🚧(resource-server) Allow documents API via RS

src/backend/core/api/permissions.py

@@ -1,9 +1,11 @@
 """Permission handlers for the impress core app."""
 
+from django.conf import settings
 from django.core import exceptions
 from django.db.models import Q
 from django.http import Http404
 
+from lasuite.oidc_resource_server.authentication import ResourceServerAuthentication
 from rest_framework import permissions
 
 from core.models import DocumentAccess, RoleChoices, get_trashbin_cutoff
@@ -134,3 +136,38 @@ def has_object_permission(self, request, view, obj):
             raise Http404
 
         return has_permission
+
+
+class ResourceServerClientPermission(permissions.BasePermission):
+    """
+    Permission class for resource server views.
+
+    This provides a way to open the resource server views to a limited set of
+    Service Providers.
+
+    Note: we might add a more complex permission system in the future, based on
+    the Service Provider ID and the requested scopes.
+    """
+
+    def has_permission(self, request, view):
+        """
+        Check if the user is authenticated and the token introspection
+        provides an authorized Service Provider.
+        """
+        if not isinstance(
+            request.successful_authenticator, ResourceServerAuthentication
+        ):
+            # Not a resource server request
+            return True
+
+        # Check if the user is authenticated
+        if not request.user.is_authenticated:
+            return False
+
+        if view.action not in view.resource_server_actions:
+            return False
+
+        # When used as a resource server, the request has a token audience
+        return (
+            request.resource_server_token_audience in settings.OIDC_RS_ALLOWED_AUDIENCES
+        )

src/backend/core/api/viewsets.py

@@ -25,6 +25,7 @@
 import rest_framework as drf
 from botocore.exceptions import ClientError
 from lasuite.malware_detection import malware_detection
+from lasuite.oidc_resource_server.authentication import ResourceServerAuthentication
 from rest_framework import filters, status, viewsets
 from rest_framework import response as drf_response
 from rest_framework.permissions import AllowAny
@@ -431,6 +432,7 @@ class DocumentViewSet(
     pagination_class = Pagination
     permission_classes = [
         permissions.DocumentAccessPermission,
+        permissions.ResourceServerClientPermission,
     ]
     queryset = models.Document.objects.all()
     serializer_class = serializers.DocumentSerializer
@@ -440,6 +442,22 @@ class DocumentViewSet(
     list_serializer_class = serializers.ListDocumentSerializer
     trashbin_serializer_class = serializers.ListDocumentSerializer
     tree_serializer_class = serializers.ListDocumentSerializer
+    resource_server_actions = {
+        "list",
+        "retrieve",
+        "create_for_owner",
+    }
+
+    def get_authenticators(self):
+        """Allow resource server authentication for very specific actions."""
+        authenticators = super().get_authenticators()
+
+        # self.action does not exist yet
+        action = self.action_map[self.request.method.lower()]
+        if action in self.resource_server_actions:
+            authenticators.append(ResourceServerAuthentication())
+
+        return authenticators
 
     def annotate_is_favorite(self, queryset):
         """
@@ -671,7 +689,7 @@ def trashbin(self, request, *args, **kwargs):
         authentication_classes=[authentication.ServerToServerAuthentication],
         detail=False,
         methods=["post"],
-        permission_classes=[],
+        permission_classes=[permissions.IsAuthenticated],
         url_path="create-for-owner",
     )
     @transaction.atomic

src/backend/core/authentication/__init__.py

@@ -6,6 +6,15 @@
 from rest_framework.exceptions import AuthenticationFailed
 
 
+class AuthenticatedServer:
+    """
+    Simple class to represent an authenticated server to be used along the
+    IsAuthenticated permission.
+    """
+
+    is_authenticated = True
+
+
 class ServerToServerAuthentication(BaseAuthentication):
     """
     Custom authentication class for server-to-server requests.
@@ -39,13 +48,16 @@ def authenticate(self, request):
         # Validate token format and existence
         auth_parts = auth_header.split(" ")
         if len(auth_parts) != 2 or auth_parts[0] != self.TOKEN_TYPE:
-            raise AuthenticationFailed("Invalid authorization header.")
+            # Do not raise here to leave the door open for other authentication methods
+            return None
 
         token = auth_parts[1]
         if token not in settings.SERVER_TO_SERVER_API_TOKENS:
-            raise AuthenticationFailed("Invalid server-to-server token.")
+            # Do not raise here to leave the door open for other authentication methods
+            return None
 
