feat(oauth2): add authorization code for any grant type

Author: duanhongyi

charts/passport/templates/passport-job-upgrade.yaml

@@ -37,6 +37,11 @@ spec:
         - |
           python -u /workspace/manage.py cluster_lock lock
           python -u /workspace/manage.py migrate --noinput
+          if [ "${ADMIN_USERNAME}" ] && [ "${ADMIN_PASSWORD}" ] && [ "${ADMIN_EMAIL}" ]; then
+            echo "Create administrator"
+            python /workspace/manage.py createadminuser --username "${ADMIN_USERNAME}" --password "${ADMIN_PASSWORD}" --noinput --email "${ADMIN_EMAIL}"
+          fi
+          python /workspace/manage.py create_oauth2_application --path /etc/drycc/passport/init-applications.json
           python -u /workspace/manage.py cluster_lock unlock
         {{- end }}
         {{- include "passport.limits" . | indent 8 }}

rootfs/api/management/commands/create_oauth2_application.py

@@ -5,10 +5,11 @@
 import pathlib
 from django.contrib.auth import get_user_model
 from django.core.management.base import BaseCommand
-from oauth2_provider.models import Application
+from oauth2_provider.models import get_application_model
 
 
 User = get_user_model()
+Application = get_application_model()
 secrets_path = "/var/run/secrets/drycc/passport"
 
 

rootfs/api/migrations/0002_application.py

@@ -0,0 +1,38 @@
+# Generated by Django 4.2.10 on 2024-04-11 08:22
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import oauth2_provider.generators
+import oauth2_provider.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Application',
+            fields=[
+                ('id', models.BigAutoField(primary_key=True, serialize=False)),
+                ('client_id', models.CharField(db_index=True, default=oauth2_provider.generators.generate_client_id, max_length=100, unique=True)),
+                ('redirect_uris', models.TextField(blank=True, help_text='Allowed URIs list, space separated')),
+                ('post_logout_redirect_uris', models.TextField(blank=True, help_text='Allowed Post Logout URIs list, space separated')),
+                ('client_type', models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], max_length=32)),
+                ('authorization_grant_type', models.CharField(choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'), ('password', 'Resource owner password-based'), ('client-credentials', 'Client credentials'), ('openid-hybrid', 'OpenID connect hybrid')], max_length=32)),
+                ('client_secret', oauth2_provider.models.ClientSecretField(blank=True, db_index=True, default=oauth2_provider.generators.generate_client_secret, help_text='Hashed on Save. Copy it now if this is a new secret.', max_length=255)),
+                ('name', models.CharField(blank=True, max_length=255)),
+                ('skip_authorization', models.BooleanField(default=False)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('algorithm', models.CharField(blank=True, choices=[('', 'No OIDC support'), ('RS256', 'RSA with SHA-2 256'), ('HS256', 'HMAC with SHA-2 256')], default='', max_length=5)),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(app_label)s_%(class)s', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+    ]

rootfs/api/models.py

@@ -2,6 +2,16 @@
 from django.contrib.auth.models import AbstractUser
 from django.utils.translation import gettext_lazy as _
 
+from oauth2_provider.models import AbstractApplication
+
 
 class User(AbstractUser):
     email = models.EmailField(_('email address'), unique=True)
+
+
+class Application(AbstractApplication):
+
+    def allows_grant_type(self, *grant_types):
+        return self.GRANT_AUTHORIZATION_CODE in grant_types or super().allows_grant_type(
+            *grant_types
+        )

rootfs/api/settings/production.py

@@ -323,6 +323,7 @@
     "DEFAULT_SCOPES": ['openid', ],
     "DEFAULT_CODE_CHALLENGE_METHOD": 'S256',
 }
+OAUTH2_PROVIDER_APPLICATION_MODEL = 'api.Application'
 # Redis Configuration
 DRYCC_REDIS_ADDRS = os.environ.get('DRYCC_REDIS_ADDRS', '127.0.0.1:6379').split(",")
 DRYCC_REDIS_PASSWORD = os.environ.get('DRYCC_REDIS_PASSWORD', '')

rootfs/api/views.py

@@ -23,6 +23,7 @@
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
+from oauth2_provider.models import AccessToken
 
 from api import serializers
 from api.forms import AuthenticationForm, RegistrationForm
@@ -261,7 +262,6 @@ def get_queryset(self, *args, **kwargs):
 
 
 class UserTokensTemplateView(ListViewSet):
-    from oauth2_provider.models import AccessToken
     model = AccessToken
     serializer_class = serializers.UserTokensSerializer
     order_by = '-created'
@@ -273,7 +273,6 @@ def retrieve(self, request, *args, **kwargs):
 
 
 class UserTokenDeleteView(ListViewSet):
-    from oauth2_provider.models import AccessToken
     model = AccessToken
 
     def destroy(self, request, *args, **kwargs):

rootfs/bin/boot

@@ -26,16 +26,6 @@ echo ""
 echo "Collect static files in a single location:"
 python manage.py collectstatic --noinput
 
-echo ""
-if [ "${ADMIN_USERNAME}" ] && [ "${ADMIN_PASSWORD}" ] && [ "${ADMIN_EMAIL}" ]; then
-  echo "Create administrator"
-  python /workspace/manage.py createadminuser --username "${ADMIN_USERNAME}" --password "${ADMIN_PASSWORD}" --noinput --email "${ADMIN_EMAIL}"
-fi
-
-echo ""
-echo "Create application for drycc controller "
-python /workspace/manage.py create_oauth2_application --path /etc/drycc/passport/init-applications.json
-
 # spawn a gunicorn server in the background
 echo ""
 echo "Starting up Gunicorn"