def test_handle_bad_padding(self): """Test the handling of bad padding.""" request = Mock() request.META = {"header1": BAD_PADDING_HEADER} try: extract_header(request, "header1") except Exception: self.fail("Should handle padding error.")
def process_request(self, request): # noqa: C901 """Process request for identity middleware. Args: request (object): The request object """ if is_no_auth(request): request.user = User('', '') return try: rh_auth_header, json_rh_auth = extract_header(request, self.header) username = json_rh_auth.get('identity', {}).get('user', {}).get('username') account = json_rh_auth.get('identity', {}).get('account_number') is_admin = json_rh_auth.get('identity', {}).get('user', {}).get('is_org_admin') except (KeyError, JSONDecodeError) as decode_err: logger.error('Could not obtain identity on request.') raise decode_err except binascii.Error as error: logger.error('Could not decode header: %s.', error) raise error if (username and account): # Get request ID req_id = request.META.get(RH_INSIGHTS_REQUEST_ID) # Check for customer creation & user creation try: schema_name = create_schema_name(account) tenant = Tenant.objects.filter(schema_name=schema_name).get() except Tenant.DoesNotExist: tenant = IdentityHeaderMiddleware._create_tenant(account) try: user = User.objects.get(username__iexact=username) except User.DoesNotExist: user = IdentityHeaderMiddleware._create_user( username, tenant, request) with tenant_context(tenant): try: Principal.objects.get(username__iexact=username) except Principal.DoesNotExist: Principal.objects.create(username=username) logger.info('Created new principal %s for account %s.', username, account) user.identity_header = { 'encoded': rh_auth_header, 'decoded': json_rh_auth } user.admin = is_admin user.account = account user.req_id = req_id if not is_admin: user.access = IdentityHeaderMiddleware._get_access_for_user( username, tenant) request.user = user
def process_request(self, request): # pylint: disable=R1710 """Process request for identity middleware. Args: request (object): The request object """ # Get request ID request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID) if any([ request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES ]): # This request is for a private API endpoint return if is_no_auth(request): return user = User() try: _, json_rh_auth = extract_header(request, self.header) user.username = json_rh_auth.get("identity", {}).get("user", {})["username"] user.account = json_rh_auth.get("identity", {})["account_number"] user.admin = json_rh_auth.get("identity", {}).get("user", {}).get("is_org_admin") user.system = False if not user.admin: user.access = IdentityHeaderMiddleware._get_access_for_user() except (KeyError, JSONDecodeError): request_psk = request.META.get(RH_RBAC_PSK) account = request.META.get(RH_RBAC_ACCOUNT) client_id = request.META.get(RH_RBAC_CLIENT_ID) has_system_auth_headers = request_psk and account and client_id if has_system_auth_headers and validate_psk( request_psk, client_id): user.username = client_id user.account = account user.admin = True user.system = True else: logger.error("Could not obtain identity on request.") return HttpResponseUnauthorizedRequest() except binascii.Error as error: logger.error("Could not decode header: %s.", error) raise error if user.username and user.account: request.user = user super().process_request(request) # We are now in the database context of the tenant assert request.tenant
def process_request(self, request): # noqa: C901 """Process request for csrf checks. Args: request (object): The request object """ if is_no_auth(request): request.user = User('', '') return try: json_rh_auth = extract_header(request, self.header) username = json_rh_auth['identity']['user']['username'] email = json_rh_auth['identity']['user']['email'] account = json_rh_auth['identity']['account_number'] except (KeyError, JSONDecodeError): logger.warning('Could not obtain identity on request.') return if (username and email and account): # Check for customer creation & user creation query_string = '' if request.META['QUERY_STRING']: query_string = '?{}'.format(request.META['QUERY_STRING']) logger.info(f'API: {request.path}{query_string}' # pylint: disable=W1203 f' -- ACCOUNT: {account} USER: {username}') try: schema_name = create_schema_name(account) tenant = Tenant.objects.filter(schema_name=schema_name).get() except Tenant.DoesNotExist: tenant = IdentityHeaderMiddleware._create_tenant(account) try: user = User.objects.get(username=username) except User.DoesNotExist: user = IdentityHeaderMiddleware._create_user( username, email, tenant, request) request.user = user # Temporarily add principals based on API interaction with tenant_context(tenant): try: Principal.objects.get(username=username) except Principal.DoesNotExist: try: with transaction.atomic(): principal = Principal(username=username, email=email) principal.save() logger.info( 'Created new principal for account_id %s.', account) except IntegrityError: pass
