Merge pull request #543 from cloudant/542-iam-auth

Add iamApiKey option to ReplicatorBuilder

Author: tomblench

AndroidTest/app/build.gradle

@@ -85,7 +85,7 @@ dependencies {
     compile 'commons-io:commons-io:2.4'
     compile 'commons-codec:commons-codec:1.9'
     compile 'org.apache.commons:commons-lang3:3.3.2'
-    compile group: 'com.cloudant', name: 'cloudant-http', version:'2.7.0'
+    compile group: 'com.cloudant', name: 'cloudant-http', version:'latest.integration'
     compile 'com.google.code.findbugs:jsr305:3.0.0' //this is needed for some versions of android
     compile files('../../cloudant-sync-datastore-android-encryption/libs/sqlcipher.jar') //required sqlcipher lib
     compile files('../../cloudant-sync-datastore-android/libs/android-support-v4.jar')
@@ -108,6 +108,7 @@ dependencies {
 repositories {
     mavenLocal()
     mavenCentral()
+    maven { url "https://oss.sonatype.org/content/repositories/snapshots" }
 }
 
 task(uploadFixtures, type: AndroidExec) {

CHANGES.md

@@ -1,3 +1,9 @@
+# 2.1.0 (Unreleased)
+- [NEW] Added support for authenticating with IAM API keys. See
+  [README](https://github.com/cloudant/sync-android/blob/2.1.0/README.md) and the
+  [Bluemix documentation](https://console.bluemix.net/docs/services/Cloudant/guides/iam.html#ibm-cloud-identity-and-access-management)
+  for more details.
+
 # 2.0.2 (2017-06-20)
 - [FIXED] Removed cloudant-sync-datastore-android project dependency
   on com.google.android:android. This dependency was inadvertently

README.md

@@ -261,7 +261,20 @@ Read more in [the replication docs](https://github.com/cloudant/sync-android/blo
 ### Authentication
 
 Sync-android uses session cookies by default to authenticate with the server if
-credentials are provided with in the URL. If you want more fine-grained control over authentication, provide an interceptor to perform the authentication for each request. For example, if you are using middleware such as [Envoy][envoy], you can use
+credentials are provided with in the URL. 
+
+To use an IAM API key on IBM Bluemix, use the `iamApiKey` method when
+building the `Replicator` object:
+
+```java
+Replicator replicator = ReplicatorBuilder.push()
+  .from(ds)
+  .to(uri)
+  .iamApiKey("exampleApiKey")
+  .build();
+```
+
+If you want more fine-grained control over authentication, provide an interceptor to perform the authentication for each request. For example, if you are using middleware such as [Envoy][envoy], you can use
 the `BasicAuthInterceptor` to add basic authentication to requests.
 
 Example:

cloudant-sync-datastore-core/build.gradle

@@ -1,9 +1,13 @@
+repositories {
+    maven { url "https://oss.sonatype.org/content/repositories/snapshots" }
+}
+
 // ************ //
 // CORE PROJ
 // ************ //
 dependencies {
 
-    compile group: 'com.cloudant', name: 'cloudant-http', version:'2.7.0'
+    compile group: 'com.cloudant', name: 'cloudant-http', version:'latest.integration'
     compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version:'2.1.1'
     compile group: 'commons-codec', name: 'commons-codec', version:'1.10'
     compile group: 'commons-io', name: 'commons-io', version:'2.4'

cloudant-sync-datastore-core/src/main/java/com/cloudant/sync/replication/ReplicatorBuilder.java

@@ -14,9 +14,11 @@
 
 package com.cloudant.sync.replication;
 
