fix(ibm): add ibm client (#271)

* build(deps): bump golang.org/x/net
* feat(ibm): add IBM client

Author: filiptubic

sysdig/internal/client/v2/client.go

@@ -17,23 +17,17 @@ import (
 )
 
 const (
-	AuthorizationHeader = "Authorization"
-	ContentTypeHeader   = "Content-Type"
-	ContentTypeJSON     = "application/json"
+	SysdigTeamIDHeader        = "SysdigTeamID"
+	AuthorizationHeader       = "Authorization"
+	ContentTypeHeader         = "Content-Type"
+	ContentTypeJSON           = "application/json"
+	ContentTypeFormURLEncoded = "x-www-form-urlencoded"
 )
 
 type Common interface {
 	TeamInterface
 }
 
-type Monitor interface {
-	Common
-}
-
-type Secure interface {
-	Common
-}
-
 type Requester interface {
 	Request(ctx context.Context, method string, url string, payload io.Reader) (*http.Response, error)
 }

sysdig/internal/client/v2/config.go

@@ -1,10 +1,14 @@
 package v2
 
 type config struct {
-	url          string
-	token        string
-	insecure     bool
-	extraHeaders map[string]string
+	url           string
+	token         string
+	insecure      bool
+	extraHeaders  map[string]string
+	teamID        string
+	ibmInstanceID string
+	ibmAPIKey     string
+	ibmIamURL     string
 }
 
 type ClientOption func(c *config)
@@ -33,6 +37,30 @@ func WithExtraHeaders(headers map[string]string) ClientOption {
 	}
 }
 
+func WithTeamID(teamID string) ClientOption {
+	return func(c *config) {
+		c.teamID = teamID
+	}
+}
+
+func WithIBMInstanceID(instanceID string) ClientOption {
+	return func(c *config) {
+		c.ibmInstanceID = instanceID
+	}
+}
+
+func WithIBMAPIKey(key string) ClientOption {
+	return func(c *config) {
+		c.ibmAPIKey = key
+	}
+}
+
+func WithIBMIamURL(url string) ClientOption {
+	return func(c *config) {
+		c.ibmIamURL = url
+	}
+}
+
 func configure(opts ...ClientOption) *config {
 	cfg := &config{}
 	for _, opt := range opts {

sysdig/internal/client/v2/ibm.go

@@ -0,0 +1,113 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+const (
+	IBMInstanceIDHeader   = "IBMInstanceID"
+	IBMIAMPath            = "/identity/token"
+	IBMGrantTypeFormValue = "grant_type"
+	IBMApiKeyFormValue    = "apikey"
+	IBMAPIKeyGrantType    = "urn:ibm:params:oauth:grant-type:apikey"
+)
+
+type IBMCommon interface {
+	Common
+}
+
+type IBMMonitor interface {
+	IBMCommon
+}
+
+type IBMAccessToken string
+type UnixTimestamp int64
+
+type IBMRequest struct {
+	config          *config
+	httpClient      *http.Client
+	tokenExpiration UnixTimestamp
+	token           IBMAccessToken
+}
+
+type IAMTokenResponse struct {
+	AccessToken string `json:"access_token"`
+	Expiration  int64  `json:"expiration"`
+}
+
+func (ir *IBMRequest) getIBMIAMToken() (IBMAccessToken, error) {
+	if UnixTimestamp(time.Now().Unix()) < ir.tokenExpiration {
+		return ir.token, nil
+	}
+
+	data := url.Values{}
+	data.Set(IBMGrantTypeFormValue, IBMAPIKeyGrantType)
+	data.Set(IBMApiKeyFormValue, ir.config.ibmAPIKey)
+	identityURL := fmt.Sprintf("%s%s", ir.config.ibmIamURL, IBMIAMPath)
+
+	r, err := http.NewRequest(http.MethodPost, identityURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return "", err
+	}
+
+	r.Header.Set(ContentTypeHeader, ContentTypeFormURLEncoded)
+
+	resp, err := request(ir.httpClient, ir.config, r)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	iamToken, err := Unmarshal[IAMTokenResponse](resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	ir.token = IBMAccessToken(iamToken.AccessToken)
+	ir.tokenExpiration = UnixTimestamp(iamToken.Expiration)
+
+	return ir.token, nil
+}
+
+func (ir *IBMRequest) Request(ctx context.Context, method string, url string, payload io.Reader) (*http.Response, error) {
+	r, err := http.NewRequest(method, url, payload)
+	if err != nil {
+		return nil, err
+	}
+
+	token, err := ir.getIBMIAMToken()
+	if err != nil {
+		return nil, err
+	}
+
+	r = r.WithContext(ctx)
+	if ir.config.teamID != "" {
+		r.Header.Set(SysdigTeamIDHeader, ir.config.teamID)
+	}
+	r.Header.Set(IBMInstanceIDHeader, ir.config.ibmInstanceID)
+	r.Header.Set(AuthorizationHeader, fmt.Sprintf("Bearer %s", token))
+	r.Header.Set(ContentTypeHeader, ContentTypeJSON)
+
+	return request(ir.httpClient, ir.config, r)
+}
+
+func newIBMClient(opts ...ClientOption) *Client {
+	cfg := configure(opts...)
+	return &Client{
+		config: cfg,
+		requester: &IBMRequest{
+			config:     cfg,
+			httpClient: newHTTPClient(cfg),
+		},
+	}
+}
+
+func NewIBMMonitor(opts ...ClientOption) IBMMonitor {
+	return newIBMClient(opts...)
+}

