feat: separate org and cloud level auth

Signed-off-by: Ricky Moorhouse <[email protected]>

Author: rickymoorhouse

nets/apiconnect/apiconnect.go

@@ -35,6 +35,12 @@ var log = alog.UseChannel("apic")
 
 func (a *APIConnect) crdStatusMetrics(group, version, resource string, crdStatus prometheus.GaugeVec) {
 	subsystems := nets.GetCustomResourceList(group, version, resource, a.Config.Namespace)
+	
+	// Check if subsystems is nil to prevent segmentation fault
+	if subsystems == nil {
+		log.Log(alog.DEBUG, "No %s resources found in namespace %s", resource, a.Config.Namespace)
+		return
+	}
 
 	for _, subsystem := range subsystems.Items {
 		subsystemName := subsystem.Object["metadata"].(map[string]interface{})["name"].(string)

nets/main.go

@@ -29,6 +29,11 @@ type TokenResponse struct {
 	ExpiresIn   int    `json:"expires_in"`
 }
 
+type Token struct {
+	Token   string `json:"token"`
+	Expires int    `json:"expires"`
+}
+
 type Client struct {
 	Clientset kubernetes.Interface
 }
@@ -179,20 +184,17 @@ func GetCustomResourceList(group, version, resource, namespace string) *unstruct
 	return items
 }
 
-func GetToken(management_url string) (string, error) {
-	return getNewToken(management_url)
-}
-
-func getNewToken(management_url string) (string, error) {
-	secretPath := os.Getenv(("MGMT_CREDS"))
+func GetToken(management_url string, secretPath string) (Token, error) {
+	log.Log(alog.DEBUG, "Getting token using %s", secretPath)
 	clientId, _ := os.ReadFile(filepath.Clean(secretPath + "/client_id"))
 	clientSecret, _ := os.ReadFile(filepath.Clean(secretPath + "/client_secret"))
+	apikey, _ := os.ReadFile(filepath.Clean(secretPath + "/apikey"))
 	username, _ := os.ReadFile(filepath.Clean(secretPath + "/username"))
 	password, _ := os.ReadFile(filepath.Clean(secretPath + "/password"))
 	realm, _ := os.ReadFile(filepath.Clean(secretPath + "/realm"))
 	var postBody []byte
 	if (username != nil) && (password != nil) {
-		log.Log(alog.DEBUG, "Username and password are set")
+		log.Log(alog.DEBUG, "Using grant_type of password as username and password are set")
 		postBody, _ = json.Marshal(map[string]string{
 			"client_id":     string(clientId),
 			"client_secret": string(clientSecret),
@@ -201,7 +203,16 @@ func getNewToken(management_url string) (string, error) {
 			"realm":         string(realm),
 			"grant_type":    "password",
 		})
+	} else if apikey != nil {
+		log.Log(alog.INFO, "Using grant_type of api_key")
+		postBody, _ = json.Marshal(map[string]string{
+			"client_id":     string(clientId),
+			"api_key":       string(apikey),
+			"client_secret": string(clientSecret),
+			"grant_type":    "api_key",
+		})
 	} else {
+		log.Log(alog.INFO, "Using grant_type of client_credentials")
 		postBody, _ = json.Marshal(map[string]string{
 			"client_id":     string(clientId),
 			"client_secret": string(clientSecret),
@@ -223,23 +234,30 @@ func getNewToken(management_url string) (string, error) {
 
 	req, err := http.NewRequest("POST", url, tokenRequest)
 	if err != nil {
-		return "", err
+		return Token{}, err
 	} else {
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("Accept", "application/json")
 		response, err := client.Do(req)
 		if err != nil {
 			log.Log(alog.ERROR, err.Error())
-			return "", err
+			return Token{}, err
 		} else {
 			defer response.Body.Close()
-			var bearerToken TokenResponse
-			err = json.NewDecoder(response.Body).Decode(&bearerToken)
-			if err != nil {
-				log.Log(alog.ERROR, err.Error())
-				return "", err
+			if response.StatusCode != 200 {
+				return Token{}, fmt.Errorf("unexpected status - got %s, expected 200", response.Status)
+			} else {
+				var bearerToken TokenResponse
+				err = json.NewDecoder(response.Body).Decode(&bearerToken)
+				if err != nil {
+					log.Log(alog.ERROR, err.Error())
+					return Token{}, err
+				}
+
+				return Token{
+					Token:   bearerToken.AccessToken,
+					Expires: int(time.Now().Unix()) + bearerToken.ExpiresIn}, nil
 			}
-			return bearerToken.AccessToken, nil
 		}
 	}
 }

nets/main_test.go

@@ -21,7 +21,7 @@ func TestGetToken(t *testing.T) {
 	}))
 	defer server.Close()
 
-	token, err := GetToken(server.URL)
+	token, err := GetToken(server.URL, "")
 
 	testLogger.Log(alog.DEBUG, "fetched token: %s", token)
 	assert.Nil(err)

nets/manager/manager.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"nets"
+	"os"
 	"strings"
 	"time"
 
