester_groups = body_dict['userInfo']['groups']
        # Only dedicated-admins are restricted; anyone else is allowed.
        if "dedicated-admins" not in requester_groups:
            return responses.response_allow(req=body_dict)

        requested_ns = body_dict['namespace']
        # Every alternative is anchored with ^, and the ones without a trailing
        # $ end in .* — so match() decides on the whole name, and e.g. both
        # "openshift" and "openshift-anything" count as privileged.
        privileged_namespace = re.compile(
            '(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$|^redhat-.*)')
        # match() yields a match object (truthy) for a privileged name, None otherwise
        if privileged_namespace.match(requested_ns):
            return responses.response_deny(
                req=body_dict,
                msg="You cannot update the privileged namespace {}.".format(requested_ns))
        return responses.response_allow(req=body_dict)
    except Exception:
        print("Exception:")
        print("-" * 60)
        traceback.print_exc(file=sys.stdout)
        return responses.response_invalid()