feat(oauth): use oauth to unify service-to-service authentication.

Author: duanhongyi

charts/passport/values.yaml

@@ -118,14 +118,34 @@ initApplications:
   key: ""
   secret: ""
   prefix: "drycc"
-  grant_type: "password"
+  grant_type: "internal"
+  client_type: "confidential"
+  allowed_scopes: "openid profile email manager:workspace manager:usage passport:message"
   redirect_uri: "/v2/complete/drycc/"
 - name: "grafana"
   key: ""
   secret: ""
   prefix: "drycc-grafana"
-  grant_type: "authorization-code"
+  grant_type: "internal"
+  client_type: "confidential"
+  allowed_scopes: "openid profile email controller:metrics controller:logs"
   redirect_uri: "/oauth2/callback"
+- name: "builder"
+  key: ""
+  secret: ""
+  prefix: ""
+  grant_type: "client-credentials"
+  client_type: "confidential"
+  allowed_scopes: "controller:hook"
+  redirect_uri: ""
+- name: "manager"
+  key: ""
+  secret: ""
+  prefix: ""
+  grant_type: "client-credentials"
+  client_type: "confidential"
+  allowed_scopes: "controller:blocklist"
+  redirect_uri: ""
 
 # Service
 service:

rootfs/api/admin.py

@@ -1,7 +1,22 @@
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
+from oauth2_provider.admin import ApplicationAdmin as BaseApplicationAdmin
 
-from .models import User, Message, MessagePreference
+from .models import User, Message, MessagePreference, Application
+
+
+try:
+    admin.site.unregister(Application)
+except admin.sites.NotRegistered:
+    pass
+
+
+@admin.register(Application)
+class ApplicationAdmin(BaseApplicationAdmin):
+    list_display = (
+        "id", "name", "user", "client_type",
+        "authorization_grant_type", "allowed_scopes",
+    )
 
 
 class UserAdmin(BaseUserAdmin):

rootfs/api/management/commands/create_oauth2_application.py

@@ -35,8 +35,9 @@ def handle(self, *args, **options):
                     'client_secret': self._get_creds(item, "secret", 60),
                     'user': user,
                     'redirect_uris': self._get_redirect_uri(item),
-                    'authorization_grant_type': item['grant_type'],
-                    'client_type': 'public',
+                    'authorization_grant_type': item.get('grant_type', 'public'),
+                    'client_type': item.get('client_type', 'public'),
+                    'allowed_scopes': item.get('allowed_scopes', ''),
                     'algorithm': 'RS256'
                 }
             )

rootfs/api/migrations/0005_application_allowed_scopes_and_internal_grant.py

@@ -0,0 +1,35 @@
+# Generated by Django 5.2.13 on 2026-05-09 12:00
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+def forward_data_migration(apps, schema_editor):
+    Application = apps.get_model('api', 'Application')
+    oauth2_settings = getattr(settings, 'OAUTH2_PROVIDER', {})
+    default_provider_scopes_list = oauth2_settings.get("DEFAULT_SCOPES", ['openid', 'email', 'profile'])
+    default_provider_scopes = " ".join(default_provider_scopes_list)
+
+    for app in Application.objects.all():
+        if not app.allowed_scopes:
+            app.allowed_scopes = default_provider_scopes
+        
+        if app.name.lower() in ("controller", "grafana"):
+            app.authorization_grant_type = "internal"
+            
+        app.save()
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0004_alter_application_authorization_grant_type_message_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='application',
+            name='allowed_scopes',
+            field=models.TextField(blank=True, default=''),
+        ),
+        migrations.RunPython(forward_data_migration, reverse_code=migrations.RunPython.noop),
+    ]

rootfs/api/models.py

@@ -11,11 +11,16 @@ class User(AbstractUser):
 
 
 class Application(AbstractApplication):
+    GRANT_INTERNAL = "internal"
+    GRANT_TYPES = AbstractApplication.GRANT_TYPES + (
+        (GRANT_INTERNAL, _("Internal")),
+    )
+    allowed_scopes = models.TextField(blank=True, default="")
 
     def allows_grant_type(self, *grant_types):
-        return self.GRANT_AUTHORIZATION_CODE in grant_types or super().allows_grant_type(
-            *grant_types
-        )
+        if self.authorization_grant_type == self.GRANT_INTERNAL:
+            return True
+        return super().allows_grant_type(*grant_types)
 
 
 class Message(models.Model):

rootfs/api/oauth2_validators.py

@@ -3,6 +3,13 @@
 
 class CustomOAuth2Validator(OAuth2Validator):
 
