Add IAM Token based authentication

Author: cjbj

CHANGELOG.md

@@ -8,6 +8,10 @@
   stack](https://oracle.github.io/node-oracledb/doc/api.html#properrstack). PR#1467
   (Slawomir Osoba).
 
+- Added support for [token based
+  authentication](https://oracle.github.io/node-oracledb/doc/api.html#tokenbasedauth)
+  when establishing pool based connections and standalone connections.
+
 - Added code to keep the method name in internally bound functions.
   PR #1466 (Slawomir Osoba).
 

binding.gyp

@@ -8,6 +8,7 @@
              "src/njsAqMessage.c",
              "src/njsAqQueue.c",
              "src/njsBaton.c",
+             "src/njsTokenCallback.c",
              "src/njsConnection.c",
              "src/njsDbObject.c",
              "src/njsErrors.c",

doc/api.md

@@ -109,5 +109,7 @@ File Name                                                 | Description
 [`sessiontagging1.js`](sessiontagging1.js)                | Simple pooled connection tagging for setting session state
 [`sessiontagging2.js`](sessiontagging2.js)                | More complex example of pooled connection tagging for setting session state
 [`soda1.js`](soda1.js)                                    | Basic Simple Oracle Document Access (SODA) example
+[`tokenbasedauth.js`](tokenbasedauth.js)                  | Shows standalone connection using token based authentication
+[`tokenbasedauthpool.js`](tokenbasedauthpool.js)          | Shows connection pooling using token based authentication
 [`version.js`](version.js)                                | Shows the node-oracledb version attributes
 [`webapp.js`](webapp.js)                                  | A simple web application using a connection pool

examples/README.md

@@ -0,0 +1,125 @@
+/* Copyright (c) 2022, Oracle and/or its affiliates. */
+
+/******************************************************************************
+ *
+ * You may not use the identified files except in compliance with the Apache
+ * License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * NAME
+ *   tokenbasedauth.js
+ *
+ * DESCRIPTION
+ *   This script shows standalone connection using token based authentication
+ *   to Oracle Autonomous Database from Oracle Compute Infrastructure.
+ *
+ *   For more information refer to
+ *   https://oracle.github.io/node-oracledb/doc/api.html#tokenbasedauth
+ *
+ * PREREQUISITES
+ *   - node-oracledb 5.4 or later.
+ *
+ *   - Oracle Client libraries 19.14 (or later), or 21.5 (or later).
+ *
+ *   - The Oracle Cloud Infrastructure command line interface (OCI-CLI).  The
+ *     command line interface (CLI) is a tool that enables you to work with
+ *     Oracle Cloud Infrastructure objects and services at a command line, see
+ *     https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
+ *
+ *   - Set these environment variables (see the code explanation):
+ *     NODE_ORACLEDB_ACCESS_TOKEN_LOC
+ *     NODE_ORACLEDB_CONNECTIONSTRING
+ *
+ *****************************************************************************/
+
+const fs = require('fs');
+const oracledb = require('oracledb');
+const { execSync } = require('child_process');
+
+// Execute the OCI-CLI command to generate a token.
+// This should create two files "token" and "oci_db_key.pem".
+// On Linux the default file location is "~/.oci/db-token".  You should set
+// NODE_ORACLEDB_ACCESS_TOKEN_LOC to this directory, or to the directory where
+// you move the files.
+try {
+  const cmdResult = execSync('oci iam db-token get', { encoding: 'utf-8' });
+  console.log(cmdResult);
+} catch (err) {
+  console.log(err);
+}
+
+// User defined function for reading token and private key values generated by
+// the OCI-CLI.
+function getToken() {
+  const tokenPath = process.env.NODE_ORACLEDB_ACCESS_TOKEN_LOC + '/token';
+  const privateKeyPath = process.env.NODE_ORACLEDB_ACCESS_TOKEN_LOC +
+      '/oci_db_key.pem';
+
+  let token = '';
+  let privateKey = '';
+  try {
+    // Read token file
+    token = fs.readFileSync(tokenPath, 'utf8');
+    // Read private key file
+    const privateKeyFileContents = fs.readFileSync(privateKeyPath, 'utf-8');
+    privateKeyFileContents.split(/\r?\n/).forEach(line => {
+      if (line != '-----BEGIN PRIVATE KEY-----' &&
+        line != '-----END PRIVATE KEY-----')
+        privateKey = privateKey.concat(line);
+    });
+  } catch (err) {
+    console.error(err);
+  }
+
+  const tokenBasedAuthData = {
+    token         : token,
+    privateKey    : privateKey
+  };
+  return tokenBasedAuthData;
+}
+
+async function run() {
+  let connection;
+  // Get token and private key.
+  let accessTokenObj = getToken();
+
+  // Configuration for token based authentication:
+  //   accessToken:   The token values
+  //   externalAuth:  Must be set to true for token based authentication.
+  //   connectString: The NODE_ORACLEDB_CONNECTIONSTRING environment variable
+  //                  set to the Oracle Net alias or connect descriptor of your
+  //                  Oracle Autonomous Database.
+  const config = {
+    accessToken        : accessTokenObj,
+    externalAuth       : true,
+    connectString      : process.env.NODE_ORACLEDB_CONNECTIONSTRING
+  };
+
+  try {
+    connection = await oracledb.getConnection(config);
+    const sql = `SELECT TO_CHAR(current_date, 'DD-Mon-YYYY HH24:MI') AS D
+                 FROM DUAL`;
+    const result = await connection.execute(sql);
+    console.log("Result is:\n", result);
+  } catch (err) {
+    console.error(err);
+  } finally {
+    try {
+      if (connection)
+        await connection.close();
+    } catch (err) {
+      console.error(err.message);
+    }
+  }
+}
+
+run();

