Merge pull request teamhephy#54 from jianxiaoguo/pr

feat(oauth): using passport authentication

Author: duanhongyi

charts/controller/templates/_helpers.tpl

@@ -82,8 +82,13 @@ env:
     secretKeyRef:
       name: database-creds
       key: password
+- name: DRYCC_DATABASE_NAME
+  valueFrom:
+    secretKeyRef:
+      name: database-creds
+      key: controller-database-name
 - name: DRYCC_DATABASE_URL
-  value: "postgres://$(DRYCC_DATABASE_USER):$(DRYCC_DATABASE_PASSWORD)@$(DRYCC_DATABASE_SERVICE_HOST):$(DRYCC_DATABASE_SERVICE_PORT)/$(DRYCC_DATABASE_USER)"
+  value: "postgres://$(DRYCC_DATABASE_USER):$(DRYCC_DATABASE_PASSWORD)@$(DRYCC_DATABASE_SERVICE_HOST):$(DRYCC_DATABASE_SERVICE_PORT)/$(DRYCC_DATABASE_NAME)"
 {{- end }}
 - name: WORKFLOW_NAMESPACE
   valueFrom:
@@ -149,6 +154,30 @@ env:
 - name: "DRYCC_RABBITMQ_URL"
   value: "amqp://$(DRYCC_RABBITMQ_USERNAME):$(DRYCC_RABBITMQ_PASSWORD)@drycc-rabbitmq-0.drycc-rabbitmq.{{$.Release.Namespace}}.svc.{{$.Values.global.cluster_domain}}:5672/drycc"
 {{- end }}
+{{- if eq .Values.global.passport_location "on-cluster"}}
+- name: "DRYCC_PASSPORT_DOMAIN"
+  value: drycc-passport.{{ .Values.global.platform_domain }}
+- name: "SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/token/"
+- name: "SOCIAL_AUTH_DRYCC_ACCESS_API_URL"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/users/"
+- name: "SOCIAL_AUTH_DRYCC_USERINFO_URL"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/userinfo/"
+- name: "SOCIAL_AUTH_DRYCC_JWKS_URI"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/oauth/.well-known/jwks.json"
+- name: "SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT"
+  value: "$(DRYCC_PASSPORT_DOMAIN)/oauth"
+- name: SOCIAL_AUTH_DRYCC_CONTROLLER_KEY
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: social-auth-drycc-controller-key
+- name: SOCIAL_AUTH_DRYCC_CONTROLLER_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: passport-creds
+      key: social-auth-drycc-controller-secret
+{{- end }}
 {{- range $key, $value := .Values.environment }}
 - name: {{ $key }}
   value: {{ $value | quote }}
@@ -168,4 +197,4 @@ resources:
     memory: {{.Values.limits_memory}}
 {{- end }}
 {{- end }}
-{{- end }}
+{{- end }}

charts/controller/templates/controller-cronjob-daily.yaml

@@ -7,9 +7,10 @@ metadata:
   annotations:
     component.drycc.cc/version: {{ .Values.image_tag }}
 spec:
-  failedJobsHistoryLimit: 1
   schedule: "0 0 * * *"
-  successfulJobsHistoryLimit: 3
+  concurrencyPolicy: {{ .Values.concurrency_policy }}
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
   jobTemplate:
     spec:
       template:

charts/controller/templates/controller-cronjob-hourly.yaml

@@ -0,0 +1,31 @@
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: drycc-controller-cronjob-daily
+  labels:
+    heritage: drycc
+  annotations:
+    component.drycc.cc/version: {{ .Values.image_tag }}
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: {{ .Values.concurrency_policy }}
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          serviceAccount: drycc-controller
+          containers:
+          - image: {{.Values.image_registry}}/{{.Values.org}}/controller:{{.Values.image_tag}}
+            imagePullPolicy: {{.Values.pull_policy}}
+            name: drycc-controller-measure-app
+            command:
+              - /bin/bash
+              - -c
+            args:
+              - python -u /app/manage.py measure_app
+            {{- include "controller.envs" . | indent 12 }}
+            {{- include "controller.volumeMounts" . | indent 12 }}
+          {{- include "controller.volumes" . | indent 10 }}

