def process_request(self, request):  # pylint: disable=R1710
    """Resolve the caller's identity and attach it to the request.

    The identity header (``self.header``) is tried first. When it lacks a
    username or account number, or its JSON does not parse, the PSK, account
    and client-id headers are tried instead. Requests whose path starts with
    an internal API prefix, and requests accepted by ``is_no_auth``, leave
    this method with no identity attached.

    Args:
        request (object): The request object

    Returns:
        ``HttpResponseUnauthorizedRequest`` when neither source yields an
        identity; ``None`` in every other case.

    Raises:
        binascii.Error: logged and re-raised when raised while reading the
            identity header.
    """
    # Carry the request id from request.META onto the request (None if absent).
    request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)

    # Private API endpoints are recognised purely by path prefix and skip
    # identity handling altogether.
    # NOTE(review): whatever authenticates those endpoints is not visible
    # here; confirm they are protected elsewhere.
    targets_internal_api = any(
        request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES
    )
    if targets_internal_api or is_no_auth(request):
        return

    user = User()
    try:
        _, json_rh_auth = extract_header(request, self.header)
        identity = json_rh_auth.get("identity", {})
        user_info = identity.get("user", {})
        # Subscripting is deliberate: a missing username or account number
        # raises KeyError, which sends the request to the PSK fallback below.
        user.username = user_info["username"]
        user.account = identity["account_number"]
        user.admin = user_info.get("is_org_admin")
        user.system = False
        if not user.admin:
            user.access = IdentityHeaderMiddleware._get_access_for_user()
    except (KeyError, JSONDecodeError):
        request_psk = request.META.get(RH_RBAC_PSK)
        account = request.META.get(RH_RBAC_ACCOUNT)
        client_id = request.META.get(RH_RBAC_CLIENT_ID)
        has_system_auth_headers = request_psk and account and client_id
        if not (has_system_auth_headers and validate_psk(request_psk, client_id)):
            logger.error("Could not obtain identity on request.")
            return HttpResponseUnauthorizedRequest()
        # validate_psk is given only the key and the client id, so the account
        # header is taken as sent; the caller becomes an admin system user on it.
        user.username = client_id
        user.account = account
        user.admin = True
        user.system = True
    except binascii.Error as error:
        logger.error("Could not decode header: %s.", error)
        raise error

    if not (user.username and user.account):
        # NOTE(review): an empty username or account gets neither request.user
        # nor a 401 here; presumably a later layer rejects it. Confirm.
        return

    request.user = user
    super().process_request(request)
    # We are now in the database context of the tenant
    # `assert` is skipped under `python -O`: a sanity check, not an enforcement point.
    assert request.tenant
def process_request(self, request):  # pylint: disable=R1710
    """Attach a ``User`` built from the request's identity to the request.

    The identity header (``self.header``) is read first. If it has no
    username or account number, or its JSON cannot be parsed, the PSK,
    account and client-id headers are used instead. Requests accepted by
    ``is_no_auth`` are passed through with no identity attached.

    Args:
        request (object): The request object

    Returns:
        ``HttpResponseUnauthorizedRequest`` if no identity could be
        established from either source; otherwise ``None``.

    Raises:
        binascii.Error: logged and re-raised when raised while reading the
            identity header.
    """
    # Get request ID
    request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)

    if is_no_auth(request):
        return

    user = User()
    try:
        _, json_rh_auth = extract_header(request, self.header)
        identity_section = json_rh_auth.get("identity", {})
        user_section = identity_section.get("user", {})
        # "username" and "account_number" are subscripted, not .get()-ed: if
        # either is missing the KeyError routes the request to the PSK path.
        user.username = user_section["username"]
        user.account = identity_section["account_number"]
        user.admin = user_section.get("is_org_admin")
        user.system = False
        if not user.admin:
            user.access = IdentityHeaderMiddleware._get_access_for_user()
    except (KeyError, JSONDecodeError):
        request_psk = request.META.get(RH_RBAC_PSK)
        account = request.META.get(RH_RBAC_ACCOUNT)
        client_id = request.META.get(RH_RBAC_CLIENT_ID)
        # All three headers must be present before the key is validated.
        psk_accepted = (
            request_psk and account and client_id and validate_psk(request_psk, client_id)
        )
        if not psk_accepted:
            logger.error("Could not obtain identity on request.")
            return HttpResponseUnauthorizedRequest()
        # Only the key and client id go through validate_psk; the account
        # header is used as sent, and the caller becomes an admin system user.
        user.username = client_id
        user.account = account
        user.admin = True
        user.system = True
    except binascii.Error as error:
        logger.error("Could not decode header: %s.", error)
        raise error

    if not (user.username and user.account):
        # NOTE(review): a blank username or account leaves request.user unset
        # and returns no 401; presumably rejected further down. Confirm.
        return

    request.user = user
    super().process_request(request)
    # We are now in the database context of the tenant
    # `assert` disappears under `python -O`, so treat it as a sanity check only.
    assert request.tenant
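def process_request(self, request):  # pylint: disable=R1710
    """Resolve the caller's identity, enforce the cross-account rule, attach the user.

    The identity header (``self.header``) is tried first. When it lacks an
    account number or username, or its JSON does not parse, the PSK, account
    and client-id headers are tried instead. Requests whose path starts with
    an internal API prefix, and requests accepted by ``is_no_auth``, leave
    this method with no identity attached.

    A request flagged ``identity.internal.cross_access`` is accepted only
    when the user is marked internal and has an ``@redhat.com`` email. A
    missing or non-string email is now denied with a 401; previously it
    raised an unhandled ``AttributeError``.

    Args:
        request (object): The request object

    Returns:
        ``HttpResponseUnauthorizedRequest`` when no identity can be
        established or the cross-account check fails; otherwise ``None``.

    Raises:
        binascii.Error: logged and re-raised when raised while reading the
            identity header.
    """
    # Get request ID
    request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)

    # Private API endpoints are recognised purely by path prefix and skip
    # identity handling altogether.
    # NOTE(review): whatever authenticates those endpoints is not visible
    # here; confirm they are protected elsewhere.
    if any(request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES):
        return

    if is_no_auth(request):
        return

    user = User()
    try:
        _, json_rh_auth = extract_header(request, self.header)
        identity = json_rh_auth.get("identity", {})
        # Subscripting is deliberate: a missing account number or username
        # raises KeyError, which sends the request to the PSK fallback below.
        user.account = identity["account_number"]
        user_info = identity.get("user", {})
        user.username = user_info["username"]
        user.admin = user_info.get("is_org_admin")
        user.internal = user_info.get("is_internal")
        user.user_id = user_info.get("user_id")
        user.system = False
        if not user.admin:
            try:
                schema_name = create_schema_name(user.account)
                tenant = Tenant.objects.filter(schema_name=schema_name).get()
            except Tenant.DoesNotExist:
                # request.user is set before get_tenant runs.
                # NOTE(review): presumably get_tenant reads it. Confirm.
                request.user = user
                tenant = self.get_tenant(model=None, hostname=None, request=request)
            user.access = IdentityHeaderMiddleware._get_access_for_user(user.username, tenant)

        # Cross account request check
        internal = identity.get("internal", {})
        if internal != {} and internal.get("cross_access", False):
            email = user_info.get("email")
            # Deny rather than crash when the email is absent or not a string.
            has_redhat_email = isinstance(email, str) and email.endswith("@redhat.com")
            if not (user.internal and has_redhat_email):
                logger.error(
                    "Cross accout request permission denied. "
                    "Requester is not internal user."
                )
                return HttpResponseUnauthorizedRequest()
            # Both inputs to this check come from the identity header, so it is
            # only as trustworthy as whatever issues that header.
            # Access above was resolved under the header username; only the
            # identity attached to the request gets the account-scoped name.
            user.username = f"{user.account}-{user.user_id}"
    except (KeyError, JSONDecodeError):
        request_psk = request.META.get(RH_RBAC_PSK)
        account = request.META.get(RH_RBAC_ACCOUNT)
        client_id = request.META.get(RH_RBAC_CLIENT_ID)
        has_system_auth_headers = request_psk and account and client_id
        if has_system_auth_headers and validate_psk(request_psk, client_id):
            # validate_psk is given only the key and the client id, so the
            # account header is taken as sent.
            user.username = client_id
            user.account = account
            user.admin = True
            user.system = True
        else:
            logger.error("Could not obtain identity on request.")
            return HttpResponseUnauthorizedRequest()
    except binascii.Error as error:
        logger.error("Could not decode header: %s.", error)
        raise error

    if user.username and user.account:
        request.user = user

        super().process_request(request)
        # We are now in the database context of the tenant
        # `assert` is skipped under `python -O`: a sanity check, not an enforcement point.
        assert request.tenant
    # NOTE(review): an empty username or account gets neither request.user nor
    # a 401 here; presumably a later layer rejects it. Confirm.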