chore(channels): add cache user permission

Author: duanhongyi

rootfs/api/authentication.py

@@ -65,7 +65,7 @@ def authenticate_credentials(self, key):
             from api.backend import OauthCacheManager
             token.refresh_token()
             user = OauthCacheManager().get_user(token.oauth['access_token'])
-            cache.set(token, user, timeout=token.oauth['expires_in'])
+            cache.set(key, user, timeout=token.oauth['expires_in'])
             return user, token.key
         return (token.owner, token.key)
 

rootfs/api/backend.py

@@ -32,16 +32,27 @@ class DryccOIDC(OpenIdConnectAuth):
         ('scope', 'scope'),
     ]
 
+    def __init__(self, *args, **kwargs):
+        self.timeout = 3  # request timeout
+        super().__init__(*args, **kwargs)
+
     @social_cache(ttl=86400)
     def oidc_config(self):
-        return self.get_json(self.OIDC_ENDPOINT +
-                             '/.well-known/openid-configuration/')
+        return self.get_json(
+            self.OIDC_ENDPOINT + '/.well-known/openid-configuration/',
+            timeout=self.timeout
+        )
 
     def get_user_data(self, access_token):
         """Loads user data from service"""
         url = settings.SOCIAL_AUTH_DRYCC_USERINFO_URL
-        response = self.get_json(url, headers={
-            'authorization': 'Bearer ' + access_token})
+        response = self.get_json(
+            url,
+            headers={
+                'authorization': 'Bearer ' + access_token
+            },
+            timeout=self.timeout,
+        )
         return {
             'id': response.get('id'),
             'username': response.get('username'),
@@ -62,13 +73,13 @@ def refresh_token(self, refresh_token):
                 'client_id': settings.SOCIAL_AUTH_DRYCC_KEY,
                 'refresh_token': refresh_token,
             },
+            timeout=self.timeout,
         )
 
 
 class OauthCacheManager(object):
 
-    def __init__(self, timeout=60 * 10):
-        self.timeout = timeout
+    def __init__(self):
         self.drycc_oauth = DryccOIDC()
 
     def get_user(self, access_token):
@@ -82,13 +93,13 @@ def _get_user(access_token):
                 logger.info(e)
                 raise exceptions.AuthenticationFailed(gettext_lazy('Verify token fail.'))
         return cache.get_or_set(
-            access_token, lambda: _get_user(access_token), settings.OAUTH_CACHE_USER_TIME)
+            access_token, lambda: _get_user(access_token), settings.DRYCC_CACHE_USER_TIME)
 
     def set_state(self, key, state):
-        cache.set("oidc_key_" + key, state, self.timeout)
+        cache.set("oidc_key_" + key, state, settings.DRYCC_CACHE_USER_TIME)
 
     def set_token(self, state, data):
-        cache.set("oidc_state_" + state, data, self.timeout)
+        cache.set("oidc_state_" + state, data, settings.DRYCC_CACHE_USER_TIME)
 
     def get_token(self, key):
         state = cache.get("oidc_key_" + key, "")

rootfs/api/consumers.py

@@ -4,8 +4,8 @@
 import ssl
 import aiohttp
 import asyncio
-import collections
 from django.conf import settings
+from django.core.cache import cache
 
 from asgiref.sync import sync_to_async, async_to_sync
 
@@ -22,21 +22,24 @@
 from .permissions import has_app_permission
 
 
-Request = collections.namedtuple("Request", ["user", "method"])
-
-
 class BaseAppConsumer(AsyncWebsocketConsumer):
+    timeout = 60 * 60
 
     @database_sync_to_async
     def has_perm(self):
         if self.scope["user"] is None:
             return False, "user not login"
-        request = Request(self.scope["user"], "POST")
-        try:
-            app = App.objects.get(id=self.id)
-            return has_app_permission(request, app)
-        except App.DoesNotExist:
-            return False, "user not exists"
+        key = f"permission:user:{self.scope["user"].id}:app:{self.id}"
+        permission = cache.get(key)
+        if permission is None:
+            try:
+                app = App.objects.get(id=self.id)
+                permission = has_app_permission(self.scope["user"], app, "GET")
+                if permission[0]:
+                    cache.set(key, permission, timeout=self.timeout)
+            except App.DoesNotExist:
+                permission = (False, "user not exists")
+        return permission
 
     async def connect(self):
         self.id = self.scope["url_route"]["kwargs"]["id"]

rootfs/api/manager.py

@@ -1,14 +1,19 @@
 import base64
+import logging
 import requests
 from typing import List, Dict
+from django.core.cache import cache
 from requests_toolbelt import user_agent
 from django.conf import settings
 from api import __version__ as drycc_version
 
