Add query endpoint for trusted users

[MialLewis]

This PR adds an endpoint that allows trusted users to query the report database.

• It requires a token which will only be shared selectively
• It utilises a read only Postgres account
• The database connection is read only

To test (contact me for the token, it's on keeper):

Error on write:

curl -vk "https://reports.a.staging-mantidproject.stfc.ac.uk/api/query" \
  --data-urlencode "sql=INSERT INTO services_featureusage DEFAULT VALUES" --data-urlencode "token=<TOKEN>"

Read action:

curl -vk "https://reports.a.staging-mantidproject.stfc.ac.uk/api/query" \
  --data-urlencode "sql=SELECT * FROM services_featureusage LIMIT 10;" --data-urlencode "token=<TOKEN>" 

Closes #95

[warunawickramasingha]

Proposed a few suggestions to improve the code, style and better handle exceptions + rate limiting rule at nginx level. Please check and apply as necessary.

[warunawickramasingha]

Not a huge concern in this context. But for secret validations, it is recommended to use something like compare_digest instead of == to avoid timing attacks.

Suggested change

	return token == secret
	from hmac import compare_digest
	return compare_digest(token, secret)

[warunawickramasingha]

Suggested change

	from rest_framework import response, viewsets, status

[warunawickramasingha]

I guess these numbers are quite generous

Suggested change

	proxy_connect_timeout 60s;
	proxy_send_timeout 60s;
	proxy_read_timeout 60s;
	proxy_connect_timeout 30s;
	proxy_send_timeout 30s;
	proxy_read_timeout 30s;

[warunawickramasingha]

For improved readability

Suggested change

	return response.Response(status=401, data="UNAUTHORIZED")
	return response.Response(status=status.HTTP_401_UNAUTHORIZED, data="UNAUTHORIZED")

[warunawickramasingha]

Exception handling for db operations

Suggested change

	if sql_err:
	return response.Response(status=400, data=f"Invalid Parameters: {sql_err}")
	conn = connections["readonly"]
	with conn.cursor() as cur:
	cur.execute(sql)
	res = cur.fetchall()
	return response.Response(res)
	if sql_err:
	return response.Response(status=status.HTTP_400_BAD_REQUEST, data=f"Invalid Parameters: {sql_err}")
	try:
	conn = connections["readonly"]
	with conn.cursor() as cur:
	cur.execute(sql)
	res = cur.fetchall()
	except Exception:
	return Response({"error": "Query failed"}, status=status.HTTP_400_BAD_REQUEST)
	return response.Response(res)

[warunawickramasingha]

To work better with --data-urlencode "sql="

Suggested change

	return err, val
	def get_parameter(request, param):
	val = request.POST.get(param)
	if val is None or val.strip() == "":
	return f"No {param} parameter provided", None
	return None, val

[warunawickramasingha]

Define a rate limiting zone with 5 requests per second to be used at /api/query location to avoid any spikes due to usage errors

Suggested change

	http {
	limit_req_zone $binary_remote_addr zone=query_limit:10m rate=5r/s;
	server {

[warunawickramasingha]

Apply the above defined query_limit rate limiting allowing short bursts with delays to be queued further

Suggested change

	# Rate limiting
	limit_req zone=query_limit burst=10;

[warunawickramasingha]

add extra closing } for the new http block

Suggested change

	}
	}
	}