RHCLOUD-37820: user lookup endpoint (#1569)

* configure logging for rbac.internal packages, added logs to internal middleware utils

* start new endpoint for getting user data with username or email. support getting username from bop if only email present

* add whitespace

* honor include_permissions in request to bop

* always query bop for user

* query all the required data and return it

* use underscore for email

* updated error message

* ran linter and fixed errors

* fixed lint error for membership check, moved Sentry error to new errors file

* added method docs and fixed formatting

* removed usage of deprecated function

* catch exception when querying for principal, and use correct options in request to bop

* fixed invalid assertions, added happy path test for get_user_data

* add warning if bop user doesnt have required data, added tests for invalid requests

* split up internal view set tests into multiple classes and a base class

* log warning when user in bop but not rbac, add more tests to cover the rest of get_user_data

* updates after running linter

* abstract out the path for user lookup tests

* change endpoint name to user_lookup

* catch error if identity header not included on request

* use exact match when querying for username, and update error message

* handle case where no principal exists in rbac, and multiple exist in rbac

* updated api spec

* remove todo

* revert unneeded change

* add functionality to disable auth for internal apis

* linter fixes

* dont expose no_auth_paths as env var because that could be a security risk

* remove uuid and platform and admind efault

* add default for role description

* utilize util methods

* linter fixes

* log exceptions

* fix existing tests

* linter fix

* test for public tenant

* add new test cases, use assertCountEqual

* linter fixes

* cover case where tenant does not exist

* Add test to cover exception

* linter fixes

* remove no auth for user lookup

* pass user tenant to get_principal method

* remove blank line

* update test to account for exception being caught

* add optional to get_principal and add a test for this case

Author: dagbay-rh

Diff for: rbac/internal/errors.py

@@ -0,0 +1,30 @@
+#
+# Copyright 2025 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+"""Public errors related to internal views/endpoints."""
+
+
+class UserNotFoundError(Exception):
+    """Raised when a user cannot be found via proxy service (bop)."""
+
+    pass
+
+
+class SentryDiagnosticError(Exception):
+    """Raise this to create an event in Sentry."""
+
+    pass

Diff for: rbac/internal/middleware.py

@@ -56,7 +56,7 @@ def process_request(self, request):
         else:
             try:
                 _, json_rh_auth = extract_header(request, self.header)
-            except (JSONDecodeError, binascii.Error):
+            except (JSONDecodeError, binascii.Error, KeyError):
                 logger.exception("Invalid X-RH-Identity header.")
                 return HttpResponseForbidden()
             user = build_internal_user(request, json_rh_auth)

Diff for: rbac/internal/specs/openapi.json

@@ -2015,6 +2015,124 @@
         }
       }
     },
+    "/api/utils/user_lookup/": {
+      "get":{
+        "summary": "Get user info",
+        "description": "Query for a user's groups, roles, and permissions based on their username or email. Only one of the params is required.",
+        "operationId": "userLookup",
+        "parameters": [
+          {
+            "name": "username",
+            "in": "query",
+            "description": "Username of the desired user to query for. If both username and email are provided, username is used and email is ignored.",
+            "required": true,
+            "schema":{
+              "type": "string"
+            }
+          },
+          {
+            "name": "email",
+            "in": "query",
+            "description": "Email address of the desired user to query for. If both username and email are provided, username is used and email is ignored.",
+            "required": true,
+            "schema":{
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Result set of user groups, roles, and permissions.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "username": { "type": "string", "example": "fake_user" },
+                    "email_address": { "type": "string", "example": "[email protected]" },
+                    "groups":{
+                      "type": "array",
+                      "items":{
+                        "type": "object",
+                        "properties": {
+                          "name": { "type": "string", "example": "Example group"},
+                          "description": { "type": "string", "example": "A group for some users" },
+                          "uuid": { "type": "string", "format":"uuid", "example": "1c4da003-569d-433f-8159-fd77e6984de1" },
+                          "platform_default": { "type": "boolean", "example": true },
+                          "admin_default": { "type": "boolean", "example": false },
+                          "roles":{
+                            "type": "array",
+                            "items": {
+                              "type": "object",
+                              "properties": {
+                                "name": { "type": "string", "example": "Example Role" },
+                                "display_name": { "type": "string", "example": "Example Role Display" },
+                                "description": { "type": "string", "example": "An example role for the spec" },
+                                "uuid": { "type": "string", "format":"uuid", "example": "a8d33564-628f-4eba-bd59-6a2948bfb31e" },
+                                "platform_default": { "type": "boolean", "example": true },
+                                "admin_default": { "type": "boolean", "example": false },
+                                "permissions": {
+                                  "type": "array",
+                                  "items":{
+                                    "type": "string",
+                                    "example": "application | resource | verb"
+                                  }
+                                }
+                              }
+                            }
+                          }
+                        }
+                      }
+                    }
+                  },
+                  "required": ["username", "email_address", "groups"]
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid request - bad input",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorSingle"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Not found - user not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorSingle"
+                }
+              }
+            }
+          },
+          "405": {
+            "description": "Invalid method - invalid http method used, only GET allowed",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorSingle"
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal error - unexpected internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorSingle"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/_s2s/workspaces/ungrouped/": {
       "post": {
         "tags": [
@@ -2111,6 +2229,17 @@
           }
         }
       },
+      "ErrorSingle": {
+        "required": [
+          "error"
+        ],
+        "properties": {
+          "error": {
+            "type": "string",
+            "example": "Invalid request - bad input provided"
+          }
+        }
+      },
       "Error403": {
         "required": [
           "errors"

Diff for: rbac/internal/urls.py

@@ -96,6 +96,7 @@
     path("api/utils/reset_imported_tenants/", views.reset_imported_tenants),
     path("api/utils/resource_definitions/", views.correct_resource_definitions),
     path("api/utils/principal/", views.principal_removal),
+    path("api/utils/user_lookup/", views.user_lookup),
 ]
 
 urlpatterns.extend(integration_urlpatterns)

Diff for: rbac/internal/utils.py

@@ -36,13 +36,20 @@ def build_internal_user(request, json_rh_auth):
     user = User()
     valid_identity_types = ["Associate", "X509"]
     try:
-        if not json_rh_auth["identity"]["type"] in valid_identity_types:
+        identity_type = json_rh_auth["identity"]["type"]
+        if identity_type not in valid_identity_types:
+            logger.debug(
+                f"User identity type is not valid: '{identity_type}'. Valid types are: {valid_identity_types}"
+            )
             return None
         user.username = json_rh_auth["identity"].get("associate", {}).get("email", "system")
         user.admin = True
         user.org_id = resolve(request.path).kwargs.get("org_id")
         return user
     except KeyError:
+        logger.debug(
+            f"Identity object is missing 'identity.type' attribute. Valid options are: {valid_identity_types}"
+        )
         return None