charts/controller/values.yaml

@@ -22,6 +22,11 @@ app_storage_class: ""
 replicas: 1
 # Set celery replicas
 celery_replicas: 1
+# Set cronjob concurrencyPolicy
+# Allow (default): The cron job allows concurrently running jobs
+# Forbid: The cron job does not allow concurrent runs; if it is time for a new job run and the previous job run hasn't finished yet, the cron job skips the new job run
+# Replace: If it is time for a new job run and the previous job run hasn't finished yet, the cron job replaces the currently running job run with a new job run
+concurrency_policy: "Replace"
 # Configuring this will no longer use the built-in database component
 database_url: ""
 
@@ -30,6 +35,16 @@ database_url: ""
 # this is usually a non required setting.
 environment:
   RESERVED_NAMES: "drycc, drycc-builder, drycc-monitor-grafana"
+##　Oauth settings. If passport_location is off-cluster, set the following environment variables
+#  LOGIN_REDIRECT_URL: ""
+#  SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL: ""
+#  SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL: ""
+#  SOCIAL_AUTH_DRYCC_ACCESS_API_URL: ""
+#  SOCIAL_AUTH_DRYCC_USERINFO_URL: ""
+#  SOCIAL_AUTH_DRYCC_JWKS_URI: ""
+#  SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT: ""
+#  SOCIAL_AUTH_DRYCC_KEY: ""
+#  SOCIAL_AUTH_DRYCC_SECRET: ""
 
 redis:
   replicas: 1
@@ -79,3 +94,4 @@ global:
   platform_domain: ""
   # Whether cert_manager is enabled to automatically generate controller certificates
   cert_manager_enabled: "true"
+  passport_location: "on-cluster"

rootfs/Dockerfile

@@ -9,7 +9,7 @@ RUN apk add --update --virtual .build-deps \
     cargo \
     libffi-dev \
     musl-dev \
-    openldap-dev \
+    openssl-dev \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
   && runDeps="$( \
     scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \

rootfs/api/apps_extra/__init__.py

@@ -0,0 +1,124 @@
+from urllib.parse import quote
+
+from social_core.utils import sanitize_redirect, user_is_authenticated, \
+                   user_is_active, partial_pipeline_data, setting_url
+
+
+def do_auth(backend, redirect_name='next'):
+    # Save any defined next value into session
+    data = backend.strategy.request_data(merge=False)
+
+    # Save extra data into session.
+    for field_name in backend.setting('FIELDS_STORED_IN_SESSION', []):
+        if field_name in data:
+            backend.strategy.session_set(field_name, data[field_name])
+        else:
+            backend.strategy.session_set(field_name, None)
+    # uri = None
+    if redirect_name in data:
+        # Check and sanitize a user-defined GET/POST next field value
+        redirect_uri = data[redirect_name]
+        if backend.setting('SANITIZE_REDIRECTS', True):
+            allowed_hosts = backend.setting('ALLOWED_REDIRECT_HOSTS', []) + \
+                            [backend.strategy.request_host()]
+            redirect_uri = sanitize_redirect(allowed_hosts, redirect_uri)
+        backend.strategy.session_set(
+            redirect_name,
+            redirect_uri or backend.setting('LOGIN_REDIRECT_URL')
+        )
+    response = backend.start()
+    url = response.url.split('?')[1]
+
+    def form2json(form_data):
+        from urllib.parse import parse_qs, urlparse
+        query = urlparse('?' + form_data).query
+        params = parse_qs(query)
+        return {key: params[key][0] for key in params}
+    from django.core.cache import cache
+    cache.set("oidc_key_" + data.get('key', ''), form2json(url).get('state'), 60 * 10)
+    return response
+
+
+def do_complete(backend, login, user=None, redirect_name='next',
+                *args, **kwargs):
+    data = backend.strategy.request_data()
+
+    is_authenticated = user_is_authenticated(user)
+    user = user if is_authenticated else None
+
+    partial = partial_pipeline_data(backend, user, *args, **kwargs)
+    if partial:
+        user = backend.continue_pipeline(partial)
+        # clean partial data after usage
+        backend.strategy.clean_partial_pipeline(partial.token)
+    else:
+        user = backend.complete(user=user, *args, **kwargs)
+
+    # pop redirect value before the session is trashed on login(), but after
+    # the pipeline so that the pipeline can change the redirect if needed
+    redirect_value = backend.strategy.session_get(redirect_name, '') or \
+        data.get(redirect_name, '')
+
+    # check if the output value is something else than a user and just
+    # return it to the client
+    user_model = backend.strategy.storage.user.user_model()
+    if user and not isinstance(user, user_model):
+        return user
+
+    if is_authenticated:
+        if not user:
+            url = setting_url(backend, redirect_value, 'LOGIN_REDIRECT_URL')
+        else:
+            url = setting_url(backend, redirect_value,
+                              'NEW_ASSOCIATION_REDIRECT_URL',
+                              'LOGIN_REDIRECT_URL')
+    elif user:
+        if user_is_active(user):
+            # catch is_new/social_user in case login() resets the instance
+            is_new = getattr(user, 'is_new', False)
+            social_user = user.social_user
+            login(backend, user, social_user)
+            # store last login backend name in session
+            backend.strategy.session_set('social_auth_last_login_backend',
+                                         social_user.provider)
+
+            if is_new:
+                url = setting_url(backend,
+                                  'NEW_USER_REDIRECT_URL',
+                                  redirect_value,
+                                  'LOGIN_REDIRECT_URL')
+            else:
+                url = setting_url(backend, redirect_value,
+                                  'LOGIN_REDIRECT_URL')
+        else:
+            if backend.setting('INACTIVE_USER_LOGIN', False):
+                social_user = user.social_user
+                login(backend, user, social_user)
+            url = setting_url(backend, 'INACTIVE_USER_URL', 'LOGIN_ERROR_URL',
+                              'LOGIN_URL')
+    else:
+        url = setting_url(backend, 'LOGIN_ERROR_URL', 'LOGIN_URL')
+
+    if redirect_value and redirect_value != url:
+        redirect_value = quote(redirect_value)
+        url += ('&' if '?' in url else '?') + \
+            '{0}={1}'.format(redirect_name, redirect_value)
+
+    if backend.setting('SANITIZE_REDIRECTS', True):
+        allowed_hosts = backend.setting('ALLOWED_REDIRECT_HOSTS', []) + \
+                        [backend.strategy.request_host()]
+        url = sanitize_redirect(allowed_hosts, url) or \
+            backend.setting('LOGIN_REDIRECT_URL')
+    response = backend.strategy.redirect(url)
+    social_auth = user.social_auth.filter(provider='drycc').\
+        order_by('-modified').last()
+    response.set_cookie("name", user.username,
+                        max_age=social_auth.extra_data.get('expires_in'))
+    response.set_cookie("id_token", social_auth.extra_data.get('id_token'),
+                        max_age=social_auth.extra_data.get('expires_in'))
+    from django.core.cache import cache
+    cache.set("oidc_state_" + data.get('state'),
+              {'token': social_auth.extra_data.get('id_token', 'fail'),
+               'username': user.username},
+              60 * 10)
+    return response

rootfs/api/apps_extra/social_core/actions.py

@@ -35,9 +35,9 @@ def authenticate(self, request):
             return AnonymousUser(), None
 
 
-class DryccTokenAuthentication(TokenAuthentication):
+class DryccOIDCAuthentication(TokenAuthentication):
     def authenticate(self, request):
-        if 'manager' in request.META.get('HTTP_USER_AGENT', ''):
+        if 'Drycc' in request.META.get('HTTP_USER_AGENT', ''):
             auth = get_authorization_header(request).split()
 
             if not auth or auth[0].lower() != self.keyword.lower().encode():
@@ -57,7 +57,7 @@ def authenticate(self, request):
                 raise exceptions.AuthenticationFailed(msg)
             return cache.get_or_set(
                 token, lambda: self._get_user(token), settings.OAUTH_CACHE_USER_TIME), None  # noqa
-        return super(DryccTokenAuthentication, self).authenticate(request)  # noqa
+        return super(DryccOIDCAuthentication, self).authenticate(request)  # noqa
 
