Implement OpenID Connect Agent (oidc-agent) support

Author: alvarolopez

doc/source/user/shell.rst

@@ -4,9 +4,25 @@
 Authentication
 --------------
 
-Before using :program:`orpy`, put your a valid OpenID Connnect access token
-into the ``ORCHESTRATOR_TOKEN`` environment variable, so that we can use this
-token for authentication.
+In order to interact with the INDIGO PaaS Orchestrator we need to use an
+OpenID Connect access token from a trusted OpenID Connect provider at the
+orchestrator.
+
+Please either store your access token in ``ORCHESTRATOR_TOKEN`` or set the
+account to use with :program:`oidc-agent` in the ``OIDC_ACCOUNT`` and the
+socket path of the oidc-agent in the ``OIDC_SOCK`` environment variable::
+
+   export ORCHESTRATOR_TOKEN=<your access token>
+      OR
+   export OIDC_SOCK=<path to the oidc-agent socket>
+   export OIDC_ACCOUNT=<account to use>
+
+Usually, the ``OIDC_SOCK`` environmental variable is already exported if you
+are using :program:`oidc-agent`.
+
+As an alternative, you can pass the socket path and the account through the
+command line with the ``--oidc-agent-sock`` and ``--oidc-agent-account``
+parameters.
 
 Usage
 -----

orpy/client/client.py

@@ -20,6 +20,7 @@
 import json
 import logging
 import uuid
+import warnings
 
 import requests
 import six
@@ -46,16 +47,42 @@ def default(self, o):
 class OrpyClient(object):
     """An INDIGO-DataCloud PaaS orchestrator client class."""
 
-    def __init__(self, url, token, debug=False):
+    def __init__(self, url, oidc_agent=None, token=None, debug=False):
         """Initialization of OrpyClient object.
 
+        You MUST pass either a valid orpy.oidc.OpenIDConnectAgent object into
+        the oidc_agent parameter or a valid access token for authentication.
+        The former method is the preferred, you can create an object this way
+        (assuming that the oidc-agent account is named "oidc-agent-account":
+
+            from orpy import oidc
+            from orpy.client import client
+            oidc_agent = oidc.OpenIDConnectAgent("oidc-agent-account")
+
+            cli = client.OrpyClient(url, oidc_agent=oidc_agent)
+
+        Note that passing both will result in a warning, with the access token
+        passed in the token paramter ignored.
+
         :param str url: Orchestrator URL
-        :param str token: OpenID Connect access token to use for auth
+        :param orpy.oidc.OpenIDConnectAgent oidc_agent: OpenID Connect agent
+                                                        object to use for
+                                                        fetching access tokens
+        :param str token: OpenID Connect access token to use for auth.
         :param bool debug: whether to enable debug logging
         """
 
         self.url = url
-        self.token = token
+        self._token = token
+        self.oidc_agent = oidc_agent
+
+        if not any([oidc_agent, token]):
+            raise exceptions.InvalidUsage("Must pass either an oidc-agent "
+                                          "object or an access token.")
+        if all([oidc_agent, token]):
+            msg = ("Using both oidc-agent and access token means that the "
+                   "user provider token will be ignored.")
+            warnings.warn(msg, RuntimeWarning)
 
         self.http_debug = debug
 
@@ -81,6 +108,13 @@ def __init__(self, url, token, debug=False):
         self._json = _JSONEncoder()
         self.session = requests.Session()
 
+    @property
+    def token(self):
+        token = self._token
+        if self.oidc_agent is not None:
+            token = self.oidc_agent.get_token()["access_token"]
+        return token
+
     @property
     def deployments(self):
         """Interface to query for deployments.

orpy/exceptions.py

@@ -37,6 +37,7 @@ def __init__(self, message=None, **kwargs):
                     print("%s: %s" % (name, value))
                 six.reraise(exc_info[0], exc_info[1], exc_info[2])
 
+        message = "ERROR: " + message
         super(ClientException, self).__init__(message)
 
 

orpy/oidc.py

@@ -0,0 +1,73 @@
+# -*- coding: utf-8 -*-
+
+# Copyright 2019 Spanish National Research Council (CSIC)
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import json
+import socket
+
+from orpy import exceptions
+from orpy import utils
+
+
+class OpenIDConnectAgent(object):
+    """Communicate with an OpenID Connect agent."""
+
+    def __init__(self, account, socket_path=None, validity=60):
+        """Initialize OpenID Connect Agent connection.
+
+        :param str account: Account name to use
+        :param str socket_path: Path to the oidc-agent UNIX socket
+        :param int validity: Minimum validity (minutes) for the token
+        """
+        self.account = account
+        self.validity = validity
+
+        if socket_path is None:
+            socket_path = utils.env("OIDC_SOCK")
+
+        self.socket_path = socket_path
+
+    def get_token(self):
+        """Communicate with the oidc agent and get an access token.
+
+        :returns: A dictionary containing the access token
+        :rtype: dict
+        """
+        message = {
+            "request": "access_token",
+            "account": self.account,
+            "min_valid_period": self.validity,
+            "application_hint": "orpy",
+        }
+        try:
+            self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+            self._sock.connect(self.socket_path)
+            self._sock.sendall(json.dumps(message).encode())
+
+            data = ""
+            while True:
+                recv = self._sock.recv(16).decode()
+                if recv:
+                    data += recv
+                else:
+                    break
+        except socket.error as err:
+            raise err
+            raise exceptions.ClientException("Cannot communicate with the "
+                                             "oidc-agent: %s" % err)
+        finally:
+            self._sock.close()
+
+        return json.loads(data)

orpy/shell.py

@@ -25,6 +25,7 @@
 from cliff import help
 
 from orpy.client import client
+from orpy import oidc
 from orpy import utils
 from orpy import version
 
