feat(controller): add check app owner status

Author: duanhongyi

rootfs/api/authentication.py

@@ -7,8 +7,6 @@
 from rest_framework.authentication import TokenAuthentication, \
     get_authorization_header
 from rest_framework import exceptions
-
-from api import manager
 from api.oauth import OAuthManager
 
 logger = logging.getLogger(__name__)
@@ -66,10 +64,6 @@ def _get_user(key):
             user_info = OAuthManager().get_user_by_token(key)
             if not user_info.get('email'):
                 user_info['email'] = OAuthManager().get_email_by_token(key)
-            if settings.WORKFLOW_MANAGER_URL and settings.WORKFLOW_MANAGER_TOKEN:
-                status = manager.User().get_status(user_info.username)
-                if not status["is_active"]:
-                    raise exceptions.AuthenticationFailed(_(status["message"]))
         except Exception as e:
             logger.info(e)
             raise exceptions.AuthenticationFailed(_('Verify token fail.'))

rootfs/api/models/__init__.py

@@ -140,6 +140,7 @@ class Meta:
 
 from .app import App, validate_app_id, validate_reserved_names, validate_app_structure  # noqa
 from .appsettings import AppSettings  # noqa
+from .blocklist import Blocklist  # noqa
 from .build import Build  # noqa
 from .certificate import Certificate, validate_certificate  # noqa
 from .config import Config  # noqa

rootfs/api/permissions.py

@@ -1,20 +1,26 @@
+import base64
 from rest_framework import permissions
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from api.models import Blocklist, App
 
-from api import models
 
-
-def is_app_user(request, obj):
-    if request.user.is_superuser or \
-            isinstance(obj, models.App) and obj.owner == request.user or \
-            hasattr(obj, 'app') and obj.app.owner == request.user:
-        return True
-    elif request.user.has_perm('use_app', obj) or \
-            hasattr(obj, 'app') and request.user.has_perm('use_app', obj.app):
-        return request.method != 'DELETE'
-    else:
-        return False
+def has_app_permission(request, obj):
+    if isinstance(obj, App) or hasattr(obj, 'app'):
+        app = obj if isinstance(obj, App) else obj.app
+        blocklist = Blocklist.get_blocklist(app)
+        if blocklist:
+            return False, blocklist.remark
+        if request.user.is_superuser:
+            return True, None
+        elif app.owner == request.user:
+            return True, None
+        elif request.user.is_staff or request.user.has_perm('use_app', app):
+            if request.method != 'DELETE':
+                return True, None
+            else:
+                return False, "User does not have permission to delete"
+    return False, "App object does not exist or does not have permission."
 
 
 class IsAnonymous(permissions.BasePermission):
@@ -62,7 +68,7 @@ class IsAppUser(permissions.BasePermission):
     an app-related model.
     """
     def has_object_permission(self, request, view, obj):
-        return is_app_user(request, obj)
+        return has_app_permission(request, obj)[0]
 
 
 class IsAdmin(permissions.BasePermission):
@@ -106,3 +112,20 @@ def has_permission(self, request, view):
         if not auth_header:
             return False
         return auth_header == settings.BUILDER_KEY
+
+
+class IsWorkflowManager(permissions.BasePermission):
+    """
+    View permission to allow workflow manager to perform actions
+    with a special HTTP header
+    """
+
+    def has_permission(self, request, view):
+        if request.META.get("HTTP_AUTHORIZATION"):
+            token = request.META.get(
+                "HTTP_AUTHORIZATION").split(" ")[1].encode("utf8")
+            access_key, secret_key = base64.b85decode(token).decode("utf8").split(":")
+            if settings.WORKFLOW_MANAGER_ACCESS_KEY == access_key:
+                if settings.WORKFLOW_MANAGER_SECRET_KEY == secret_key:
+                    return True
+        return False

rootfs/api/settings/testing.py

@@ -10,6 +10,7 @@
 app.conf.update(task_always_eager=True)
 signals.request_started.send = lambda sender, **named: []
 signals.request_finished.send = lambda sender, **named: []
+signals.got_request_exception.send = lambda sender, **named: []
 
