feat(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

.gitignore

@@ -27,6 +27,7 @@ htmlcov/
 venv/
 
 .idea
+.sisyphus
 env/
 rootfs/web/yarn-error.log
 rootfs/node_modules/

charts/passport/templates/passport-job-upgrade.yaml

@@ -4,8 +4,6 @@ metadata:
   name: drycc-passport-job-upgrade
   annotations:
     component.drycc.cc/version: {{ .Values.imageTag }}
-    helm.sh/hook: post-install,post-upgrade,post-rollback
-    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
 spec:
   template:
     spec:

charts/passport/templates/passport-secret-creds.yaml

@@ -17,9 +17,8 @@ data:
   django-secret-key: {{ (include "common.secrets.lookup" (dict "secret" "passport-creds" "key" "django-secret-key" "defaultValue" (randAlphaNum 64) "context" $)) }}
   oidc-rsa-private-key: {{genPrivateKey "rsa" | b64enc}}
   {{- range $item := .Values.initApplications }}
-  {{- if ($item.prefix) }}
   {{- $name := ($item.name | replace " " "-" | lower) }}
   drycc-passport-{{$name}}-key: {{ (include "common.secrets.lookup" (dict "secret" "passport-creds" "key" (printf "drycc-passport-%s-key" $name) "defaultValue" ($item.key | default (randAlphaNum 40)) "context" $)) }}
   drycc-passport-{{$name}}-secret: {{ (include "common.secrets.lookup" (dict "secret" "passport-creds" "key" (printf "drycc-passport-%s-secret" $name) "defaultValue" ($item.secret | default (randAlphaNum 64)) "context" $)) }}
-  {{- end }}
+  drycc-passport-{{$name}}-scopes: {{ ($item.allowed_scopes | default "") | b64enc | quote }}
   {{- end }}

charts/passport/values.yaml

@@ -118,14 +118,34 @@ initApplications:
   key: ""
   secret: ""
   prefix: "drycc"
-  grant_type: "password"
+  grant_type: "internal"
+  client_type: "confidential"
+  allowed_scopes: "openid profile email manager:workspace manager:usage passport:message"
   redirect_uri: "/v2/complete/drycc/"
 - name: "grafana"
   key: ""
   secret: ""
   prefix: "drycc-grafana"
-  grant_type: "authorization-code"
+  grant_type: "internal"
+  client_type: "confidential"
+  allowed_scopes: "openid profile email controller:alerts controller:metrics controller:logs"
   redirect_uri: "/oauth2/callback"
+- name: "builder"
+  key: ""
+  secret: ""
+  prefix: ""
+  grant_type: "client-credentials"
+  client_type: "confidential"
+  allowed_scopes: "controller:hook"
+  redirect_uri: ""
+- name: "manager"
+  key: ""
+  secret: ""
+  prefix: ""
+  grant_type: "client-credentials"
+  client_type: "confidential"
+  allowed_scopes: "controller:blocklist"
+  redirect_uri: ""
 
 # Service
 service:

rootfs/api/admin.py

@@ -1,7 +1,22 @@
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
+from oauth2_provider.admin import ApplicationAdmin as BaseApplicationAdmin
 
-from .models import User, Message, MessagePreference
+from .models import User, Message, MessagePreference, Application
+
+
+try:
+    admin.site.unregister(Application)
+except admin.sites.NotRegistered:
+    pass
+
+
+@admin.register(Application)
+class ApplicationAdmin(BaseApplicationAdmin):
+    list_display = (
+        "id", "name", "user", "client_type",
+        "authorization_grant_type", "allowed_scopes",
+    )
 
 
 class UserAdmin(BaseUserAdmin):

rootfs/api/management/commands/create_oauth2_application.py

@@ -4,6 +4,7 @@
 import string
 import pathlib
 from django.contrib.auth import get_user_model
+from django.contrib.auth.hashers import check_password
 from django.core.management.base import BaseCommand
 from oauth2_provider.models import get_application_model
 
@@ -14,7 +15,26 @@
 
 
 class Command(BaseCommand):
-    """Management command for create Oauth2 application"""
+    """Management command for create Oauth2 application.
+
+    Credential resolution order for ``client_id`` / ``client_secret``:
+
+    1. Explicit value from the init-applications JSON file (highest priority,
+       lets operators pin credentials via ``--set initApplications[...]``).
+    2. Mounted Kubernetes secret file at
+       ``/var/run/secrets/drycc/passport/drycc-passport-<name>-<key|secret>``.
+       This is the source of truth for credentials that the chart's
+       ``passport-creds`` Secret already exposes to every consumer (controller,
+       grafana, builder, manager, ...). Reading it here keeps the DB and the
+       Secret consistent for *every* application, including m2m apps that
+       have no public sub-domain (``prefix == ""``).
+    3. Newly generated random string (only when neither of the above is
+       available, e.g. local dev without the volume mount).
+
+    Note: ``prefix`` only controls how ``redirect_uri`` is composed. It is
+    intentionally NOT used to gate credential discovery -- m2m applications
+    legitimately have an empty prefix.
+    """
 
     def add_arguments(self, parser):
         super(Command, self).add_arguments(parser)
@@ -28,32 +48,55 @@ def handle(self, *args, **options):
         user = User.objects.filter(is_superuser=True).first()
         for item in json.loads(pathlib.Path(base_path).read_text()):
             name = item["name"]
-            _, updated = Application.objects.update_or_create(
-                name=name.lower(),
-                defaults={
-                    'client_id': self._get_creds(item, "key", 40),
-                    'client_secret': self._get_creds(item, "secret", 60),
-                    'user': user,
-                    'redirect_uris': self._get_redirect_uri(item),
-                    'authorization_grant_type': item['grant_type'],
-                    'client_type': 'public',
-                    'algorithm': 'RS256'
-                }
+            client_id = self._get_creds(item, "key", 40)
+            client_secret = self._get_creds(item, "secret", 60)
+            defaults = {
+                'client_id': client_id,
+                'user': user,
+                'redirect_uris': self._get_redirect_uri(item),
+                'authorization_grant_type': item.get('grant_type', 'public'),
+                'client_type': item.get('client_type', 'public'),
+                'allowed_scopes': item.get('allowed_scopes', ''),
+                'algorithm': 'RS256',
+            }
+            existing = Application.objects.filter(name=name.lower()).first()
+            secret_unchanged = (
+                existing is not None
+                and check_password(client_secret, existing.client_secret)
+            )
+            if not secret_unchanged:
+                defaults['client_secret'] = client_secret
+            _, created = Application.objects.update_or_create(
+                name=name.lower(), defaults=defaults,
             )
-            if updated:
-                self.stdout.write('Drycc % app created' % name)
+            if created:
+                self.stdout.write('Drycc %s app created' % name)
             else:
-                self.stdout.write('Drycc % app updated' % name)
+                self.stdout.write('Drycc %s app updated' % name)
 
     def _get_creds(self, item, suffix, size):
-        name, secret, prefix = item["name"], item[suffix], item["prefix"]
-        if not secret:
-            default_secret_path = os.path.join(
-                secrets_path, "drycc-passport-%s-%s" % (name, suffix))
-            if prefix and os.path.exists(default_secret_path):
-                secret = pathlib.Path(default_secret_path).read_text()
-            else:
-                secret = ''.join([random.choice(string.ascii_letters) for _ in range(size)])
+        name = item["name"]
+        secret = item.get(suffix)
+        if secret:
+            self.stdout.write(
+                '[%s/%s] credential source: init-config' % (name, suffix))
+            return secret
+
+        default_secret_path = os.path.join(
+            secrets_path, "drycc-passport-%s-%s" % (name, suffix))
+        if os.path.exists(default_secret_path):
+            # ``.strip()`` defends against trailing newlines that some
+            # tooling adds when materialising secrets onto disk.
+            secret = pathlib.Path(default_secret_path).read_text().strip()
+            self.stdout.write(
+                '[%s/%s] credential source: mounted-file (%s)'
+                % (name, suffix, default_secret_path))
+            return secret
+
+        secret = ''.join(random.choice(string.ascii_letters) for _ in range(size))
+        self.stdout.write(
+            '[%s/%s] credential source: generated-random '
+            '(no init value, no mounted file)' % (name, suffix))
         return secret
 
     def _get_redirect_uri(self, item):

rootfs/api/migrations/0005_application_allowed_scopes_and_internal_grant.py

@@ -0,0 +1,35 @@
+# Generated by Django 5.2.13 on 2026-05-09 12:00
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+def forward_data_migration(apps, schema_editor):
+    Application = apps.get_model('api', 'Application')
+    oauth2_settings = getattr(settings, 'OAUTH2_PROVIDER', {})
+    default_provider_scopes_list = oauth2_settings.get("DEFAULT_SCOPES", ['openid', 'email', 'profile'])
+    default_provider_scopes = " ".join(default_provider_scopes_list)
+
+    for app in Application.objects.all():
+        if not app.allowed_scopes:
+            app.allowed_scopes = default_provider_scopes
+        
+        if app.name.lower() in ("controller", "grafana"):
+            app.authorization_grant_type = "internal"
+            
+        app.save()
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0004_alter_application_authorization_grant_type_message_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='allowed_scopes',
+            field=models.TextField(blank=True, default=''),
+        ),
+        migrations.RunPython(forward_data_migration, reverse_code=migrations.RunPython.noop),
+    ]

rootfs/api/models.py

@@ -11,11 +11,21 @@ class User(AbstractUser):
 
 
 class Application(AbstractApplication):
+    GRANT_INTERNAL = "internal"
+    GRANT_TYPES = AbstractApplication.GRANT_TYPES + (
+        (GRANT_INTERNAL, _("Internal")),
+    )
+    allowed_scopes = models.TextField(blank=True, default="")
 
     def allows_grant_type(self, *grant_types):
-        return self.GRANT_AUTHORIZATION_CODE in grant_types or super().allows_grant_type(
-            *grant_types
-        )
+        if self.authorization_grant_type == self.GRANT_INTERNAL:
+            return True
+        return super().allows_grant_type(*grant_types)
+
+    def validate_grant_type(self, client_id, grant_type, client, request, *args, **kwargs):
+        if self.authorization_grant_type == self.GRANT_INTERNAL:
+            return True
+        return super().validate_grant_type(client_id, grant_type, client, request, *args, **kwargs)
 
 
 class Message(models.Model):

rootfs/api/oauth2_validators.py

@@ -3,6 +3,13 @@
 
 class CustomOAuth2Validator(OAuth2Validator):
 
+    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        if client.allowed_scopes:
+            allowed = set(client.allowed_scopes.split())
+            if not set(scopes).issubset(allowed):
+                return False
+        return super().validate_scopes(client_id, scopes, client, request, *args, **kwargs)
+
     oidc_claim_scope = OAuth2Validator.oidc_claim_scope
     oidc_claim_scope.update({
         "id": "profile",

rootfs/api/permissions.py

@@ -0,0 +1,32 @@
+from django.utils import timezone
+from rest_framework import permissions
+
+from oauth2_provider.models import AccessToken
+
+
+class HasOAuthScope(permissions.BasePermission):
+    """
+    Object-level permission to allow only requests with specific OAuth scopes.
+    The required scopes are defined on the view as `required_oauth_scopes = ['scope1', 'scope2']`
+    """
+    def has_permission(self, request, view):
+        required_oauth_scopes = getattr(view, 'required_oauth_scopes', [])
+        if not required_oauth_scopes:
+            return True
+
+        auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+        parts = auth_header.split()
+        if len(parts) == 2 and parts[0].lower() == 'bearer':
+            token_string = parts[1]
+        else:
+            return False
+
+        scopes = self.get_token_scopes(token_string)
+        return set(required_oauth_scopes).issubset(scopes)
+
+    def get_token_scopes(self, token_string):
+        try:
+            access_token = AccessToken.objects.get(token=token_string, expires__gt=timezone.now())
+            return set(access_token.scope.split())
+        except AccessToken.DoesNotExist:
+            return set()