chore(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

.gitignore

@@ -14,6 +14,7 @@ develop-eggs
 .venv
 lib
 lib64
+.sisyphus
 
 # Drycc' config file
 controller/drycc/local_settings.py

charts/controller/templates/_helpers.tpl

@@ -49,11 +49,6 @@ env:
     secretKeyRef:
       name: controller-creds
       key: django-secret-key
-- name: DRYCC_SERVICE_KEY
-  valueFrom:
-    secretKeyRef:
-      name: controller-creds
-      key: service-key
 {{- if (.Values.valkeyUrl) }}
 - name: DRYCC_VALKEY_URL
   valueFrom:
@@ -99,12 +94,6 @@ env:
   value: "postgres://$(DRYCC_PG_USER):$(DRYCC_PG_PASSWORD)@drycc-database-replica:5432/controller"
 {{- end }}
 {{- if (.Values.workflowManagerUrl) }}
-- name: WORKFLOW_MANAGER_URL
-  value: "{{ .Values.workflowManagerUrl }}"
-- name: WORKFLOW_MANAGER_ACCESS_KEY
-  value: "{{ .Values.workflowManagerAccessKey }}"
-- name: WORKFLOW_MANAGER_SECRET_KEY
-  value: "{{ .Values.workflowManagerSecretKey }}"
 {{- end }}
 - name: POD_IP
   valueFrom:
@@ -129,7 +118,7 @@ env:
   value: "http://drycc-victoriametrics-vmselect:8481/select/multitenant/prometheus"
 {{- end }}
 {{- if .Values.passport.enabled }}
-- name: "DRYCC_PASSPORT_URL"
+- name: DRYCC_PASSPORT_URL
 {{- if .Values.global.certManagerEnabled }}
   value: https://drycc-passport.{{ .Values.global.platformDomain }}
 {{- else }}
@@ -145,7 +134,12 @@ env:
     secretKeyRef:
       name: passport-creds
       key: drycc-passport-controller-secret
-{{- else }}
+- name: DRYCC_PASSPORT_SCOPES
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: drycc-passport-controller-scopes
+{{- else if .Values.passportUrl }}
 - name: DRYCC_PASSPORT_URL
   valueFrom:
     secretKeyRef:
@@ -161,6 +155,11 @@ env:
     secretKeyRef:
       name: controller-creds
       key: passport-secret
+- name: DRYCC_PASSPORT_SCOPES
+  valueFrom:
+    secretKeyRef:
+      name: controller-creds
+      key: passport-scopes
 {{- end }}
 - name: QUICKWIT_INDEXER_URL
   value: http://drycc-quickwit-indexer:7280

charts/controller/templates/controller-job-upgrade.yaml

@@ -4,8 +4,6 @@ metadata:
   name: drycc-controller-job-upgrade
   annotations:
     component.drycc.cc/version: {{ .Values.imageTag }}
-    helm.sh/hook: post-install,post-upgrade,post-rollback
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
 spec:
   template:
     spec:

charts/controller/templates/controller-secret-creds.yaml

@@ -26,11 +26,13 @@ data:
   {{- if (.Values.passportSecret) }}
   passport-secret: {{ .Values.passportSecret | b64enc }}
   {{- end }}
+  {{- if (.Values.passportScopes) }}
+  passport-scopes: {{ .Values.passportScopes | b64enc }}
+  {{- end }}
   {{- if (.Values.registryHost) }}
   registry-host: {{ .Values.registryHost | b64enc }}
   registry-username: {{ .Values.registryUsername | b64enc }}
   registry-password: {{ .Values.registryPassword | b64enc }}
   {{- end }}
-  service-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "service-key" "defaultValue" (randAlphaNum 64) "context" $)) }}
   django-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "django-secret-key" "defaultValue" (randAlphaNum 64) "context" $)) }}
   deploy-hook-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "deploy-hook-secret-key" "defaultValue" (randAlphaNum 64) "context" $)) }}

rootfs/api/manager.py rootfs/api/clients.pyrootfs/api/manager.py renamed to rootfs/api/clients.py

