IBM Cloud IAM Support (#102)

* Enable authentication with IBM Cloud IAM

* Added IBM Cloud IAM auth example

* Changes from review

Author: PatrickDuncan

examples/dashboard_ibm_cloud.py

@@ -0,0 +1,82 @@
+#!/usr/bin/env python
+
+# This example uses IBM Cloud IAM authentication and makes a few calls to the
+# Dashboard API as validation. Creates, edits and then deletes a dashboard.
+
+import os
+import sys
+sys.path.insert(0, os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), '..'))
+from sdcclient import IbmAuthHelper, SdMonitorClient
+
+# Parse arguments.
+def usage():
+    print('usage: %s <endpoint-url> <apikey> <instance-guid>' % sys.argv[0])
+    print('endpoint-url: The endpoint URL that should point to IBM Cloud')
+    print('apikey: IBM Cloud IAM apikey that will be used to retrieve an access token')
+    print('instance-guid: GUID of an IBM Cloud Monitoring with Sysdig instance')
+    sys.exit(1)
+
+if len(sys.argv) != 4:
+    usage()
+
+URL = sys.argv[1]
+APIKEY = sys.argv[2]
+GUID = sys.argv[3]
+DASHBOARD_NAME = 'IBM Cloud IAM with Python Client Example'
+PANEL_NAME = 'CPU Over Time'
+
+# Instantiate the client with an IBM Cloud auth object
+ibm_headers = IbmAuthHelper.get_headers(URL, APIKEY, GUID)
+sdclient = SdMonitorClient(sdc_url=URL, custom_headers=ibm_headers)
+
+# Create an empty dashboard
+ok, res = sdclient.create_dashboard(DASHBOARD_NAME)
+
+# Check the result
+dashboard_configuration = None
+if ok:
+    print('Dashboard %d created successfully' % res['dashboard']['id'])
+    dashboard_configuration = res['dashboard']
+else:
+    print(res)
+    sys.exit(1)
+
+# Add a time series panel
+panel_type = 'timeSeries'
+metrics = [
+    {'id': 'proc.name'},
+    {'id': 'cpu.used.percent', 'aggregations': {'time': 'avg', 'group': 'avg'}}
+]
+ok, res = sdclient.add_dashboard_panel(
+    dashboard_configuration, PANEL_NAME, panel_type, metrics)
+
+# Check the result
+if ok:
+    print('Panel added successfully')
+    dashboard_configuration = res['dashboard']
+else:
+    print(res)
+    sys.exit(1)
+
+# Remove the time series panel
+ok, res = sdclient.remove_dashboard_panel(dashboard_configuration, PANEL_NAME)
+
+# Check the result
+if ok:
+    print('Panel removed successfully')
+    dashboard_configuration = res['dashboard']
+else:
+    print(res)
+    sys.exit(1)
+
+# Delete the dashboard
+ok, res = sdclient.delete_dashboard(dashboard_configuration)
+
+# Check the result
+if ok:
+    print('Dashboard deleted successfully')
+else:
+    print(res)
+    sys.exit(1)
+
+print('IBM Cloud IAM auth worked successfully!')

sdcclient/__init__.py

@@ -3,3 +3,4 @@
 from sdcclient._monitor_v1 import SdMonitorClientV1
 from sdcclient._secure import SdSecureClient
 from sdcclient._scanning import SdScanningClient
+from sdcclient.ibm_auth_helper import IbmAuthHelper

sdcclient/_common.py

@@ -10,22 +10,32 @@ class _SdcCommon(object):
         - **token**: A Sysdig Monitor/Secure API token from the *Sysdig Cloud API* section of the Settings page for `monitor <https://app.sysdigcloud.com/#/settings/user>`_ or .`secure <https://secure.sysdig.com/#/settings/user>`_.
         - **sdc_url**: URL for contacting the Sysdig API server. Set this in `On-Premises installs <https://support.sysdigcloud.com/hc/en-us/articles/206519903-On-Premises-Installation-Guide>`__.
         - **ssl_verify**: Whether to verify certificate. Set to False if using a self-signed certificate in an `On-Premises install <https://support.sysdigcloud.com/hc/en-us/articles/206519903-On-Premises-Installation-Guide>`__.
+        - **custom_headers**: [dict] Pass in custom headers. Useful for authentication and will override the default headers.
 