+import com.cloudant.http.HttpConnectionInterceptor;
 import com.cloudant.http.HttpConnectionRequestInterceptor;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
-import com.cloudant.http.interceptors.CookieInterceptor;
+import com.cloudant.http.internal.interceptors.CookieInterceptor;
+import com.cloudant.http.internal.interceptors.IamCookieInterceptor;
 import com.cloudant.http.internal.interceptors.UserAgentInterceptor;
 import com.cloudant.sync.documentstore.DocumentStore;
 import com.cloudant.sync.internal.replication.PullStrategy;
@@ -25,8 +27,10 @@
 import com.cloudant.sync.internal.util.Misc;
 
 import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -44,24 +48,31 @@ public abstract class ReplicatorBuilder<S, T, E> {
                     "META-INF/com.cloudant.sync.client.properties");
 
     private T target;
+
     private S source;
+
     private String username;
+
     private String password;
 
     private int id = ReplicatorImpl.NULL_ID;
+
     private List<HttpConnectionRequestInterceptor> requestInterceptors = new ArrayList
             <HttpConnectionRequestInterceptor>();
+
     private List<HttpConnectionResponseInterceptor> responseInterceptors = new ArrayList
             <HttpConnectionResponseInterceptor>();
 
+    private String iamApiKey = null;
+
     private ReplicatorBuilder(){
         requestInterceptors.add(USER_AGENT_INTERCEPTOR);
     }
 
-    private URI addCookieInterceptorIfRequired(URI uri) {
+    private int getDefaultPort(URI uri) {
+
         String uriProtocol = uri.getScheme();
-        String uriHost = uri.getHost();
-        String uriPath = uri.getRawPath();
+
 
         // assign default port if it hasn't been set
         // and check that we support the protocol
@@ -75,6 +86,10 @@ private URI addCookieInterceptorIfRequired(URI uri) {
                     "Protocol %s not supported", uriProtocol));
         }
 
+        return uriPort;
+    }
+
+    private void setUserInfo(URI uri) {
         if (uri.getUserInfo() != null && this.username == null && this.password == null) {
             String[] parts = uri.getRawUserInfo().split(":");
             if (parts.length == 2) {
@@ -86,16 +101,34 @@ private URI addCookieInterceptorIfRequired(URI uri) {
                     throw new RuntimeException(e);
                 }
             }
+
         }
+    }
 
+    private URI scrubUri(URI uri, String uriHost, String uriPath, String uriProtocol, int uriPort) {
         if(this.username == null && this.password == null){
             return uri;
         }
 
+        try {
+            //Remove user credentials from url
+            return new URI(uriProtocol
+                    + "://"
+                    + uriHost
+                    + ":"
+                    + uriPort
+                    + (uriPath != null ? uriPath : ""));
+        } catch (URISyntaxException use) {
+            throw new RuntimeException("Failed to construct URI", use);
+        }
+
+    }
+
+    private URI getBaseUri(String uriHost, String uriPath, String uriProtocol, int uriPort) {
         try {
             String path = uriPath == null ? "" : uriPath;
 
-            if(path.length() > 0) {
+            if (path.length() > 0) {
                 int index = path.lastIndexOf("/");
                 if (index == path.length() - 1) {
                     // we need to go back one
@@ -105,27 +138,43 @@ private URI addCookieInterceptorIfRequired(URI uri) {
                 path = path.substring(0, index);
             }
 
-            URI baseURI = new URI(uriProtocol, null, uriHost, uriPort, path, null, null);
-            CookieInterceptor ci = new CookieInterceptor(this.username, this.password, baseURI.toString());
-            requestInterceptors.add(ci);
-            responseInterceptors.add(ci);
+            return new URI(uriProtocol, null, uriHost, uriPort, path, null, null);
         } catch (URISyntaxException e) {
             throw new RuntimeException(e);
         }
+    }
 
-        try {
-            //Remove user credentials from url
-            return new URI(uriProtocol
-                    + "://"
-                    + uriHost
-                    + ":"
-                    + uriPort
-                    + (uriPath != null ? uriPath : ""));
-        } catch (URISyntaxException use) {
-            throw new RuntimeException("Failed to construct URI", use);
+    private void setAuthInterceptor(String uriHost, String uriPath, String uriProtocol, int uriPort) {
+        if (iamApiKey != null) {
+            URI baseURI = getBaseUri(uriHost, uriPath, uriProtocol, uriPort);
+            IamCookieInterceptor ici = new IamCookieInterceptor(iamApiKey, baseURI.toString());
+            requestInterceptors.add(ici);
+            responseInterceptors.add(ici);
+
+        } else if (this.username != null && this.password != null) {
+            URI baseURI = getBaseUri(uriHost, uriPath, uriProtocol, uriPort);
+            CookieInterceptor ci = new CookieInterceptor(this.username, this.password, baseURI.toString());
+            requestInterceptors.add(ci);
+            responseInterceptors.add(ci);
         }
     }
 