 # A boolean that turns on/off debug mode.
 # https://docs.djangoproject.com/en/1.11/ref/settings/#debug

rootfs/api/tasks.py

@@ -25,13 +25,13 @@ def retrieve_resource(self, resource):
                 raise self.retry(exc=None, countdown=1800)
             else:
                 resource.detach_resource()
-    except Resource.DoesNotExist:
-        logger.exception(
-            "retrieve task not found resource: {}".format(resource.id))
-    except Exception as e:
+    except (Exception, Resource.DoesNotExist) as e:
         signals.got_request_exception.send(sender=task_id)
-        raise e
-    finally:
+        if isinstance(e, Resource.DoesNotExist):
+            logger.exception("retrieve task not found resource: {}".format(resource.id))
+        else:
+            raise e
+    else:
         signals.request_finished.send(sender=task_id)
 
 
@@ -51,7 +51,7 @@ def send_measurements(measurements: List[Dict[str, str]]):
     except Exception as e:
         signals.got_request_exception.send(sender=task_id)
         raise e
-    finally:
+    else:
         signals.request_finished.send(sender=task_id)
 
 
@@ -68,7 +68,7 @@ def scale_app(app, user, structure):
     except Exception as e:
         signals.got_request_exception.send(sender=task_id)
         raise e
-    finally:
+    else:
         signals.request_finished.send(sender=task_id)
 
 
@@ -85,5 +85,5 @@ def restart_app(app, **kwargs):
     except Exception as e:
         signals.got_request_exception.send(sender=task_id)
         raise e
-    finally:
+    else:
         signals.request_finished.send(sender=task_id)

rootfs/api/urls.py

@@ -144,12 +144,20 @@
         views.UserView.as_view({'patch': 'enable'})),
     url(r'^users/(?P<username>[\w.@+-]+)/disable/?$',
         views.UserView.as_view({'patch': 'disable'})),
-    url(r'^apps/(?P<id>{})/metrics/(?P<container_type>[a-z0-9]+(\-[a-z0-9]+)*)/?$'.format(settings.APP_URL_REGEX),  # noqa
+    url(r'^apps/(?P<id>{})/metrics/(?P<container_type>[a-z0-9]+(\-[a-z0-9]+)*)/?$'.format(
+        settings.APP_URL_REGEX),
         views.MetricView.as_view({'get': 'status'})),
+    url(r'^manager/(?P<type>[\w.@+-]+)s/(?P<id>{})/block/?$'.format(settings.APP_URL_REGEX),
+        views.WorkflowManagerViewset.as_view({'post': 'block'})),
+    url(r'^manager/(?P<type>[\w.@+-]+)s/(?P<id>{})/unblock/?$'.format(settings.APP_URL_REGEX),
+        views.WorkflowManagerViewset.as_view({'delete': 'unblock'})),
 ]
 
 webhook_urlpatterns = [
-    url(r'^webhooks/scale/(?P<token>.+)/?$', views.AdmissionWebhook.as_view({'post': 'scale'})),
+    url(
+        r'^webhooks/scale/(?P<token>.+)/?$',
+        views.AdmissionWebhookViewSet.as_view({'post': 'scale'})
+    ),
 ]
 
 # If there is a mutating admission webhook configuration, use webhook url

rootfs/api/views.py

@@ -119,6 +119,63 @@ def list(self, request, **kwargs):
         return Response(serializer.data)
 