@@ -1,6 +1,7 @@
 import base64
 import logging
 import requests
+import urllib.parse
 from typing import List, Dict
 from django.core.cache import cache
 from requests_toolbelt import user_agent
@@ -15,8 +16,8 @@ class ManagerAPI(object):
     def __init__(self, timeout=3):
         self.timeout = timeout
         token = base64.b85encode(b"%s:%s" % (
-            settings.WORKFLOW_MANAGER_ACCESS_KEY.encode("utf8"),
-            settings.WORKFLOW_MANAGER_SECRET_KEY.encode("utf8"),
+            settings.SOCIAL_AUTH_DRYCC_KEY.encode("utf8"),
+            settings.SOCIAL_AUTH_DRYCC_SECRET.encode("utf8"),
         )).decode("utf8")
         self.headers = {
             'Content-Type': 'application/json',
@@ -100,3 +101,72 @@ def post(self, usages: List[Dict[str, str]]):
         """
         url = "%s/usages/" % settings.WORKFLOW_MANAGER_URL
         return super().post(url=url, json=usages)
+
+
+class PassportAPI(object):
+    """Service-to-service client for Drycc Passport using OAuth2 client_credentials."""
+
+    TOKEN_CACHE_KEY = "controller:passport:m2m_token"
+    TOKEN_REFRESH_LEEWAY = 60
+
+    def __init__(self, timeout=10):
+        self.timeout = timeout
+        self.base_url = settings.DRYCC_PASSPORT_URL.rstrip("/")
+
+    def _get_token(self) -> str:
+        token = cache.get(self.TOKEN_CACHE_KEY)
+        if token and self.get_scopes(token) == set(settings.DRYCC_PASSPORT_SCOPES.split()):
+            return token
+        resp = requests.post(
+            f"{self.base_url}/oauth/token/",
+            data={
+                "grant_type": "client_credentials",
+                "client_id": settings.SOCIAL_AUTH_DRYCC_KEY,
+                "client_secret": settings.SOCIAL_AUTH_DRYCC_SECRET,
+                "scope": settings.DRYCC_PASSPORT_SCOPES,
+            },
+            timeout=self.timeout,
+        )
+        resp.raise_for_status()
+        body = resp.json()
+        token = body["access_token"]
+        ttl = max(int(body.get("expires_in", 3600)) - self.TOKEN_REFRESH_LEEWAY, 60)
+        cache.set(self.TOKEN_CACHE_KEY, token, timeout=ttl)
+        return token
+
+    def get_scopes(self, token):
+        def _get_scopes():
+            endpoint = getattr(settings, 'SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT', None)
+            if not endpoint:
+                return set()
+            oauth_introspect_url = urllib.parse.urljoin(endpoint + "/", "introspect/")
+            key = getattr(settings, 'SOCIAL_AUTH_DRYCC_KEY', '')
+            secret = getattr(settings, 'SOCIAL_AUTH_DRYCC_SECRET', '')
+            try:
+                resp = requests.post(
+                    oauth_introspect_url, auth=(key, secret), data={'token': token}, timeout=5)
+                if resp.status_code == 200:
+                    data = resp.json()
+                    if data.get("active"):
+                        return set(data.get("scope", "").split())
+            except Exception as e:
+                logger.info(f"Error introspecting token: {e}")
+            return set()
+        return cache.get_or_set(
+            f"drycc_oauth_scopes_v2_{token}", _get_scopes, settings.DRYCC_CACHE_USER_TIME)
+
+    def send_message(self, username: str, message: Dict) -> None:
+        token = self._get_token()
+        headers = {
+            "Authorization": f"Bearer {token}",
+            "Content-Type": "application/json",
+            "User-Agent": user_agent("Drycc Controller", drycc_version),
+        }
+        body = {**message, "username": username}
+        resp = requests.post(
+            f"{self.base_url}/messages/",
+            json=body,
+            headers=headers,
+            timeout=self.timeout,
+        )
+        resp.raise_for_status()

rootfs/api/permissions.py

@@ -1,17 +1,20 @@
-import base64
-from rest_framework import permissions
+import logging
 from django.conf import settings
-from api import manager
+from rest_framework import permissions
+
+from api import clients
 from api.models import blocklist
 from api.models.workspace import Workspace, WorkspaceMember
 
+logger = logging.getLogger(__name__)
+
 
 def get_app_status(app):
     block = blocklist.Blocklist.get_blocklist(app)
     if block:
         return False, block.remark
     if settings.WORKFLOW_MANAGER_URL:
-        status = manager.WorkspaceAPI().get_status(app.workspace_id)
+        status = clients.WorkspaceAPI().get_status(app.workspace_id)
         if not status["is_active"]:
             return False, status["message"]
     return True, None
@@ -41,8 +44,9 @@ def has_object_permission(self, request, view, obj):
             return True
         elif getattr(obj, "user", None) == request.user:
             return True
-        elif isinstance(obj, Workspace) or hasattr(obj, 'workspace'):
-            workspace = obj if isinstance(obj, Workspace) else obj.workspace
+        elif isinstance(obj, Workspace) or hasattr(obj, 'workspace') or hasattr(obj, 'app'):
+            workspace = obj if isinstance(obj, Workspace) else getattr(
+                obj, "workspace", None) or getattr(getattr(obj, 'app', None), 'workspace', None)
             if request.method in ["GET", "HEAD", "OPTIONS"]:
                 allowed_roles = ["viewer", "member", "admin"]
             elif request.method in ["POST", "PUT", "PATCH"]:
@@ -55,34 +59,23 @@ def has_object_permission(self, request, view, obj):
         return False
 
 
-class IsServiceToken(permissions.BasePermission):
+class HasOAuthScope(permissions.BasePermission):
     """
-    The service token is used for internal communication between Drycc components,
-    such as the builder and Quickwit.
+    Object-level permission to allow only requests with specific OAuth scopes.
+    The required scopes are defined on the view as `required_oauth_scopes = ['scope1', 'scope2']`
     """
+    client = clients.PassportAPI()
 
     def has_permission(self, request, view):
-        """
-        Return `True` if permission is granted, `False` otherwise.
-        """
-        auth_header = request.META.get('HTTP_X_DRYCC_SERVICE_KEY')
-        if not auth_header:
-            return False
-        return auth_header == settings.SERVICE_KEY
-
-
-class IsWorkflowManager(permissions.BasePermission):
-    """
-    View permission to allow workflow manager to perform actions
-    with a special HTTP header
-    """
+        required_oauth_scopes = getattr(view, 'required_oauth_scopes', [])
+        if not required_oauth_scopes:
+            return True
 
