
Feature/app api access #1384

Merged
merged 36 commits into main from feature/app-api-access
Dec 2, 2024

Conversation

michaeljcollinsuk
Contributor

@michaeljcollinsuk michaeljcollinsuk commented Nov 8, 2024

📝 Summary

This PR contains implementation of ministryofjustice/analytical-platform#5777

These changes will allow app admins to create a machine to machine Auth0 client that use the client credential grant flow to retrieve an access token for the Control Panel API. More details about m2m authorization via Auth0 can be found here https://auth0.com/blog/using-m2m-authorization/.

When a machine-to-machine client is created, it is granted specific permissions that only allow it access specific app-related endpoints. Apps will have access to endpoints that will allow them to:

  • Retrieve details about their app
  • List app customers
  • Add app customers
  • Delete app customers

The permissions that are granted to the M2M apps have been created manually in the auth0 dev tenant, for the Control Panel localhost and dev API applications. These will need to be added to the alpha auth0 tenant before deploying to production.

Merging this PR will have the following side-effects:

  • Opens up the Control Panel API to programmatic use for the first time
  • Number of Auth0 clients could increase by up to 2x the number of apps (if all app owners decided they wanted control panel API access)

🔍 What should the reviewer concentrate on?

  • Creation of the machine-to-machine client via the manage app page
  • Obtaining and rotating client secrets
  • Using the provided client credentials to retrieve an access token and make successful requests to the Control Panel API
  • The details provided from each endpoint

🧑‍💻 How should the reviewer test these changes?

  • In your local .env file, change or add OIDC_CPANEL_API_AUDIENCE to "control-panel-localhost". This ensures that when the M2M client is created, it is granted permissions for the localhost API application in auth0, rather than the dev application.
  • Run control panel locally
  • You will need to have an app registered within control panel - register one if you don't already have one
  • Visit the manage app page, and scroll down to the Machine-to-machine API Access section
  • Use the button to create the M2M client. Store the provided credentials somewhere secure.
  • You then need to use these credentials to obtain an access token via Auth0. See the docs with code examples - I like to use Postman for testing APIs so you may want to try this.
  • When making the request to obtain an access token, along with your client credentials, ensure you set you will need to:
  • When you have successfully retrieved an access token, you are ready to test the API endpoints. Only views/viewsets that use the AppJwtPermissions should be accessible.
  • When testing, make sure that you have the app running locally and use the localhost domain. For example: http://localhost:8000/api/cpanel/v1/apps/app_name/<app-name-here>/
  • To test retrieving/adding/deleting customers, you will need to make sure the app has a relevant auth client setup - if not, you can create one from the manage app page.

📚 Documentation status

  • No changes to the documentation are required
  • This PR includes all relevant documentation
  • Documentation will be added in the future because ... (see subtask)
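The test steps above describe two halves of the flow: the client exchanges its credentials for an access token at Auth0, and the Control Panel API then only honours the token if it was issued for the right audience and carries the right permissions. The following is an added illustration of both halves and is not code from the Control Panel repository. The audience value "control-panel-localhost" and the API URL come from the steps above; the Auth0 tenant domain, the permission names, and the claim layout Auth0 mints for a client-credentials token (`gty`, `permissions`) are assumptions, and the HTTP transport is injectable so the exchange can be run offline against a constructed stub response.

```python
"""Client-credentials token exchange with Auth0, plus the claims checks an
API endpoint would apply to the resulting token. Added example, not code
from the Control Panel project."""
import json
import urllib.request

AUTH0_DOMAIN = "example-tenant.eu.auth0.com"   # assumption: placeholder tenant
API_AUDIENCE = "control-panel-localhost"        # OIDC_CPANEL_API_AUDIENCE from the PR
API_BASE = "http://localhost:8000/api/cpanel/v1"
# Assumption: one permission per endpoint group, granted to the M2M client in Auth0.
ENDPOINT_PERMISSIONS = {
    "GET /apps": "read:app",
    "GET /customers": "read:customers",
    "POST /customers": "create:customers",
    "DELETE /customers": "delete:customers",
}


def build_token_request(client_id, client_secret, audience=API_AUDIENCE, domain=AUTH0_DOMAIN):
    """Return the URL and JSON body for Auth0's client-credentials grant."""
    url = f"https://{domain}/oauth/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,  # selects the API application whose permissions are issued
    }
    return url, body


def http_post_json(url, body):
    """Real transport: POST a JSON body and decode the JSON response."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_access_token(client_id, client_secret, post=http_post_json):
    """Exchange client credentials for a bearer token; `post` is injectable for offline use."""
    url, body = build_token_request(client_id, client_secret)
    token_response = post(url, body)
    if token_response.get("token_type") != "Bearer" or "access_token" not in token_response:
        raise ValueError("unexpected token response: %r" % token_response)
    return token_response["access_token"]


def build_api_request(path, access_token, method="GET"):
    """Build the authenticated request to a Control Panel API path."""
    req = urllib.request.Request(API_BASE + path, method=method)
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/json")
    return req


def check_m2m_claims(claims, required_permission, audience=API_AUDIENCE):
    """Server-side check of an access token's claims, returning (ok, reason).

    Assumes the token signature has already been verified against the tenant's
    JWKS; claims from an unverified token must never be trusted. A token minted
    for the dev API audience is rejected by the localhost API, which is why the
    PR's test steps set OIDC_CPANEL_API_AUDIENCE before creating the client.
    """
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "audience mismatch: token not issued for this API"
    if claims.get("gty") != "client-credentials":
        return False, "not a machine-to-machine token"
    if required_permission not in claims.get("permissions", []):
        return False, f"missing permission {required_permission}"
    return True, "ok"


def stub_post(url, body):
    """Constructed Auth0 response for offline use; also checks the request shape."""
    assert url.endswith("/oauth/token") and body["grant_type"] == "client_credentials"
    assert body["audience"] == API_AUDIENCE
    return {"access_token": "constructed.m2m.token", "token_type": "Bearer", "expires_in": 86400}


if __name__ == "__main__":
    token = fetch_access_token("client-id-here", "client-secret-here", post=stub_post)
    req = build_api_request("/apps/app_name/my-app/", token)
    print(req.full_url, req.get_header("Authorization"))
    # Constructed claims in the shape assumed for an M2M client with RBAC permissions.
    claims = {"aud": [API_AUDIENCE], "gty": "client-credentials", "permissions": ["read:app"]}
    print(check_m2m_claims(claims, ENDPOINT_PERMISSIONS["GET /apps"]))
```

Swap `stub_post` for the default `http_post_json` to run the exchange against a real tenant; the claims check is the part worth porting into the API's permission class, since a token with a valid signature but the wrong audience or no matching permission is exactly the case the M2M permissions in Auth0 are meant to exclude.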

jamesstottmoj
jamesstottmoj previously approved these changes Nov 26, 2024
Contributor

@jamesstottmoj jamesstottmoj left a comment


Tested locally. Followed instructions and could access API and customer endpoints.

Encountered no issues

Update Auth0 client to allow creation of M2M applications
One time display client credentials for M2M clients and allow the client
secret to be rotated.
If the client secret rotation fails because the
client cannot be found, remove the stored client
ID and ask the user to try creating a new one.
Share behaviour via a mixin rather than inheriting
from the same view. Filter the app queryset to
objects that the request user is an admin for.
To keep consistency with the rest of the views,
allow permission checks to be done using rules.
@michaeljcollinsuk michaeljcollinsuk merged commit 2845adb into main Dec 2, 2024
12 checks passed
@michaeljcollinsuk michaeljcollinsuk deleted the feature/app-api-access branch December 2, 2024 11:59
@michaeljcollinsuk michaeljcollinsuk mentioned this pull request Dec 3, 2024
3 tasks
Successfully merging this pull request may close these issues.

Spike: AP Control Panel API access