Support reloading OAuth2 key file (#1441)

Author: RobertIndie

oauth2/auth_suite_test.go

@@ -58,6 +58,26 @@ func (te *MockTokenExchanger) ExchangeDeviceCode(_ context.Context,
 	return te.ReturnsTokens, te.ReturnsError
 }
 
+type MockGrantProvider struct {
+	keyFile *KeyFile
+}
+
+func (mgp *MockGrantProvider) GetGrant(audience string, opts *ClientCredentialsFlowOptions) (
+	*AuthorizationGrant, error) {
+	scopes := []string{mgp.keyFile.Scope}
+	if opts != nil && len(opts.AdditionalScopes) > 0 {
+		scopes = append(scopes, opts.AdditionalScopes...)
+	}
+	return &AuthorizationGrant{
+		Type:              GrantTypeClientCredentials,
+		Audience:          audience,
+		ClientID:          mgp.keyFile.ClientID,
+		ClientCredentials: mgp.keyFile,
+		TokenEndpoint:     oidcEndpoints.TokenEndpoint,
+		Scopes:            scopes,
+	}, nil
+}
+
 var oidcEndpoints = OIDCWellKnownEndpoints{
 	AuthorizationEndpoint:       "http://issuer/auth/authorize",
 	TokenEndpoint:               "http://issuer/auth/token",

oauth2/cache/cache.go

@@ -23,8 +23,6 @@ import (
 	"time"
 
 	"github.com/apache/pulsar-client-go/oauth2"
-	"github.com/apache/pulsar-client-go/oauth2/store"
-
 	"github.com/apache/pulsar-client-go/oauth2/clock"
 	xoauth2 "golang.org/x/oauth2"
 )
@@ -43,24 +41,24 @@ const (
 )
 
 // tokenCache implements a cache for the token associated with a specific audience.
-// it interacts with the store when the access token is near expiration or invalidated.
 // it is advisable to use a token cache instance per audience.
 type tokenCache struct {
-	clock     clock.Clock
-	lock      sync.Mutex
-	store     store.Store
-	audience  string
-	refresher oauth2.AuthorizationGrantRefresher
-	token     *xoauth2.Token
+	clock    clock.Clock
+	lock     sync.Mutex
+	audience string
+	token    *xoauth2.Token
+	flow     *oauth2.ClientCredentialsFlow
 }
 
-func NewDefaultTokenCache(store store.Store, audience string,
-	refresher oauth2.AuthorizationGrantRefresher) (CachingTokenSource, error) {
+func NewDefaultTokenCache(audience string,
+	flow *oauth2.ClientCredentialsFlow) (CachingTokenSource, error) {
+	if flow == nil {
+		return nil, fmt.Errorf("flow cannot be nil")
+	}
 	cache := &tokenCache{
-		clock:     clock.RealClock{},
-		store:     store,
-		audience:  audience,
-		refresher: refresher,
+		clock:    clock.RealClock{},
+		audience: audience,
+		flow:     flow,
 	}
 	return cache, nil
 }
@@ -77,56 +75,24 @@ func (t *tokenCache) Token() (*xoauth2.Token, error) {
 		return t.token, nil
 	}
 
-	// load from the store and use the access token if it isn't expired
-	grant, err := t.store.LoadGrant(t.audience)
+	grant, err := t.flow.Authorize(t.audience)
 	if err != nil {
-		return nil, fmt.Errorf("LoadGrant: %w", err)
-	}
-	t.token = grant.Token
-	if t.token != nil && t.validateAccessToken(*t.token) {
-		return t.token, nil
+		return nil, err
 	}
-
-	// obtain and cache a fresh access token
-	grant, err = t.refresher.Refresh(grant)
-	if err != nil {
-		return nil, fmt.Errorf("RefreshGrant: %w", err)
+	if grant.Token == nil {
+		return nil, fmt.Errorf("authorization succeeded but no token was returned")
 	}
 	t.token = grant.Token
-	err = t.store.SaveGrant(t.audience, *grant)
-	if err != nil {
-		// TODO log rather than throw
-		return nil, fmt.Errorf("SaveGrant: %w", err)
-	}
 
 	return t.token, nil
 }
 
-// InvalidateToken clears the access token (likely due to a response from the resource server).
-// Note that the token within the grant may contain a refresh token which should survive.
+// InvalidateToken clears the cached access token (likely due to a response from the resource server).
 func (t *tokenCache) InvalidateToken() error {
 	t.lock.Lock()
 	defer t.lock.Unlock()
 
