feat(auth): add token api

Author: duanhongyi

charts/controller/templates/_helpers.tpl

@@ -292,3 +292,70 @@ resources:
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{/* Generate controller config default metrics */}}
+{{ define "controller.config.defaultMetrics" }}
+container_cpu_system_seconds_total: [instance, namespace, pod, container]
+container_cpu_usage_seconds_total: [instance, namespace, pod, container]
+container_cpu_user_seconds_total: [instance, namespace, pod, container]
+container_cpu_cfs_periods_total: [instance, namespace, pod, container]
+container_cpu_cfs_throttled_periods_total: [instance, namespace, pod, container]
+container_cpu_cfs_throttled_seconds_total: [instance, namespace, pod, container]
+container_fs_inodes_free: [instance, namespace, pod, container]
+container_fs_usage_bytes: [instance, namespace, pod, container]
+container_fs_inodes_total: [instance, namespace, pod, container]
+container_fs_io_current: [instance, namespace, pod, container]
+container_fs_io_time_seconds_total: [instance, namespace, pod, container]
+container_fs_io_time_weighted_seconds_total: [instance, namespace, pod, container]
+container_fs_limit_bytes: [instance, namespace, pod, container]
+container_fs_reads_bytes_total: [instance, namespace, pod, container]
+container_fs_read_seconds_total: [instance, namespace, pod, container]
+container_fs_reads_merged_total: [instance, namespace, pod, container]
+container_fs_reads_total: [instance, namespace, pod, container]
+container_fs_sector_reads_total: [instance, namespace, pod, container]
+container_fs_sector_writes_total: [instance, namespace, pod, container]
+container_fs_writes_bytes_total: [instance, namespace, pod, container]
+container_fs_write_seconds_total: [instance, namespace, pod, container]
+container_fs_writes_merged_total: [instance, namespace, pod, container]
+container_fs_writes_total: [instance, namespace, pod, container]
+container_blkio_device_usage_total: [instance, namespace, pod, container]
+container_memory_failures_total: [instance, namespace, pod, container]
+container_memory_failcnt: [instance, namespace, pod, container]
+container_memory_cache: [instance, namespace, pod, container]
+container_memory_mapped_file: [instance, namespace, pod, container]
+container_memory_max_usage_bytes: [instance, namespace, pod, container]
+container_memory_rss: [instance, namespace, pod, container]
+container_memory_swap: [instance, namespace, pod, container]
+container_memory_usage_bytes: [instance, namespace, pod, container]
+container_memory_working_set_bytes: [instance, namespace, pod, container]
+container_network_receive_bytes_total: [instance, namespace, pod, container]
+container_network_receive_errors_total: [instance, namespace, pod, container]
+container_network_receive_packets_dropped_total: [instance, namespace, pod, container]
+container_network_receive_packets_total: [instance, namespace, pod, container]
+container_network_transmit_bytes_total: [instance, namespace, pod, container]
+container_network_transmit_errors_total: [instance, namespace, pod, container]
+container_network_transmit_packets_dropped_total: [instance, namespace, pod, container]
+container_network_transmit_packets_total: [instance, namespace, pod, container]
+container_processes: [instance, namespace, pod, container]
+container_sockets: [instance, namespace, pod, container]
+container_file_descriptors: [instance, namespace, pod, container]
+container_threads: [instance, namespace, pod, container]
+container_threads_max: [instance, namespace, pod, container]
+container_ulimits_soft: [instance, namespace, pod, container]
+container_spec_cpu_period: [instance, namespace, pod, container]
+container_spec_cpu_shares: [instance, namespace, pod, container]
+container_spec_memory_limit_bytes: [instance, namespace, pod, container]
+container_spec_memory_reservation_limit_bytes: [instance, namespace, pod, container]
+container_spec_memory_swap_limit_bytes: [instance, namespace, pod, container]
+container_start_time_seconds: [instance, namespace, pod, container]
+container_last_seen: [instance, namespace, pod, container]
+container_accelerator_memory_used_bytes: [instance, namespace, pod, container]
+container_accelerator_memory_total_bytes: [instance, namespace, pod, container]
+container_accelerator_duty_cycle: [instance, namespace, pod, container]
+kube_pod_ips: [ip, ip_family, namespace, node, pod]
+kube_pod_container_status_running: [container, namespace, node, pod]
+kube_pod_container_status_ready: [container, namespace, node, pod]
+kube_pod_container_status_terminated: [container, namespace, node, pod]
+kube_pod_container_status_waiting: [container, namespace, node, pod]
+kube_pod_container_status_restarts_total: [container, namespace, node, pod]
+{{- end }}

charts/controller/templates/controller-api-deployment.yaml

@@ -84,3 +84,11 @@ spec:
             name: http
         {{- include "controller.limits" . | indent 8 }}
         {{- include "controller.envs" . | indent 8 }}
+        volumeMounts:
+        - name: controller-config
+          readOnly: false
+          mountPath: /etc/controller
+      volumes:
+      - name: controller-config
+        configMap:
+          name: controller-config

charts/controller/templates/controller-configmap.yaml

@@ -5,6 +5,12 @@ metadata:
   labels:
     heritage: drycc
 data:
+  metrics.json: |
+    {{- if .Values.config.metrics }}
+    {{- (tpl .Values.config.metrics $) | nindent 4 }}
+    {{- else}}
+    {{- include "controller.config.defaultMetrics" . | fromYaml | toPrettyJson | nindent 4 }}
+    {{- end }}
   limit-specs.json: |
     {{- if .Values.config.limitSpecs }}
     {{- (tpl .Values.config.limitSpecs $)  | nindent 4 }}

charts/controller/values.yaml

@@ -68,6 +68,7 @@ rabbitmqUrl: ""
 
 # limit specs, plans config
 config:
+  metrics: ""
   limitSpecs: ""
   limitPlans: ""
 

rootfs/api/apps_extra/social_core/actions.py

@@ -7,7 +7,6 @@
     user_is_active,
     user_is_authenticated,
 )
-from api.oauth import TokenManager
 
 
 def do_auth(backend, redirect_name="next"):
@@ -40,8 +39,9 @@ def form2json(form_data):
         query = urlparse("?" + form_data).query
         params = parse_qs(query)
         return {key: params[key][0] for key in params}
-    manager = TokenManager()
-    manager.set_state(data.get("key", ""), form2json(url).get("state"))
+    from api.backend import OauthCacheManager
+    oauth_cache_manager = OauthCacheManager()
+    oauth_cache_manager.set_state(data.get("key", ""), form2json(url).get("state"))
     return response
 
 
@@ -129,8 +129,9 @@ def do_complete(backend, login, user=None, redirect_name="next", *args, **kwargs
     if social_auth and social_auth.extra_data:
         extra_data = json.loads(social_auth.extra_data) if \
             isinstance(social_auth.extra_data, str) else social_auth.extra_data
-    manager = TokenManager()
-    manager.set_token(data.get("state"), extra_data.get("access_token", "fail"), user.username)
+    from api.backend import OauthCacheManager
+    oauth_cache_manager = OauthCacheManager()
+    oauth_cache_manager.set_token(data.get("state"), extra_data)
     return response
 
 

rootfs/api/authentication.py

@@ -1,14 +1,11 @@
 import logging
-from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy
 from rest_framework import authentication
-from rest_framework.authentication import TokenAuthentication, \
-    get_authorization_header
+from rest_framework.authentication import get_authorization_header
 from rest_framework import exceptions
 
-
 logger = logging.getLogger(__name__)
 
 
@@ -21,44 +18,63 @@ def authenticate(self, request):
         return AnonymousUser(), None
 
 
-class DryccAuthentication(TokenAuthentication):
+class DryccAuthentication(authentication.BaseAuthentication):
 
-    def authenticate(self, request):
-        if 'Drycc' in request.META.get('HTTP_USER_AGENT', ''):
-            auth = get_authorization_header(request).split()
-
-            if not auth or auth[0].lower() != self.keyword.lower().encode():
-                return None
+    keywords = ('token', 'bearer')
 
+    def parse_header(self, request):
+        try:
+            auth = get_authorization_header(request).split()
+            if not auth or auth[0].decode().lower() not in self.keywords:
+                return None, None
             if len(auth) == 1:
                 msg = gettext_lazy('Invalid token header. No credentials provided.')
                 raise exceptions.AuthenticationFailed(msg)
             elif len(auth) > 2:
                 msg = gettext_lazy(
                     'Invalid token header. Token string should not contain spaces.')
                 raise exceptions.AuthenticationFailed(msg)
+            return auth[0].decode().lower(), auth[1].decode()
+        except UnicodeError:
+            msg = gettext_lazy(
+                'Invalid token header. Token string should not contain invalid characters.')
+            raise exceptions.AuthenticationFailed(msg)
 
-            try:
-                token = auth[1].decode()
-            except UnicodeError:
-                msg = gettext_lazy(
-                    'Invalid token header. Token string should not contain invalid characters.')
-                raise exceptions.AuthenticationFailed(msg)
-            return self.sync_user(token), None
-        return super(DryccAuthentication, self).authenticate(request)
+    def authenticate(self, request):
+        token_type, token = self.parse_header(request)
+        if token_type is None or token is None:
+            return None
+        if token_type == 'bearer':  # drycc oauth access token
+            from api.backend import OauthCacheManager
+            return OauthCacheManager().get_user(token), token
+        # drycc token
+        user = cache.get(token, None)
+        if not user:
+            return self.authenticate_credentials(token)
+        return user, token
+
+    def authenticate_credentials(self, key):
+        from api.models.base import Token
+        try:
+            token = Token.objects.select_related('owner').get(key=key)
+        except Token.DoesNotExist:
+            raise exceptions.AuthenticationFailed(gettext_lazy('Invalid token.'))
+        if not token.owner.is_active:
+            raise exceptions.AuthenticationFailed(gettext_lazy('User inactive or deleted.'))
+        if token.expires():
+            from api.backend import OauthCacheManager
+            token.refresh_token()
+            user = OauthCacheManager().get_user(token.oauth['access_token'])
+            cache.set(token, user, timeout=token.oauth['expires_in'])
+            return user, token.key
+        return (token.owner, token.key)
 
-    @staticmethod
-    def sync_user(token):
-        def _sync_user(token):
-            from api import serializers
-            from api.oauth import OAuthManager
-            try:
-                user_info = OAuthManager().get_user_by_token(token)
-                if not user_info.get('email'):
-                    user_info['email'] = OAuthManager().get_email_by_token(token)
-                user, _ = serializers.UserSerializer.update_or_create(user_info)
-                return user
-            except Exception as e:
-                logger.info(e)
-                raise exceptions.AuthenticationFailed(gettext_lazy('Verify token fail.'))
-        return cache.get_or_set(token, lambda: _sync_user(token), settings.OAUTH_CACHE_USER_TIME)
+    def authenticate_header(self, request):
+        keyword = self.keywords[0]
+        try:
+            auth = self.parse_header(request)
+            if auth[0]:
+                keyword = auth[0]
+        except exceptions.AuthenticationFailed:
+            pass
+        return keyword