Merge pull request #403 from cloudant/feature-token-manager

Feature Branch: Add Token Manager

Author: smithsz

CHANGES.md

@@ -5,6 +5,8 @@
   temporary.
 - [FIXED] Ensure IAM API key can be correctly changed.
 - [FIXED] Callback with an error when a user cannot be authenticated using IAM.
+- [FIXED] Ensure authorization tokens are not unnecessarily requested.
+- [IMPROVED] Preemptively renew authorization tokens that are due to expire.
 
 # 4.2.1 (2019-08-29)
 - [FIXED] Include all built-in plugin modules in webpack bundle.

Jenkinsfile

@@ -1,5 +1,5 @@
 #!groovy
-// Copyright © 2017 IBM Corp. All rights reserved.
+// Copyright © 2017, 2019 IBM Corp. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -101,16 +101,14 @@ stage('Publish') {
 
       // Upload using the NPM creds
       withCredentials([string(credentialsId: 'npm-mail', variable: 'NPM_EMAIL'),
-                       usernamePassword(credentialsId: 'npm-creds', passwordVariable: 'NPM_PASS', usernameVariable: 'NPM_USER')]) {
+                       usernamePassword(credentialsId: 'npm-creds', passwordVariable: 'NPM_TOKEN', usernameVariable: 'NPM_USER')]) {
         // Actions:
-        // 1. add the build ID to any snapshot version for uniqueness
-        // 2. install login helper
-        // 3. login to npm, using environment variables specified above
-        // 4. publish the build to NPM adding a snapshot tag if pre-release
+        // 1. create .npmrc file for publishing
+        // 2. add the build ID to any snapshot version for uniqueness
+        // 3. publish the build to NPM adding a snapshot tag if pre-release
         sh """
+          echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}' > .npmrc
           ${isReleaseVersion ? '' : ('npm version --no-git-tag-version ' + version + '.' + env.BUILD_ID)}
-          npm install --no-save npm-cli-login
-          ./node_modules/.bin/npm-cli-login
           npm publish ${isReleaseVersion ? '' : '--tag snapshot'}
         """
       }

README.md

@@ -392,6 +392,11 @@ var cloudant = Cloudant({ url: myurl, maxAttempt: 5, plugins: [ { iamauth: { iam
    This plugin will automatically exchange your IAM API key for a token. It will
    handle the authentication and ensure that the token is refreshed as required.
 
+   For example:
+   ```js
+   var cloudant = Cloudant({ url: 'https://examples.cloudant.com', plugins: { iamauth: { iamApiKey: 'xxxxxxxxxx' } } });
+   ```
+
    The production IAM token service at https://iam.cloud.ibm.com/identity/token is
    used by default. You can set `iamTokenUrl` in your plugin configuration to
    override this. To authenticate with the IAM token service set `iamClientId`
@@ -403,22 +408,6 @@ var cloudant = Cloudant({ url: myurl, maxAttempt: 5, plugins: [ { iamauth: { iam
    client request. It also increases the number of token exchange attempts and
    therefore may result in rate limiting by the IAM token service.
 
-   The retry behavior can be configured using the following options:
-
-    - `retryDelayMultiplier`
-
-      The multiplication factor used for increasing the timeout after each
-      subsequent attempt _(default: 2)_.
-
-    - `retryInitialDelayMsecs`
-
-      The initial retry delay in milliseconds _(default: 500)_.
-
-   For example:
-   ```js
-   var cloudant = Cloudant({ url: 'https://examples.cloudant.com', plugins: { iamauth: { iamApiKey: 'xxxxxxxxxx', retryDelayMultiplier: 4, retryInitialDelayMsecs: 100 } } });
-   ```
-
    If the IAM token cannot be retrieved after the configured number of retries
    (either because the IAM token service is down or the IAM API key is
    incorrect) then an error is returned to the client.

lib/client.js

@@ -129,9 +129,10 @@ class CloudantClient {
         debug(`Not adding duplicate plugin: '${Plugin.id}'`);
       } else {
         debug(`Adding plugin: '${Plugin.id}'`);
+        var creds = self._cfg.creds || {};
         self._plugins.push(
           // instantiate plugin
-          new Plugin(self._client, Object.assign({}, cfg))
+          new Plugin(self._client, Object.assign({ serverUrl: creds.outUrl }, cfg))
         );
         self._pluginIds.push(Plugin.id);
       }

lib/tokens/CookieTokenManager.js

@@ -0,0 +1,53 @@
+// Copyright © 2019 IBM Corp. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+const debug = require('debug')('cloudant:tokens:cookietokenmanager');
+const TokenManager = require('./TokenManager');
+
+class CookieTokenManager extends TokenManager {
+  constructor(client, jar, sessionUrl, username, password) {
+    super(client, jar, sessionUrl);
+
+    this._username = username;
+    this._password = password;
+  }
+
+  _getToken(callback) {
+    debug('Submitting cookie token request.');
+    this._client({
+      url: this._sessionUrl,
+      method: 'POST',
+      form: {
+        name: this._username,
+        password: this._password
+      },
+      jar: this._jar
+    }, (error, response, body) => {
+      if (error) {
+        debug(error);
+        callback(error);
+      } else if (response.statusCode === 200) {
+        debug('Successfully renewed session cookie.');
+        callback(null, response);
+      } else {
+        let msg = `Failed to get cookie. Status code: ${response.statusCode}`;
+        debug(msg);
+        callback(new Error(msg), response);
+      }
+    });
+  }
+}
+
+module.exports = CookieTokenManager;

lib/tokens/IamTokenManager.js

@@ -0,0 +1,101 @@
+// Copyright © 2019 IBM Corp. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+const a = require('async');
+const debug = require('debug')('cloudant:tokens:iamtokenmanager');
+const TokenManager = require('./TokenManager');
+
+class IAMTokenManager extends TokenManager {
+  constructor(client, jar, sessionUrl, iamTokenUrl, iamApiKey, iamClientId, iamClientSecret) {
+    super(client, jar, sessionUrl);
+
+    this._iamTokenUrl = iamTokenUrl;
+    this._iamApiKey = iamApiKey;
+    this._iamClientId = iamClientId;
+    this._iamClientSecret = iamClientSecret;
+  }
+
+  _getToken(done) {
+    var self = this;
+
+    debug('Making IAM session request.');
+    let accessToken;
+    a.series([
+      (callback) => {
+        let accessTokenAuth;
+        if (self._iamClientId && self._iamClientSecret) {
+          accessTokenAuth = { user: self._iamClientId, pass: self._iamClientSecret };
+        }
+        debug('Getting access token.');
+        self._client({
+          url: self._iamTokenUrl,
+          method: 'POST',
+          auth: accessTokenAuth,
+          headers: { 'Accepts': 'application/json' },
+          form: {
+            'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',
+            'response_type': 'cloud_iam',
+            'apikey': self._iamApiKey
+          },
+          json: true
+        }, (error, response, body) => {
+          if (error) {
+            callback(error);
+          } else if (response.statusCode === 200) {
+            if (body.access_token) {
+              accessToken = body.access_token;
+              debug('Retrieved access token from IAM token service.');
+              callback(null, response);
+            } else {
+              callback(new Error('Invalid response from IAM token service'), response);
+            }
+          } else {
+            let msg = `Failed to acquire access token. Status code: ${response.statusCode}`;
+            callback(new Error(msg), response);
+          }
+        });
+      },
+      (callback) => {
+        debug('Perform IAM cookie based user login.');
+        self._client({
+          url: self._sessionUrl,
+          method: 'POST',
+          form: { 'access_token': accessToken },
+          jar: self._jar,
+          json: true
+        }, (error, response, body) => {
+          if (error) {
+            callback(error);
+          } else if (response.statusCode === 200) {
+            debug('Successfully renewed IAM session.');
+            callback(null, response);
+          } else {
+            let msg = `Failed to exchange IAM token with Cloudant. Status code: ${response.statusCode}`;
+            callback(new Error(msg), response);
+          }
+        });
+      }
+    ], (error, responses) => {
+      done(error, responses[responses.length - 1]);
+    });
+  }
+
+  setIamApiKey(newIamApiKey) {
+    this._iamApiKey = newIamApiKey;
+    this.attemptTokenRenewal = true;
+  }
+}
+
+module.exports = IAMTokenManager;

lib/tokens/TokenManager.js

@@ -0,0 +1,115 @@
+// Copyright © 2019 IBM Corp. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+'use strict';
+
+const debug = require('debug')('cloudant:tokens:tokenmanager');
+const cookie = require('cookie');
+const EventEmitter = require('events');
+
+class TokenManager {
+  constructor(client, jar, sessionUrl) {
+    this._client = client;
+    this._jar = jar;
+    this._sessionUrl = sessionUrl;
+
+    this._attemptTokenRenewal = true;
+    this._isTokenRenewing = false;
+
+    this._tokenExchangeEE = new EventEmitter().setMaxListeners(Infinity);
+  }
+
+  _autoRenew(defaultMaxAgeSecs) {
+    debug('Auto renewing token now...');
+    this._renew().then((response) => {
+      let maxAgeSecs = cookie.parse(response.headers['set-cookie'][0])['Max-Age'] || defaultMaxAgeSecs;
+      let delayMSecs = maxAgeSecs / 2 * 1000;
+      debug(`Renewing token in ${delayMSecs} milliseconds.`);
+      setTimeout(this._autoRenew.bind(this), delayMSecs).unref();
+    }).catch((error) => {
+      debug(`Failed to auto renew token - ${error}. Retrying in 60 seconds.`);
+      setTimeout(this._autoRenew.bind(this), 60000).unref();
+    });
+  }
+
+  _getToken(callback) {
+    // ** Method to be implemented by _all_ subclasses of `TokenManager` **
+    throw new Error('Not implemented.');
+  }
+
+  // Renew the token.
+  _renew() {
+    if (!this._isTokenRenewing) {
+      this._isTokenRenewing = true;
+      this._tokenExchangeEE.removeAllListeners();
+      debug('Starting token renewal.');
+      this._getToken((error, response) => {
+        if (error) {
+          this._tokenExchangeEE.emit('error', error, response);
+        } else {
+          this._tokenExchangeEE.emit('success', response);
+          this._attemptTokenRenewal = false;
+        }
+        debug('Finished token renewal.');
+        this._isTokenRenewing = false;
+      });
+    }
+    return new Promise((resolve, reject) => {
+      this._tokenExchangeEE.once('success', resolve);
+      this._tokenExchangeEE.once('error', (error, response) => {
+        error.response = response;
+        reject(error);
+      });
+    });
+  }
+
+  // Getter for `attemptTokenRenewal`.
+  // - `true`  A renewal attempt will be made on the next `renew` request.
+  // - `false` No renewal attempt will be made on the next `renew`
+  //           request. Instead the last good renewal response will be returned
+  //           to the client.
+  get attemptTokenRenewal() {
+    return this._attemptTokenRenewal;
+  }
+
+  // Getter for `isTokenRenewing`.
+  // - `true`  A renewal attempt is in progress.
+  // - `false` There are no in progress renewal attempts.
+  get isTokenRenewing() {
+    return this._isTokenRenewing;
+  }
+
+  // Settter for `attemptTokenRenewal`.
+  set attemptTokenRenewal(newAttemptTokenRenewal) {
+    this._attemptTokenRenewal = newAttemptTokenRenewal;
+  }
+
+  // Renew the token if `attemptTokenRenewal` is `true`. Otherwise this is a
+  // no-op so just resolve the promise.
+  renewIfRequired() {
+    if (this._attemptTokenRenewal) {
+      return this._renew();
+    } else {
+      return new Promise((resolve) => {
+        resolve();
+      });
+    }
+  }
+
+  // Start the auto renewal timer.
+  startAutoRenew(defaultMaxAgeSecs) {
+    this._autoRenew(defaultMaxAgeSecs || 3600);
+  }
+}
+
+module.exports = TokenManager;

package-lock.json

@@ -26,6 +26,7 @@
     "@types/request": "^2.47.0",
     "async": "2.1.2",
     "concat-stream": "^1.6.0",
+    "cookie": "^0.4.0",
     "debug": "^3.1.0",
     "lockfile": "1.0.3",
     "nano": "^8.1.0",