def _set_access_ocp_all(self,
provider,
filter_key,
access_key,
raise_exception=True):
"""Alter query parameters based on user access."""
access_list = self.access.get(access_key, {}).get("read", [])
access_filter_applied = False
if ReportQueryHandler.has_wildcard(access_list):
with tenant_context(self.tenant):
access_list = list(
OCPAllCostLineItemDailySummary.objects.filter(
source_type=provider).values_list(
"usage_account_id", flat=True).distinct())
# check group by
group_by = self.parameters.get("group_by", {})
if group_by.get(filter_key):
items = set(group_by.get(filter_key))
items.update(access_list)
if set(group_by.get(filter_key)) != items:
self.parameters["group_by"][filter_key] = list(items)
access_filter_applied = True
if not access_filter_applied:
if self.parameters.get("filter", {}).get(filter_key):
items = set(self.get_filter(filter_key))
items.update(access_list)
self.parameters["filter"][filter_key] = list(items)
elif access_list:
self.parameters["filter"][filter_key] = access_list
def _set_access(self, filter_key, access_key, raise_exception=True):
"""Alter query parameters based on user access."""
access_list = self.access.get(access_key, {}).get('read', [])
access_filter_applied = False
if ReportQueryHandler.has_wildcard(access_list):
return
# check group by
group_by = self.parameters.get('group_by', {})
if group_by.get(filter_key):
items = set(group_by.get(filter_key))
result = get_replacement_result(items, access_list,
raise_exception)
if result:
self.parameters['group_by'][filter_key] = result
access_filter_applied = True
if not access_filter_applied:
if self.parameters.get('filter', {}).get(filter_key):
items = set(self.get_filter(filter_key))
result = get_replacement_result(items, access_list,
raise_exception)
if result:
self.parameters['filter'][filter_key] = result
elif access_list:
self.parameters['filter'][filter_key] = access_list
def _set_access(self, provider, filter_key, access_key, raise_exception=True):
"""Alter query parameters based on user access."""
access_list = self.access.get(access_key, {}).get("read", [])
access_filter_applied = False
if ReportQueryHandler.has_wildcard(access_list):
return
# check group by
group_by = self.parameters.get("group_by", {})
if access_key == "aws.organizational_unit":
if "org_unit_id" in group_by or "or:org_unit_id" in group_by:
# Only check the tree hierarchy if we are grouping by org units.
# we will want to overwrite the access_list here to include the sub orgs in
# the hierarchy for later checks regarding filtering.
access_list = self._check_org_unit_tree_hierarchy(group_by, access_list)
if group_by.get(filter_key):
items = set(group_by.get(filter_key))
result = get_replacement_result(items, access_list, raise_exception)
if result:
self.parameters["access"][filter_key] = result
access_filter_applied = True
if not access_filter_applied:
if self.parameters.get("filter", {}).get(filter_key):
items = set(self.get_filter(filter_key))
result = get_replacement_result(items, access_list, raise_exception)
if result:
self.parameters["access"][filter_key] = result
elif access_list:
self.parameters["access"][filter_key] = access_list
def _get_replacement_result(param_res_list, access_list, raise_exception=True):
if ReportQueryHandler.has_wildcard(param_res_list):
return access_list
if not access_list and not raise_exception:
return list(param_res_list)
intersection = param_res_list & set(access_list)
if not intersection:
raise PermissionDenied()
return list(intersection)
def _check_restrictions(self, set_access_list):
"""Check if all non-ocp providers have wildcard access."""
all_wildcard = []
for set_access in set_access_list:
provider, __, access_key, *__ = set_access
if provider != Provider.PROVIDER_OCP:
access_list = self.access.get(access_key, {}).get("read", [])
all_wildcard.append(ReportQueryHandler.has_wildcard(access_list))
return False in all_wildcard
def get_replacement_result(param_res_list, access_list, raise_exception=True):
"""Adjust param list based on access list."""
if ReportQueryHandler.has_wildcard(param_res_list):
return access_list
if not (access_list or raise_exception):
return list(param_res_list)
access_difference = param_res_list.difference(set(access_list))
if access_difference:
LOG.warning(
"User does not have permissions for the requested params: %s. Current access: %s.",
param_res_list,
access_list,
)
raise PermissionDenied()
return param_res_list
def get_replacement_result(param_res_list, access_list, raise_exception=True):
"""Adjust param list based on access list."""
if ReportQueryHandler.has_wildcard(param_res_list):
return access_list
if not access_list and not raise_exception:
return list(param_res_list)
intersection = param_res_list & set(access_list)
if not intersection:
LOG.warning(
"User does not have permissions for the "
"requested params: %s. Current access: %s.",
param_res_list,
access_list,
)
raise PermissionDenied()
return list(intersection)
def _update_query_parameters(query_parameters,
filter_key,
access,
access_key,
raise_exception=True):
"""Alter query parameters based on user access."""
access_list = access.get(access_key, {}).get('read', [])
access_filter_applied = False
if ReportQueryHandler.has_wildcard(access_list):
return query_parameters
# check group by
group_by = query_parameters.get('group_by', {})
if group_by.get(filter_key):
items = set(group_by.get(filter_key))
result = _get_replacement_result(items,
access_list,
raise_exception=True)
if result:
query_parameters['group_by'][filter_key] = result
access_filter_applied = True
if not access_filter_applied:
if query_parameters.get('filter', {}).get(filter_key):
items = set(query_parameters.get('filter', {}).get(filter_key))
result = _get_replacement_result(items, access_list,
raise_exception)
if result:
if query_parameters.get('filter') is None:
query_parameters['filter'] = {}
query_parameters['filter'][filter_key] = result
elif access_list:
if query_parameters.get('filter') is None:
query_parameters['filter'] = {}
query_parameters['filter'][filter_key] = access_list
return query_parameters
def test_has_wildcard_none(self):
"""Test an empty list doesn't have a wildcard."""
result = ReportQueryHandler.has_wildcard([])
self.assertFalse(result)
def test_has_wildcard_no(self):
"""Test a list doesn't have a wildcard."""
result = ReportQueryHandler.has_wildcard(['abc', 'def'])
self.assertFalse(result)
def test_has_wildcard_yes(self):
"""Test a list has a wildcard."""
result = ReportQueryHandler.has_wildcard(['abc', '*'])
self.assertTrue(result)