WIP: Restricted OAuth Initial Design & Implementation

lms/djangoapps/grades/api/views.py

@@ -9,7 +9,10 @@
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.generics import GenericAPIView, ListAPIView
 from rest_framework.response import Response
-
+from rest_framework.permissions import IsAuthenticated
+from edx_rest_framework_extensions.permissions import JWTRestrictedApplicationPermission
+from edx_rest_framework_extensions.authentication import JwtAuthentication
+from openedx.core.lib.api.authentication import OAuth2AuthenticationAllowInactiveUser
 from courseware.access import has_access
 from lms.djangoapps.courseware import courses
 from lms.djangoapps.courseware.exceptions import CourseAccessRedirect
@@ -160,6 +163,19 @@ class UserGradeView(GradeViewMixin, GenericAPIView):
         }]
 
     """
+    authentication_classes = (
+        JwtAuthentication,
+        OAuth2AuthenticationAllowInactiveUser,
+    )
+    permission_classes = (IsAuthenticated, JWTRestrictedApplicationPermission,)
+
+    # needed for passing JWTRestrictedApplicationPermission checks
+    # for RestrictedApplications (only). A RestrictedApplication can
+    # only call this method if it is allowed to receive a 'grades:read'
+    # scope
+    restricted_oauth_required = True
+    required_scopes = ['grades:read']
+
     def get(self, request, course_id):
         """
         Gets a course progress status.
@@ -171,6 +187,17 @@ def get(self, request, course_id):
         Return:
             A JSON serialized representation of the requesting user's current grade status.
         """
+        # See if the request has an explicit sattr(request, 'allowed_organizations'))
+        # which limits which OAuth2 clients can see the courses
+        # based on the association with a RestrictedApplication
+        if hasattr(request, 'auth') and hasattr(request, 'filters'):
+            course_key = CourseKey.from_string(course_id)
+            if course_key.org not in request.filters['content_org']:
+                return self.make_error_response(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    developer_message='The OAuth2 RestrictedApplication is not associated with org.',
+                    error_code='course_org_not_associated_with_calling_application'
+                )
 
         course = self._get_course(course_id, request.user, 'load')
         if isinstance(course, Response):

lms/envs/common.py

@@ -498,20 +498,22 @@
 OAUTH2_PROVIDER = {
     'OAUTH2_VALIDATOR_CLASS': 'openedx.core.djangoapps.oauth_dispatch.dot_overrides.validators.EdxOAuth2Validator',
     'REFRESH_TOKEN_EXPIRE_SECONDS': 20160,
+    'SCOPES_BACKEND_CLASS':'openedx.core.djangoapps.oauth_dispatch.scopes.DynamicScopes',
     'SCOPES': {
         'read': 'Read access',
         'write': 'Write access',
         'email': 'Know your email address',
         # conform profile scope message that is presented to end-user
         # to lms/templates/provider/authorize.html. This may be revised later.
         'profile': 'Know your name and username',
+        'grades:read': 'Retrieve your grades for your enrolled courses'
     },
     'REQUEST_APPROVAL_PROMPT': 'auto_even_if_expired',
 }
 # This is required for the migrations in oauth_dispatch.models
 # otherwise it fails saying this attribute is not present in Settings
-OAUTH2_PROVIDER_APPLICATION_MODEL = 'oauth2_provider.Application'
-
+##OAUTH2_PROVIDER_APPLICATION_MODEL = 'oauth2_provider.Application'
+OAUTH2_PROVIDER_APPLICATION_MODEL = 'oauth_dispatch.OauthRestrictedApplication'
 ################################## TEMPLATE CONFIGURATION #####################################
 # Mako templating
 import tempfile
@@ -2402,6 +2404,8 @@ def _make_locale_paths(settings):
     "reddit",
 ]
 
+DEFAULT_JWT_ISSUER = 'test-issuer-1',
+DEFAULT_RESTRICTED_JWT_ISSUER = 'test-issuer-2'
 # JWT Settings
 JWT_AUTH = {
     # TODO Set JWT_SECRET_KEY to a secure value. By default, SECRET_KEY will be used.
@@ -2416,6 +2420,18 @@ def _make_locale_paths(settings):
     'JWT_DECODE_HANDLER': 'edx_rest_framework_extensions.utils.jwt_decode_handler',
     # Number of seconds before JWT tokens expire
     'JWT_EXPIRATION': 30,
+    'JWT_ISSUERS': [
+        {
+            'ISSUER':'test-issuer-1',
+            'SECRET_KEY':'test-secret-key-1',
+            'AUDIENCE':'test-audience-1',
+        },
+        {
+            'ISSUER':'test-issuer-2',
+            'SECRET_KEY':'test-secret-key-2',
+            'AUDIENCE':'test-audience-2',
+        }
+    ]
 }
 
