Add IBM Cloud Functions IAM support using CLI configuration file.

Author: jthomas

package.json

@@ -35,6 +35,7 @@
     "fs-extra": "^1.0.0",
     "get-stdin": "^5.0.1",
     "jszip": "^3.1.3",
+    "jws": "^3.2.2",
     "lodash": "^4.17.11",
     "moment": "^2.16.0",
     "openwhisk": "^3.19.0"

provider/cliTokenManager.js

@@ -0,0 +1,70 @@
+'use strict';
+
+"use strict";
+
+const jws = require('jws');
+const { exec } = require('child_process');
+const { readFileSync } = require('fs');
+const path = require('path');
+
+// Configuration file location for IBM Cloud CLI.
+// This will contain the current IAM tokens for the user.
+const DEFAULT_CONFIG_LOCATION = `.bluemix/config.json`
+
+// This class handles retrieving authentication tokens for IAM namespaces on IBM Cloud Functions.
+// Tokens are parsed from the configuration file used by the IBM Cloud CLI.
+// If tokens have expired, the CLI command `ibmcloud iam oauth-tokens` is executed.
+// This will automatically refresh the tokens in the configuration.
+module.exports = class CliTokenManager {
+  constructor(_exec = exec, _readFile = readFileSync) {
+    this.exec = _exec
+    this.readFile = _readFile
+    this.refresh_command = 'ibmcloud iam oauth-tokens'
+  }
+
+  getAuthHeader () {
+    const to_header = token => `Bearer ${token}`
+    const token = this.readTokenFromConfig()
+    if (this.isTokenExpired(token)) {
+      return this.refreshToken().then(to_header)
+    }
+
+    return Promise.resolve(to_header(token))
+  }
+
+  refreshToken () {
+    return new Promise((resolve, reject) => {
+      this.exec(this.refresh_command, error => {
+        if (error) {
+          const err_message = `IAM token from IBM Cloud CLI configuration file (.bluemix/config.json) has expired. `
+            + `Refresh failed using CLI command (ibmcloud iam oauth-tokens). Check error message for details: ${error}`
+          return reject(new Error(err_message))
+        }
+        resolve(this.readTokenFromConfig())
+      });
+    })
+  }
+
+  // IAM Tokens stored under the IAMToken field in configuration.
+  readTokenFromConfig (configPath = CliTokenManager.configFilePath()) {
+    const contents = this.readFile(configPath, 'utf-8')
+    const config = JSON.parse(contents)
+    const [prefix, token] = config.IAMToken.split(' ')
+    return token
+  }
+
+  isTokenExpired (token) {
+    const decoded = jws.decode(token, { json: true })
+    const expiry_time = decoded.payload.exp
+    const now = Math.floor(Date.now() / 1000)
+
+    return expiry_time <= now
+  }
+
+  // Support both platforms for configuration files.
+  static configFilePath (config_file = DEFAULT_CONFIG_LOCATION) {
+    const home_dir = process.env[(process.platform === 'win32') ? 'USERPROFILE' : 'HOME'];
+    const config_path = path.format({ dir: home_dir, base: config_file });
+    return config_path
+  }
+}

provider/openwhiskProvider.js

@@ -3,6 +3,7 @@
 const BbPromise = require('bluebird');
 const openwhisk = require('openwhisk')
 const IamTokenManager = require('@ibm-functions/iam-token-manager')
+const CliTokenManager = require('./cliTokenManager')
 const Credentials = require('./credentials');
 
 const constants = {
@@ -23,14 +24,20 @@ class OpenwhiskProvider {
     this.sdk = openwhisk
   }
 
+  // Returns OpenWhisk SDK client configured with authentication credentials.
+  // Auto-detects use of IAM namespaces when using IBM Cloud Functions and adds
+  // external auth handler to client.
   client() {
     if (this._client) return BbPromise.resolve(this._client)
 
     const ignore_certs = this.serverless.service.provider.ignore_certs || false
     return this.props().then(props => {
       if (props.hasOwnProperty('iam_namespace_api_key')) {
         const auth_handler = new IamTokenManager({ iamApikey: props.iam_namespace_api_key });
-        this._client = openwhisk({ apihost: props.apihost, auth_handler, namespace: props.namespace, ignore_certs });
+        this._client = openwhisk({ apihost: props.apihost, auth_handler, namespace: props.namespace });
+      } else if (this.isIBMCloudIAMProps(props)) {
+        const auth_handler = new CliTokenManager()
+        this._client = openwhisk({ apihost: props.apihost, auth_handler, namespace: props.namespace });
       } else {
         this.hasValidCreds(props)
         this._client = openwhisk({ apihost: props.apihost, api_key: props.auth, namespace: props.namespace, ignore_certs, apigw_token: props.apigw_access_token });
@@ -58,6 +65,12 @@ class OpenwhiskProvider {
     });
     return creds;
   }
+
+  // Auto-detect whether ~/.wskprops uses IBM Cloud IAM namespace (and therefore requires IAM auth handler).
+  // Namespace will be IAM NS ID rather than default namespace. Api host will end with ibm.com hostname.
+  isIBMCloudIAMProps (props) {
+    return props.namespace !== '_' && props.apihost.endsWith('cloud.ibm.com')
+  }
 }
 