+    // - set default port if needed and validate protocol (http(s))
+    // - scrub out username and password if given, and pass it into cookie interceptor or discard it if we're doing IAM
+    // - add IAM interceptor if needed
+    // - else add cookie interceptor if needed
+    private URI addAuthInterceptorIfRequired(URI uri) {
+
+        String uriProtocol = uri.getScheme();
+        String uriHost = uri.getHost();
+        String uriPath = uri.getRawPath();
+
+        int uriPort = getDefaultPort(uri);
+        setUserInfo(uri);
+        setAuthInterceptor(uriHost, uriPath, uriProtocol, uriPort);
+        return scrubUri(uri, uriHost, uriPath, uriProtocol, uriPort);
+    }
+
     /**
      * A Push Replication Builder
      */
@@ -146,7 +195,7 @@ public Replicator build() {
                     "Source and target cannot be null");
 
             // add cookie interceptor and remove creds from URI if required
-            super.target = super.addCookieInterceptorIfRequired(super.target);
+            super.target = super.addAuthInterceptorIfRequired(super.target);
 
             PushStrategy pushStrategy = new PushStrategy(super.source.database(),
                     super.target,
@@ -203,6 +252,7 @@ public Push pushAttachmentsInline(PushAttachmentsInline pushAttachmentsInline) {
             this.pushAttachmentsInline = pushAttachmentsInline;
             return this;
         }
+
     }
 
     /**
@@ -225,7 +275,7 @@ public Replicator build() {
                     "Source and target cannot be null");
 
             // add cookie interceptor and remove creds from URI if required
-            super.source = super.addCookieInterceptorIfRequired(super.source);
+            super.source = super.addAuthInterceptorIfRequired(super.source);
 
             PullStrategy pullStrategy = new PullStrategy(super.source,
                     super.target.database(),
@@ -316,6 +366,30 @@ public E withId(int id) {
         return (E) this;
     }
 
+    /**
+     * <p>
+     *     Sets the IAM API key to use for authenticating requests.
+     * </p>
+     * <p>
+     *     Note: the replicator will only use IAM to authenticate requests. This means that the
+     *     userinfo part of the URL, if set, will be ignored.
+     * </p>
+     * <p>
+     *     See the
+     *     <a href="https://console.bluemix.net/docs/services/Cloudant/guides/iam.html#ibm-cloud-identity-and-access-management" target="_blank">
+     *         Bluemix Identity and Access Management
+     *     </a> documentation for more details.
+     * </p>
+     *
+     * @param iamApiKey The API key
+     * @return This instance of {@link ReplicatorBuilder}
+     */
+    public E iamApiKey(String iamApiKey) {
+        this.iamApiKey = iamApiKey;
+        //noinspection unchecked
+        return (E) this;
+    }
+
     /**
      * Variable argument version of {@link #addRequestInterceptors(List)}
      * @param interceptors The request interceptors to add.

cloudant-sync-datastore-core/src/test/java/com/cloudant/common/TestOptions.java

@@ -102,4 +102,6 @@ public class TestOptions {
     public static final Boolean IGNORE_AUTH_HEADERS = Boolean.valueOf(
             System.getProperty("test.couch.ignore.auth.headers", Boolean.TRUE.toString()));
 
