def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if any([
request.path.startswith(prefix)
for prefix in settings.INTERNAL_API_PATH_PREFIXES
]):
# This request is for a private API endpoint
return
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.username = json_rh_auth.get("identity",
{}).get("user", {})["username"]
user.account = json_rh_auth.get("identity", {})["account_number"]
user.admin = json_rh_auth.get("identity",
{}).get("user",
{}).get("is_org_admin")
user.system = False
if not user.admin:
user.access = IdentityHeaderMiddleware._get_access_for_user()
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(
request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error("Could not obtain identity on request.")
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error("Could not decode header: %s.", error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant
def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.username = json_rh_auth.get('identity',
{}).get('user', {})['username']
user.account = json_rh_auth.get('identity', {})['account_number']
user.admin = json_rh_auth.get('identity',
{}).get('user',
{}).get('is_org_admin')
user.system = False
if not user.admin:
user.access = IdentityHeaderMiddleware._get_access_for_user()
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(
request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error('Could not obtain identity on request.')
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error('Could not decode header: %s.', error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant
def process_request(self, request):
"""Process request for internal identity middleware."""
if not any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]):
# We are not in an internal API section
return
try:
_, json_rh_auth = extract_header(request, self.header)
except (JSONDecodeError, binascii.Error):
logger.exception("Invalid X-RH-Identity header.")
return HttpResponseForbidden()
user = User()
try:
if not json_rh_auth["identity"]["type"] == "Associate":
return HttpResponseForbidden()
user.username = json_rh_auth["identity"]["associate"]["email"]
user.admin = True
except KeyError:
logger.error("Malformed X-RH-Identity header.")
return HttpResponseForbidden()
request.user = user
def process_request(self, request): # pylint: disable=R1710
"""Process request for identity middleware.
Args:
request (object): The request object
"""
# Get request ID
request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID)
if any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]):
# This request is for a private API endpoint
return
if is_no_auth(request):
return
user = User()
try:
_, json_rh_auth = extract_header(request, self.header)
user.account = json_rh_auth.get("identity", {})["account_number"]
user_info = json_rh_auth.get("identity", {}).get("user", {})
user.username = user_info["username"]
user.admin = user_info.get("is_org_admin")
user.internal = user_info.get("is_internal")
user.user_id = user_info.get("user_id")
user.system = False
if not user.admin:
try:
schema_name = create_schema_name(user.account)
tenant = Tenant.objects.filter(schema_name=schema_name).get()
except Tenant.DoesNotExist:
request.user = user
tenant = self.get_tenant(model=None, hostname=None, request=request)
user.access = IdentityHeaderMiddleware._get_access_for_user(user.username, tenant)
# Cross account request check
internal = json_rh_auth.get("identity", {}).get("internal", {})
if internal != {}:
cross_account = internal.get("cross_access", False)
if cross_account:
if not (user.internal and user_info.get("email").endswith("@redhat.com")):
logger.error("Cross accout request permission denied. Requester is not internal user.")
return HttpResponseUnauthorizedRequest()
user.username = f"{user.account}-{user.user_id}"
except (KeyError, JSONDecodeError):
request_psk = request.META.get(RH_RBAC_PSK)
account = request.META.get(RH_RBAC_ACCOUNT)
client_id = request.META.get(RH_RBAC_CLIENT_ID)
has_system_auth_headers = request_psk and account and client_id
if has_system_auth_headers and validate_psk(request_psk, client_id):
user.username = client_id
user.account = account
user.admin = True
user.system = True
else:
logger.error("Could not obtain identity on request.")
return HttpResponseUnauthorizedRequest()
except binascii.Error as error:
logger.error("Could not decode header: %s.", error)
raise error
if user.username and user.account:
request.user = user
super().process_request(request)
# We are now in the database context of the tenant
assert request.tenant