Adding IAM support for IBM Cloud Functions using explicit env var

OW_IAM_NAMESPACE_API_KEY is used to provide API key. This pulls in
the auth handler to manage retrieving IAM tokens at runtime.

Author: jthomas

README.md

@@ -6,12 +6,12 @@ This plugin enables support for the [Apache OpenWhisk platform](https://openwhis
 
 ## Getting Started
 
-### Register account with OpenWhisk
+### Register account with Apache OpenWhisk
 
-Before you can deploy your service to OpenWhisk, you need to have an account registered with the platform.
+Before you can deploy your service to Apache OpenWhisk, you need to have an account registered with the platform.
 
 - *Want to run the platform locally?* Please read the project's [*Quick Start*](https://github.com/openwhisk/openwhisk#quick-start) guide for deploying it locally.
-- *Want to use a hosted provider?* Please sign up for a free account with [IBM Cloud](https://console.ng.bluemix.net/) and then follow the instructions for getting access to [OpenWhisk on Bluemix](https://console.ng.bluemix.net/openwhisk/).
+- *Want to use a hosted provider?* Please [sign up](https://cloud.ibm.com/registration) for a free account with [IBM Cloud](https://cloud.ibm.com/) and then follow the instructions for getting access to [IBM Cloud Functions (Apache OpenWhisk)](https://cloud.ibm.com/openwhisk).
 
 ### Set up account credentials
 
@@ -25,6 +25,7 @@ Account credentials for OpenWhisk can be provided through a configuration file o
 - *OW_AUTH* - Authentication key, e.g. `xxxxxx:yyyyy`
 - *OW_NAMESPACE* - Namespace, defaults to user-provided credentials
 - *OW_APIGW_ACCESS_TOKEN* - API gateway access token (optional)
+- *OW_IAM_NAMESPACE_API_KEY* - IBM Cloud IAM API key (optional & overrides `auth`).
 
 ### Install Serverless Framework
 

package.json

@@ -29,6 +29,7 @@
   },
   "homepage": "https://github.com/serverless/serverless-openwhisk#readme",
   "dependencies": {
+    "@ibm-functions/iam-token-manager": "^1.0.3",
     "bluebird": "^3.4.6",
     "chalk": "^1.1.3",
     "fs-extra": "^1.0.0",

provider/credentials.js

@@ -3,7 +3,7 @@
 const path = require('path');
 const fs = require('fs-extra');
 
-const ENV_PARAMS = ['OW_APIHOST', 'OW_AUTH', 'OW_NAMESPACE', 'OW_APIGW_ACCESS_TOKEN'];
+const ENV_PARAMS = ['OW_APIHOST', 'OW_AUTH', 'OW_NAMESPACE', 'OW_APIGW_ACCESS_TOKEN', 'OW_IAM_NAMESPACE_API_KEY'];
 
 function getWskPropsFile() {
   const Home = process.env[(process.platform === 'win32') ? 'USERPROFILE' : 'HOME'];

provider/openwhiskProvider.js

@@ -2,6 +2,7 @@
 
 const BbPromise = require('bluebird');
 const openwhisk = require('openwhisk')
+const IamTokenManager = require('@ibm-functions/iam-token-manager')
 const Credentials = require('./credentials');
 
 const constants = {
@@ -26,8 +27,15 @@ class OpenwhiskProvider {
     if (this._client) return BbPromise.resolve(this._client)
 
     const ignore_certs = this.serverless.service.provider.ignore_certs || false
-    return this.props().then(this.hasValidCreds).then(wskProps => {
-      this._client = openwhisk({ apihost: wskProps.apihost, api_key: wskProps.auth, namespace: wskProps.namespace, ignore_certs, apigw_token: wskProps.apigw_access_token });
+    return this.props().then(props => {
+      if (props.hasOwnProperty('iam_namespace_api_key')) {
+        const auth_handler = new IamTokenManager({ iamApikey: props.iam_namespace_api_key });
+        this._client = openwhisk({ apihost: props.apihost, auth_handler, namespace: props.namespace, ignore_certs });
+      } else {
+        this.hasValidCreds(props)
+        this._client = openwhisk({ apihost: props.apihost, api_key: props.auth, namespace: props.namespace, ignore_certs, apigw_token: props.apigw_access_token });
+      }
+
       return this._client
     })
   }