 # The footer URLs dictionary maps social footer names

openedx/core/djangoapps/oauth_dispatch/admin.py

@@ -5,7 +5,7 @@
 from django.contrib.admin import ModelAdmin, site
 from oauth2_provider import models
 
-from .models import RestrictedApplication
+from .models import RestrictedApplication, OauthRestrictOrganization, OauthRestrictedApplication
 
 
 def reregister(model_class):
@@ -52,17 +52,6 @@ class DOTRefreshTokenAdmin(ModelAdmin):
     search_fields = [u'token', u'user__username', u'access_token__token']
 
 
-@reregister(models.Application)
-class DOTApplicationAdmin(ModelAdmin):
-    """
-    Custom Application Admin
-    """
-    list_display = [u'name', u'user', u'client_type', u'authorization_grant_type', u'client_id']
-    list_filter = [u'client_type', u'authorization_grant_type']
-    raw_id_fields = [u'user']
-    search_fields = [u'name', u'user__username', u'client_id']
-
-
 @reregister(models.Grant)
 class DOTGrantAdmin(ModelAdmin):
     """
@@ -79,7 +68,28 @@ class RestrictedApplicationAdmin(ModelAdmin):
     """
     ModelAdmin for the Restricted Application
     """
-    list_display = [u'application']
-
+    list_display = [u'application', u'_org_associations']
 
 site.register(RestrictedApplication, RestrictedApplicationAdmin)
+
+
+@reregister(OauthRestrictedApplication)
+class OauthRestrictedApplicationAdmin(ModelAdmin):
+    """
+    ModelAdmin for the Restricted Application
+    """
+    list_display = [u'name', u'user', u'client_type', u'authorization_grant_type', u'client_id']
+    list_filter = [u'client_type', u'authorization_grant_type']
+    raw_id_fields = [u'user']
+    search_fields = [u'name', u'user__username', u'client_id']
+
+
+class OauthRestrictOrganizationAdmin(ModelAdmin):
+    """
+    ModelAdmin for the Restricted Application
+    """
+    list_display = [u'application','organization_type']
+    filter_horizontal = ('_org_associations',)
+
+site.register(OauthRestrictOrganization, OauthRestrictOrganizationAdmin)
+

openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py

@@ -13,9 +13,9 @@
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from pytz import utc
 from ratelimitbackend.backends import RateLimitMixin
-
-from ..models import RestrictedApplication
-
+from django.conf import settings
+from ..models import RestrictedApplication, OauthRestrictedApplication
+from openedx.core.djangoapps.oauth_dispatch.utils import is_oauth_scope_enforcement_enabled
 
 @receiver(pre_save, sender=AccessToken)
 def on_access_token_presave(sender, instance, *args, **kwargs):  # pylint: disable=unused-argument
@@ -25,11 +25,8 @@ def on_access_token_presave(sender, instance, *args, **kwargs):  # pylint: disab
 
     We do this as a pre-save hook on the ORM
     """
-
-    is_application_restricted = RestrictedApplication.objects.filter(application=instance.application).exists()
-    if is_application_restricted:
-        RestrictedApplication.set_access_token_as_expired(instance)
-
+    if not is_oauth_scope_enforcement_enabled():
+        OauthRestrictedApplication.set_access_token_as_expired(instance)
 
 # TODO: Remove Django 1.11 upgrade shim
 # SHIM: Allow users that are inactive to still authenticate while keeping rate-limiting functionality.
@@ -112,8 +109,7 @@ def save_bearer_token(self, token, request, *args, **kwargs):
 
         super(EdxOAuth2Validator, self).save_bearer_token(token, request, *args, **kwargs)
 
