feat: per-user secured Algolia API keys

Co-authored-by: Piotr Surowiec <[email protected]> (cherry picked from commit 3c9c3dc)
open-craft · Nov 18, 2023 · e67e61e · e67e61e
1 parent e74f608
commit e67e61e
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 0 deletions.
diff --git a/enterprise/api/v1/views.py b/enterprise/api/v1/views.py
@@ -7,6 +7,7 @@
 from urllib.parse import quote_plus, unquote
 
 import requests
+from algoliasearch.search_client import SearchClient
 from django_filters.rest_framework import DjangoFilterBackend
 from edx_rbac.decorators import permission_required
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
@@ -451,6 +452,44 @@ def toggle_universal_link(self, request, pk=None):
         headers = self.get_success_headers(response_body)
         return Response(response_body, status=HTTP_200_OK, headers=headers)
 
+    @action(detail=False)
+    def algolia_key(self, request, *args, **kwargs):
+        """
+        Returns an Algolia API key that is secured to only allow searching for
+        objects associated with enterprise customers that the user is linked to.
+
+        This endpoint is used with `frontend-app-learner-portal-enterprise` MFE
+        currently.
+        """
+
+        if not (api_key := getattr(settings, "ENTERPRISE_ALGOLIA_SEARCH_API_KEY", "")):
+            LOGGER.warning("Algolia search API key is not configured. To enable this view, "
+                           "set `ENTERPRISE_ALGOLIA_SEARCH_API_KEY` in settings.")
+            raise Http404
+
+        queryset = self.queryset.filter(
+            **{
+                self.USER_ID_FILTER: request.user.id,
+                "enterprise_customer_users__linked": True
+            }
+        ).values_list("uuid", flat=True)
+
+        if len(queryset) == 0:
+            raise NotFound(_("User is not linked to any enterprise customers."))
+
+        secured_key = SearchClient.generate_secured_api_key(
+            api_key,
+            {
+                "filters": " OR ".join(
+                    f"enterprise_customer_uuids:{enterprise_customer_uuid}"
+                    for enterprise_customer_uuid
+                    in queryset
+                ),
+            }
+        )
+
+        return Response({"key": secured_key}, status=HTTP_200_OK)
+
 
 class EnterpriseCourseEnrollmentViewSet(EnterpriseReadWriteModelViewSet):
     """

diff --git a/enterprise/settings/test.py b/enterprise/settings/test.py
@@ -218,6 +218,8 @@ def root(*args):
     'status': 'published'
 }
 
+ENTERPRISE_ALGOLIA_SEARCH_API_KEY = 'test'
+
 TABLEAU_URL = 'http://localhost'
 TABLEAU_ADMIN_USER = 'edx'
 TABLEAU_ADMIN_USER_PASSWORD = 'edx'

diff --git a/tests/test_enterprise/api/test_views.py b/tests/test_enterprise/api/test_views.py
@@ -2,6 +2,7 @@
 Tests for the `edx-enterprise` api module.
 """
 
+import base64
 import json
 import uuid
 from datetime import datetime, timedelta
@@ -114,6 +115,7 @@
 ENTERPRISE_CUSTOMER_REPORTING_ENDPOINT = reverse('enterprise-customer-reporting-list')
 ENTERPRISE_LEARNER_LIST_ENDPOINT = reverse('enterprise-learner-list')
 ENTERPRISE_CUSTOMER_WITH_ACCESS_TO_ENDPOINT = reverse('enterprise-customer-with-access-to')
+ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT = reverse('enterprise-customer-algolia-key')
 PENDING_ENTERPRISE_LEARNER_LIST_ENDPOINT = reverse('pending-enterprise-learner-list')
 LICENSED_ENTERPISE_COURSE_ENROLLMENTS_REVOKE_ENDPOINT = reverse(
     'licensed-enterprise-course-enrollment-license-revoke'
@@ -1608,6 +1610,52 @@ def test_partial_update(self, enterprise_role, enterprise_uuid_for_role, expecte
             enterprise_customer.refresh_from_db()
             assert enterprise_customer.slug == 'new-slug'
 
+    def test_algolia_key(self):
+        """
+        Tests that the endpoint algolia_key endpoint returns the correct secured key.
+        """
+
+        # Test that the endpoint returns 401 if the user is not logged in.
+        self.client.logout()
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+        username = 'test_learner_portal_user'
+        self.create_user(username=username, is_staff=False)
+        self.client.login(username=username, password=TEST_PASSWORD)
+
+        # Test that the endpoint returns 404 if the Algolia Search API key is not set.
+        with override_settings(ENTERPRISE_ALGOLIA_SEARCH_API_KEY=None):
+            response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+            assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        # Test that the endpoint returns 404 if the user is not linked to any enterprise.
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        # Test that the endpoint returns 200 if the user is linked to at least one enterprise.
+        enterprise_customer_1 = factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[0])
+        enterprise_customer_2 = factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[1])
+        factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[2])  # extra unlinked enterprise
+
+        factories.EnterpriseCustomerUserFactory(
+            user_id=self.user.id,
+            enterprise_customer=enterprise_customer_1
+        )
+        factories.EnterpriseCustomerUserFactory(
+            user_id=self.user.id,
+            enterprise_customer=enterprise_customer_2
+        )
+
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_200_OK
+
+        # Test that the endpoint returns the key encoding correct filters.
+        decoded_key = base64.b64decode(response.json()["key"]).decode("utf-8")
+        assert decoded_key.endswith(
+            f"filters=enterprise_customer_uuids%3A{FAKE_UUIDS[0]}+OR+enterprise_customer_uuids%3A{FAKE_UUIDS[1]}"
+        )
+
 
 @ddt.ddt
 @mark.django_db