def get(self):
    """Download the package tree.
    ---
    description: Download the package tree.
    responses:
      200:
        description: The package tree
        schema:
          $ref: "#/definitions/PkgTreeDownloadResponse"
      403:
        description: GitHub personal access token (PAT) was not provided for authorization.
      404:
        description: Package Tree file not found. Has it been generated yet? Try /sync/pkgtree first.
    tags:
      - pkgtree
    """
    # Reject the caller before touching the file system at all.
    # NOTE(review): is_authorized() appears to bump FAILED_AUTH on its own
    # failure paths too, so a rejected request may be counted twice -- confirm.
    if not self.is_authorized():
        FAILED_AUTH.inc()
        self.set_status(403, 'Valid authorization token was not provided')
        return
    try:
        with open(PKGTREE_FILE, 'rb') as reader:
            # Bytes are streamed as-is; the Content-Encoding header implies the
            # file on disk is presumably already gzip-compressed JSON.
            self.set_header("Content-Type", "application/json")
            self.set_header("Content-Encoding", "gzip")
            # read() yields b'' at EOF, which ends the sentinel iteration.
            for chunk in iter(lambda: reader.read(self.chunk_size), b''):
                self.write(chunk)
                self.flush()
    except FileNotFoundError:
        self.set_status(
            404, 'Package Tree file not found. Has it been generated?')
        return
def delete(self, repo=None):
    """Delete repository.
    ---
    description: Delete repository
    parameters:
      - name: repo
        description: Repository name or POSIX regular expression pattern
        required: True
        type: string
        in: path
        x-example: rhel-6-server-rpms OR rhel-[4567]-.*-rpms OR rhel-\\d-server-rpms
    responses:
      200:
        description: Repository deletion started
        schema:
          $ref: "#/definitions/TaskStartResponse"
      429:
        description: Another task is already in progress
      403:
        description: GitHub personal access token (PAT) was not provided for authorization.
    tags:
      - repos
    """
    # NOTE(review): is_authorized() appears to bump FAILED_AUTH on its own
    # failure paths too, so a rejected request may be counted twice -- confirm.
    if not self.is_authorized():
        FAILED_AUTH.inc()
        self.set_status(403, 'Valid authorization token was not provided')
        return
    # start_task() decides between "started" and "another task in progress";
    # its status code and message are passed through unchanged.
    code, message = self.start_task(repo=repo)
    self.set_status(code)
    self.write(message)
def put(self):
    """Cancel currently running background task.
    ---
    description: Cancel currently running background task
    responses:
      200:
        description: Task canceled
        schema:
          $ref: "#/definitions/TaskStatusResponse"
      403:
        description: GitHub personal access token (PAT) was not provided for authorization.
    tags:
      - task
    """
    # NOTE(review): is_authorized() appears to bump FAILED_AUTH on its own
    # failure paths too, so a rejected request may be counted twice -- confirm.
    if not self.is_authorized():
        FAILED_AUTH.inc()
        self.set_status(403, 'Valid authorization token was not provided')
        return
    if SyncTask.is_running():
        SyncTask.cancel()
        LOGGER.warning("Background task terminated.")
    # The state is re-read after cancel() so the reply reflects the outcome.
    status = TaskStatusResponse(running=SyncTask.is_running(),
                                task_type=SyncTask.get_task_type())
    self.write(status)
    self.flush()
def auth_admin(x_rh_identity, required_scopes=None):  # pylint: disable=unused-argument
    """Parse the user name from the x-rh-identity header.

    Returns ``{"uid": <email>}`` when the decoded identity carries an
    associate e-mail, otherwise ``None`` (and ``FAILED_AUTH`` is bumped).
    NOTE(review): no signature or origin check of the header is visible here;
    it is only safe if the header is set by a trusted upstream gateway and
    cannot be supplied by the client directly -- confirm in the deployment.
    """
    identity = get_identity(x_rh_identity)
    email = (identity.get("identity", {})
             .get("associate", {})
             .get("email"))
    if not email:
        FAILED_AUTH.inc()
        return None
    LOGGER.info("User '%s' accessed admin API.", email)
    ADMIN_REQUESTS.inc()
    return {"uid": email}
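def is_authorized(self):
    """Authorization check routine.

    Requests arriving from the loopback interface are allowed without a
    token; every other request must carry a GitHub token in the
    ``Authorization`` header whose owner is a member of the RedHatInsights
    organization.

    Returns:
        bool: True when the request may proceed, False otherwise.  Every
        rejecting path also increments ``FAILED_AUTH``.
    """
    # "Local" is decided on the peer address, not on the Host header: the
    # Host header is chosen by the client, so testing it for "localhost"
    # would let any remote caller skip the token check.
    # NOTE(review): behind a reverse proxy remote_ip is the proxy's address
    # unless the server runs with xheaders=True -- confirm the deployment.
    if self.request.remote_ip in ('127.0.0.1', '::1'):
        return True
    github_token = self.request.headers.get('Authorization', None)
    if not github_token:
        FAILED_AUTH.inc()
        return False
    auth_headers = {'Authorization': github_token}
    # Bound the outbound calls so an unresponsive GitHub cannot stall the handler.
    api_timeout = 10
    try:
        user_info_response = requests.get('https://api.github.com/user',
                                          headers=auth_headers,
                                          timeout=api_timeout)
    except requests.RequestException as err:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot reach github API: %s", err)
        return False
    if user_info_response.status_code != 200:
        FAILED_AUTH.inc()
        # The token is a credential: log the outcome, never the token itself.
        LOGGER.warning("Cannot execute github API with provided token (status %s)",
                       user_info_response.status_code)
        return False
    user_info = user_info_response.json()
    github_user_login = user_info['login']
    try:
        orgs_response = requests.get(
            'https://api.github.com/users/' + github_user_login + '/orgs',
            headers=auth_headers, timeout=api_timeout)
    except requests.RequestException as err:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot request github organizations for the user %s: %s",
                       github_user_login, err)
        return False
    if orgs_response.status_code != 200:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot request github organizations for the user %s",
                       github_user_login)
        return False
    if any(org_info['login'] == 'RedHatInsights' for org_info in orgs_response.json()):
        LOGGER.warning("User %s (id %s) got an access to API: %s",
                       github_user_login, user_info['id'], str(self.request))
        return True
    FAILED_AUTH.inc()
    LOGGER.warning("User %s does not belong to RedHatInsights organization",
                   github_user_login)
    return False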
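def github_auth(github_token, required_scopes=None):
    """Perform authorization using GitHub.

    Requests from the loopback interface get the ``local`` scope without a
    token; any other request must present a GitHub token whose owner is a
    member of the organization named by ``AUTHORIZED_API_ORG`` (falling back
    to ``DEFAULT_AUTHORIZED_API_ORG``).

    Returns:
        dict | None: ``{'scopes': [...]}`` on success, ``None`` when the
        request is rejected (``FAILED_AUTH`` is incremented on every
        rejecting path).
    """
    # "Local" is decided on the peer address, not on the Host header: the
    # Host header is client-controlled, so testing it for "localhost" would
    # let any remote caller skip the token check.
    # NOTE(review): behind a reverse proxy remote_addr is the proxy's address
    # unless ProxyFix (or equivalent) is configured -- confirm the deployment.
    if request.remote_addr in ('127.0.0.1', '::1'):
        return {'scopes': ['local']}
    if not github_token:
        FAILED_AUTH.inc()
        return None
    auth_headers = {'Authorization': github_token}
    # Bound the outbound calls so an unresponsive GitHub cannot stall the worker.
    api_timeout = 10
    try:
        user_info_response = requests.get('https://api.github.com/user',
                                          headers=auth_headers,
                                          timeout=api_timeout)
    except requests.RequestException as err:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot reach github API: %s", err)
        return None
    if user_info_response.status_code != 200:
        FAILED_AUTH.inc()
        # The token is a credential: log the outcome, never the token itself.
        LOGGER.warning("Cannot execute github API with provided token (status %s)",
                       user_info_response.status_code)
        return None
    user_info = user_info_response.json()
    github_user_login = user_info['login']
    try:
        orgs_response = requests.get(
            'https://api.github.com/users/' + github_user_login + '/orgs',
            headers=auth_headers, timeout=api_timeout)
    except requests.RequestException as err:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot request github organizations for the user %s: %s",
                       github_user_login, err)
        return None
    if orgs_response.status_code != 200:
        FAILED_AUTH.inc()
        LOGGER.warning("Cannot request github organizations for the user %s",
                       github_user_login)
        return None
    authorized_org = os.getenv('AUTHORIZED_API_ORG', DEFAULT_AUTHORIZED_API_ORG)
    if any(org_info['login'] == authorized_org for org_info in orgs_response.json()):
        LOGGER.warning("User %s (id %s) got an access to API: %s",
                       github_user_login, user_info['id'], str(request))
        return {'scopes': ['local', 'authorized']}
    FAILED_AUTH.inc()
    # Argument order matches the placeholders: user first, organization second.
    LOGGER.warning("User %s does not belong to %s organization",
                   github_user_login, authorized_org)
    return None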
def put(self):
    """Sync repos + CVEs + CVEmap.
    ---
    description: Sync repositories stored in DB and CVE lists
    responses:
      200:
        description: Sync started
        schema:
          $ref: "#/definitions/TaskStartResponse"
      429:
        description: Another task is already in progress
      403:
        description: GitHub personal access token (PAT) was not provided for authorization.
    tags:
      - sync
    """
    # NOTE(review): is_authorized() appears to bump FAILED_AUTH on its own
    # failure paths too, so a rejected request may be counted twice -- confirm.
    if not self.is_authorized():
        FAILED_AUTH.inc()
        self.set_status(403, 'Valid authorization token was not provided')
        return
    # start_task() decides between "started" and "another task in progress";
    # its status code and message are passed through unchanged.
    code, message = self.start_task()
    self.set_status(code)
    self.write(message)
    self.flush()