-        # Authentication is successful, but no user is authenticated
+        # Authentication is successful
+        return AuthenticatedServer(), token
 
     def authenticate_header(self, request):
         """Return the WWW-Authenticate header value."""

src/backend/core/urls.py

@@ -4,6 +4,7 @@
 from django.urls import include, path, re_path
 
 from lasuite.oidc_login.urls import urlpatterns as oidc_urls
+from lasuite.oidc_resource_server.urls import urlpatterns as resource_server_urls
 from rest_framework.routers import DefaultRouter
 
 from core.api import viewsets
@@ -44,6 +45,7 @@
             [
                 *router.urls,
                 *oidc_urls,
+                *resource_server_urls,
                 re_path(
                     r"^documents/(?P<resource_id>[0-9a-z-]*)/",
                     include(document_related_router.urls),

src/backend/impress/settings.py

@@ -327,7 +327,6 @@ class Base(Configuration):
 
     REST_FRAMEWORK = {
         "DEFAULT_AUTHENTICATION_CLASSES": (
-            "mozilla_django_oidc.contrib.drf.OIDCAuthentication",
             "rest_framework.authentication.SessionAuthentication",
         ),
         "DEFAULT_PARSER_CLASSES": [
@@ -586,6 +585,65 @@ class Base(Configuration):
         default=True, environ_name="ALLOW_LOGOUT_GET_METHOD", environ_prefix=None
     )
 
+    # OIDC - Docs as a resource server
+    OIDC_OP_URL = values.Value(
+        default=None, environ_name="OIDC_OP_URL", environ_prefix=None
+    )
+    OIDC_OP_INTROSPECTION_ENDPOINT = values.Value(
+        environ_name="OIDC_OP_INTROSPECTION_ENDPOINT", environ_prefix=None
+    )
+    OIDC_VERIFY_SSL = values.BooleanValue(
+        default=True, environ_name="OIDC_VERIFY_SSL", environ_prefix=None
+    )
+    OIDC_TIMEOUT = values.IntegerValue(
+        default=3, environ_name="OIDC_TIMEOUT", environ_prefix=None
+    )
+    OIDC_PROXY = values.Value(None, environ_name="OIDC_PROXY", environ_prefix=None)
+
+    OIDC_RS_BACKEND_CLASS = "lasuite.oidc_resource_server.backend.ResourceServerBackend"
+    OIDC_RS_AUDIENCE_CLAIM = values.Value(  # The claim used to identify the audience
+        default="client_id", environ_name="OIDC_RS_AUDIENCE_CLAIM", environ_prefix=None
+    )
+    OIDC_RS_PRIVATE_KEY_STR = values.Value(
+        default=None,
+        environ_name="OIDC_RS_PRIVATE_KEY_STR",
+        environ_prefix=None,
+    )
+    OIDC_RS_ENCRYPTION_KEY_TYPE = values.Value(
+        default="RSA",
+        environ_name="OIDC_RS_ENCRYPTION_KEY_TYPE",
+        environ_prefix=None,
+    )
+    OIDC_RS_ENCRYPTION_ALGO = values.Value(
+        default="RSA-OAEP",
+        environ_name="OIDC_RS_ENCRYPTION_ALGO",
+        environ_prefix=None,
+    )
+    OIDC_RS_ENCRYPTION_ENCODING = values.Value(
+        default="A256GCM",
+        environ_name="OIDC_RS_ENCRYPTION_ENCODING",
+        environ_prefix=None,
+    )
+    OIDC_RS_CLIENT_ID = values.Value(
+        None, environ_name="OIDC_RS_CLIENT_ID", environ_prefix=None
+    )
+    OIDC_RS_CLIENT_SECRET = values.Value(
+        None,
+        environ_name="OIDC_RS_CLIENT_SECRET",
+        environ_prefix=None,
+    )
+    OIDC_RS_SIGNING_ALGO = values.Value(
+        default="ES256", environ_name="OIDC_RS_SIGNING_ALGO", environ_prefix=None
+    )
+    OIDC_RS_SCOPES = values.ListValue(
+        [], environ_name="OIDC_RS_SCOPES", environ_prefix=None
+    )
+    OIDC_RS_ALLOWED_AUDIENCES = values.ListValue(
+        default=[],
+        environ_name="OIDC_RS_ALLOWED_AUDIENCES",
+        environ_prefix=None,
+    )
+
     # AI service
     AI_FEATURE_ENABLED = values.BooleanValue(
         default=False, environ_name="AI_FEATURE_ENABLED", environ_prefix=None