chore(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

charts/controller/templates/_helpers.tpl

@@ -49,11 +49,6 @@ env:
     secretKeyRef:
       name: controller-creds
       key: django-secret-key
-- name: DRYCC_SERVICE_KEY
-  valueFrom:
-    secretKeyRef:
-      name: controller-creds
-      key: service-key
 {{- if (.Values.valkeyUrl) }}
 - name: DRYCC_VALKEY_URL
   valueFrom:
@@ -99,12 +94,6 @@ env:
   value: "postgres://$(DRYCC_PG_USER):$(DRYCC_PG_PASSWORD)@drycc-database-replica:5432/controller"
 {{- end }}
 {{- if (.Values.workflowManagerUrl) }}
-- name: WORKFLOW_MANAGER_URL
-  value: "{{ .Values.workflowManagerUrl }}"
-- name: WORKFLOW_MANAGER_ACCESS_KEY
-  value: "{{ .Values.workflowManagerAccessKey }}"
-- name: WORKFLOW_MANAGER_SECRET_KEY
-  value: "{{ .Values.workflowManagerSecretKey }}"
 {{- end }}
 - name: POD_IP
   valueFrom:

charts/controller/templates/controller-secret-creds.yaml

@@ -31,6 +31,5 @@ data:
   registry-username: {{ .Values.registryUsername | b64enc }}
   registry-password: {{ .Values.registryPassword | b64enc }}
   {{- end }}
-  service-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "service-key" "defaultValue" (randAlphaNum 64) "context" $)) }}
   django-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "django-secret-key" "defaultValue" (randAlphaNum 64) "context" $)) }}
   deploy-hook-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "controller-creds" "key" "deploy-hook-secret-key" "defaultValue" (randAlphaNum 64) "context" $)) }}

rootfs/api/exceptions.py

@@ -42,6 +42,8 @@ def custom_exception_handler(exc, context):
     # No response means DRF couldn't handle it
     # Output a generic 500 in a JSON format
     if response is None:
+        import traceback
+        traceback.print_exc()
         logging.exception('Uncaught Exception', exc_info=exc)
         set_rollback()
         return Response({'detail': 'Server Error'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)

rootfs/api/manager.py

@@ -15,8 +15,8 @@ class ManagerAPI(object):
     def __init__(self, timeout=3):
         self.timeout = timeout
         token = base64.b85encode(b"%s:%s" % (
-            settings.WORKFLOW_MANAGER_ACCESS_KEY.encode("utf8"),
-            settings.WORKFLOW_MANAGER_SECRET_KEY.encode("utf8"),
+            settings.SOCIAL_AUTH_DRYCC_KEY.encode("utf8"),
+            settings.SOCIAL_AUTH_DRYCC_SECRET.encode("utf8"),
         )).decode("utf8")
         self.headers = {
             'Content-Type': 'application/json',

rootfs/api/permissions.py

@@ -1,10 +1,16 @@
-import base64
-from rest_framework import permissions
+import requests
+import logging
+import urllib.parse
 from django.conf import settings
+from django.core.cache import cache
+from rest_framework import permissions
+
 from api import manager
 from api.models import blocklist
 from api.models.workspace import Workspace, WorkspaceMember
 
+logger = logging.getLogger(__name__)
+
 
 def get_app_status(app):
     block = blocklist.Blocklist.get_blocklist(app)
@@ -41,8 +47,9 @@ def has_object_permission(self, request, view, obj):
             return True
         elif getattr(obj, "user", None) == request.user:
             return True
-        elif isinstance(obj, Workspace) or hasattr(obj, 'workspace'):
-            workspace = obj if isinstance(obj, Workspace) else obj.workspace
+        elif isinstance(obj, Workspace) or hasattr(obj, 'workspace') or hasattr(obj, 'app'):
+            workspace = obj if isinstance(obj, Workspace) else getattr(
+                obj, "workspace", None) or getattr(getattr(obj, 'app', None), 'workspace', None)
             if request.method in ["GET", "HEAD", "OPTIONS"]:
                 allowed_roles = ["viewer", "member", "admin"]
             elif request.method in ["POST", "PUT", "PATCH"]:
@@ -55,34 +62,43 @@ def has_object_permission(self, request, view, obj):
         return False
 
 
-class IsServiceToken(permissions.BasePermission):
+class HasOAuthScope(permissions.BasePermission):
     """
-    The service token is used for internal communication between Drycc components,
-    such as the builder and Quickwit.
+    Object-level permission to allow only requests with specific OAuth scopes.
+    The required scopes are defined on the view as `required_oauth_scopes = ['scope1', 'scope2']`
     """
-
     def has_permission(self, request, view):
-        """
-        Return `True` if permission is granted, `False` otherwise.
-        """
-        auth_header = request.META.get('HTTP_X_DRYCC_SERVICE_KEY')
-        if not auth_header:
-            return False
-        return auth_header == settings.SERVICE_KEY
+        required_oauth_scopes = getattr(view, 'required_oauth_scopes', [])
+        if not required_oauth_scopes:
+            return True
 