+    public static final String COUCH_IAM_API_KEY = System.getProperty("test.couch.iam.api.key");
+
 }

cloudant-sync-datastore-core/src/test/java/com/cloudant/http/HttpTest.java

@@ -17,7 +17,7 @@
 import com.cloudant.common.CouchTestBase;
 import com.cloudant.common.RequireRunningCouchDB;
 import com.cloudant.common.TestOptions;
-import com.cloudant.http.interceptors.CookieInterceptor;
+import com.cloudant.http.internal.interceptors.CookieInterceptor;
 import com.cloudant.sync.internal.mazha.CouchClient;
 import com.cloudant.sync.internal.mazha.CouchConfig;
 import com.cloudant.sync.internal.util.JSONUtils;

cloudant-sync-datastore-core/src/test/java/com/cloudant/sync/internal/mazha/CouchConfig.java

@@ -20,12 +20,16 @@
 
 package com.cloudant.sync.internal.mazha;
 
+import com.cloudant.common.TestOptions;
 import com.cloudant.http.HttpConnectionRequestInterceptor;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
-import com.cloudant.http.interceptors.CookieInterceptor;
+import com.cloudant.http.internal.interceptors.CookieInterceptor;
+import com.cloudant.http.internal.interceptors.IamCookieInterceptor;
 
+import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -52,8 +56,8 @@ public class CouchConfig {
 
     public CouchConfig(URI rootUri) {
         this(rootUri,
-                Collections.<HttpConnectionRequestInterceptor>emptyList(),
-                Collections.<HttpConnectionResponseInterceptor>emptyList(),
+                new ArrayList<HttpConnectionRequestInterceptor>(),
+                new ArrayList<HttpConnectionResponseInterceptor>(),
                 null,
                 null);
     }
@@ -68,10 +72,16 @@ public CouchConfig(URI rootUri,
         this.responseInterceptors = responseInterceptors;
         this.username = username;
         this.password = password;
-
+        if (TestOptions.COUCH_IAM_API_KEY != null) {
+            int slash = this.rootUri.toString().lastIndexOf("/");
+            String root = this.rootUri.toString().substring(0, slash);
+            IamCookieInterceptor ici = new IamCookieInterceptor(TestOptions.COUCH_IAM_API_KEY,
+                    root);
+            this.requestInterceptors.add(ici);
+            this.responseInterceptors.add(ici);
+        }
     }
 
-
     public List<HttpConnectionRequestInterceptor> getRequestInterceptors(boolean includeCookie) {
         CookieInterceptor cookieInterceptor = buildCookieInterceptor();
         if (includeCookie && cookieInterceptor != null) {

cloudant-sync-datastore-core/src/test/java/com/cloudant/sync/internal/mazha/SpecifiedCouch.java

@@ -22,7 +22,6 @@
 import static com.cloudant.common.TestOptions.COUCH_USERNAME;
 import static com.cloudant.common.TestOptions.HTTP_PROTOCOL;
 
-import com.cloudant.http.interceptors.CookieInterceptor;
 import com.cloudant.http.HttpConnectionRequestInterceptor;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
 
@@ -53,8 +52,8 @@ public static CouchConfig defaultConfig(String dbName){
                 uriString = String.format("%s://%s:%s/%s", HTTP_PROTOCOL, COUCH_HOST, COUCH_PORT, dbName);
             }
             CouchConfig config = new CouchConfig(new URI(uriString),
-                    Collections.<HttpConnectionRequestInterceptor>emptyList(),
-                    Collections.<HttpConnectionResponseInterceptor>emptyList(),
+                    new ArrayList<HttpConnectionRequestInterceptor>(),
+                    new ArrayList<HttpConnectionResponseInterceptor>(),
                     COUCH_USERNAME,
                     COUCH_PASSWORD);
             return config;

cloudant-sync-datastore-core/src/test/java/com/cloudant/sync/internal/replication/CompactedDBReplicationTest.java

@@ -56,6 +56,7 @@ public void replicationFromCompactedDB() throws Exception{
         // skip test if we are doing cookie auth, we don't have the interceptor chain to do it
         // when we call ClientTestUtils.executeHttpPostRequest
         if(TestOptions.COOKIE_AUTH){return;}
+        if(TestOptions.COUCH_IAM_API_KEY != null){return;}
 
         String documentName;
         Bar bar = BarUtils.createBar(remoteDb, "Bob", 12);