 
+class WorkflowManagerViewset(GenericViewSet):
+
+    permission_classes = (permissions.IsWorkflowManager, )
+
+    def block(self, request,  **kwargs):
+        try:
+            blocklist = models.Blocklist(
+                id=kwargs['id'],
+                type=models.Blocklist.get_type(kwargs["type"]),
+                remark=request.data.get("remark")
+            )
+            apps = blocklist.related_apps
+            [scale_app(app, app.owner, {key: 0 for key in app.structure.keys()}) for app in apps]
+            blocklist.save()
+        except ValueError as e:
+            logger.info(e)
+            raise DryccException("Unsupported block type: %s" % kwargs["type"])
+
+    def unblock(self, request,  **kwargs):
+        try:
+            models.Blocklist.objects.filter(
+                id=kwargs['id'],
+                type=models.Blocklist.get_type(kwargs["type"])
+            ).delete()
+        except ValueError as e:
+            logger.info(e)
+            raise DryccException("Unsupported block type: %s" % kwargs["type"])
+
+
+class AdmissionWebhookViewSet(GenericViewSet):
+
+    permission_classes = (AllowAny, )
+
+    def scale(self, request,  **kwargs):
+        token = kwargs['token']
+        data = json.loads(request.body.decode("utf8"))["request"]
+        if settings.DRYCC_ADMISSION_WEBHOOK_TOKEN == token:
+            allowed = True
+            app_id = data["object"]["metadata"]["namespace"]
+            app = models.App.objects.filter(id=app_id).first()
+            replicas = data["object"]["spec"].get("replicas", 0)
+            container_type = data["object"]["metadata"]["name"].replace(f"{app_id}-", "", 1)
+            if app and app.structure.get(container_type) != replicas:  # sync replicas
+                app.structure[container_type] = replicas
+                super(models.App, app).save(update_fields=["structure", ])
+        else:
+            allowed = False
+        return Response({
+            "apiVersion": "admission.k8s.io/v1",
+            "kind": "AdmissionReview",
+            "response": {
+                "uid": data["uid"],
+                "allowed": allowed,
+            }
+        })
+
+
 class BaseDryccViewSet(viewsets.OwnerViewSet):
     """
     A generic ViewSet for objects related to Drycc.
@@ -508,8 +565,9 @@ def users(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=kwargs['id'])
         request.user = get_object_or_404(User, username=kwargs['username'])
         # check the user is authorized for this app
-        if not permissions.is_app_user(request, app):
-            raise PermissionDenied()
+        has_permission, message = permissions.has_app_permission(request, app)
+        if not has_permission:
+            raise PermissionDenied(message)
 
         data = {request.user.username: []}
         keys = models.Key.objects \
@@ -537,8 +595,9 @@ def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=request.data['receive_repo'])
         self.user = request.user = get_object_or_404(User, username=request.data['receive_user'])
         # check the user is authorized for this app
-        if not permissions.is_app_user(request, app):
-            raise PermissionDenied()
+        has_permission, message = permissions.has_app_permission(request, app)
+        if not has_permission:
+            raise PermissionDenied(message)
         request.data['app'] = app
         request.data['owner'] = self.user
         super(BuildHookViewSet, self).create(request, *args, **kwargs)
@@ -559,8 +618,9 @@ def create(self, request, *args, **kwargs):
         app = get_object_or_404(models.App, id=request.data['receive_repo'])
         request.user = get_object_or_404(User, username=request.data['receive_user'])
         # check the user is authorized for this app
-        if not permissions.is_app_user(request, app):
-            raise PermissionDenied()
+        has_permission, message = permissions.has_app_permission(request, app)
+        if not has_permission:
+            raise PermissionDenied(message)
         config = app.release_set.filter(failed=False).latest().config
         serializer = self.get_serializer(config)
         return Response(serializer.data, status=status.HTTP_200_OK)
@@ -908,32 +968,3 @@ def status(self, request, **kwargs):
             "networks": self._get_networks(
                 app_id, container_type, start, stop, every)
         })
-
-
-class AdmissionWebhook(GenericViewSet):
-
-    permission_classes = (AllowAny, )
-
-    def scale(self, request,  **kwargs):
-        token = kwargs['token']
-        print(request.body.decode("utf8"))
-        data = json.loads(request.body.decode("utf8"))["request"]
-        if settings.DRYCC_ADMISSION_WEBHOOK_TOKEN == token:
-            allowed = True
-            app_id = data["object"]["metadata"]["namespace"]
-            app = models.App.objects.filter(id=app_id).first()
-            replicas = data["object"]["spec"].get("replicas", 0)
-            container_type = data["object"]["metadata"]["name"].replace(f"{app_id}-", "", 1)
-            if app and app.structure.get(container_type) != replicas:  # sync replicas
-                app.structure[container_type] = replicas
-                super(models.App, app).save(update_fields=["structure", ])
-        else:
-            allowed = False
-        return Response({
-            "apiVersion": "admission.k8s.io/v1",
-            "kind": "AdmissionReview",
-            "response": {
-                "uid": data["uid"],
-                "allowed": allowed,
-            }
-        })