     **Returns**
         An object for further interactions with the Sysdig Monitor/Secure API. See methods below.
     '''
     lasterr = None
 
-    def __init__(self, token="", sdc_url='https://app.sysdigcloud.com', ssl_verify=True):
+    def __init__(self, token="", sdc_url='https://app.sysdigcloud.com', ssl_verify=True, custom_headers=None):
         self.token = os.environ.get("SDC_TOKEN", token)
-        self.hdrs = {'Authorization': 'Bearer ' + self.token, 'Content-Type': 'application/json'}
+        self.hdrs = self.__get_headers(custom_headers)
         self.url = os.environ.get("SDC_URL", sdc_url)
         self.ssl_verify = os.environ.get("SDC_SSL_VERIFY", None)
         if self.ssl_verify == None:
             self.ssl_verify = ssl_verify
         else:
             self.ssl_verify = self.ssl_verify.lower() == 'true'
 
+    def __get_headers(self, custom_headers):
+        headers = {
+            'Content-Type': 'application/json',
+            'Authorization': 'Bearer ' + self.token
+        }
+        if custom_headers:
+            headers.update(custom_headers)
+        return headers
+
     def _checkResponse(self, res):
         if res.status_code >= 300:
             errorcode = res.status_code

sdcclient/_monitor.py

@@ -13,8 +13,8 @@
 
 class SdMonitorClient(_SdcCommon):
 
-    def __init__(self, token="", sdc_url='https://app.sysdigcloud.com', ssl_verify=True):
-        super(SdMonitorClient, self).__init__(token, sdc_url, ssl_verify)
+    def __init__(self, token="", sdc_url='https://app.sysdigcloud.com', ssl_verify=True, custom_headers=None):
+        super(SdMonitorClient, self).__init__(token, sdc_url, ssl_verify, custom_headers)
         self.product = "SDC"
         self._dashboards_api_version = 'v2'
         self._dashboards_api_endpoint = '/api/{}/dashboards'.format(self._dashboards_api_version)

sdcclient/_scanning.py

@@ -15,8 +15,8 @@
 
 class SdScanningClient(_SdcCommon):
 
-    def __init__(self, token="", sdc_url='https://secure.sysdig.com', ssl_verify=True):
-        super(SdScanningClient, self).__init__(token, sdc_url, ssl_verify)
+    def __init__(self, token="", sdc_url='https://secure.sysdig.com', ssl_verify=True, custom_headers=None):
+        super(SdScanningClient, self).__init__(token, sdc_url, ssl_verify, custom_headers)
         self.product = "SDS"
 
     def add_image(self, image, force=False, dockerfile=None, annotations={}, autosubscribe=True):

sdcclient/_secure.py

@@ -11,8 +11,8 @@
 
 class SdSecureClient(_SdcCommon):
 
-    def __init__(self, token="", sdc_url='https://secure.sysdig.com', ssl_verify=True):
-        super(SdSecureClient, self).__init__(token, sdc_url, ssl_verify)
+    def __init__(self, token="", sdc_url='https://secure.sysdig.com', ssl_verify=True, custom_headers=None):
+        super(SdSecureClient, self).__init__(token, sdc_url, ssl_verify, custom_headers)
 
         self.customer_id = None
         self.product = "SDS"

sdcclient/ibm_auth_helper.py

@@ -0,0 +1,50 @@
+import requests
+
+class IbmAuthHelper():
+    '''Authenticate with IBM Cloud IAM.
+
+    **Arguments**
+        **url**: Sysdig endpoint URL that should point to IBM Cloud
+        **apikey**: IBM Cloud IAM apikey that will be used to retrieve an access token
+        **guid**: GUID of an IBM Cloud Monitoring with Sysdig instance
+
+    **Returns**
+        A dictionary that will authenticate you with the IBM Cloud IAM API.
+    '''
+
+    @staticmethod
+    def get_headers(url, apikey, guid):
+        iam_token = IbmAuthHelper.__get_iam_token(url, apikey)
+        return {
+          'Authorization': 'Bearer ' + iam_token,
+          'IBMInstanceID': guid
+        }
+
+    @staticmethod
+    def __get_iam_endpoint(url):
+        IAM_ENDPOINT = {
+            'stage': 'iam.test.cloud.ibm.com',
+            'prod': 'iam.cloud.ibm.com'
+        }
+        if '.test.' in url:
+            return IAM_ENDPOINT['stage']
+        else:
+            return IAM_ENDPOINT['prod']
+
+    @staticmethod
+    def __get_iam_token(url, apikey):
+        env_url = IbmAuthHelper.__get_iam_endpoint(url)
+        response = requests.post(
+            'https://' + env_url + '/identity/token',
+            data={
+                'grant_type': 'urn:ibm:params:oauth:grant-type:apikey',
+                'response_type': 'cloud_iam',
+                'apikey': apikey
+            },
+            headers={
+                'Accept': 'application/json'
+            })
+        if response.status_code == 200:
+            return response.json()['access_token']
+        else:
+            response.raise_for_status()