Merge remote-tracking branch 'origin/main' into ndyakov/examples

Author: ndyakov

credentials_provider.go

@@ -27,6 +27,8 @@ type entraidCredentialsProvider struct {
 
 	// rwLock is a mutex that is used to synchronize access to the listeners slice.
 	rwLock sync.RWMutex // Mutex for synchronizing access to the listeners slice.
+
+	tmLock sync.Mutex
 }
 
 // onTokenNext is a method that is called when the token manager receives a new token.
@@ -60,15 +62,26 @@ func (e *entraidCredentialsProvider) onTokenError(err error) {
 //
 // Returns:
 // - auth.Credentials: The current credentials for the listener.
-// - auth.CancelProviderFunc: A function that can be called to unsubscribe the listener.
+// - auth.UnsubscribeFunc: A function that can be called to unsubscribe the listener.
 // - error: An error if the subscription fails, such as if the token cannot be retrieved.
 //
 // Note: If the listener is already subscribed, it will not receive duplicate notifications.
 func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener) (auth.Credentials, auth.UnsubscribeFunc, error) {
-	// First try to get a token, only then subscribe the listener.
+	// check if the manager is working
+	// If the stopTokenManager is nil, the token manager is not started.
+	e.tmLock.Lock()
+	if e.stopTokenManager == nil {
+		stopTM, err := e.tokenManager.Start(tokenListenerFromCP(e))
+		if err != nil {
+			return nil, nil, fmt.Errorf("couldn't start token manager: %w", err)
+		}
+		e.stopTokenManager = stopTM
+	}
+	e.tmLock.Unlock()
+
 	token, err := e.tokenManager.GetToken(false)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf("couldn't get token: %w", err)
 	}
 
 	e.rwLock.Lock()
@@ -102,6 +115,7 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 		// Clear the listeners slice if it's empty
 		if len(e.listeners) == 0 {
 			e.listeners = make([]auth.CredentialsListener, 0)
+			e.tmLock.Lock()
 			if e.stopTokenManager != nil {
 				err := e.stopTokenManager()
 				if err != nil {
@@ -111,6 +125,7 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 				// This prevents multiple calls to stopTokenManager.
 				e.stopTokenManager = nil
 			}
+			e.tmLock.Unlock()
 		}
 		return nil
 	}
@@ -134,10 +149,11 @@ func NewCredentialsProvider(tokenManager manager.TokenManager, options Credentia
 		options:      options,
 		listeners:    make([]auth.CredentialsListener, 0),
 	}
-	stopTM, err := cp.tokenManager.Start(tokenListenerFromCP(cp))
+	// Start the token manager.
+	stop, err := tokenManager.Start(tokenListenerFromCP(cp))
 	if err != nil {
 		return nil, fmt.Errorf("couldn't start token manager: %w", err)
 	}
-	cp.stopTokenManager = stopTM
+	cp.stopTokenManager = stop
 	return cp, nil
 }

credentials_provider_test.go

@@ -343,7 +343,7 @@ func TestCredentialsProviderSubscribe(t *testing.T) {
 		mtm.On("GetToken", false).Return(testToken, nil)
 		mtm.On("Start", mock.Anything).
 			Run(mockTokenManagerLoop(mtm, tokenExpiration, testToken, nil)).
-			Return(manager.StopFunc(mtm.Stop), nil)
+			Return(manager.StopFunc(mtm.stop), nil)
 		provider, err := NewConfidentialCredentialsProvider(options)
 		require.NoError(t, err)
 		require.NotNil(t, provider)
@@ -396,7 +396,7 @@ func TestCredentialsProviderSubscribe(t *testing.T) {
 
 		mtm.On("Start", mock.Anything).
 			Run(mockTokenManagerLoop(mtm, tokenExpiration, nil, errTokenError)).
-			Return(manager.StopFunc(mtm.Stop), nil)
+			Return(manager.StopFunc(mtm.stop), nil)
 		provider, err := NewConfidentialCredentialsProvider(options)
 		require.NoError(t, err)
 		require.NotNil(t, provider)
@@ -467,7 +467,7 @@ func TestCredentialsProviderSubscribe(t *testing.T) {
 
 		mtm.On("Start", mock.Anything).
 			Run(mockTokenManagerLoop(mtm, tokenExpiration, nil, errTokenError)).
-			Return(manager.StopFunc(mtm.Stop), nil)
+			Return(manager.StopFunc(mtm.stop), nil)
 		provider, err := NewConfidentialCredentialsProvider(options)
 		require.NoError(t, err)
 		require.NotNil(t, provider)

entraid_test.go

@@ -48,7 +48,7 @@ func (m *fakeTokenManager) GetToken(forceRefresh bool) (*token.Token, error) {
 			rawTokenString,
 			time.Now().Add(tokenExpiration),
 			time.Now(),
-			int64(100*time.Millisecond),
+			int64(tokenExpiration.Seconds()),
 		)
 	}
 	return m.token, m.err
@@ -84,7 +84,7 @@ func (m *fakeTokenManager) Start(listener manager.TokenListener) (manager.StopFu
 	}, nil
 }
 