+logger = logging.getLogger(__name__)
+
 
 class ManagerAPI(object):
 
-    def __init__(self):
+    def __init__(self, timeout=3):
+        self.timeout = timeout
         token = base64.b85encode(b"%s:%s" % (
             settings.WORKFLOW_MANAGER_ACCESS_KEY.encode("utf8"),
             settings.WORKFLOW_MANAGER_SECRET_KEY.encode("utf8"),
@@ -23,6 +28,7 @@ def request(self, method, url, **kwargs):
         headers = kwargs.get("headers", {})
         headers.update(self.headers)
         kwargs["headers"] = headers
+        kwargs["timeout"] = self.timeout
         return requests.request(method, url, **kwargs)
 
     def get(self, url, params=None, **kwargs):
@@ -57,8 +63,19 @@ def get_status(self, id):
             "message": "The user is in arrears"
         }
         """
-        url = f"{settings.WORKFLOW_MANAGER_URL}/users/{id}/status/"
-        return self.get(url=url).json()
+        key = f"user:status:{id}"
+        status = cache.get(key)
+        if not status:
+            url = f"{settings.WORKFLOW_MANAGER_URL}/users/{id}/status/"
+            try:
+                status = self.get(url=url, timeout=self.timeout).json()
+            except requests.exceptions.Timeout as ex:
+                msg = f"request user {id} timeout, skipping verification."
+                status = {"is_active": True, "message": msg}
+                logger.error(msg)
+                logger.exception(ex)
+            cache.set(key, status, timeout=settings.DRYCC_CACHE_USER_TIME)
+        return status
 
 
 class Measurement(ManagerAPI):

rootfs/api/middleware.py

@@ -3,8 +3,8 @@
 
 See https://docs.djangoproject.com/en/1.11/topics/http/middleware/
 """
-import collections
 from api import __version__
+from django.http.request import HttpRequest
 
 from channels.middleware import BaseMiddleware
 from channels.db import database_sync_to_async
@@ -36,18 +36,20 @@ class ChannelOAuthMiddleware(BaseMiddleware):
     """
     Middleware which populates scope["user"] from a auth2 token.
     """
-    Request = collections.namedtuple('Request', ["META"])
+    authentication = DryccAuthentication()
 
-    async def get_user(self, scope):
+    @database_sync_to_async
+    def get_user(self, scope):
         headers = {}
         for header in scope["headers"]:
-            if header[0] in (b"user-agent", b"authorization"):
+            if header[0] in (b"authorization", ):
                 key = "HTTP_%s" % header[0].decode().replace("-", "_").upper()
                 headers[key] = header[1].decode()
-        if len(headers) != 2:
+        if len(headers) < 1:
             return None
-        request = self.Request(headers)
-        user, _ = await database_sync_to_async(DryccAuthentication().authenticate)(request)
+        request = HttpRequest()
+        request.META = headers
+        user, _ = self.authentication.authenticate(request)
         return user
 
     async def __call__(self, scope, receive, send):

rootfs/api/models/app.py

@@ -1,4 +1,3 @@
-import backoff
 import base64
 import functools
 import json
@@ -341,33 +340,6 @@ def cleanup_old(self, procfile_types=None):
                     self.scheduler().deployments.delete(self.id, name, True)
         self.log(f"cleanup old kubernetes deployments for {self.id}")
 
-    @backoff.on_exception(backoff.expo, ServiceUnavailable, max_tries=3)
-    def logs(self, log_lines=str(settings.LOG_LINES)):
-        """Return aggregated log data for this application."""
-        url = "http://{}:{}/logs/{}?log_lines={}".format(
-            settings.LOGGER_HOST, settings.LOGGER_PORT, self.id, log_lines)
-        try:
-            r = requests.get(url)
-        # Handle HTTP request errors
-        except requests.exceptions.RequestException as e:
-            msg = "Error accessing drycc-logger using url '{}': {}".format(url, e)
-            logger.error(msg)
-            raise ServiceUnavailable(msg) from e
-
-        # Handle logs empty or not found
-        if r.status_code == 204 or r.status_code == 404:
-            logger.info("GET {} returned a {} status code".format(url, r.status_code))
-            raise NotFound('Could not locate logs')
-
-        # Handle unanticipated status codes
-        if r.status_code != 200:
-            logger.error("Error accessing drycc-logger: GET {} returned a {} status code"
-                         .format(url, r.status_code))
-            raise ServiceUnavailable('Error accessing drycc-logger')
-
-        # cast content to string since it comes as bytes via the requests object
-        return str(r.content.decode('utf-8'))
-
     def run(self, user, image=None, command=None, args=None, volumes=None,
             timeout=3600, expires=3600, **kwargs):
         def pod_name(size=5, chars=string.ascii_lowercase + string.digits):

rootfs/api/models/certificate.py

@@ -130,6 +130,10 @@ def domains(self):
 
         return domains
 
+    @property
+    def certname(self):
+        return '%s-certificate' % self.name
+
     def __str__(self):
         return self.name
 