@@ -42,6 +43,7 @@ def __init__(self):
 
         self.client = None
         self.token = None
+        self.oidc_agent = None
 
         # Patch command.Command to add a default auth_required = True
         command.Command.auth_required = True
@@ -62,9 +64,17 @@ def initialize_app(self, argv):
         for cmd in self.commands:
             self.command_manager.add_command(cmd.__name__.lower(), cmd)
         self.token = utils.env("ORCHESTRATOR_TOKEN")
+
+        if self.options.oidc_agent_sock and self.options.oidc_agent_account:
+            self.oidc_agent = oidc.OpenIDConnectAgent(
+                self.options.oidc_agent_account,
+                socket_path=self.options.oidc_agent_sock
+            )
+
         if self.client is None:
             self.client = client.OrpyClient(self.options.orchestrator_url,
-                                            self.token,
+                                            oidc_agent=self.oidc_agent,
+                                            token=self.token,
                                             debug=self.options.debug)
 
     def prepare_to_run_command(self, cmd):
@@ -76,21 +86,72 @@ def prepare_to_run_command(self, cmd):
                               "use --url or set the ORCHESTRATOR_URL "
                               "environment variable.")
 
-        if cmd.auth_required and not self.token:
-            self.parser.error("No token has been provided, please set the "
-                              "ORCHESTRATOR_TOKEN environment variable "
-                              "(see '%s help' for more details on how "
-                              "to set up authentication)" % self.parser.prog)
+        if cmd.auth_required:
+            if (not all([self.options.oidc_agent_sock,
+                         self.options.oidc_agent_account])) and not self.token:
+
+                self.parser.error("No oidc-agent has been set up or no access "
+                                  "token has been provided, please set the "
+                                  "ORCHESTRATOR_TOKEN environment variable or "
+                                  "set up an oidc-agent "
+                                  "(see '%s help' for more details on how "
+                                  "to set up authentication)" %
+                                  self.parser.prog)
 
     def build_option_parser(self, description, version):
+        auth_help = """Authentication:
+
+    In order to interact with the INDIGO PaaS Orchestrator we need to use an
+    OpenID Connect access token from a trusted OpenID Connect provider at the
+    orchestrator.
+
+    Please either store your access token in 'ORCHESTRATOR_TOKEN' or set the
+    account to use with oidc-agent in the 'OIDC_ACCOUNT' and the socket path
+    of the oidc-agent in the 'OIDC_SOCK' environment variable:
+
+        export ORCHESTRATOR_TOKEN=<your access token>
+            OR
+        export OIDC_SOCK=<path to the oidc-agent socket>
+        export OIDC_ACCOUNT=<account to use>
+
+    Usually, the OIDC_SOCK environmental variable is already exported if you
+    are using oidc-agent.
+
+    As an alternative, you can pass the socket path and the account through
+    the command line with the --oidc-agent-sock and --oidc-agent-account
+    parameters.
+
+"""
         parser = super(OrpyApp, self).build_option_parser(
             self.__doc__,
             version,
             argparse_kwargs={
-                "formatter_class": argparse.RawDescriptionHelpFormatter
+                "formatter_class": argparse.RawDescriptionHelpFormatter,
+                "epilog": auth_help,
             })
 
-        # service token auth argument
+        parser.add_argument(
+            '--oidc-agent-sock',
+            metavar='<oidc-agent-socket>',
+            dest='oidc_agent_sock',
+            default=utils.env('OIDC_SOCK'),
+            help='The path for the oidc-agent socket to use to get and renew '
+                 'access tokens from the OpenID Connect provider. This '
+                 'defaults to the OIDC_SOCK environment variable, that should '
+                 'be automatically set up if you are using oidc-agent. '
+                 'In order to use the oidc-agent you must also pass the '
+                 '--oidc-agent-account parameter, or set the OIDC_ACCOUNT '
+                 'environment variable.'
+        )
+        parser.add_argument(
+            '--oidc-agent-account',
+            metavar='<oidc-agent-account>',
+            dest='oidc_agent_account',
+            default=utils.env('OIDC_ACCOUNT'),
+            help='The oidc-agent account that we will use to get tokens from. '
+                 'In order to use the oidc-agent you must pass thos parameter '
+                 'or set the OIDC_ACCOUNT environment variable.'
+        )
         parser.add_argument(
             '--url',
             metavar='<orchestrator-url>',

releasenotes/notes/use-oidc-agent-bdfbb4d37788a455.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Leverage oidc-agent to get the user's access token when interacting with
+    the INDIGO PaaS orchestrator.