     @staticmethod
     def _get_user(key):

rootfs/api/authentication.py

@@ -1,6 +1,10 @@
+from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.core.exceptions import ObjectDoesNotExist
 
+from social_core.backends.oauth import BaseOAuth2
+from social_core.backends.open_id_connect import OpenIdConnectAuth
+
 from api import serializers
 from api.oauth import OAuthManager
 
@@ -29,3 +33,71 @@ def get_user(self, user_id):
         except ObjectDoesNotExist:
             pass
         return user
+
+
+class DryccOAuth(BaseOAuth2):
+    """Drycc OAuth authentication backend"""
+    name = 'drycc'
+    AUTHORIZATION_URL = settings.SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL
+    ACCESS_TOKEN_URL = settings.SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL
+    ACCESS_TOKEN_METHOD = 'POST'
+    SCOPE_SEPARATOR = ','
+    EXTRA_DATA = [
+        ('id', 'id'),
+        ('access_token', 'access_token'),
+        ('refresh_token', 'refresh_token'),
+        ('expires_in', 'expires_in'),
+        ('token_type', 'token_type'),
+        ('id_token', 'id_token'),
+        ('scope', 'scope'),
+    ]
+
+    def get_user_details(self, response):
+        """Return user details from GitHub account"""
+        print(response)
+        return {
+            'username': response.get('username'),
+            'email': response.get('email') or '',
+            'first_name': response.get('first_name'),
+            'last_name': response.get('last_name'),
+            'is_superuser': response.get('is_superuser'),
+            'is_staff': response.get('is_staff'),
+            'is_active': response.get('is_active'),
+        }
+
+    def user_data(self, access_token, *args, **kwargs):
+        """Loads user data from service"""
+        url = settings.SOCIAL_AUTH_DRYCC_ACCESS_API_URL
+        return self.get_json(url, headers={
+            'authorization': 'Bearer ' + access_token})
+
+    def get_user_id(self, details, response):
+        """Use user account id as unique id"""
+        return response.get('id')
+
+
+class DryccOIDC(OpenIdConnectAuth):
+    """Drycc Openid Connect authentication backend"""
+    name = 'drycc'
+    AUTHORIZATION_URL = settings.SOCIAL_AUTH_DRYCC_AUTHORIZATION_URL
+    ACCESS_TOKEN_URL = settings.SOCIAL_AUTH_DRYCC_ACCESS_TOKEN_URL
+    USERINFO_URL = settings.SOCIAL_AUTH_DRYCC_USERINFO_URL
+    JWKS_URI = settings.SOCIAL_AUTH_DRYCC_JWKS_URI
+    OIDC_ENDPOINT = settings.SOCIAL_AUTH_DRYCC_OIDC_ENDPOINT
+    DEFAULT_SCOPE = ['openid']
+    EXTRA_DATA = [
+        ('id', 'id'),
+        ('access_token', 'access_token'),
+        ('refresh_token', 'refresh_token'),
+        ('expires_in', 'expires_in'),
+        ('token_type', 'token_type'),
+        ('id_token', 'id_token'),
+        ('scope', 'scope'),
+    ]
+
+    from social_core.utils import cache
+
+    @cache(ttl=86400)
+    def oidc_config(self):
+        return self.get_json(self.OIDC_ENDPOINT +
+                             '/.well-known/openid-configuration/')

rootfs/api/backend.py

@@ -29,6 +29,9 @@ def _query_stream(flux_script: str) -> Iterator[FluxRecord]:
         except ApiException as e:
             logger.exception(e)
             yield from []
+        except Exception as e:
+            logger.exception(e)
+            yield from []
         else:
             yield from records