-	previous := t.token
 	t.token = nil
-
-	// clear from the store the access token that was returned earlier (unless the store has since been updated)
-	if previous == nil || previous.AccessToken == "" {
-		return nil
-	}
-	grant, err := t.store.LoadGrant(t.audience)
-	if err != nil {
-		return fmt.Errorf("LoadGrant: %w", err)
-	}
-	if grant.Token != nil && grant.Token.AccessToken == previous.AccessToken {
-		grant.Token.Expiry = time.Unix(0, 0).Add(expiryDelta)
-		err = t.store.SaveGrant(t.audience, *grant)
-		if err != nil {
-			// TODO log rather than throw
-			return fmt.Errorf("SaveGrant: %w", err)
-		}
-	}
 	return nil
 }
 

oauth2/client_credentials_flow.go

@@ -30,11 +30,10 @@ import (
 // ClientCredentialsFlow takes care of the mechanics needed for getting an access
 // token using the OAuth 2.0 "Client Credentials Flow"
 type ClientCredentialsFlow struct {
-	options                ClientCredentialsFlowOptions
-	oidcWellKnownEndpoints OIDCWellKnownEndpoints
-	keyfile                *KeyFile
-	exchanger              ClientCredentialsExchanger
-	clock                  clock.Clock
+	options       ClientCredentialsFlowOptions
+	exchanger     ClientCredentialsExchanger
+	grantProvider GrantProvider
+	clock         clock.Clock
 }
 
 // ClientCredentialsProvider abstracts getting client credentials
@@ -47,29 +46,24 @@ type ClientCredentialsExchanger interface {
 	ExchangeClientCredentials(req ClientCredentialsExchangeRequest) (*TokenResult, error)
 }
 
+// GrantProvider abstracts the creation of authorization grants from credentials
+type GrantProvider interface {
+	GetGrant(audience string, options *ClientCredentialsFlowOptions) (*AuthorizationGrant, error)
+}
+
 type ClientCredentialsFlowOptions struct {
 	KeyFile          string
 	AdditionalScopes []string
 }
 
-func newClientCredentialsFlow(
-	options ClientCredentialsFlowOptions,
-	keyfile *KeyFile,
-	oidcWellKnownEndpoints OIDCWellKnownEndpoints,
-	exchanger ClientCredentialsExchanger,
-	clock clock.Clock) *ClientCredentialsFlow {
-	return &ClientCredentialsFlow{
-		options:                options,
-		oidcWellKnownEndpoints: oidcWellKnownEndpoints,
-		keyfile:                keyfile,
-		exchanger:              exchanger,
-		clock:                  clock,
-	}
+// DefaultGrantProvider provides authorization grants by loading credentials from a key file
+type DefaultGrantProvider struct {
 }
 
-// NewDefaultClientCredentialsFlow provides an easy way to build up a default
-// client credentials flow with all the correct configuration.
-func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*ClientCredentialsFlow, error) {
+// GetGrant creates an authorization grant by loading credentials from the key file and
+// merging the scopes from both the options and the key file configuration
+func (p *DefaultGrantProvider) GetGrant(audience string, options *ClientCredentialsFlowOptions) (
+	*AuthorizationGrant, error) {
 	credsProvider := NewClientCredentialsProviderFromKeyFile(options.KeyFile)
 	keyFile, err := credsProvider.GetClientCredentials()
 	if err != nil {
@@ -80,39 +74,58 @@ func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*Cli
 	if err != nil {
 		return nil, err
 	}
+	// Merge the scopes of the options AdditionalScopes with the scopes read from the keyFile config
+	var scopesToAdd []string
+	if len(options.AdditionalScopes) > 0 {
+		scopesToAdd = append(scopesToAdd, options.AdditionalScopes...)
+	}
+
+	if keyFile.Scope != "" {
+		scopesSplit := strings.Fields(keyFile.Scope)
+		scopesToAdd = append(scopesToAdd, scopesSplit...)
+	}
+
+	return &AuthorizationGrant{
+		Type:              GrantTypeClientCredentials,
+		Audience:          audience,
+		ClientID:          keyFile.ClientID,
+		ClientCredentials: keyFile,
+		TokenEndpoint:     wellKnownEndpoints.TokenEndpoint,
+		Scopes:            scopesToAdd,
+	}, nil
+}
+
+func newClientCredentialsFlow(
+	options ClientCredentialsFlowOptions,
+	exchanger ClientCredentialsExchanger,
+	grantProvider GrantProvider,
+	clock clock.Clock) *ClientCredentialsFlow {
+	return &ClientCredentialsFlow{
+		options:       options,
+		exchanger:     exchanger,
+		grantProvider: grantProvider,
+		clock:         clock,
+	}
+}
+
+// NewDefaultClientCredentialsFlow provides an easy way to build up a default
+// client credentials flow with all the correct configuration.
+func NewDefaultClientCredentialsFlow(options ClientCredentialsFlowOptions) (*ClientCredentialsFlow, error) {
 
 	tokenRetriever := NewTokenRetriever(&http.Client{})
 	return newClientCredentialsFlow(
 		options,
-		keyFile,
-		*wellKnownEndpoints,
 		tokenRetriever,
+		&DefaultGrantProvider{},
 		clock.RealClock{}), nil
 }
 
 var _ Flow = &ClientCredentialsFlow{}
 
 func (c *ClientCredentialsFlow) Authorize(audience string) (*AuthorizationGrant, error) {
-	var err error
-
-	// Merge the scopes of the options AdditionalScopes with the scopes read from the keyFile config
-	var scopesToAdd []string
-	if len(c.options.AdditionalScopes) > 0 {
-		scopesToAdd = append(scopesToAdd, c.options.AdditionalScopes...)
-	}
-
-	if c.keyfile.Scope != "" {
-		scopesSplit := strings.Split(c.keyfile.Scope, " ")
-		scopesToAdd = append(scopesToAdd, scopesSplit...)
-	}
-
-	grant := &AuthorizationGrant{
-		Type:              GrantTypeClientCredentials,
-		Audience:          audience,
-		ClientID:          c.keyfile.ClientID,
-		ClientCredentials: c.keyfile,
-		TokenEndpoint:     c.oidcWellKnownEndpoints.TokenEndpoint,
-		Scopes:            scopesToAdd,
+	grant, err := c.grantProvider.GetGrant(audience, &c.options)
+	if err != nil {
+		return nil, err
 	}
 
 	// test the credentials and obtain an initial access token

oauth2/client_credentials_flow_test.go

@@ -54,25 +54,26 @@ var _ = ginkgo.Describe("ClientCredentialsFlow", func() {
 
 		var mockClock clock.Clock
 		var mockTokenExchanger *MockTokenExchanger
+		var mockGrantProvider *MockGrantProvider
 
 		ginkgo.BeforeEach(func() {
 			mockClock = testing.NewFakeClock(time.Unix(0, 0))
 			expectedTokens := TokenResult{AccessToken: "accessToken", RefreshToken: "refreshToken", ExpiresIn: 1234}
 			mockTokenExchanger = &MockTokenExchanger{
 				ReturnsTokens: &expectedTokens,
 			}
+			mockGrantProvider = &MockGrantProvider{
+				keyFile: &clientCredentials,
+			}
 		})
 
 		ginkgo.It("invokes TokenExchanger with credentials", func() {
-			additionalScope := "additional_scope"
 			provider := newClientCredentialsFlow(
 				ClientCredentialsFlowOptions{
-					KeyFile:          "test_keyfile",
-					AdditionalScopes: []string{additionalScope},
+					KeyFile: "test_keyfile",
 				},
-				&clientCredentials,
-				oidcEndpoints,
 				mockTokenExchanger,
+				mockGrantProvider,
 				mockClock,
 			)
 
@@ -83,7 +84,7 @@ var _ = ginkgo.Describe("ClientCredentialsFlow", func() {
 				ClientID:      clientCredentials.ClientID,
 				ClientSecret:  clientCredentials.ClientSecret,
 				Audience:      "test_audience",
-				Scopes:        []string{additionalScope, clientCredentials.Scope},
+				Scopes:        []string{clientCredentials.Scope},
 			}))
 		})
 
@@ -92,9 +93,8 @@ var _ = ginkgo.Describe("ClientCredentialsFlow", func() {
 				ClientCredentialsFlowOptions{
 					KeyFile: "test_keyfile",
 				},
-				&clientCredentials,
-				oidcEndpoints,
 				mockTokenExchanger,
+				mockGrantProvider,
 				mockClock,
 			)
 
@@ -112,9 +112,8 @@ var _ = ginkgo.Describe("ClientCredentialsFlow", func() {
 				ClientCredentialsFlowOptions{
 					KeyFile: "test_keyfile",
 				},
-				&clientCredentials,
-				oidcEndpoints,
 				mockTokenExchanger,
+				mockGrantProvider,
 				mockClock,
 			)