def process_request(self, request): # pylint: disable=R1710 """Process request for identity middleware. Args: request (object): The request object """ # Get request ID request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID) if is_no_auth(request): return user = User() try: _, json_rh_auth = extract_header(request, self.header) user.username = json_rh_auth.get('identity', {}).get('user', {})['username'] user.account = json_rh_auth.get('identity', {})['account_number'] user.admin = json_rh_auth.get('identity', {}).get('user', {}).get('is_org_admin') user.system = False if not user.admin: user.access = IdentityHeaderMiddleware._get_access_for_user() except (KeyError, JSONDecodeError): request_psk = request.META.get(RH_RBAC_PSK) account = request.META.get(RH_RBAC_ACCOUNT) client_id = request.META.get(RH_RBAC_CLIENT_ID) has_system_auth_headers = request_psk and account and client_id if has_system_auth_headers and validate_psk( request_psk, client_id): user.username = client_id user.account = account user.admin = True user.system = True else: logger.error('Could not obtain identity on request.') return HttpResponseUnauthorizedRequest() except binascii.Error as error: logger.error('Could not decode header: %s.', error) raise error if user.username and user.account: request.user = user super().process_request(request) # We are now in the database context of the tenant assert request.tenant
def process_request(self, request): """Process request for internal identity middleware.""" if not any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]): # We are not in an internal API section return try: _, json_rh_auth = extract_header(request, self.header) except (JSONDecodeError, binascii.Error): logger.exception("Invalid X-RH-Identity header.") return HttpResponseForbidden() user = User() try: if not json_rh_auth["identity"]["type"] == "Associate": return HttpResponseForbidden() user.username = json_rh_auth["identity"]["associate"]["email"] user.admin = True except KeyError: logger.error("Malformed X-RH-Identity header.") return HttpResponseForbidden() request.user = user
def process_request(self, request): # pylint: disable=R1710 """Process request for identity middleware. Args: request (object): The request object """ # Get request ID request.req_id = request.META.get(RH_INSIGHTS_REQUEST_ID) if any([request.path.startswith(prefix) for prefix in settings.INTERNAL_API_PATH_PREFIXES]): # This request is for a private API endpoint return if is_no_auth(request): return user = User() try: _, json_rh_auth = extract_header(request, self.header) user.account = json_rh_auth.get("identity", {})["account_number"] user_info = json_rh_auth.get("identity", {}).get("user", {}) user.username = user_info["username"] user.admin = user_info.get("is_org_admin") user.internal = user_info.get("is_internal") user.user_id = user_info.get("user_id") user.system = False if not user.admin: try: schema_name = create_schema_name(user.account) tenant = Tenant.objects.filter(schema_name=schema_name).get() except Tenant.DoesNotExist: request.user = user tenant = self.get_tenant(model=None, hostname=None, request=request) user.access = IdentityHeaderMiddleware._get_access_for_user(user.username, tenant) # Cross account request check internal = json_rh_auth.get("identity", {}).get("internal", {}) if internal != {}: cross_account = internal.get("cross_access", False) if cross_account: if not (user.internal and user_info.get("email").endswith("@redhat.com")): logger.error("Cross accout request permission denied. Requester is not internal user.") return HttpResponseUnauthorizedRequest() user.username = f"{user.account}-{user.user_id}" except (KeyError, JSONDecodeError): request_psk = request.META.get(RH_RBAC_PSK) account = request.META.get(RH_RBAC_ACCOUNT) client_id = request.META.get(RH_RBAC_CLIENT_ID) has_system_auth_headers = request_psk and account and client_id if has_system_auth_headers and validate_psk(request_psk, client_id): user.username = client_id user.account = account user.admin = True user.system = True else: logger.error("Could not obtain identity on request.") return HttpResponseUnauthorizedRequest() except binascii.Error as error: logger.error("Could not decode header: %s.", error) raise error if user.username and user.account: request.user = user super().process_request(request) # We are now in the database context of the tenant assert request.tenant