CLOUDP-278691: Credentials authentication (#429)

Author: wtrocki

Makefile

@@ -28,7 +28,7 @@ test-examples:
 .PHONY: fmt
 fmt:
 	@echo "==> Fixing source code with gofmt..."
-	gofmt -s -w  ./**/*.go
+	gofmt -s -w  ./**/**/*.go
 
 .PHONY: lint-fix
 lint-fix:

auth/credentials/api.go

@@ -0,0 +1,75 @@
+package credentials
+
+import (
+	"context"
+	"net/http"
+)
+
+// tokenAPIPath for obtaining OAuth Access Token from server
+//
+//nolint:gosec //url only
+const tokenAPIPath = "/api/oauth/token"
+
+// serverURL for atlas API
+const serverURL = "https://cloud.mongodb.com" + tokenAPIPath
+
+// AtlasTokenSourceOptions provides set of input arguments
+// for creation of credentials.TokenSource interface
+type AtlasTokenSourceOptions struct {
+	ClientID     string
+	ClientSecret string
+	// Custom Token source. InMemoryTokenCache being default
+	TokenCache LocalTokenCache
+
+	// Custom context. context.Background() will be used by default
+	Context *context.Context
+	// Custom base url for fetching Token using TokenSource. Reserved for internal use.
+	BaseURL *string
+}
+
+// NewTokenSourceWithOptions initializes an OAuthTokenSource with advanced credentials.AtlasTokenSourceOptions
+// Use this method to initialize custom OAuth Token Cache (filesystem).
+func NewTokenSourceWithOptions(opts AtlasTokenSourceOptions) TokenSource {
+	var tokenURL string
+	if opts.BaseURL != nil {
+		tokenURL = *opts.BaseURL + tokenAPIPath
+	} else {
+		tokenURL = serverURL
+	}
+	var ctx context.Context
+	if opts.Context == nil {
+		ctx = context.Background()
+	} else {
+		ctx = *opts.Context
+	}
+
+	return &OAuthTokenSource{
+		clientID:     opts.ClientID,
+		clientSecret: opts.ClientSecret,
+		tokenURL:     tokenURL,
+		tokenCache:   opts.TokenCache,
+		ctx:          ctx,
+	}
+}
+
+// NewTokenSource initializes OAuth Token Source that provides a way to obtain valid OAuth Tokens.
+// See credentials.NewTokenSourceWithOptions for advanced use cases.
+func NewTokenSource(clientID, clientSecret string) TokenSource {
+	return NewTokenSourceWithOptions(AtlasTokenSourceOptions{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		TokenCache:   &InMemoryTokenCache{},
+	})
+}
+
+// NewHTTPClientWithOAuthToken helper method for creating HTTP client with OAuth authentication support.
+// Use this method for performing requests using http.DefaultTransport.
+// For more advanced use cases please create your own credentials.OAuthCustomHTTPTransport.
+func NewHTTPClientWithOAuthToken(client TokenSource) *http.Client {
+	return &http.Client{
+		Transport: &OAuthCustomHTTPTransport{
+			UnderlyingTransport: http.DefaultTransport,
+			TokenSource:         client,
+		},
+	}
+}

auth/credentials/doc.go

@@ -0,0 +1,18 @@
+// Copyright 2024 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+Package credentials provides an SDK internal client_credentials grant implementation https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4
+*/
+package credentials

auth/credentials/oauth.go

@@ -0,0 +1,160 @@
+package credentials
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// Token represents the internal OAuth2 Token structure
+type Token struct {
+	AccessToken string    `json:"access_token"`
+	Expiry      time.Time `json:"expiry,omitempty"`
+	ExpiresIn   int       `json:"expires_in"`
+}
+
+// TokenSource interface allows to fetch valid OAuth Token.
+type TokenSource interface {
+	// GetValidToken retrieves the valid Token, refreshing it if necessary.
+	GetValidToken() (*Token, error)
+}
+
+// OAuthTokenSource manages the OAuth Token fetching and refreshing using a LocalTokenCache.
+type OAuthTokenSource struct {
+	clientID     string
+	clientSecret string
+	tokenURL     string
+	token        *Token
+	tokenCache   LocalTokenCache
+	ctx          context.Context
+}
+
+// GetValidToken retrieves the valid Token, refreshing it if necessary.
+func (c *OAuthTokenSource) GetValidToken() (*Token, error) {
+	// Try to retrieve the Token string from the Token source
+	tokenString, err := c.tokenCache.RetrieveToken(c.ctx)
+	if err != nil || tokenString == nil {
+		return c.refreshToken()
+	}
+
+	// Parse the Token string into the Token structure (mock parse operation)
+	c.token, err = parseToken(*tokenString)
+	if err != nil || c.token.expired() {
+		// Token is invalid or expired, refresh it
+		return c.refreshToken()
+	}
+
+	return c.token, nil
+}
+
+// refreshToken fetches a new Token and saves it using the Token source.
+func (c *OAuthTokenSource) refreshToken() (*Token, error) {
+	newToken, err := c.fetchToken()
+	if err != nil {
+		return nil, err
+	}
+
+	// Save the access Token string to the Token source
+	err = c.tokenCache.SaveToken(c.ctx, newToken.AccessToken)
+	if err != nil {
+		return nil, fmt.Errorf("failed to save Token: %w", err)
+	}
+
+	c.token = newToken
+	return newToken, nil
+}
+
+// fetchToken makes a manual POST request to Server (tokenUrl) to fetch the access Token.
+func (c *OAuthTokenSource) fetchToken() (*Token, error) {
+	data := url.Values{}
+	data.Set("grant_type", "client_credentials")
+
+	req, err := http.NewRequest("POST", c.tokenURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.SetBasicAuth(c.clientID, c.clientSecret)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("failed to obtain Token, status: " + resp.Status)
+	}
+
+	var tokenResp struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&tokenResp); err != nil {
+		return nil, err
+	}
+
+	// Construct the Token with expiry time
+	token := &Token{
+		AccessToken: tokenResp.AccessToken,
+		ExpiresIn:   tokenResp.ExpiresIn,
+		Expiry:      time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second),
+	}
+	return token, nil
+}
+
+// Additional time for Access Tokens to not expire.
+const ExpiryDelta = 10 * time.Second
+
+// expired checks if the Token is close to expiring.
+func (t *Token) expired() bool {
+	if t.Expiry.IsZero() {
+		return false
+	}
+	return t.Expiry.Round(0).Add(-ExpiryDelta).Before(time.Now())
+}
+
+// Valid checks if the Token is still valid (present and not expired)
+func (t *Token) Valid() bool {
+	return t != nil && t.AccessToken != "" && !t.expired()
+}
+
+// ParseToken extracts expiry details from JWT Token
+func parseToken(accessToken string) (*Token, error) {
+	parts := strings.Split(accessToken, ".")
+	if len(parts) != 3 {
+		return nil, errors.New("invalid access Token format")
+	}
+
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, err
+	}
+
+	var tokenData struct {
+		Exp int64 `json:"exp"`
+	}
+	if err := json.Unmarshal(payload, &tokenData); err != nil {
+		return nil, err
+	}
+
+	expiry := time.Unix(tokenData.Exp, 0)
+	if time.Now().After(expiry) {
+		return nil, errors.New("Token has expired")
+	}
+
+	return &Token{
+		AccessToken: accessToken,
+		Expiry:      expiry,
+		ExpiresIn:   int(time.Until(expiry).Seconds()),
+	}, nil
+}