feat: per-user secured Algolia API keys [BB-8083]

enterprise/api/v1/views.py

@@ -8,6 +8,7 @@
 from urllib.parse import quote_plus, unquote
 
 import jwt
+from algoliasearch.search_client import SearchClient
 from django_filters.rest_framework import DjangoFilterBackend
 from edx_rbac.decorators import permission_required
 from edx_rest_framework_extensions.auth.jwt.authentication import JwtAuthentication
@@ -525,6 +526,44 @@ def unlink_users(self, request, pk=None):  # pylint: disable=unused-argument
 
         return Response(status=HTTP_200_OK)
 
+    @action(detail=False)
+    def algolia_key(self, request, *args, **kwargs):
+        """
+        Returns an Algolia API key that is secured to only allow searching for
+        objects associated with enterprise customers that the user is linked to.
+
+        This endpoint is used with `frontend-app-learner-portal-enterprise` MFE
+        currently.
+        """
+
+        if not (api_key := getattr(settings, "ENTERPRISE_ALGOLIA_SEARCH_API_KEY", "")):
+            LOGGER.warning("Algolia search API key is not configured. To enable this view, "
+                           "set `ENTERPRISE_ALGOLIA_SEARCH_API_KEY` in settings.")
+            raise Http404
+
+        queryset = self.queryset.filter(
+            **{
+                self.USER_ID_FILTER: request.user.id,
+                "enterprise_customer_users__linked": True
+            }
+        ).values_list("uuid", flat=True)
+
+        if len(queryset) == 0:
+            raise NotFound(_("User is not linked to any enterprise customers."))
+
+        secured_key = SearchClient.generate_secured_api_key(
+            api_key,
+            {
+                "filters": " OR ".join(
+                    f"enterprise_customer_uuids:{enterprise_customer_uuid}"
+                    for enterprise_customer_uuid
+                    in queryset
+                ),
+            }
+        )
+
+        return Response({"key": secured_key}, status=HTTP_200_OK)
+
 
 class EnterpriseCourseEnrollmentViewSet(EnterpriseReadWriteModelViewSet):
     """

enterprise/settings/test.py

@@ -219,6 +219,8 @@ def root(*args):
     'status': 'published'
 }
 
+ENTERPRISE_ALGOLIA_SEARCH_API_KEY = 'test'
+
 SNOWFLAKE_SERVICE_USER = '[email protected]'
 SNOWFLAKE_SERVICE_USER_PASSWORD = 'secret'
 

requirements/dev.txt

@@ -8,6 +8,10 @@ alabaster==0.7.12
     # via
     #   -r requirements/doc.txt
     #   sphinx
+algoliasearch==2.6.3
+    # This has been copied from here: https://github.com/openedx/edx-platform/blob/176d0d885a4e182ff8c9607765891e78d459a5b8/requirements/constraints.txt#L91
+    # New versions of edx-enterprise has this requirement copied from edx-platform to `requirements/edx-platform-constraints.txt`,
+    # so we can remove this once we upgrade edx-enterprise. Normally, Palm already has this package installed, but not in test environment.
 amqp==5.1.1
     # via
     #   -r requirements/doc.txt

requirements/test.txt

@@ -11,6 +11,10 @@ aniso8601==9.0.1
     # via
     #   -r requirements/test-master.txt
     #   edx-tincan-py35
+algoliasearch==2.6.3
+    # This has been copied from here: https://github.com/openedx/edx-platform/blob/176d0d885a4e182ff8c9607765891e78d459a5b8/requirements/constraints.txt#L91
+    # New versions of edx-enterprise has this requirement copied from edx-platform to `requirements/edx-platform-constraints.txt`,
+    # so we can remove this once we upgrade edx-enterprise. Normally, Palm already has this package installed, but not in test environment.
 asgiref==3.5.2
     # via
     #   -r requirements/test-master.txt

tests/test_enterprise/api/test_views.py

@@ -2,6 +2,7 @@
 Tests for the `edx-enterprise` api module.
 """
 
+import base64
 import json
 import uuid
 from datetime import datetime, timedelta
@@ -113,6 +114,7 @@
 ENTERPRISE_LEARNER_LIST_ENDPOINT = reverse('enterprise-learner-list')
 ENTERPRISE_CUSTOMER_WITH_ACCESS_TO_ENDPOINT = reverse('enterprise-customer-with-access-to')
 ENTERPRISE_CUSTOMER_UNLINK_USERS_ENDPOINT = reverse('enterprise-customer-unlink-users', kwargs={'pk': FAKE_UUIDS[0]})
+ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT = reverse('enterprise-customer-algolia-key')
 PENDING_ENTERPRISE_LEARNER_LIST_ENDPOINT = reverse('pending-enterprise-learner-list')
 LICENSED_ENTERPISE_COURSE_ENROLLMENTS_REVOKE_ENDPOINT = reverse(
     'licensed-enterprise-course-enrollment-license-revoke'
@@ -1670,6 +1672,52 @@ def test_unlink_users(self, enterprise_role, enterprise_uuid_for_role, is_relink
             assert enterprise_customer_user_2.is_relinkable == is_relinkable
             assert enterprise_customer_user_2.is_relinkable == is_relinkable
 
+    def test_algolia_key(self):
+        """
+        Tests that the endpoint algolia_key endpoint returns the correct secured key.
+        """
+
+        # Test that the endpoint returns 401 if the user is not logged in.
+        self.client.logout()
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+        username = 'test_learner_portal_user'
+        self.create_user(username=username, is_staff=False)
+        self.client.login(username=username, password=TEST_PASSWORD)
+
+        # Test that the endpoint returns 404 if the Algolia Search API key is not set.
+        with override_settings(ENTERPRISE_ALGOLIA_SEARCH_API_KEY=None):
+            response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+            assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        # Test that the endpoint returns 404 if the user is not linked to any enterprise.
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        # Test that the endpoint returns 200 if the user is linked to at least one enterprise.
+        enterprise_customer_1 = factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[0])
+        enterprise_customer_2 = factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[1])
+        factories.EnterpriseCustomerFactory(uuid=FAKE_UUIDS[2])  # extra unlinked enterprise
+
+        factories.EnterpriseCustomerUserFactory(
+            user_id=self.user.id,
+            enterprise_customer=enterprise_customer_1
+        )
+        factories.EnterpriseCustomerUserFactory(
+            user_id=self.user.id,
+            enterprise_customer=enterprise_customer_2
+        )
+
+        response = self.client.get(ENTERPRISE_CUSTOMER_ALGOLIA_KEY_ENDPOINT)
+        assert response.status_code == status.HTTP_200_OK
+
+        # Test that the endpoint returns the key encoding correct filters.
+        decoded_key = base64.b64decode(response.json()["key"]).decode("utf-8")
+        assert decoded_key.endswith(
+            f"filters=enterprise_customer_uuids%3A{FAKE_UUIDS[0]}+OR+enterprise_customer_uuids%3A{FAKE_UUIDS[1]}"
+        )
+
 
 @ddt.ddt
 @mark.django_db