#5495

Committed 21 May 2026 03:10PM UTC coverage: 89.917% (-0.02%) from 89.936%

Build # #5495

Build Type

Pull #3790

circleci

Committed by

bhearsum

Commit Message

feat: allow admin to run it read-only mode

From now until when we cut over prod to MozCloud we're going to run the database as a replica of the GCPv1 database. This means we can't make any writes through MozCloud infra. We need to accommodate the heartbeat function of admin, and make it operate as read-only until we cut over.

I intend to back this patch out entirely after cut-over.

Pull Request Pull Request #3790: feat: allow admin to run it read-only mode

Coverage Stats

2193 of 2576 branches covered (85.13%)

Branch coverage included in aggregate %.

3 of 4 new or added lines in 1 file covered. (75.0%)

5762 of 6271 relevant lines covered (91.88%)

0.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

87.93

/src/auslib/web/admin/base.py

import logging
import re
from os import path

import connexion
from flask import g, request
from sentry_sdk import capture_exception
from specsynthase.specbuilder import SpecBuilder
from statsd.defaults.env import statsd

import auslib
from auslib.db import ChangeScheduledError, OutdatedDataError, UpdateMergeError
from auslib.dockerflow import create_dockerflow_endpoints
from auslib.errors import BlobValidationError, PermissionDeniedError, ReadOnlyError, SignoffRequiredError
from auslib.util.auth import AuthError, verified_userinfo
from auslib.web.admin.views.problem import problem
from auslib.web.admin.views.validators import BalrogRequestBodyValidator

log = logging.getLogger(__name__)

current_dir = path.dirname(__file__)
web_dir = path.dirname(auslib.web.__file__)

spec = (
    SpecBuilder()
    .add_spec(path.join(current_dir, "swagger/api.yml"))
    .add_spec(path.join(web_dir, "common/swagger/definitions.yml"))
    .add_spec(path.join(web_dir, "common/swagger/parameters.yml"))
    .add_spec(path.join(web_dir, "common/swagger/responses.yml"))
)

validator_map = {"body": BalrogRequestBodyValidator}


def should_time_request():
    # don't time OPTIONS requests
    if request.method == "OPTIONS":
        return False
    # don't time requests that don't match a valid route
    if request.url_rule is None:
        return False
    # don't time dockerflow endpoints
    if request.path.startswith("/__"):
        return False

    return True


def create_app(allow_read_only=False):
    connexion_app = connexion.App(__name__, debug=False, options={"swagger_ui": False})
    connexion_app.add_api(spec, validator_map=validator_map, strict_validation=True)
    connexion_app.add_api(path.join(current_dir, "swagger", "api_v2.yml"), base_path="/v2", strict_validation=True, validate_responses=True)
    flask_app = connexion_app.app

    if allow_read_only:
        create_dockerflow_endpoints(flask_app, heartbeat_database_fn=lambda dbo: dbo.rules.count())
    else:
        create_dockerflow_endpoints(flask_app)

    @flask_app.before_request
    def setup_statsd():
        g.statsd = statsd.pipeline()
        g.request_timer = None
        if should_time_request():
            # do some massaging to get the metric name right
            # * get rid of the `/v2` prefix on v2 endpoints added by `base_path` further up
            # * remove various module prefixes
            # * add a common prefix to ensure that we can mark these metrics as gauges for
            #   statsd
            metric = (
                request.url_rule.endpoint.removeprefix("/v2.")
                .removeprefix("/.")
                .removeprefix("auslib_web_admin_views_")
                .removeprefix("auslib_web_admin_")
                .removeprefix("auslib_web_common_")
            )
            metric = f"endpoint_{metric}"
            g.request_timer = g.statsd.timer(metric)
            g.request_timer.start()