+        auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+        parts = auth_header.split()
+        if len(parts) == 2 and parts[0].lower() == 'bearer':
+            token = parts[1]
+        else:
+            return False
 
-class IsWorkflowManager(permissions.BasePermission):
-    """
-    View permission to allow workflow manager to perform actions
-    with a special HTTP header
-    """
+        scopes = self.get_token_scopes(token)
+        return set(required_oauth_scopes).issubset(scopes)
 
-    def has_permission(self, request, view):
-        if request.META.get("HTTP_AUTHORIZATION"):
-            token = request.META.get(
-                "HTTP_AUTHORIZATION").split(" ")[1].encode("utf8")
-            access_key, secret_key = base64.b85decode(token).decode("utf8").split(":")
-            if settings.WORKFLOW_MANAGER_ACCESS_KEY == access_key:
-                if settings.WORKFLOW_MANAGER_SECRET_KEY == secret_key:
-                    return True
-        return False
+    def get_token_scopes(self, token):
+        def _get_scopes():
+            endpoint = getattr(settings, 'SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT', None)
+            if not endpoint:
+                return set()
+            oauth_introspect_url = urllib.parse.urljoin(endpoint + "/", "introspect/")
+            key = getattr(settings, 'SOCIAL_AUTH_DRYCC_KEY', '')
+            secret = getattr(settings, 'SOCIAL_AUTH_DRYCC_SECRET', '')
+            try:
+                resp = requests.post(
+                    oauth_introspect_url, auth=(key, secret), data={'token': token}, timeout=5)
+                if resp.status_code == 200:
+                    data = resp.json()
+                    if data.get("active"):
+                        return set(data.get("scope", "").split())
+            except Exception as e:
+                logger.info(f"Error introspecting token: {e}")
+            return set()
+        return cache.get_or_set(
+            f"drycc_oauth_scopes_v2_{token}", _get_scopes, settings.DRYCC_CACHE_USER_TIME)

rootfs/api/serializers/__init__.py

@@ -824,3 +824,9 @@ class Meta:
         model = models.workspace.WorkspaceInvitation
         fields = '__all__'
         read_only_fields = ['id', 'token', 'created']
+
+
+class BlocklistSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.blocklist.Blocklist
+        fields = '__all__'

rootfs/api/settings/production.py

@@ -328,7 +328,6 @@ def randstr(k):
 SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', randstr(64))
 
 # Drycc service key
-SERVICE_KEY = os.environ.get('DRYCC_SERVICE_KEY', randstr(64))
 
 # Drycc cert key
 CERT_KEY_PATH = os.environ.get('DRYCC_CERT_KEY_PATH', '/etc/controller/cert/key')
@@ -442,11 +441,11 @@ def randstr(k):
 # social auth settings
 SOCIAL_AUTH_DRYCC_KEY = os.environ.get(
     "DRYCC_PASSPORT_KEY",
-    os.environ.get("SOCIAL_AUTH_DRYCC_KEY"),
+    os.environ.get("SOCIAL_AUTH_DRYCC_KEY", ""),
 )
 SOCIAL_AUTH_DRYCC_SECRET = os.environ.get(
     'DRYCC_PASSPORT_SECRET',
-    os.environ.get("SOCIAL_AUTH_DRYCC_SECRET"),
+    os.environ.get("SOCIAL_AUTH_DRYCC_SECRET", ""),
 )
 SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT = os.environ.get(
     'SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT',
@@ -485,5 +484,3 @@ def randstr(k):
 
 # Workflow-manager Configuration Options
 WORKFLOW_MANAGER_URL = os.environ.get('WORKFLOW_MANAGER_URL', None)
-WORKFLOW_MANAGER_ACCESS_KEY = os.environ.get('WORKFLOW_MANAGER_ACCESS_KEY', None)
-WORKFLOW_MANAGER_SECRET_KEY = os.environ.get('WORKFLOW_MANAGER_SECRET_KEY', None)

rootfs/api/settings/testing.py

@@ -70,8 +70,6 @@ def __getitem__(self, item):
 MIGRATION_MODULES = DisableMigrations()
 
 # WORKFLOW_MANAGER_URL = "http://127.0.0.1:8000"
-WORKFLOW_MANAGER_ACCESS_KEY = "1234567890"
-WORKFLOW_MANAGER_SECRET_KEY = "1234567890"
 