provider/tests/credentials.js

@@ -26,11 +26,12 @@ describe('#getWskProps()', () => {
       auth: 'user:pass',
       namespace: '[email protected]_dev',
       apigw_access_token: 'blahblahblahkey1234',
+      iam_namespace_api_key: 'some-api-key-value',
     };
 
     const wskProps =
       'APIHOST=openwhisk.ng.bluemix.net\[email protected]_dev\n'  +
-      'AUTH=user:pass\nAPIGW_ACCESS_TOKEN=blahblahblahkey1234\n';
+      'AUTH=user:pass\nAPIGW_ACCESS_TOKEN=blahblahblahkey1234\nIAM_NAMESPACE_API_KEY=some-api-key-value';
 
     it('when the default is used', () => {
       const home = process.env[(process.platform === 'win32') ? 'USERPROFILE' : 'HOME'];
@@ -62,7 +63,8 @@ describe('#getWskProps()', () => {
       apihost: 'blah.blah.com',
       auth: 'another_user:another_pass',
       namespace: '[email protected]',
-      apigw_access_token: 'some_access_token'
+      apigw_access_token: 'some_access_token',
+      iam_namespace_api_key: 'some_api_key'
     };
 
     sandbox.stub(fs, 'readFile', (path, encoding, cb) => {
@@ -73,6 +75,7 @@ describe('#getWskProps()', () => {
     process.env.OW_AUTH = 'another_user:another_pass';
     process.env.OW_NAMESPACE = '[email protected]';
     process.env.OW_APIGW_ACCESS_TOKEN = 'some_access_token';
+    process.env.OW_IAM_NAMESPACE_API_KEY = 'some_api_key';
 
     return expect(Credentials.getWskProps()).to.eventually.deep.equal(mockObject);
   });
@@ -82,11 +85,12 @@ describe('#getWskProps()', () => {
       apihost: 'blah.blah.com',
       auth: 'another_user:another_pass',
       namespace: '[email protected]',
-      apigw_access_token: 'some_access_token'
+      apigw_access_token: 'some_access_token',
+      iam_namespace_api_key: 'some_api_key'
     };
 
     const wskProps =
-      'APIHOST=openwhisk.ng.bluemix.net\[email protected]_dev\nAUTH=user:pass\nAPIGW_ACCESS_TOKEN=hello\n';
+      'APIHOST=openwhisk.ng.bluemix.net\[email protected]_dev\nAUTH=user:pass\nAPIGW_ACCESS_TOKEN=hello\nIAM_NAMESPACE_API_KEY=old_key';
 
     sandbox.stub(fs, 'readFile', (path, encoding, cb) => {
       cb(null, wskProps);
@@ -96,6 +100,7 @@ describe('#getWskProps()', () => {
     process.env.OW_AUTH = 'another_user:another_pass';
     process.env.OW_NAMESPACE = '[email protected]';
     process.env.OW_APIGW_ACCESS_TOKEN = 'some_access_token';
+    process.env.OW_IAM_NAMESPACE_API_KEY = 'some_api_key';
 
     return expect(Credentials.getWskProps()).to.eventually.deep.equal(mockObject);
   });

provider/tests/openwhiskProvider.js

@@ -91,6 +91,20 @@ describe('OpenwhiskProvider', () => {
         expect(client).to.be.equal(openwhiskProvider._client)
       })
     })
+
+    it('should support client auth using IBM Cloud IAM API key', () => {
+      openwhiskProvider._client = null
+      const API_KEY = 'some-key-value';
+      const creds = {iam_namespace_api_key: API_KEY, apihost: 'some_api', namespace: 'a34dd39e-e3de-4160-bbab-59ac345678ed'}
+      sandbox.stub(openwhiskProvider, "props").returns(BbPromise.resolve(creds))
+
+      return openwhiskProvider.client().then(client => {
+        expect(client.actions.client.options.namespace).to.be.deep.equal(creds.namespace)
+        expect(client.actions.client.options.api).to.be.deep.equal(`https://${creds.apihost}/api/v1/`)
+        expect(typeof client.actions.client.options.authHandler).to.not.equal('undefined')
+        expect(client.actions.client.options.authHandler.iamApikey).to.be.deep.equal(API_KEY)
+      })
+    })
   })
 
   describe('#props()', () => {