def test_handle_bad_padding(self):
"""Test the handling of bad padding."""
request = Mock()
request.META = {"header1": BAD_PADDING_HEADER}
try:
extract_header(request, "header1")
except Exception:
self.fail("Should handle padding error.")
def process_request(self, request): # noqa: C901
"""Process request for identity middleware.
Args:
request (object): The request object
"""
if is_no_auth(request):
request.user = User('', '')
return
try:
rh_auth_header, json_rh_auth = extract_header(request, self.header)
username = json_rh_auth.get('identity', {}).get('user',
{}).get('username')
account = json_rh_auth.get('identity', {}).get('account_number')
is_admin = json_rh_auth.get('identity',
{}).get('user', {}).get('is_org_admin')
except (KeyError, JSONDecodeError) as decode_err:
logger.error('Could not obtain identity on request.')
raise decode_err
except binascii.Error as error:
logger.error('Could not decode header: %s.', error)
raise error
if (username and account):
# Get request ID
req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
# Check for customer creation & user creation
try:
schema_name = create_schema_name(account)
tenant = Tenant.objects.filter(schema_name=schema_name).get()
except Tenant.DoesNotExist:
tenant = IdentityHeaderMiddleware._create_tenant(account)
try:
user = User.objects.get(username__iexact=username)
except User.DoesNotExist:
user = IdentityHeaderMiddleware._create_user(
username, tenant, request)
with tenant_context(tenant):
try:
Principal.objects.get(username__iexact=username)
except Principal.DoesNotExist:
Principal.objects.create(username=username)
logger.info('Created new principal %s for account %s.',
username, account)
user.identity_header = {
'encoded': rh_auth_header,
'decoded': json_rh_auth
}
user.admin = is_admin
user.account = account
user.req_id = req_id
if not is_admin:
user.access = IdentityHeaderMiddleware._get_access_for_user(
username, tenant)
request.user = user
def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if any([
request.path.startswith(prefix)
for prefix in settings.INTERNAL_API_PATH_PREFIXES
]):
# This request is for a private API endpoint
return
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.username = json_rh_auth.get("identity",
{}).get("user", {})["username"]
user.account = json_rh_auth.get("identity", {})["account_number"]
user.admin = json_rh_auth.get("identity",
{}).get("user",
{}).get("is_org_admin")
user.system = False
if not user.admin:
user.access = IdentityHeaderMiddleware._get_access_for_user()
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(
request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error("Could not obtain identity on request.")
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error("Could not decode header: %s.", error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant
def process_request(self, request): # noqa: C901
"""Process request for csrf checks.
Args:
request (object): The request object
"""
if is_no_auth(request):
request.user = User('', '')
return
try:
json_rh_auth = extract_header(request, self.header)
username = json_rh_auth['identity']['user']['username']
email = json_rh_auth['identity']['user']['email']
account = json_rh_auth['identity']['account_number']
except (KeyError, JSONDecodeError):
logger.warning('Could not obtain identity on request.')
return
if (username and email and account):
# Check for customer creation & user creation
query_string = ''
if request.META['QUERY_STRING']:
query_string = '?{}'.format(request.META['QUERY_STRING'])
logger.info(f'API: {request.path}{query_string}' # pylint: disable=W1203
f' -- ACCOUNT: {account} USER: {username}')
try:
schema_name = create_schema_name(account)
tenant = Tenant.objects.filter(schema_name=schema_name).get()
except Tenant.DoesNotExist:
tenant = IdentityHeaderMiddleware._create_tenant(account)
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = IdentityHeaderMiddleware._create_user(
username, email, tenant, request)
request.user = user
# Temporarily add principals based on API interaction
with tenant_context(tenant):
try:
Principal.objects.get(username=username)
except Principal.DoesNotExist:
try:
with transaction.atomic():
principal = Principal(username=username,
email=email)
principal.save()
logger.info(
'Created new principal for account_id %s.',
account)
except IntegrityError:
pass
def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.username = json_rh_auth.get('identity',
{}).get('user', {})['username']
user.account = json_rh_auth.get('identity', {})['account_number']
user.admin = json_rh_auth.get('identity',
{}).get('user',
{}).get('is_org_admin')
user.system = False
if not user.admin:
user.access = IdentityHeaderMiddleware._get_access_for_user()
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(
request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error('Could not obtain identity on request.')
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error('Could not decode header: %s.', error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant
def process_request(self, request):
"""Process request for internal identity middleware."""
if not any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]):
# We are not in an internal API section
return
try:
_, json_rh_auth = extract_header(request, self.header)
except (JSONDecodeError, binascii.Error):
logger.exception("Invalid X-RH-Identity header.")
return HttpResponseForbidden()
user = User()
try:
if not json_rh_auth["identity"]["type"] == "Associate":
return HttpResponseForbidden()
user.username = json_rh_auth["identity"]["associate"]["email"]
user.admin = True
except KeyError:
logger.error("Malformed X-RH-Identity header.")
return HttpResponseForbidden()
request.user = user
def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]):
# This request is for a private API endpoint
return
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.account = json_rh_auth.get("identity", {})["account_number"]
user_info = json_rh_auth.get("identity", {}).get("user", {})
user.username = user_info["username"]
user.admin = user_info.get("is_org_admin")
user.internal = user_info.get("is_internal")
user.user_id = user_info.get("user_id")
user.system = False
if not user.admin:
try:
schema_name = create_schema_name(user.account)
tenant = Tenant.objects.filter(schema_name=schema_name).get()
except Tenant.DoesNotExist:
request.user = user
tenant = self.get_tenant(model=None, hostname=None, request=request)
user.access = IdentityHeaderMiddleware._get_access_for_user(user.username, tenant)
# Cross account request check
internal = json_rh_auth.get("identity", {}).get("internal", {})
if internal != {}:
cross_account = internal.get("cross_access", False)
if cross_account:
if not (user.internal and user_info.get("email").endswith("@redhat.com")):
logger.error("Cross accout request permission denied. Requester is not internal user.")
return HttpResponseUnauthorizedRequest()
user.username = f"{user.account}-{user.user_id}"
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error("Could not obtain identity on request.")
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error("Could not decode header: %s.", error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant
