Merge pull request openshift#8025 from miyamotoh/auth-with-platform-services-sdk

OCPBUGS-30200: Authn with platform-services-go-sdk for PowerVS

Author: openshift-merge-bot[bot]

go.mod

@@ -39,7 +39,6 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/go-openapi/swag v0.22.9
 	github.com/go-playground/validator/v10 v10.13.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/mock v1.7.0-rc.1
 	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.6.0

go.sum

@@ -440,8 +440,6 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=

pkg/asset/installconfig/powervs/session.go

@@ -5,24 +5,16 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	gohttp "net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 
 	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/IBM-Cloud/bluemix-go"
-	"github.com/IBM-Cloud/bluemix-go/authentication"
-	"github.com/IBM-Cloud/bluemix-go/http"
-	"github.com/IBM-Cloud/bluemix-go/rest"
-	bxsession "github.com/IBM-Cloud/bluemix-go/session"
 	"github.com/IBM-Cloud/power-go-client/ibmpisession"
 	"github.com/IBM/go-sdk-core/v5/core"
 	"github.com/form3tech-oss/jwt-go"
 	"github.com/sirupsen/logrus"
-
-	"github.com/openshift/installer/pkg/types/powervs"
 )
 
 var (
@@ -33,7 +25,6 @@ var (
 
 // BxClient is struct which provides bluemix session details
 type BxClient struct {
-	*bxsession.Session
 	APIKey               string
 	Region               string
 	Zone                 string
@@ -67,28 +58,32 @@ type SessionVars struct {
 	PowerVSResourceGroup string
 }
 
-func authenticateAPIKey(sess *bxsession.Session) error {
-	config := sess.Config
-	tokenRefresher, err := authentication.NewIAMAuthRepository(config, &rest.Client{
-		DefaultHeader: gohttp.Header{
-			"User-Agent": []string{http.UserAgent()},
-		},
-	})
+func authenticateAPIKey(apikey string) (string, error) {
+	a, err := core.NewIamAuthenticatorBuilder().SetApiKey(apikey).Build()
 	if err != nil {
-		return err
+		return "", err
 	}
-	return tokenRefresher.AuthenticateAPIKey(config.BluemixAPIKey)
+	token, err := a.GetToken()
+	if err != nil {
+		return "", err
+	}
+	return token, nil
 }
 
-func fetchUserDetails(sess *bxsession.Session) (*User, error) {
-	config := sess.Config
+// FetchUserDetails returns User details from the given API key.
+func FetchUserDetails(apikey string) (*User, error) {
 	user := User{}
 	var bluemixToken string
 
-	if strings.HasPrefix(config.IAMAccessToken, "Bearer") {
-		bluemixToken = config.IAMAccessToken[7:len(config.IAMAccessToken)]
+	iamToken, err := authenticateAPIKey(apikey)
+	if err != nil {
+		return &user, err
+	}
+
+	if strings.HasPrefix(iamToken, "Bearer ") {
+		bluemixToken = iamToken[len("Bearer "):]
 	} else {
-		bluemixToken = config.IAMAccessToken
+		bluemixToken = iamToken
 	}
 
 	token, err := jwt.Parse(bluemixToken, func(token *jwt.Token) (interface{}, error) {
@@ -121,29 +116,10 @@ func NewBxClient(survey bool) (*BxClient, error) {
 	c.Zone = sv.Zone
 	c.PowerVSResourceGroup = sv.PowerVSResourceGroup
 
-	bxSess, err := bxsession.New(&bluemix.Config{
-		BluemixAPIKey: sv.APIKey,
-	})
+	c.User, err = FetchUserDetails(c.APIKey)
 	if err != nil {
 		return nil, err
 	}
-	if bxSess == nil {
-		return nil, errors.New("failed to create bxsession.New in NewBxClient")
-	}
-
-	c.Session = bxSess
-
-	err = authenticateAPIKey(bxSess)
-	if err != nil {
-		return nil, err
-	}
-
-	c.User, err = fetchUserDetails(bxSess)
-	if err != nil {
-		return nil, err
-	}
-
-	c.Session.Config.Region = powervs.Regions[sv.Region].VPCRegion
 
 	return c, nil
 }

pkg/destroy/powervs/powervs.go

@@ -10,13 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/IBM-Cloud/bluemix-go"
-	"github.com/IBM-Cloud/bluemix-go/api/resource/resourcev2/controllerv2"
-	"github.com/IBM-Cloud/bluemix-go/authentication"
 	"github.com/IBM-Cloud/bluemix-go/crn"
-	"github.com/IBM-Cloud/bluemix-go/http"
-	"github.com/IBM-Cloud/bluemix-go/rest"
-	bxsession "github.com/IBM-Cloud/bluemix-go/session"
 	"github.com/IBM-Cloud/power-go-client/clients/instance"
 	"github.com/IBM-Cloud/power-go-client/ibmpisession"
 	"github.com/IBM/go-sdk-core/v5/core"
@@ -28,7 +22,6 @@ import (
 	"github.com/IBM/platform-services-go-sdk/resourcecontrollerv2"
 	"github.com/IBM/platform-services-go-sdk/resourcemanagerv2"
 	"github.com/IBM/vpc-go-sdk/vpcv1"
-	"github.com/golang-jwt/jwt"
 	"github.com/sirupsen/logrus"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -74,42 +67,6 @@ type User struct {
 	generation int    `default:"2"`
 }
 
-func fetchUserDetails(bxSession *bxsession.Session, generation int) (*User, error) {
-	config := bxSession.Config
-	user := User{}
-	var bluemixToken string
-
-	if strings.HasPrefix(config.IAMAccessToken, "Bearer") {
-		bluemixToken = config.IAMAccessToken[7:len(config.IAMAccessToken)]
-	} else {
-		bluemixToken = config.IAMAccessToken
-	}
-
-	token, err := jwt.Parse(bluemixToken, func(token *jwt.Token) (interface{}, error) {
-		return "", nil
-	})
-	if err != nil && !strings.Contains(err.Error(), "key is of invalid type") {
-		return &user, err
-	}
-
-	claims := token.Claims.(jwt.MapClaims)
-	if email, ok := claims["email"]; ok {
-		user.Email = email.(string)
-	}
-	user.ID = claims["id"].(string)
-	user.Account = claims["account"].(map[string]interface{})["bss"].(string)
-	iss := claims["iss"].(string)
-	if strings.Contains(iss, "https://iam.cloud.ibm.com") {
-		user.cloudName = "bluemix"
-	} else {
-		user.cloudName = "staging"
-	}
-	user.cloudType = "public"
-
-	user.generation = generation
-	return &user, nil
-}
-
 // ClusterUninstaller holds the various options for the cluster we want to delete.
 type ClusterUninstaller struct {
 	APIKey         string
@@ -414,23 +371,14 @@ func (o *ClusterUninstaller) newAuthenticator(apikey string) (core.Authenticator
 
 func (o *ClusterUninstaller) loadSDKServices() error {
 	var (
-		bxSession             *bxsession.Session
-		tokenProviderEndpoint = "https://iam.cloud.ibm.com" //nolint:gosec // not a credential despite `token` in its name
-		tokenRefresher        *authentication.IAMAuthRepository
-		err                   error
-		ctrlv2                controllerv2.ResourceControllerAPIV2
-		resourceClientV2      controllerv2.ResourceServiceInstanceRepository
-		authenticator         core.Authenticator
-		versionDate           = "2023-07-04"
-		tgOptions             *transitgatewayapisv1.TransitGatewayApisV1Options
-		serviceName           string
+		err           error
+		authenticator core.Authenticator
+		versionDate   = "2023-07-04"
+		tgOptions     *transitgatewayapisv1.TransitGatewayApisV1Options
+		serviceName   string
 	)
 
 	defer func() {
-		o.Logger.Debugf("loadSDKServices: bxSession = %v", bxSession)
-		o.Logger.Debugf("loadSDKServices: tokenRefresher = %v", tokenRefresher)
-		o.Logger.Debugf("loadSDKServices: ctrlv2 = %v", ctrlv2)
-		o.Logger.Debugf("loadSDKServices: resourceClientV2 = %v", resourceClientV2)
 		o.Logger.Debugf("loadSDKServices: o.ServiceGUID = %v", o.ServiceGUID)
 		o.Logger.Debugf("loadSDKServices: o.piSession = %v", o.piSession)
 		o.Logger.Debugf("loadSDKServices: o.instanceClient = %v", o.instanceClient)
@@ -446,43 +394,11 @@ func (o *ClusterUninstaller) loadSDKServices() error {
 		return fmt.Errorf("loadSDKServices: missing APIKey in metadata.json")
 	}
 
-	bxSession, err = bxsession.New(&bluemix.Config{
-		BluemixAPIKey:         o.APIKey,
-		TokenProviderEndpoint: &tokenProviderEndpoint,
-		Debug:                 false,
-	})
-	if err != nil {
-		return fmt.Errorf("loadSDKServices: bxsession.New: %w", err)
-	}
-
-	tokenRefresher, err = authentication.NewIAMAuthRepository(bxSession.Config, &rest.Client{
-		DefaultHeader: gohttp.Header{
-			"User-Agent": []string{http.UserAgent()},
-		},
-	})
-	if err != nil {
-		return fmt.Errorf("loadSDKServices: authentication.NewIAMAuthRepository: %w", err)
-	}
-	err = tokenRefresher.AuthenticateAPIKey(bxSession.Config.BluemixAPIKey)
-	if err != nil {
-		return fmt.Errorf("loadSDKServices: tokenRefresher.AuthenticateAPIKey: %w", err)
-	}
-
-	user, err := fetchUserDetails(bxSession, 2)
+	user, err := powervs.FetchUserDetails(o.APIKey)
 	if err != nil {
 		return fmt.Errorf("loadSDKServices: fetchUserDetails: %w", err)
 	}
 
-	ctrlv2, err = controllerv2.New(bxSession)
-	if err != nil {
-		return fmt.Errorf("loadSDKServices: controllerv2.New: %w", err)
-	}
-
-	resourceClientV2 = ctrlv2.ResourceServiceInstanceV2()
-	if err != nil {
-		return fmt.Errorf("loadSDKServices: ctrlv2.ResourceServiceInstanceV2: %w", err)
-	}
-
 	authenticator, err = o.newAuthenticator(o.APIKey)
 	if err != nil {
 		return err