    @flask_app.before_request
    def setup_request():
        if request.full_path.startswith("/v2"):
            from auslib.global_state import dbo

            request.transaction = dbo.begin()

            if request.method in ("POST", "PUT", "DELETE"):
                username = verified_userinfo(request, flask_app.config["AUTH_DOMAIN"], flask_app.config["AUTH_AUDIENCE"])["email"]
                if not username:
                    log.warning("Login Required")
                    return problem(401, "Unauthenticated", "Login Required")
                # Machine to machine accounts are identified by uninformative clientIds
                # In order to keep Balrog permissions more readable, we map them to
                # more useful usernames, which are stored in the app config.
                if "@" not in username:
                    username = flask_app.config["M2M_ACCOUNT_MAPPING"].get(username, username)
                # Even if the user has provided a valid access token, we don't want to assume
                # that person should be able to access Balrog (in case auth0 is not configured
                # to be restrictive enough.
                elif not dbo.isKnownUser(username):
                    log.warning("Authorization Required")
                    return problem(403, "Forbidden", "Authorization Required")

                request.username = username

    @flask_app.after_request
    def complete_request(response):
        if hasattr(request, "transaction"):
            try:
                if response.status_code >= 400:
                    request.transaction.rollback()
                else:
                    request.transaction.commit()
            finally:
                request.transaction.close()

        return response

    @flask_app.errorhandler(OutdatedDataError)
    def outdated_data_error(error):
        msg = "Couldn't perform the request %s. Outdated Data Version. old_data_version doesn't match current data_version" % request.method
        log.warning("Bad input: %s", msg)
        log.warning(error)
        return problem(400, "Bad Request", "OutdatedDataError", ext={"exception": msg})

    @flask_app.errorhandler(UpdateMergeError)
    def update_merge_error(error):
        msg = "Couldn't perform the request %s due to merge error. Is there a scheduled change that conflicts with yours?" % request.method
        log.warning("Bad input: %s", msg)
        log.warning(error)
        return problem(400, "Bad Request", "UpdateMergeError", ext={"exception": msg})

    @flask_app.errorhandler(ChangeScheduledError)
    def change_scheduled_error(error):
        msg = "Couldn't perform the request %s due a conflict with a scheduled change. " % request.method
        msg += str(error)
        log.warning("Bad input: %s", msg)
        log.warning(error)
        return problem(400, "Bad Request", "ChangeScheduledError", ext={"exception": msg})

    @flask_app.errorhandler(AuthError)
    def auth_error(error):
        msg = "Permission denied to perform the request. {}".format(error.error)
        log.warning(msg)
        return problem(error.status_code, "Forbidden", "PermissionDeniedError", ext={"exception": msg})

    @flask_app.errorhandler(BlobValidationError)
    def blob_validation_error(error):
        return problem(400, "Bad Request", "Invalid Blob", ext={"exception": error.errors})

    @flask_app.errorhandler(SignoffRequiredError)
    def signoff_required_error(error):
        return problem(400, "Bad Request", "Signoff Required", ext={"exception": f"{error}"})

    @flask_app.errorhandler(ReadOnlyError)
    def read_only_error(error):
        return problem(400, "Bad Request", "Read only", ext={"exception": f"{error}"})

    @flask_app.errorhandler(PermissionDeniedError)
    def permission_denied_error(error):
        return problem(403, "Forbidden", "Permission Denied", ext={"exception": f"{error}"})

    @flask_app.errorhandler(ValueError)
    def value_error(error):
        return problem(400, "Bad Request", "Unknown error", ext={"exception": f"{error}"})

    # Connexion's error handling sometimes breaks when parameters contain
    # unicode characters (https://github.com/zalando/connexion/issues/604).
    # To work around, we catch them and return a 400 (which is what Connexion
    # would do if it didn't hit this error).
    @flask_app.errorhandler(UnicodeEncodeError)
    def unicode(error):
        return problem(400, "Unicode Error", "Connexion was unable to parse some unicode data correctly.")

    @flask_app.errorhandler(Exception)
    def ise(error):
        capture_exception(error)
        log.exception("Caught ISE 500 error: %r", error)
        log.debug("Request path is: %s", request.path)
        log.debug("Request environment is: %s", request.environ)
        log.debug("Request headers are: %s", request.headers)
        return problem(500, "Internal Server Error", "Internal Server Error")

    @flask_app.after_request
    def add_security_headers(response):
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["Strict-Transport-Security"] = flask_app.config.get("STRICT_TRANSPORT_SECURITY", "max-age=31536000;")
        response.headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        response.headers["Access-Control-Allow-Methods"] = "OPTIONS, GET, POST, PUT, DELETE"
        if "*" in flask_app.config["CORS_ORIGINS"]:
            response.headers["Access-Control-Allow-Origin"] = "*"
        elif "Origin" in request.headers and request.headers["Origin"] in flask_app.config["CORS_ORIGINS"]:
            response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"]
        if re.match("^/ui/", request.path):
            # This enables swagger-ui to dynamically fetch and
            # load the swagger specification JSON file containing API definition and examples.
            response.headers["X-Frame-Options"] = "SAMEORIGIN"
        else:
            response.headers["Content-Security-Policy"] = flask_app.config.get("CONTENT_SECURITY_POLICY", "default-src 'none'; frame-ancestors 'none'")
        return response

    # this is specifically set-up last before after_request handlers are called
    # in reverse order of registering, and we want this one to be called first
    # to avoid it being skipped if another one raises an exception
    @flask_app.after_request
    def send_stats(response):
        if hasattr(g, "request_timer") and g.request_timer:
            g.request_timer.stop()
        g.statsd.send()