 module.exports = OpenwhiskProvider;

provider/tests/cliTokenManager.js

@@ -0,0 +1,104 @@
+'use strict';
+
+const expect = require('chai').expect;
+const sinon = require('sinon');
+const fs = require('fs-extra');
+const chaiAsPromised = require('chai-as-promised');
+const CliTokenManager = require('../cliTokenManager.js');
+
+require('chai').use(chaiAsPromised);
+
+describe('CliTokenManager', () => {
+  describe('#getAuthHeader()', () => {
+    it('should return bearer token from configuration', () => {
+      const cliTokenManager = new CliTokenManager()
+      const token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM'
+      cliTokenManager.readTokenFromConfig = () => token
+      cliTokenManager.isTokenExpired = () => false
+      const header = `Bearer ${token}`
+      return cliTokenManager.getAuthHeader().then(result => {
+        expect(result).to.equal(header);
+      })
+    });
+
+    it('should return refreshed bearer token when token is expired', () => {
+      const cliTokenManager = new CliTokenManager()
+      const token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM'
+      cliTokenManager.readTokenFromConfig = () => null
+      cliTokenManager.isTokenExpired = () => true 
+      cliTokenManager.refreshToken = () => Promise.resolve(token)
+      const header = `Bearer ${token}`
+      return cliTokenManager.getAuthHeader().then(result => {
+        expect(result).to.equal(header);
+      })
+    });
+  })
+
+  describe('#readTokenFromConfig()', () => {
+    it('should return bearer token from default configuration file', () => {
+      const readFile = (path, format) => {
+        expect(path).to.equal(config_path)
+        expect(format).to.equal('utf-8')
+        return JSON.stringify({ IAMToken: `Bearer ${config_token}`}) 
+      }
+
+      const cliTokenManager = new CliTokenManager(null, readFile)
+      const config_token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJiMDhmODZhZi0zNWRhLTQ4ZjItOGZhYi1jZWYzOTA0NjYwYmQifQ.-xN_h82PHVTCMA9vdoHrcZxH-x5mb11y1537t3rGzcM'
+      const config_path = `~/.bluemix/config.json`
+      const token = cliTokenManager.readTokenFromConfig(config_path)
+      expect(token).to.equal(config_token)
+    });
+  });
+
+  describe('#isTokenExpired()', () => {
+    it('should return true for expired JWT tokens', () => {
+      const cliTokenManager = new CliTokenManager()
+      // created from http://jwtbuilder.jamiekurtz.com/
+      // JWT expired in 2000.
+      const expired_token = 'eyJraWQiOiIyMDE5MDIwNCIsImFsZyI6IlJTMjU2In0.eyJpYW1faWQiOiJJQk1pZC0yNzAwMDJQUzIxIiwiaWQiOiJJQk1pZC0yNzAwMDJQUzIxIiwicmVhbG1pZCI6IklCTWlkIiwiaWRlbnRpZmllciI6IjI3MDAwMlBTMjEiLCJnaXZlbl9uYW1lIjoiSmFtZXMiLCJmYW1pbHlfbmFtZSI6IlRob21hcyIsIm5hbWUiOiJKYW1lcyBUaG9tYXMiLCJlbWFpbCI6ImphbWVzLnRob21hc0B1ay5pYm0uY29tIiwic3ViIjoiamFtZXMudGhvbWFzQHVrLmlibS5jb20iLCJhY2NvdW50Ijp7InZhbGlkIjp0cnVlLCJic3MiOiI4ZDYzZmIxY2M1ZTk5ZTg2ZGQ3MjI5ZGRkZmExNjY0OSJ9LCJpYXQiOjE1NjM0NDAyMzEsImV4cCI6MTU2MzQ0MzgzMSwiaXNzIjoiaHR0cHM6Ly9pYW0uY2xvdWQuaWJtLmNvbS9pZGVudGl0eSIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInNjb3BlIjoiaWJtIG9wZW5pZCIsImNsaWVudF9pZCI6ImJ4IiwiYWNyIjoxLCJhbXIiOlsicHdkIl19.DhgBTV_dxtSirpSoe-H_xXfxBKYIrxFqiu4eVluTq78Sqp9FCCQoMSuJBD0ysHsD-0sIp5yHq03-0DnAdldnD2YkFRwrDXY-9uG5cJGB1vH3l6X6BaWprGG-AcswqeTklnjCrRqIiUr5EU9odZAfwbDPYdoE21gudS2kMZoVgezJsUtYz2tJH-I-1JfbBPuTLLuhWVr4ZPP2GzOvI7xpWBVwMYmUviLrxD_-Gq2vJyly1rNBYA4VZKf1G46yT790EqRz9N3o18bmKUxDCP6ur2oVHwGNQy15fn8LsiylHf4s9p9yPuLtgExN6FcdMfPU8hUT1UWfaWssjpetk3crjA'
+      const expired = cliTokenManager.isTokenExpired(expired_token)
+      expect(expired).to.equal(true)
+    });
+    
+    it('should return false for non-expired JWT tokens', () => {
+      const cliTokenManager = new CliTokenManager()
+      // created from http://jwtbuilder.jamiekurtz.com/ - example JWT expires in 2100.
+      // I won't be around when this unit test starts failing...
+      const expired_token = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE1NjM0NTM2OTYsImV4cCI6NDExOTUxMTI5NiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.WNqaMqKIqkKXT731uGV8jnJmNj74qYUSiZeLLYl6ME0'
+      const expired = cliTokenManager.isTokenExpired(expired_token)
+      expect(expired).to.equal(false)
+    });
+  });
+
+  describe('#configFilePath()', () => {
+    it('should return default config location', () => {
+      const default_path = `${process.env['HOME']}/.bluemix/config.json`
+      expect(CliTokenManager.configFilePath()).to.equal(default_path)
+    });
+  });
+
+  describe('#refreshToken()', () => {
+    it('should return current token once command has executed', () => {
+      const cliTokenManager = new CliTokenManager()
+      const token = 'eyj0exaioijkv1qilcjhbgcioijiuzi1nij9.eyj1c2vyswqioijimdhmodzhzi0znwrhltq4zjitogzhyi1jzwyzota0njywymqifq.-xn_h82phvtcma9vdohrczxh-x5mb11y1537t3rgzcm'
+      cliTokenManager.readTokenFromConfig = () => token
+      cliTokenManager.exec = (cmd, cb) => {
+        expect(cmd).to.equal(cliTokenManager.refresh_command)
+        setTimeout(() => cb(), 0)
+      }
+     
+      return cliTokenManager.refreshToken().then(_token => {
+        expect(_token).to.equal(token)
+      })
+    });
+
+    it('should throw error when refresh token command fails', () => {
+      const cliTokenManager = new CliTokenManager()
+      cliTokenManager.exec = (_, cb) => {
+        setTimeout(() => cb(new Error("cmd failed")), 0)
+      }
+     
+      return expect(cliTokenManager.refreshToken()).to.eventually.be.rejectedWith(/^IAM token from IBM Cloud CLI/);
+    });
+  });
+});