examples/tokenbasedauth.js

@@ -0,0 +1,170 @@
+/* Copyright (c) 2022, Oracle and/or its affiliates. */
+
+/******************************************************************************
+ *
+ * You may not use the identified files except in compliance with the Apache
+ * License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * NAME
+ *   tokenbasedauthpool.js
+ *
+ * DESCRIPTION
+ *   This script shows connection pooling with token based authentication to
+ *   Oracle Autonomous Database from Oracle Compute Infrastructure. It shows
+ *   how to create a connection pool and update expired tokens.
+ *
+ *   For more information refer to
+ *   https://oracle.github.io/node-oracledb/doc/api.html#tokenbasedauth
+ *
+ * PREREQUISITES
+ *   - node-oracledb 5.4 or later.
+ *
+ *   - Oracle Client libraries 19.14 (or later), or 21.5 (or later).
+ *
+ *   - The Oracle Cloud Infrastructure command line interface (OCI-CLI).  The
+ *     command line interface (CLI) is a tool that enables you to work with
+ *     Oracle Cloud Infrastructure objects and services at a command line, see
+ *     https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
+ *
+ *   - Set these environment variables (see the code explanation):
+ *     NODE_ORACLEDB_ACCESS_TOKEN_LOC
+ *     NODE_ORACLEDB_CONNECTIONSTRING
+ *
+ *****************************************************************************/
+
+const fs = require('fs');
+const oracledb = require('oracledb');
+const { execSync } = require('child_process');
+
+// Execute the OCI-CLI command to generate a token.
+// This should create two files "token" and "oci_db_key.pem"
+// On Linux the default file location is "~/.oci/db-token".  You should set
+// NODE_ORACLEDB_ACCESS_TOKEN_LOC to this directory, or to the directory where
+// you move the files.
+try {
+  const cmdResult = execSync('oci iam db-token get', { encoding: 'utf-8' });
+  console.log(cmdResult);
+} catch (err) {
+  console.log(err);
+}
+
+// User defined function for reading token and private key values generated by
+// the OCI-CLI.
+function getToken() {
+  const tokenPath = process.env.NODE_ORACLEDB_ACCESS_TOKEN_LOC + '/token';
+  const privateKeyPath = process.env.NODE_ORACLEDB_ACCESS_TOKEN_LOC +
+      '/oci_db_key.pem';
+
+  let token = '';
+  let privateKey = '';
+  try {
+    // Read token file
+    token = fs.readFileSync(tokenPath, 'utf8');
+    // Read private key file
+    const privateKeyFileContents = fs.readFileSync(privateKeyPath, 'utf-8');
+    privateKeyFileContents.split(/\r?\n/).forEach(line => {
+      if (line != '-----BEGIN PRIVATE KEY-----' &&
+          line != '-----END PRIVATE KEY-----')
+        privateKey = privateKey.concat(line);
+    });
+  } catch (err) {
+    console.error(err);
+  }
+
+  const tokenBasedAuthData = {
+    token         : token,
+    privateKey    : privateKey
+  };
+  return tokenBasedAuthData;
+}
+
+// User defined callback function which is invoked by node-oracledb when a
+// token expires and the pool needs to create new connections
+function tokenCallback() {
+  return getToken();
+}
+
+async function run() {
+  // Get token and private key for initial pool creation.
+  const accessTokenData = getToken();
+
+  // Configuration for token based authentication:
+  //   accessToken:         The initial token values
+  //   accessTokenCallback: A callback function to provide a refreshed token
+  //   externalAuth:        Must be set to true for token based authentication
+  //   homogeneous:         Must be set to true for token based authentication
+  //   connectString:       The NODE_ORACLEDB_CONNECTIONSTRING environment
+  //                        variable set to the Oracle Net alias or connect
+  //                        descriptor of your Oracle Autonomous Database
+  const config = {
+    accessToken         : accessTokenData,
+    accessTokenCallback : tokenCallback,
+    externalAuth        : true,
+    homogeneous         : true,
+    connectString       : process.env.NODE_ORACLEDB_CONNECTIONSTRING,
+  };
+
+  try {
+
+    // Create pool using token based authentication
+    await oracledb.createPool(config);
+
+    // A real app would call createConnection() multiple times over a long
+    // period of time.  During this time the pool may grow.  If the initial
+    // token has expired, node-oracledb will automatically call the
+    // accessTokenCallback function allowing you to update the token.
+    await createConnection();
+
+  } catch (err) {
+    console.error(err);
+  } finally {
+    await closePoolAndExit();
+  }
+}
+
+async function createConnection() {
+  let connection;
+  try {
+    // Get a connection from the default pool
+    connection = await oracledb.getConnection();
+    const sql = `SELECT TO_CHAR(current_date, 'DD-Mon-YYYY HH24:MI') AS D
+                 FROM DUAL`;
+    const result = await connection.execute(sql);
+    console.log("Result is:\n", result);
+  } catch (err) {
+    console.error(err);
+  } finally {
+    if (connection) {
+      // Put the connection back in the pool
+      await connection.close();
+    }
+  }
+}
+
+async function closePoolAndExit() {
+  console.log('\nTerminating');
+  try {
+    // Get the pool from the pool cache and close it
+    await oracledb.getPool().close(0);
+    process.exit(0);
+  } catch (err) {
+    console.error(err.message);
+    process.exit(1);
+  }
+}
+
+process
+  .once('SIGTERM', closePoolAndExit)
+  .once('SIGINT', closePoolAndExit);
+
+run();