        return response

    return connexion_app

1	import logging	1✔
2	import re	1✔
3	from os import path	1✔
4
5	import connexion	1✔
6	from flask import g, request	1✔
7	from sentry_sdk import capture_exception	1✔
8	from specsynthase.specbuilder import SpecBuilder	1✔
9	from statsd.defaults.env import statsd	1✔
10
11	import auslib	1✔
12	from auslib.db import ChangeScheduledError, OutdatedDataError, UpdateMergeError	1✔
13	from auslib.dockerflow import create_dockerflow_endpoints	1✔
14	from auslib.errors import BlobValidationError, PermissionDeniedError, ReadOnlyError, SignoffRequiredError	1✔
15	from auslib.util.auth import AuthError, verified_userinfo	1✔
16	from auslib.web.admin.views.problem import problem	1✔
17	from auslib.web.admin.views.validators import BalrogRequestBodyValidator	1✔
18
19	log = logging.getLogger(__name__)	1✔
20
21	current_dir = path.dirname(__file__)	1✔
22	web_dir = path.dirname(auslib.web.__file__)	1✔
23
24	spec = (	1✔
25	SpecBuilder()
26	.add_spec(path.join(current_dir, "swagger/api.yml"))
27	.add_spec(path.join(web_dir, "common/swagger/definitions.yml"))
28	.add_spec(path.join(web_dir, "common/swagger/parameters.yml"))
29	.add_spec(path.join(web_dir, "common/swagger/responses.yml"))
30	)
31
32	validator_map = {"body": BalrogRequestBodyValidator}	1✔
33
34
35	def should_time_request():	1✔
36	# don't time OPTIONS requests
37	if request.method == "OPTIONS":	1!
38	return False	×
39	# don't time requests that don't match a valid route
40	if request.url_rule is None:	1✔
41	return False	1✔
42	# don't time dockerflow endpoints
43	if request.path.startswith("/__"):	1✔
44	return False	1✔
45
46	return True	1✔
47
48
49	def create_app(allow_read_only=False):	1✔
50	connexion_app = connexion.App(__name__, debug=False, options={"swagger_ui": False})	1✔
51	connexion_app.add_api(spec, validator_map=validator_map, strict_validation=True)	1✔
52	connexion_app.add_api(path.join(current_dir, "swagger", "api_v2.yml"), base_path="/v2", strict_validation=True, validate_responses=True)	1✔
53	flask_app = connexion_app.app	1✔
54
55	if allow_read_only:	1!
NEW 56	create_dockerflow_endpoints(flask_app, heartbeat_database_fn=lambda dbo: dbo.rules.count())	×
57	else:
58	create_dockerflow_endpoints(flask_app)	1✔
59
60	@flask_app.before_request	1✔
61	def setup_statsd():	1✔
62	g.statsd = statsd.pipeline()	1✔
63	g.request_timer = None	1✔
64	if should_time_request():	1✔
65	# do some massaging to get the metric name right
66	# * get rid of the `/v2` prefix on v2 endpoints added by `base_path` further up
67	# * remove various module prefixes
68	# * add a common prefix to ensure that we can mark these metrics as gauges for
69	# statsd
70	metric = (	1✔
71	request.url_rule.endpoint.removeprefix("/v2.")
72	.removeprefix("/.")
73	.removeprefix("auslib_web_admin_views_")
74	.removeprefix("auslib_web_admin_")
75	.removeprefix("auslib_web_common_")
76	)
77	metric = f"endpoint_{metric}"	1✔
78	g.request_timer = g.statsd.timer(metric)	1✔
79	g.request_timer.start()	1✔
80
81	@flask_app.before_request	1✔
82	def setup_request():	1✔
83	if request.full_path.startswith("/v2"):	1✔
84	from auslib.global_state import dbo	1✔
85
86	request.transaction = dbo.begin()	1✔
87
88	if request.method in ("POST", "PUT", "DELETE"):	1✔
89	username = verified_userinfo(request, flask_app.config["AUTH_DOMAIN"], flask_app.config["AUTH_AUDIENCE"])["email"]	1✔
90	if not username:	1!
91	log.warning("Login Required")	×
92	return problem(401, "Unauthenticated", "Login Required")	×
93	# Machine to machine accounts are identified by uninformative clientIds
94	# In order to keep Balrog permissions more readable, we map them to
95	# more useful usernames, which are stored in the app config.
96	if "@" not in username:	1!
97	username = flask_app.config["M2M_ACCOUNT_MAPPING"].get(username, username)	1✔
98	# Even if the user has provided a valid access token, we don't want to assume
99	# that person should be able to access Balrog (in case auth0 is not configured
100	# to be restrictive enough.
101	elif not dbo.isKnownUser(username):	×
102	log.warning("Authorization Required")	×
103	return problem(403, "Forbidden", "Authorization Required")	×
104
105	request.username = username	1✔
106
107	@flask_app.after_request	1✔
108	def complete_request(response):	1✔
109	if hasattr(request, "transaction"):	1✔
110	try:	1✔
111	if response.status_code >= 400:	1✔
112	request.transaction.rollback()	1✔
113	else:
114	request.transaction.commit()	1✔
115	finally:
116	request.transaction.close()	1✔
117
118	return response	1✔
119
120	@flask_app.errorhandler(OutdatedDataError)	1✔
121	def outdated_data_error(error):	1✔
122	msg = "Couldn't perform the request %s. Outdated Data Version. old_data_version doesn't match current data_version" % request.method	1✔
123	log.warning("Bad input: %s", msg)	1✔
124	log.warning(error)	1✔
125	return problem(400, "Bad Request", "OutdatedDataError", ext={"exception": msg})	1✔
126
127	@flask_app.errorhandler(UpdateMergeError)	1✔
128	def update_merge_error(error):	1✔
129	msg = "Couldn't perform the request %s due to merge error. Is there a scheduled change that conflicts with yours?" % request.method	1✔
130	log.warning("Bad input: %s", msg)	1✔
131	log.warning(error)	1✔
132	return problem(400, "Bad Request", "UpdateMergeError", ext={"exception": msg})	1✔
133
134	@flask_app.errorhandler(ChangeScheduledError)	1✔
135	def change_scheduled_error(error):	1✔
136	msg = "Couldn't perform the request %s due a conflict with a scheduled change. " % request.method	1✔
137	msg += str(error)	1✔
138	log.warning("Bad input: %s", msg)	1✔
139	log.warning(error)	1✔
140	return problem(400, "Bad Request", "ChangeScheduledError", ext={"exception": msg})	1✔
141
142	@flask_app.errorhandler(AuthError)	1✔
143	def auth_error(error):	1✔
144	msg = "Permission denied to perform the request. {}".format(error.error)	1✔
145	log.warning(msg)	1✔
146	return problem(error.status_code, "Forbidden", "PermissionDeniedError", ext={"exception": msg})	1✔
147
148	@flask_app.errorhandler(BlobValidationError)	1✔
149	def blob_validation_error(error):	1✔
150	return problem(400, "Bad Request", "Invalid Blob", ext={"exception": error.errors})	1✔
151
152	@flask_app.errorhandler(SignoffRequiredError)	1✔
153	def signoff_required_error(error):	1✔
154	return problem(400, "Bad Request", "Signoff Required", ext={"exception": f"{error}"})	1✔
155
156	@flask_app.errorhandler(ReadOnlyError)	1✔
157	def read_only_error(error):	1✔
158	return problem(400, "Bad Request", "Read only", ext={"exception": f"{error}"})	1✔
159
160	@flask_app.errorhandler(PermissionDeniedError)	1✔
161	def permission_denied_error(error):	1✔
162	return problem(403, "Forbidden", "Permission Denied", ext={"exception": f"{error}"})	1✔
163
164	@flask_app.errorhandler(ValueError)	1✔
165	def value_error(error):	1✔
166	return problem(400, "Bad Request", "Unknown error", ext={"exception": f"{error}"})	1✔
167
168	# Connexion's error handling sometimes breaks when parameters contain
169	# unicode characters (https://github.com/zalando/connexion/issues/604).
170	# To work around, we catch them and return a 400 (which is what Connexion
171	# would do if it didn't hit this error).
172	@flask_app.errorhandler(UnicodeEncodeError)	1✔
173	def unicode(error):	1✔
174	return problem(400, "Unicode Error", "Connexion was unable to parse some unicode data correctly.")	×
175
176	@flask_app.errorhandler(Exception)	1✔
177	def ise(error):	1✔
178	capture_exception(error)	1✔
179	log.exception("Caught ISE 500 error: %r", error)	1✔
180	log.debug("Request path is: %s", request.path)	1✔
181	log.debug("Request environment is: %s", request.environ)	1✔
182	log.debug("Request headers are: %s", request.headers)	1✔
183	return problem(500, "Internal Server Error", "Internal Server Error")	1✔
184
185	@flask_app.after_request	1✔
186	def add_security_headers(response):	1✔
187	response.headers["X-Frame-Options"] = "DENY"	1✔
188	response.headers["X-Content-Type-Options"] = "nosniff"	1✔
189	response.headers["Strict-Transport-Security"] = flask_app.config.get("STRICT_TRANSPORT_SECURITY", "max-age=31536000;")	1✔
190	response.headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"	1✔
191	response.headers["Access-Control-Allow-Methods"] = "OPTIONS, GET, POST, PUT, DELETE"	1✔
192	if "*" in flask_app.config["CORS_ORIGINS"]:	1!
193	response.headers["Access-Control-Allow-Origin"] = "*"	1✔
194	elif "Origin" in request.headers and request.headers["Origin"] in flask_app.config["CORS_ORIGINS"]:	×
195	response.headers["Access-Control-Allow-Origin"] = request.headers["Origin"]	×
196	if re.match("^/ui/", request.path):	1!
197	# This enables swagger-ui to dynamically fetch and
198	# load the swagger specification JSON file containing API definition and examples.
199	response.headers["X-Frame-Options"] = "SAMEORIGIN"	×
200	else:
201	response.headers["Content-Security-Policy"] = flask_app.config.get("CONTENT_SECURITY_POLICY", "default-src 'none'; frame-ancestors 'none'")	1✔
202	return response	1✔
203
204	# this is specifically set-up last before after_request handlers are called
205	# in reverse order of registering, and we want this one to be called first
206	# to avoid it being skipped if another one raises an exception
207	@flask_app.after_request	1✔
208	def send_stats(response):	1✔
209	if hasattr(g, "request_timer") and g.request_timer:	1✔
210	g.request_timer.stop()	1✔
211	g.statsd.send()	1✔
212
213	return response	1✔
214
215	return connexion_app	1✔

mozilla-releng / balrog / #5495

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous