| """Django Airavata Auth Middleware.""" |
| import copy |
| import logging |
| |
| from django.conf import settings |
| from django.contrib.auth import logout |
| from django.shortcuts import redirect |
| from django.urls import reverse |
| |
| from . import utils |
| |
| log = logging.getLogger(__name__) |
| |
| |
| def authz_token_middleware(get_response): |
| """Automatically add the 'authz_token' to the request.""" |
| def middleware(request): |
| |
| authz_token = None |
| if request.user.is_authenticated: |
| authz_token = utils.get_authz_token(request) |
| # If we can't construct an authz_token then need to re-login |
| if authz_token is None: |
| # logout user since no longer logged in with IAM server |
| logout(request) |
| |
| request.authz_token = authz_token |
| |
| return get_response(request) |
| |
| return middleware |
| |
| |
| def set_admin_group_attributes(request, gateway_groups=None): |
| """Set is_gateway_admin and is_read_only_gateway_admin request attrs.""" |
| if gateway_groups is None: |
| gateway_groups = request.airavata_client.getGatewayGroups(request.authz_token) |
| gateway_groups = copy.deepcopy(gateway_groups.__dict__) |
| admins_group_id = gateway_groups['adminsGroupId'] |
| read_only_admins_group_id = gateway_groups['readOnlyAdminsGroupId'] |
| group_manager_client = request.profile_service['group_manager'] |
| group_memberships = group_manager_client.getAllGroupsUserBelongs( |
| request.authz_token, request.user.username + "@" + settings.GATEWAY_ID) |
| group_ids = [group.id for group in group_memberships] |
| request.is_gateway_admin = admins_group_id in group_ids |
| request.is_read_only_gateway_admin = read_only_admins_group_id in group_ids |
| |
| |
| def gateway_groups_middleware(get_response): |
| """Add 'is_gateway_admin' and 'is_read_only_gateway_admin' to request.""" |
| def middleware(request): |
| |
| request.is_gateway_admin = False |
| request.is_read_only_gateway_admin = False |
| |
| if (not request.user.is_authenticated or |
| not request.authz_token or |
| (hasattr(request.user, "user_profile") and |
| not request.user.user_profile.is_complete)): |
| return get_response(request) |
| |
| try: |
| # Load the GatewayGroups and check if user is in the Admins and/or |
| # Read Only Admins groups |
| if not request.session.get('GATEWAY_GROUPS'): |
| gateway_groups = request.airavata_client.getGatewayGroups( |
| request.authz_token) |
| gateway_groups_dict = copy.deepcopy(gateway_groups.__dict__) |
| request.session['GATEWAY_GROUPS'] = gateway_groups_dict |
| set_admin_group_attributes(request, gateway_groups=request.session.get("GATEWAY_GROUPS")) |
| # Gateway Admins are made 'superuser' in Django so they can edit |
| # pages in the CMS |
| if request.is_gateway_admin and ( |
| not request.user.is_superuser or |
| not request.user.is_staff): |
| request.user.is_superuser = True |
| request.user.is_staff = True |
| request.user.save() |
| except Exception as e: |
| log.warning("Failed to set is_gateway_admin, " |
| "is_read_only_gateway_admin for user", exc_info=e) |
| |
| return get_response(request) |
| return middleware |
| |
| |
| def user_profile_completeness_check(get_response): |
| """Check if user profile is complete and if not, redirect to user profile editor.""" |
| def middleware(request): |
| |
| if not request.user.is_authenticated: |
| return get_response(request) |
| |
| allowed_paths = [ |
| reverse('django_airavata_auth:user_profile'), |
| reverse('django_airavata_auth:logout'), |
| ] |
| incomplete_user_profile = (hasattr(request.user, "user_profile") and |
| not request.user.user_profile.is_complete) |
| # Exclude admin's from the ext user profile check since they will be |
| # creating/editing the ext user profile fields |
| invalid_ext_user_profile = (not getattr(request, "is_gateway_admin", False) and |
| hasattr(request.user, "user_profile") and |
| not request.user.user_profile.is_ext_user_profile_valid) |
| if ((incomplete_user_profile or invalid_ext_user_profile) and |
| request.path not in allowed_paths and |
| 'text/html' in request.META['HTTP_ACCEPT']): |
| return redirect('django_airavata_auth:user_profile') |
| else: |
| return get_response(request) |
| return middleware |