examples/tokenbasedauthpool.js

@@ -199,6 +199,39 @@ async function createPool(poolAttrs) {
     tempUsedPoolAliases[poolAlias] = true;
   }
 
+  if (adjustedPoolAttrs.accessToken !== undefined) {
+    // token and privateKey must be set for token based
+    // authentication
+    if (adjustedPoolAttrs.accessToken.token === undefined ||
+        adjustedPoolAttrs.accessToken.token === '' ||
+        adjustedPoolAttrs.accessToken.privateKey === undefined ||
+        adjustedPoolAttrs.accessToken.privateKey === '') {
+      throw new Error(nodbUtil.getErrorMessage('NJS-084'));
+    }
+
+    // cannot set username or password for token based authentication
+    if (adjustedPoolAttrs.user !== undefined ||
+        adjustedPoolAttrs.password !== undefined) {
+      throw new Error(nodbUtil.getErrorMessage('NJS-084'));
+    }
+
+    // homogeneous and externalAuth must be set to true for token based
+    // authentication
+    if (adjustedPoolAttrs.homogeneous === false ||
+        adjustedPoolAttrs.externalAuth === false) {
+      throw new Error(nodbUtil.getErrorMessage('NJS-085'));
+    }
+
+    adjustedPoolAttrs.token = adjustedPoolAttrs.accessToken.token;
+    adjustedPoolAttrs.privateKey =
+        adjustedPoolAttrs.accessToken.privateKey;
+  }
+
+  if (adjustedPoolAttrs.accessToken === undefined &&
+      adjustedPoolAttrs.accessTokenCallback !== undefined) {
+    throw new Error(nodbUtil.getErrorMessage('NJS-084'));
+  }
+
   try {
     const pool = await this._createPool(adjustedPoolAttrs);
 
@@ -271,6 +304,32 @@ async function getConnection(a1) {
 
   // otherwise, create a new standalone connection
   } else {
+    if (connAttrs.accessToken !== undefined) {
+      // token and privateKey must be set for token based
+      // authentication
+      if (connAttrs.accessToken.token === undefined ||
+          connAttrs.accessToken.token === '' ||
+          connAttrs.accessToken.privateKey === undefined ||
+          connAttrs.accessToken.privateKey === '') {
+        throw new Error(nodbUtil.getErrorMessage('NJS-084'));
+      }
+
+      // cannot set username or password for token based authentication
+      if (connAttrs.user !== undefined ||
+          connAttrs.password !== undefined) {
+        throw new Error(nodbUtil.getErrorMessage('NJS-084'));
+      }
+
+      // externalAuth must be set to true for token based authentication
+      if (connAttrs.externalAuth === false) {
+        throw new Error(nodbUtil.getErrorMessage('NJS-086'));
+      }
+
+      connAttrs.token = connAttrs.accessToken.token;
+      connAttrs.privateKey =
+        connAttrs.accessToken.privateKey;
+    }
+
     try {
       return await this._getConnection(connAttrs);
     } catch (err) {