Add option for client to authenticate with IAM token server.

Author: smithsz

CHANGES.md

@@ -1,3 +1,7 @@
+# UNRELEASED
+
+- [NEW] Added option for client to authenticate with IAM token server.
+
 # 2.10.2 (2018-12-19)
 
 - [FIXED] A performance regression deserializing JSON in version 2.10.1.

src/cloudant/_client_session.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (C) 2015, 2018 IBM Corp. All rights reserved.
+# Copyright (c) 2015, 2019 IBM Corp. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -189,14 +189,18 @@ class IAMSession(ClientSession):
     This class extends ClientSession and provides IAM authentication.
     """
 
-    def __init__(self, api_key, server_url, **kwargs):
+    def __init__(self, api_key, server_url, client_id=None, client_secret=None,
+                 **kwargs):
         super(IAMSession, self).__init__(
             session_url=url_join(server_url, '_iam_session'),
             **kwargs)
 
         self._api_key = api_key
         self._token_url = os.environ.get(
             'IAM_TOKEN_URL', 'https://iam.bluemix.net/identity/token')
+        self._token_auth = None
+        if client_id and client_secret:
+            self._token_auth = (client_id, client_secret)
 
     @property
     def get_api_key(self):
@@ -277,7 +281,7 @@ def _get_access_token(self):
             resp = super(IAMSession, self).request(
                 'POST',
                 self._token_url,
-                auth=('bx', 'bx'),  # required for user API keys
+                auth=self._token_auth,
                 headers={'Accepts': 'application/json'},
                 data={
                     'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',

src/cloudant/client.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (C) 2015, 2018 IBM Corp. All rights reserved.
+# Copyright (c) 2015, 2019 IBM Corp. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -78,6 +78,10 @@ class CouchDB(dict):
         IAM authentication with server. Default is False.
         Use :func:`~cloudant.client.CouchDB.iam` to construct an IAM
         authenticated client.
+    :param string iam_client_id: Keyword argument, client ID to use when
+        authenticating with the IAM token server. Default is ``None``.
+    :param string iam_client_secret: Keyword argument, client secret to use when
+        authenticating with the IAM token server. Default is ``None``.
     """
     _DATABASE_CLASS = CouchDatabase
 
@@ -95,6 +99,8 @@ def __init__(self, user, auth_token, admin_party=False, **kwargs):
         self._auto_renew = kwargs.get('auto_renew', False)
         self._use_basic_auth = kwargs.get('use_basic_auth', False)
         self._use_iam = kwargs.get('use_iam', False)
+        self._iam_client_id = kwargs.get('iam_client_id', None)
+        self._iam_client_secret = kwargs.get('iam_client_secret', None)
         # If user/pass exist in URL, remove and set variables
         if not self._use_basic_auth and self.server_url:
             parsed_url = url_parse(kwargs.get('url'))
@@ -162,6 +168,8 @@ def connect(self):
                 self._auth_token,
                 self.server_url,
                 auto_renew=self._auto_renew,
+                client_id=self._iam_client_id,
+                client_secret=self._iam_client_secret,
                 timeout=self._timeout
             )
         else:
@@ -844,7 +852,8 @@ def bluemix(cls, vcap_services, instance_name=None, service_name=None, **kwargs)
         if hasattr(service, 'iam_api_key'):
             return Cloudant.iam(service.username,
                                 service.iam_api_key,
-                                url=service.url)
+                                url=service.url,
+                                **kwargs)
         return Cloudant(service.username,
                         service.password,
                         url=service.url,

tests/unit/iam_auth_tests.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-# Copyright (c) 2017 IBM. All rights reserved.
+# Copyright (c) 2017, 2019 IBM. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -108,7 +108,38 @@ def test_iam_get_access_token(self, m_req):
         m_req.assert_called_once_with(
             'POST',
             iam._token_url,
-            auth=('bx', 'bx'),
+            auth=None,
+            headers={'Accepts': 'application/json'},
+            data={
+                'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',
+                'response_type': 'cloud_iam',
+                'apikey': MOCK_API_KEY
+            }
+        )
+
+        self.assertEqual(access_token, MOCK_ACCESS_TOKEN)
+        self.assertTrue(m_response.raise_for_status.called)
+        mock_token_response_text.assert_called_with()
+
+    @mock.patch('cloudant._client_session.ClientSession.request')
+    def test_iam_get_access_token_with_iam_client_id_and_secret(self, m_req):
+        m_response = mock.MagicMock()
+        mock_token_response_text = mock.PropertyMock(return_value=MOCK_IAM_TOKEN_RESPONSE)
+        type(m_response).text = mock_token_response_text
+        m_req.return_value = m_response
+
+        iam_client_id = 'foo'
+        iam_client_secret = 'bar'
+
+        iam = IAMSession(MOCK_API_KEY, 'http://127.0.0.1:5984',
+                         client_id=iam_client_id,
+                         client_secret=iam_client_secret)
+        access_token = iam._get_access_token()
+
+        m_req.assert_called_once_with(
+            'POST',
+            iam._token_url,
+            auth=(iam_client_id, iam_client_secret),
             headers={'Accepts': 'application/json'},
             data={
                 'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',