@@ -14,9 +15,10 @@ import (
 
 type Manager struct {
 	nets.BaseNet
-	Config  ManagerNetConfig
-	metrics map[string]*prometheus.GaugeVec
-	token   string
+	Config     ManagerNetConfig
+	metrics    map[string]*prometheus.GaugeVec
+	cloudToken nets.Token
+	orgToken   nets.Token
 }
 
 type ManagerNetConfig struct {
@@ -100,7 +102,6 @@ type ConfiguredGatewayService struct {
 var version string
 
 var invokeAPI = nets.InvokeAPI
-var getToken = nets.GetToken
 
 var log = alog.UseChannel("apim")
 
@@ -127,9 +128,9 @@ func (m *Manager) registerMetrics() {
 func (m *Manager) getTopologyInfo(management_url string) (CloudTopology, error) {
 
 	url := fmt.Sprintf("%s/api/cloud/topology", management_url)
-	log.Log(alog.DEBUG, url)
+	log.Log(alog.DEBUG2, url)
 
-	response, err := invokeAPI(url, "", m.token)
+	response, err := invokeAPI(url, "", m.cloudToken.Token)
 	if err != nil {
 		log.Log(alog.ERROR, err.Error())
 		return CloudTopology{}, err
@@ -150,17 +151,17 @@ func (m *Manager) getTopologyInfo(management_url string) (CloudTopology, error)
 func (m *Manager) getWebhookStats(management_url string, org string, catalog string) {
 	///api/catalogs/{}/{}/configured-gateway-services?fields=add(gateway_processing_status,events)
 	url := fmt.Sprintf("%s/api/catalogs/%s/%s/configured-gateway-services?fields=add(gateway_processing_status,events)", management_url, org, catalog)
-	log.Log(alog.DEBUG, url)
+	log.Log(alog.DEBUG2, url)
 
-	response, err := invokeAPI(url, "", m.token)
+	response, err := invokeAPI(url, "", m.orgToken.Token)
 	if err != nil {
 		log.Log(alog.ERROR, err.Error())
 		return
 	} else {
 		defer response.Body.Close()
 		var cgsResponse ConfiguredGatewayServices
 		err = json.NewDecoder(response.Body).Decode(&cgsResponse)
-		log.Log(alog.DEBUG, "Webhook status total results:", cgsResponse.TotalResults)
+		log.Log(alog.DEBUG, "Webhook status total results: %v", cgsResponse.TotalResults)
 		for _, cgs := range cgsResponse.Results {
 			m.metrics["outstandingSent"].WithLabelValues(org, catalog, cgs.Name, cgs.ServiceVersion).Set(float64(cgs.GatewayProcessingStatus.OutstandingSentEvents))
 			m.metrics["outstandingQueued"].WithLabelValues(org, catalog, cgs.Name, cgs.ServiceVersion).Set(float64(cgs.GatewayProcessingStatus.OutstandingQueuedEvents))
@@ -195,6 +196,33 @@ func (m *Manager) publishTopologyMetrics(topologyCount CountStruct, managementNa
 	m.metrics["spaceGauge"].WithLabelValues(managementName, managementNamespace, scope, name).Set(topologyCount.Spaces)
 }
 
+func (m *Manager) getTokens(management_url string) error {
+	var err error
+
+	currentTimestamp := int(time.Now().Unix())
+
+	if m.cloudToken.Expires < currentTimestamp {
+		m.cloudToken, err = nets.GetToken(management_url, os.Getenv(("MGMT_CREDS")))
+		if err != nil {
+			log.Log(alog.ERROR, err.Error())
+			return err
+		}
+	} else {
+		log.Log(alog.DEBUG, "Using cached cloud token")
+	}
+	if m.orgToken.Expires < currentTimestamp {
+		m.orgToken, err = nets.GetToken(management_url, os.Getenv(("ORG_CREDS")))
+		if err != nil {
+			log.Log(alog.ERROR, err.Error())
+			m.orgToken = m.cloudToken // If org creds are not set use cloud creds
+			log.Log(alog.WARNING, "Using cloud token for org level API calls as org creds are not set")
+		}
+	} else {
+		log.Log(alog.DEBUG, "Using cached org token")
+	}
+	return nil
+}
+
 func (m *Manager) findAPIM() error {
 
 	apims := nets.GetCustomResourceList("management.apiconnect.ibm.com", "v1beta1", "managementclusters", m.Config.Namespace)
@@ -216,12 +244,7 @@ func (m *Manager) findAPIM() error {
 				}
 				log.Log(alog.INFO, "Override host set - using %s for manager", m.Config.Host)
 			}
-			var err error
-			m.token, err = getToken(management_url)
-			if err != nil {
-				log.Log(alog.ERROR, err.Error())
-				return err
-			}
+			m.getTokens(management_url)
 			topology, err := m.getTopologyInfo(management_url)
 			if err != nil {
 				log.Log(alog.ERROR, err.Error())

nets/manager/manager_test.go

@@ -126,7 +126,7 @@ func MockCustomResourceList(group, version, resource string) *unstructured.Unstr
 	return g
 }
 
-func MockGetToken(url string) (string, error) {
+func MockGetToken(url string, path string) (string, error) {
 	return "hello", nil
 }