+    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        if client.allowed_scopes:
+            allowed = set(client.allowed_scopes.split())
+            if not set(scopes).issubset(allowed):
+                return False
+        return super().validate_scopes(client_id, scopes, client, request, *args, **kwargs)
+
     oidc_claim_scope = OAuth2Validator.oidc_claim_scope
     oidc_claim_scope.update({
         "id": "profile",

rootfs/api/permissions.py

@@ -0,0 +1,32 @@
+from django.utils import timezone
+from rest_framework import permissions
+
+from oauth2_provider.models import AccessToken
+
+
+class HasOAuthScope(permissions.BasePermission):
+    """
+    Object-level permission to allow only requests with specific OAuth scopes.
+    The required scopes are defined on the view as `required_oauth_scopes = ['scope1', 'scope2']`
+    """
+    def has_permission(self, request, view):
+        required_oauth_scopes = getattr(view, 'required_oauth_scopes', [])
+        if not required_oauth_scopes:
+            return True
+
+        auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+        parts = auth_header.split()
+        if len(parts) == 2 and parts[0].lower() == 'bearer':
+            token_string = parts[1]
+        else:
+            return False
+
+        scopes = self.get_token_scopes(token_string)
+        return set(required_oauth_scopes).issubset(scopes)
+
+    def get_token_scopes(self, token_string):
+        try:
+            access_token = AccessToken.objects.get(token=token_string, expires__gt=timezone.now())
+            return set(access_token.scope.split())
+        except AccessToken.DoesNotExist:
+            return set()

rootfs/api/serializers.py

@@ -98,3 +98,21 @@ class Meta:
         fields = ['email_alerts', 'push_alerts', 'webhook_url',
                   'notify_security', 'notify_system', 'notify_product',
                   'notify_alert', 'notify_service']
+
+
+class ServiceMessageSerializer(MessageSerializer):
+    username = serializers.CharField(write_only=True)
+
+    class Meta(MessageSerializer.Meta):
+        fields = MessageSerializer.Meta.fields + ['username']
+
+    def create(self, validated_data):
+        from django.contrib.auth import get_user_model
+        User = get_user_model()
+        username = validated_data.pop('username')
+        try:
+            user = User.objects.get(username=username)
+        except User.DoesNotExist:
+            raise serializers.ValidationError({"username": "User not found."})
+        validated_data['user'] = user
+        return super().create(validated_data)

rootfs/api/settings/production.py

@@ -329,6 +329,13 @@
         "email": "Email",
         "profile": "Profile",
         "openid": "OpenID Connect scope",
+        "controller:hook": "Controller Hook",
+        "controller:blocklist": "Controller Blocklist",
+        "controller:logs": "Controller Logs",
+        "controller:metrics": "Controller Metrics",
+        "manager:workspace": "Manager Workspace",
+        "manager:usage": "Manager Usage",
+        "passport:message": "Passport Message",
     },
     "DEFAULT_SCOPES": ['openid', 'email', 'profile'],
     "DEFAULT_CODE_CHALLENGE_METHOD": 'S256',

rootfs/api/tests/test_views.py

@@ -492,8 +492,40 @@ def test_list_messages_supports_limit_offset_pagination(self):
         self.assertEqual(len(response.data['results']), 1)
         self.assertEqual(response.data['count'], 2)
 
-    def test_create_message_for_current_user(self):
-        response = self.client.post(reverse('user_messages-list'), {
+    def test_service_message_create(self):
+        from api.models import Application
+        from urllib.parse import urlencode
+
+        # Setup application
+        Application.objects.create(
+            name='test_app',
+            client_type='confidential',
+            client_id='my_test_client_id',
+            client_secret='my_test_client_secret',
+            authorization_grant_type='client-credentials',
+            user=self.user
+        )
+
+        # 1. Fetch access token via client-credentials flow
+        data = urlencode({
+            'grant_type': 'client_credentials',
+            'client_id': 'my_test_client_id',
+            'client_secret': 'my_test_client_secret',
+            'scope': 'passport:message'
+        })
+
+        token_response = self.client.post(
+            '/oauth/token/',
+            data=data,
+            content_type='application/x-www-form-urlencoded'
+        )
+
+        self.assertEqual(token_response.status_code, 200, token_response.json())
+        access_token = token_response.json()['access_token']
+
+        # 2. Use the access token to create a message
+        response = self.client.post('/messages/', {
+            'username': self.user.username,
             'category': 'alert',
             'title': 'Created from API',
             'content': 'API created content',
@@ -502,12 +534,10 @@ def test_create_message_for_current_user(self):
             'is_read': False,
             'action_link': '/messages',
             'action_text': 'Open',
-        })
+        }, HTTP_AUTHORIZATION=f'Bearer {access_token}')
 
-        self.assertEqual(response.status_code, status.HTTP_201_CREATED)
-        created = Message.objects.get(id=response.data['id'])
-        self.assertEqual(created.user, self.user)
-        self.assertEqual(created.category, 'alert')
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(Message.objects.filter(user=self.user, title='Created from API').exists())
 
     def test_mark_all_messages_as_read(self):
         response = self.client.put(reverse('user_messages-mark-all-read'))