@@ -197,24 +201,23 @@ def attach_in_kubernetes(self, domain):
         """Creates the certificate as a kubernetes secret"""
         # only create if it exists - We raise an exception when a secret doesn't exist
         try:
-            name = '%s-certificate' % self.name
             namespace = domain.app.id
             data = {
                 'tls.crt': self.certificate,
                 'tls.key': self.key
             }
 
-            secret = self.scheduler().secret.get(namespace, name).json()['data']
+            secret = self.scheduler().secret.get(namespace, self.certname).json()['data']
         except KubeException:
-            self.scheduler().secret.create(namespace, name, data)
+            self.scheduler().secret.create(namespace, self.certname, data)
         else:
             # update cert secret to the TLS Ingress format if required
             if secret != data:
                 try:
-                    self.scheduler().secret.update(namespace, name, data)
+                    self.scheduler().secret.update(namespace, self.certname, data)
                 except KubeException as e:
                     msg = 'There was a problem updating the certificate secret ' \
-                          '{} for {}'.format(name, namespace)
+                          '{} for {}'.format(self.certname, namespace)
                     raise ServiceUnavailable(msg) from e
 
     def detach(self, *args, **kwargs):
@@ -223,14 +226,15 @@ def detach(self, *args, **kwargs):
         domain.certificate = None
         domain.save()
 
-        name = '%s-certificate' % self.name
         namespace = domain.app.id
 
         # only delete if it exists and if no other domains depend on secret
         if len(self.domains) == 0:
             try:
                 # We raise an exception when a secret doesn't exist
-                self.scheduler().secret.get(namespace, name)
-                self.scheduler().secret.delete(namespace, name)
+                self.scheduler().secret.get(namespace, self.certname)
+                self.scheduler().secret.delete(namespace, self.certname)
             except KubeException as e:
-                raise ServiceUnavailable("Could not delete certificate secret {} for application {}".format(name, namespace)) from e  # noqa
+                raise ServiceUnavailable(
+                    "Could not delete certificate secret {} for application {}".format(
+                        self.certname, namespace)) from e

rootfs/api/models/gateway.py

@@ -68,7 +68,7 @@ def listeners(self):
                         "protocol": protocol,
                     }
                     secret_name = f"{self.app.id}-auto-tls" if auto_tls else (
-                        domain.certificate.name if domain.certificate else None)
+                        domain.certificate.certname if domain.certificate else None)
                     if secret_name and protocol in TLS_PROTOCOLS:
                         listener["tls"] = {
                             "certificateRefs": [{"kind": "Secret", "name": secret_name}]}

rootfs/api/permissions.py

@@ -17,17 +17,17 @@ def get_app_status(app):
     return True, None
 
 
-def has_app_permission(request, obj):
+def has_app_permission(user, obj, method):
     if isinstance(obj, App) or hasattr(obj, 'app'):
         app = obj if isinstance(obj, App) else obj.app
         is_ok, message = get_app_status(app)
         if is_ok:
-            if request.user.is_superuser:
+            if user.is_superuser:
                 return True, None
-            elif app.owner == request.user:
+            elif app.owner == user:
                 return True, None
-            elif request.user.is_staff or request.user.has_perm('use_app', app):
-                if request.method != 'DELETE':
+            elif user.is_staff or user.has_perm('use_app', app):
+                if method != 'DELETE':
                     return True, None
                 else:
                     return False, "User does not have permission to delete"
@@ -81,7 +81,7 @@ class IsAppUser(permissions.BasePermission):
     an app-related model.
     """
     def has_object_permission(self, request, view, obj):
-        return has_app_permission(request, obj)[0]
+        return has_app_permission(request.user, obj, request.method)[0]
 
 
 class IsAdmin(permissions.BasePermission):

rootfs/api/settings/production.py

@@ -457,7 +457,7 @@
     'social_core.pipeline.user.user_details',
 )
 AUTHENTICATION_BACKENDS = ("api.backend.DryccOIDC", ) + AUTHENTICATION_BACKENDS
-OAUTH_CACHE_USER_TIME = int(os.environ.get('OAUTH_CACHE_USER_TIME', 30 * 60))
+DRYCC_CACHE_USER_TIME = int(os.environ.get('DRYCC_CACHE_USER_TIME', 30 * 60))
 
 # Redis Configuration
 DRYCC_REDIS_ADDRS = os.environ.get('DRYCC_REDIS_ADDRS', '127.0.0.1:6379').split(",")