provider/tests/index.js

@@ -2,3 +2,4 @@
 
 require('./openwhiskProvider');
 require('./credentials');
+require('./cliTokenManager');

provider/tests/openwhiskProvider.js

@@ -10,6 +10,7 @@ require('chai').use(chaiAsPromised);
 
 const OpenwhiskProvider = require('../openwhiskProvider');
 const Credentials = require('../credentials');
+const CliTokenManager = require('../cliTokenManager.js');
 
 describe('OpenwhiskProvider', () => {
   let openwhiskProvider;
@@ -105,6 +106,19 @@ describe('OpenwhiskProvider', () => {
         expect(client.actions.client.options.authHandler.iamApikey).to.be.deep.equal(API_KEY)
       })
     })
+
+    it('should support client auth using IBM Cloud CLI configuration file', () => {
+      openwhiskProvider._client = null
+      const API_KEY = 'some-key-value';
+      const creds = {apihost: 'region.functions.cloud.ibm.com', namespace: 'a34dd39e-e3de-4160-bbab-59ac345678ed'}
+      sandbox.stub(openwhiskProvider, "props").returns(BbPromise.resolve(creds))
+
+      return openwhiskProvider.client().then(client => {
+        expect(client.actions.client.options.namespace).to.be.deep.equal(creds.namespace)
+        expect(client.actions.client.options.api).to.be.deep.equal(`https://${creds.apihost}/api/v1/`)
+        expect(client.actions.client.options.authHandler instanceof CliTokenManager).to.be.equal(true)
+      })
+    })
   })
 
   describe('#props()', () => {