sysdig/internal/client/v2/ibm_test.go

@@ -0,0 +1,87 @@
+package v2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestIBMClient_DoIBMRequest(t *testing.T) {
+	testTable := []struct {
+		TokenExpiration  int64
+		Iterations       int
+		ExpectedIAMCalls int
+	}{
+		{
+			TokenExpiration:  time.Now().Add(-time.Hour).Unix(),
+			Iterations:       3,
+			ExpectedIAMCalls: 3,
+		},
+		{
+			TokenExpiration:  time.Now().Add(time.Hour).Unix(),
+			Iterations:       3,
+			ExpectedIAMCalls: 1,
+		},
+	}
+	for _, testCase := range testTable {
+		instanceID := "instance ID"
+		apiKey := "api key"
+		token := "token"
+		teamID := "team ID"
+		iamEndpointCalled := 0
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == IBMIAMPath {
+				iamEndpointCalled++
+				data, err := json.Marshal(IAMTokenResponse{
+					AccessToken: token,
+					Expiration:  testCase.TokenExpiration,
+				})
+				if err != nil {
+					t.Errorf("failed to create IAM response, err: %v", err)
+				}
+
+				_, err = w.Write(data)
+				if err != nil {
+					t.Errorf("failed to create IAM response, err: %v", err)
+				}
+				return
+			}
+
+			if value := r.Header.Get(AuthorizationHeader); value != fmt.Sprintf("Bearer %s", token) {
+				t.Errorf("invalid authorization header, %v", value)
+			}
+			if value := r.Header.Get(IBMInstanceIDHeader); value != instanceID {
+				t.Errorf("expected instance id %v, got %v", instanceID, value)
+			}
+			if value := r.Header.Get(SysdigTeamIDHeader); value != teamID {
+				t.Errorf("expected team id %v, got %v", teamID, value)
+			}
+		}))
+
+		c := newIBMClient(
+			WithIBMInstanceID(instanceID),
+			WithIBMAPIKey(apiKey),
+			WithIBMIamURL(server.URL),
+			WithURL(server.URL),
+			WithTeamID(teamID),
+		)
+
+		url := fmt.Sprintf("%s/foo/bar", server.URL)
+		for i := 0; i < testCase.Iterations; i++ {
+			_, err := c.requester.Request(context.Background(), http.MethodGet, url, nil)
+			if err != nil {
+				t.Errorf("got error while sending request, err: %v", err)
+			}
+		}
+
+		if iamEndpointCalled != testCase.ExpectedIAMCalls {
+			t.Errorf("expected IAM calls %d, got %d", testCase.ExpectedIAMCalls, iamEndpointCalled)
+		}
+
+		server.Close()
+	}
+}

sysdig/internal/client/v2/sysdig.go

@@ -12,6 +12,18 @@ type SysdigRequest struct {
 	httpClient *http.Client
 }
 
+type SysdigCommon interface {
+	Common
+}
+
+type SysdigMonitor interface {
+	SysdigCommon
+}
+
+type SysdigSecure interface {
+	SysdigCommon
+}
+
 func (sr *SysdigRequest) Request(ctx context.Context, method string, url string, payload io.Reader) (*http.Response, error) {
 	r, err := http.NewRequest(method, url, payload)
 	if err != nil {
@@ -25,11 +37,11 @@ func (sr *SysdigRequest) Request(ctx context.Context, method string, url string,
 	return request(sr.httpClient, sr.config, r)
 }
 
-func NewMonitor(opts ...ClientOption) Monitor {
+func NewSysdigMonitor(opts ...ClientOption) SysdigMonitor {
 	return newSysdigClient(opts...)
 }
 
-func NewSecure(opts ...ClientOption) Secure {
+func NewSysdigSecure(opts ...ClientOption) SysdigSecure {
 	return newSysdigClient(opts...)
 }
 

sysdig/provider.go

@@ -8,6 +8,7 @@ import (
 )
 
 func Provider() *schema.Provider {
+	undocumentedCodeMsg := "You are using undocumented provider argument which can change in future releases. Please do not use it."
 	return &schema.Provider{
 		Schema: map[string]*schema.Schema{
 			"sysdig_secure_api_token": {
@@ -47,6 +48,42 @@ func Provider() *schema.Provider {
 				Optional: true,
 				Elem:     &schema.Schema{Type: schema.TypeString},
 			},
+			"ibm_monitor_url": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_URL", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
+			"ibm_monitor_iam_url": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_IAM_URL", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
+			"ibm_monitor_instance_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_INSTANCE_ID", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
+			"ibm_monitor_api_key": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_API_KEY", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
+			"ibm_monitor_insecure_tls": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_INSECURE_TLS", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
+			"ibm_monitor_team_id": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("SYSDIG_IBM_MONITOR_TEAM_ID", nil),
+				Deprecated:  undocumentedCodeMsg,
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"sysdig_user":          resourceSysdigUser(),