-    def has_permission(self, request, view):
-        if request.META.get("HTTP_AUTHORIZATION"):
-            token = request.META.get(
-                "HTTP_AUTHORIZATION").split(" ")[1].encode("utf8")
-            access_key, secret_key = base64.b85decode(token).decode("utf8").split(":")
-            if settings.WORKFLOW_MANAGER_ACCESS_KEY == access_key:
-                if settings.WORKFLOW_MANAGER_SECRET_KEY == secret_key:
-                    return True
-        return False
+        auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+        parts = auth_header.split()
+        if len(parts) == 2 and parts[0].lower() == 'bearer':
+            token = parts[1]
+        else:
+            return False
+        scopes = self.client.get_scopes(token)
+        return set(required_oauth_scopes).issubset(scopes)

rootfs/api/serializers/__init__.py

@@ -824,3 +824,9 @@ class Meta:
         model = models.workspace.WorkspaceInvitation
         fields = '__all__'
         read_only_fields = ['id', 'token', 'created']
+
+
+class BlocklistSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.blocklist.Blocklist
+        fields = '__all__'

rootfs/api/settings/celery.py

@@ -58,6 +58,10 @@ class Config(object):
             'queue': 'controller.middle',
             'exchange': 'controller.priority', 'routing_key': 'controller.priority.middle',
         },
+        'api.tasks.dispatch_alert_message': {
+            'queue': 'controller.middle',
+            'exchange': 'controller.priority', 'routing_key': 'controller.priority.middle',
+        },
     },
     task_queues=(
         Queue(

rootfs/api/settings/production.py

@@ -328,7 +328,6 @@ def randstr(k):
 SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', randstr(64))
 
 # Drycc service key
-SERVICE_KEY = os.environ.get('DRYCC_SERVICE_KEY', randstr(64))
 
 # Drycc cert key
 CERT_KEY_PATH = os.environ.get('DRYCC_CERT_KEY_PATH', '/etc/controller/cert/key')
@@ -442,11 +441,11 @@ def randstr(k):
 # social auth settings
 SOCIAL_AUTH_DRYCC_KEY = os.environ.get(
     "DRYCC_PASSPORT_KEY",
-    os.environ.get("SOCIAL_AUTH_DRYCC_KEY"),
+    os.environ.get("SOCIAL_AUTH_DRYCC_KEY", ""),
 )
 SOCIAL_AUTH_DRYCC_SECRET = os.environ.get(
     'DRYCC_PASSPORT_SECRET',
-    os.environ.get("SOCIAL_AUTH_DRYCC_SECRET"),
+    os.environ.get("SOCIAL_AUTH_DRYCC_SECRET", ""),
 )
 SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT = os.environ.get(
     'SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT',
@@ -466,6 +465,10 @@ def randstr(k):
 )
 DRYCC_CACHE_USER_TIME = int(os.environ.get('DRYCC_CACHE_USER_TIME', 30 * 60))
 
+# OIDC scopes to request from the provider.
+# The provider must be configured to allow these scopes for the Grafana client.
+DRYCC_PASSPORT_SCOPES = os.environ.get('DRYCC_PASSPORT_SCOPES', '')
+
 # Rate limit for invitation emails: max LIMIT emails per WINDOW seconds per recipient address
 DRYCC_INVITATION_EMAIL_LIMIT = int(os.environ.get('DRYCC_INVITATION_EMAIL_LIMIT', 5))
 DRYCC_INVITATION_EMAIL_TIMEOUT = int(os.environ.get('DRYCC_INVITATION_EMAIL_TIMEOUT', 3600))
@@ -485,5 +488,3 @@ def randstr(k):
 
 # Workflow-manager Configuration Options
 WORKFLOW_MANAGER_URL = os.environ.get('WORKFLOW_MANAGER_URL', None)
-WORKFLOW_MANAGER_ACCESS_KEY = os.environ.get('WORKFLOW_MANAGER_ACCESS_KEY', None)
-WORKFLOW_MANAGER_SECRET_KEY = os.environ.get('WORKFLOW_MANAGER_SECRET_KEY', None)

rootfs/api/settings/testing.py

@@ -70,8 +70,6 @@ def __getitem__(self, item):
 MIGRATION_MODULES = DisableMigrations()
 
 # WORKFLOW_MANAGER_URL = "http://127.0.0.1:8000"
-WORKFLOW_MANAGER_ACCESS_KEY = "1234567890"
-WORKFLOW_MANAGER_SECRET_KEY = "1234567890"
 
 DRYCC_VOLUME_CLAIM_TEMPLATE = """
 {% if type == 'csi' %}