 DRYCC_VOLUME_CLAIM_TEMPLATE = """
 {% if type == 'csi' %}

rootfs/api/tests/__init__.py

@@ -3,6 +3,7 @@
 import requests_mock
 import time
 import unittest
+from unittest import mock
 from os.path import dirname, realpath
 
 from django.test.runner import DiscoverRunner
@@ -38,10 +39,25 @@ def fake_responses(request, context):
     return response['text']
 
 
+def mock_get_token_scopes(self, token):
+    return {"controller:hook", "controller:blocklist", "controller:logs", "controller:metrics"}
+
+
+patcher = mock.patch('api.permissions.HasOAuthScope.get_token_scopes', mock_get_token_scopes)
+patcher.start()
+
 adapter = requests_mock.Adapter()
 adapter.register_uri('GET', '/', text=fake_responses)
 adapter.register_uri('GET', '/health', text=fake_responses)
 adapter.register_uri('GET', '/healthz', text=fake_responses)
+adapter.register_uri(
+    'POST',
+    requests_mock.ANY,
+    json={
+        "active": True,
+        "scope": "controller:hook controller:metrics controller:logs controller:blocklist"
+    }
+)
 
 # Root of the test directory (for files and such)
 TEST_ROOT = dirname(realpath(__file__))

rootfs/api/tests/test_workflow_manager.py rootfs/api/tests/test_blocklist.pyrootfs/api/tests/test_workflow_manager.py renamed to rootfs/api/tests/test_blocklist.py

@@ -4,9 +4,7 @@
 
 Run the tests with "./manage.py test api"
 """
-import base64
 from django.core.cache import cache
-from django.conf import settings
 from django.contrib.auth import get_user_model
 from api.tests import adapter, DryccTransactionTestCase
 import requests_mock
@@ -15,43 +13,58 @@
 
 
 @requests_mock.Mocker(real_http=True, adapter=adapter)
-class ManagerTest(DryccTransactionTestCase):
+class BlocklistTest(DryccTransactionTestCase):
     """Tests setting and updating config values"""
 
     fixtures = ['tests.json']
 
     def setUp(self):
+        from unittest.mock import patch
+        self.patcher = patch('api.apps_extra.social_core.backends.OauthCacheManager.get_user')
+        self.mock_get_user = self.patcher.start()
+        self.mock_get_user.return_value = User.objects.get(username='autotest')
 
         self.user = User.objects.get(username='autotest')
         self.token = self.get_or_create_token(self.user)
         self.client.credentials(HTTP_AUTHORIZATION='Token ' + self.token)
         self.app_id = self.create_app()
         self.user_id = 7
         # workflow manager token
-        token = base64.b85encode(b"%s:%s" % (
-            settings.WORKFLOW_MANAGER_ACCESS_KEY.encode("utf8"),
-            settings.WORKFLOW_MANAGER_SECRET_KEY.encode("utf8"),
-        )).decode("utf8")
-        self.client.credentials(HTTP_AUTHORIZATION='Token ' + token)
+        self.client.credentials(HTTP_AUTHORIZATION='Bearer mock_oauth_token')
 
     def tearDown(self):
+        self.patcher.stop()
+
         # make sure every test has a clean slate for k8s mocking
         cache.clear()
 
     def test_block(self, mock_requests):
         response = self.client.post(
-            '/v2/manager/{}/{}/block/'.format("apps", self.app_id),
-            data={'remark': 'Arrears blockade'},
+            '/v2/blocklists/',
+            data={'id': self.app_id, 'type': 1, 'remark': 'Arrears blockade'},
         )
         self.assertEqual(response.status_code, 201)
 
     def test_unblock(self, mock_requests):
         response = self.client.post(
-            '/v2/manager/{}/{}/block/'.format("apps", self.app_id),
-            data={'remark': 'Arrears blockade'},
+            '/v2/blocklists/',
+            data={'id': self.app_id, 'type': 1, 'remark': 'Arrears blockade'},
         )
         self.assertEqual(response.status_code, 201)
         response = self.client.delete(
-            '/v2/manager/{}/{}/unblock/'.format("apps", self.app_id),
+            '/v2/blocklists/app/{}/'.format(self.app_id),
         )
         self.assertEqual(response.status_code, 204)
+
+    def test_retrieve(self, mock_requests):
+        response = self.client.post(
+            '/v2/blocklists/',
+            data={'id': self.app_id, 'type': 1, 'remark': 'Arrears blockade'},
+        )
+        self.assertEqual(response.status_code, 201)
+        response = self.client.get(
+            '/v2/blocklists/app/{}/'.format(self.app_id),
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.data['id'], self.app_id)
+        self.assertEqual(response.data['type'], 1)