-        is_application_restricted = RestrictedApplication.objects.filter(application=request.client).exists()
-        if is_application_restricted:
+        if not is_oauth_scope_enforcement_enabled():
             # Since RestrictedApplications will override the DOT defined expiry, so that access_tokens
             # are always expired, we need to re-read the token from the database and then calculate the
             # expires_in (in seconds) from what we stored in the database. This value should be a negative
@@ -122,7 +118,6 @@ def save_bearer_token(self, token, request, *args, **kwargs):
             access_token = AccessToken.objects.get(token=token['access_token'])
             utc_now = datetime.utcnow().replace(tzinfo=utc)
             expires_in = (access_token.expires - utc_now).total_seconds()
-
             # assert that RestrictedApplications only issue expired tokens
             # blow up processing if we see otherwise
             assert expires_in < 0
@@ -132,3 +127,20 @@ def save_bearer_token(self, token, request, *args, **kwargs):
         # Restore the original request attributes
         request.grant_type = grant_type
         request.user = user
+
+    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        Override the DOT implementation to add checks to make sure that a
+        RestrictedApplication is not granted scopes that it has not been
+        permitted to do
+        """
+
+        restricted_application = RestrictedApplication.get_restricted_application(client)
+        if restricted_application:
+            # caller is restricted, so we must vet the allowed scopes for that restricted application
+            return set(scopes).issubset(restricted_application.allowed_scopes)
+
+        # not a restricted application, call into base implementation,
+        # which - basically - pulls the list of scopes from configuration settings as a global
+        # definition
+        return super(EdxOAuth2Validator, self).validate_scopes(client_id, scopes, client, request, *args, **kwargs)

openedx/core/djangoapps/oauth_dispatch/migrations/0002_auto_20180503_0349.py

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.12 on 2018-05-03 07:49
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('organizations', '0006_auto_20171207_0259'),
+        ('oauth_dispatch', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='restrictedapplication',
+            name='_allowed_scopes',
+            field=models.TextField(null=True),
+        ),
+        migrations.AddField(
+            model_name='restrictedapplication',
+            name='_org_associations',
+            field=models.ForeignKey(default=b'', on_delete=django.db.models.deletion.CASCADE, to='organizations.Organization'),
+        ),
+        migrations.AlterField(
+            model_name='restrictedapplication',
+            name='application',
+            field=models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='restricted_application', to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL),
+        ),
+    ]

openedx/core/djangoapps/oauth_dispatch/migrations/0002_auto_20180515_1350.py

@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.12 on 2018-05-15 17:50
+from __future__ import unicode_literals
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import oauth2_provider.generators
+import oauth2_provider.validators
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('organizations', '0006_auto_20171207_0259'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        migrations.swappable_dependency(settings.OAUTH2_PROVIDER_APPLICATION_MODEL),
+        ('oauth_dispatch', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='OauthRestrictedApplication',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('client_id', models.CharField(db_index=True, default=oauth2_provider.generators.generate_client_id, max_length=100, unique=True)),
+                ('redirect_uris', models.TextField(blank=True, help_text='Allowed URIs list, space separated', validators=[oauth2_provider.validators.validate_uris])),
+                ('client_type', models.CharField(choices=[('confidential', 'Confidential'), ('public', 'Public')], max_length=32)),
+                ('authorization_grant_type', models.CharField(choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'), ('password', 'Resource owner password-based'), ('client-credentials', 'Client credentials')], max_length=32)),
+                ('client_secret', models.CharField(blank=True, db_index=True, default=oauth2_provider.generators.generate_client_secret, max_length=255)),
+                ('name', models.CharField(blank=True, max_length=255)),
+                ('skip_authorization', models.BooleanField(default=False)),
+                ('allowed_scope', models.TextField(blank=True)),
+                ('user', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='oauth_dispatch_oauthrestrictedapplication', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.CreateModel(
+            name='OauthRestrictOrganization',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('organization_type', models.CharField(choices=[(b'content_provider', 'Content Provider'), (b'user_provider', 'User Provider')], default=b'content_provider', max_length=32)),
+                ('_org_associations', models.ManyToManyField(to='organizations.Organization')),
+                ('application', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL)),
+            ],
+        ),
+        migrations.AlterField(
+            model_name='restrictedapplication',
+            name='application',
+            field=models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, related_name='restricted_application', to=settings.OAUTH2_PROVIDER_APPLICATION_MODEL),
+        ),
+    ]