-func (m *fakeTokenManager) Stop() error {
+func (m *fakeTokenManager) stop() error {
 	return nil
 }
 
@@ -163,7 +163,7 @@ func (m *mockTokenManager) Start(listener manager.TokenListener) (manager.StopFu
 	m.lock.Unlock()
 	return args.Get(0).(manager.StopFunc), args.Error(1)
 }
-func (m *mockTokenManager) Stop() error {
+func (m *mockTokenManager) stop() error {
 	m.lock.Lock()
 	defer m.lock.Unlock()
 	if m.listener == nil {

internal/errors.go

@@ -3,7 +3,6 @@ package internal
 import "fmt"
 
 var ErrInvalidIDPResponse = fmt.Errorf("invalid identity provider response")
-var ErrInvalidIDPResponseType = fmt.Errorf("invalid identity provider response type")
 var ErrAuthResultNotFound = fmt.Errorf("auth result not found")
 var ErrAccessTokenNotFound = fmt.Errorf("access token not found")
 var ErrRawTokenNotFound = fmt.Errorf("raw token not found")

internal/idp_response.go

@@ -36,17 +36,17 @@ func NewIDPResp(resultType string, result interface{}) (*IDPResp, error) {
 		default:
 			return nil, fmt.Errorf("invalid auth result type: expected public.AuthResult or *public.AuthResult, got %T", result)
 		}
+		r.rawTokenVal = r.authResultVal.AccessToken
 	case "AccessToken":
 		switch v := result.(type) {
 		case *azcore.AccessToken:
 			r.accessTokenVal = v
-			r.rawTokenVal = v.Token
 		case azcore.AccessToken:
 			r.accessTokenVal = &v
-			r.rawTokenVal = v.Token
 		default:
 			return nil, fmt.Errorf("invalid access token type: expected azcore.AccessToken or *azcore.AccessToken, got %T", result)
 		}
+		r.rawTokenVal = r.accessTokenVal.Token
 	case "RawToken":
 		switch v := result.(type) {
 		case string:

internal/utils.go

@@ -1,6 +1,10 @@
 package internal
 
 // IsClosed checks if a channel is closed.
+//
+// NOTE: It returns true if the channel is closed as well
+// as if the channel is not empty. Used internally
+// to check if the channel is closed.
 func IsClosed(ch <-chan struct{}) bool {
 	select {
 	case <-ch:

manager/defaults.go

@@ -3,6 +3,7 @@ package manager
 import (
 	"errors"
 	"fmt"
+	"math"
 	"net"
 	"os"
 	"time"
@@ -13,6 +14,7 @@ import (
 )
 
 const (
+	DefaultRequestTimeout                = 30 * time.Second
 	DefaultExpirationRefreshRatio        = 0.7
 	DefaultRetryOptionsMaxAttempts       = 3
 	DefaultRetryOptionsBackoffMultiplier = 2.0
@@ -85,91 +87,79 @@ func defaultTokenManagerOptionsOr(options TokenManagerOptions) TokenManagerOptio
 	if options.ExpirationRefreshRatio == 0 {
 		options.ExpirationRefreshRatio = DefaultExpirationRefreshRatio
 	}
+	if options.RequestTimeout == 0 {
+		options.RequestTimeout = DefaultRequestTimeout
+	}
 	return options
 }
 
 type defaultIdentityProviderResponseParser struct{}
 
 // ParseResponse parses the response from the identity provider and extracts the token.
 // It takes an IdentityProviderResponse as an argument and returns a Token and an error if any.
-// The IdentityProviderResponse contains the raw token and the expiration time.
+// The raw token is extracted based on the IdentityProviderResponse Type and then
+// is parsed as a JWT token to extract the claims.
 func (*defaultIdentityProviderResponseParser) ParseResponse(response shared.IdentityProviderResponse) (*token.Token, error) {
 	if response == nil {
 		return nil, fmt.Errorf("identity provider response cannot be nil")
 	}
 
 	var username, password, rawToken string
 	var expiresOn time.Time
-	now := time.Now().UTC()
+	now := time.Now().UTC().Truncate(time.Second).Add(time.Second)
 
 	switch response.Type() {
 	case shared.ResponseTypeAuthResult:
 		authResult, err := response.(shared.AuthResultIDPResponse).AuthResult()
 		if err != nil {
 			return nil, fmt.Errorf("failed to get auth result: %w", err)
 		}
-		if authResult.ExpiresOn.IsZero() {
-			return nil, fmt.Errorf("auth result expiration time is not set")
-		}
-		if authResult.IDToken.Oid == "" {
-			return nil, fmt.Errorf("auth result OID is empty")
-		}
-		rawToken = authResult.IDToken.RawToken
-		username = authResult.IDToken.Oid
-		password = rawToken
-		expiresOn = authResult.ExpiresOn.UTC()
 
-	case shared.ResponseTypeRawToken, shared.ResponseTypeAccessToken:
-		var tokenStr string
-		var err error
-		if response.Type() == shared.ResponseTypeRawToken {
-			tokenStr, err = response.(shared.RawTokenIDPResponse).RawToken()
-			if err != nil {
-				return nil, fmt.Errorf("failed to get raw token: %w", err)
-			}
-		}
-		if response.Type() == shared.ResponseTypeAccessToken {
-			accessToken, err := response.(shared.AccessTokenIDPResponse).AccessToken()
-			if err != nil {
-				return nil, fmt.Errorf("failed to get access token: %w", err)
-			}
-			if accessToken.Token == "" {
-				return nil, fmt.Errorf("access token value is empty")
-			}
-			tokenStr = accessToken.Token
-			expiresOn = accessToken.ExpiresOn.UTC()
-		}
-
-		if tokenStr == "" {
-			return nil, fmt.Errorf("raw token is empty")
+		expiresOn = authResult.ExpiresOn.UTC()
+		rawToken = authResult.AccessToken
+	case shared.ResponseTypeAccessToken:
+		accessToken, err := response.(shared.AccessTokenIDPResponse).AccessToken()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get access token: %w", err)
 		}
 
-		claims := struct {
-			jwt.RegisteredClaims
-			Oid string `json:"oid,omitempty"`
-		}{}
-
-		// Parse the token to extract claims, but note that signature verification
-		// should be handled by the identity provider
-		_, _, err = jwt.NewParser().ParseUnverified(tokenStr, &claims)
+		rawToken = accessToken.Token
+		expiresOn = accessToken.ExpiresOn.UTC()
+	case shared.ResponseTypeRawToken:
+		tokenStr, err := response.(shared.RawTokenIDPResponse).RawToken()
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse JWT token: %w", err)
+			return nil, fmt.Errorf("failed to get raw token: %w", err)
 		}
+		rawToken = tokenStr
+	default:
+		return nil, fmt.Errorf("unsupported response type: %s", response.Type())
+	}
 
-		if claims.Oid == "" {
-			return nil, fmt.Errorf("JWT token does not contain OID claim")
-		}
+	if rawToken == "" {
+		return nil, fmt.Errorf("raw token is empty")
+	}
 
-		rawToken = tokenStr
-		username = claims.Oid
-		password = rawToken
+	// Parse JWT
+	claims := struct {
+		jwt.RegisteredClaims
+		Oid string `json:"oid,omitempty"`
+	}{}
+
+	// Parse the token to extract claims, but note that signature verification
+	// should be handled by the identity provider
+	_, _, err := jwt.NewParser().ParseUnverified(rawToken, &claims)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse JWT token: %w", err)
+	}
 
-		if expiresOn.IsZero() && claims.ExpiresAt != nil {
-			expiresOn = claims.ExpiresAt.UTC()
-		}
+	if claims.Oid == "" {
+		return nil, fmt.Errorf("JWT token does not contain OID claim")
+	}
 
-	default:
-		return nil, fmt.Errorf("unsupported response type: %s", response.Type())
+	username = claims.Oid
+	password = rawToken
+	if expiresOn.IsZero() && claims.ExpiresAt != nil {
+		expiresOn = claims.ExpiresAt.UTC()
 	}
 
 	if expiresOn.IsZero() {
@@ -187,6 +177,6 @@ func (*defaultIdentityProviderResponseParser) ParseResponse(response shared.Iden
 		rawToken,
 		expiresOn,
 		now,
-		int64(time.Until(expiresOn).Seconds()),
+		int64(math.Ceil(time.Until(expiresOn).Seconds())),
 	), nil
 }