Posted to commits@openwhisk.apache.org by ta...@apache.org on 2019/11/14 19:44:34 UTC
[openwhisk-composer] 01/01: Add support for bearer token
authentication
This is an automated email from the ASF dual-hosted git repository.
tardieu pushed a commit to branch token
in repository https://gitbox.apache.org/repos/asf/openwhisk-composer.git
commit c1192cc2bdbdc20e561dafe00b0ac499e27f4c4a
Author: Olivier Tardieu <ta...@users.noreply.github.com>
AuthorDate: Thu Nov 14 14:42:12 2019 -0500
Add support for bearer token authentication
---
bin/deploy.js | 9 +++++++--
client.js | 22 ++++++++++++++++++++--
docs/COMMANDS.md | 30 ++++++++++++++++++++++++++----
3 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/bin/deploy.js b/bin/deploy.js
index d0c3eb5..0230ce7 100755
--- a/bin/deploy.js
+++ b/bin/deploy.js
@@ -29,7 +29,7 @@ const path = require('path')
const argv = minimist(process.argv.slice(2), {
string: ['apihost', 'auth', 'source', 'annotation', 'annotation-file', 'debug', 'kind'],
- boolean: ['insecure', 'version', 'overwrite'],
+ boolean: ['insecure', 'version', 'overwrite', 'basic', 'bearer'],
alias: { auth: 'u', insecure: 'i', version: 'v', annotation: 'a', 'annotation-file': 'A', overwrite: 'w', timeout: 't', memory: 'm', logsize: 'l' }
})
@@ -45,6 +45,8 @@ if (argv._.length !== 2 || path.extname(argv._[1]) !== '.json') {
console.error(' -a, --annotation KEY=VALUE add KEY annotation with VALUE')
console.error(' -A, --annotation-file KEY=FILE add KEY annotation with FILE content')
console.error(' --apihost HOST API HOST')
+ console.error(' --basic force basic authentication')
+ console.error(' --bearer force bearer token authentication')
console.error(' -i, --insecure bypass certificate checking')
console.error(' --kind KIND the KIND of the conductor action runtime')
console.error(' -l, --logsize LIMIT the maximum log size LIMIT in MB for the conductor action (default 10)')
@@ -93,6 +95,9 @@ try {
console.error(error)
process.exit(400 - 256) // Bad Request
}
+if (argv.basic && argv.bearer) {
+ throw Error('Must select either basic authentification of bearer token authentication')
+}
if (typeof argv.timeout !== 'undefined' && typeof argv.timeout !== 'number') {
throw Error('Timeout must be a number')
}
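Review bot: The message in the added `argv.basic && argv.bearer` check has two typos ("authentification of"), so it reads as if one scheme were part of the other rather than an either/or choice. Suggest `throw Error('Must select either basic authentication or bearer token authentication')`. The throw style matches the `Timeout must be a number` check that follows, so only the wording needs to change.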
@@ -102,7 +107,7 @@ if (typeof argv.memory !== 'undefined' && typeof argv.memory !== 'number') {
if (typeof argv.logsize !== 'undefined' && typeof argv.logsize !== 'number') {
throw Error('Maximum log size must be a number')
}
-client(options).compositions.deploy(composition, argv.overwrite, argv.debug, argv.kind, argv.timeout, argv.memory, argv.logsize)
+client(options, argv.basic, argv.bearer).compositions.deploy(composition, argv.overwrite, argv.debug, argv.kind, argv.timeout, argv.memory, argv.logsize)
.then(actions => {
const names = actions.map(action => action.name)
console.log(`ok: created action${actions.length > 1 ? 's' : ''} ${names}`)
diff --git a/client.js b/client.js
index 2d53776..2794e0f 100644
--- a/client.js
+++ b/client.js
@@ -26,11 +26,14 @@ const os = require('os')
const path = require('path')
// return enhanced openwhisk client capable of deploying compositions
-module.exports = function (options) {
+module.exports = function (options, basic, bearer) {
// try to extract apihost and key first from whisk property file file and then from process.env
let apihost
let apikey
let ignorecerts
+ let namespace = '_'
+ let token
+ let authHandler
try {
const wskpropsPath = process.env.WSK_CONFIG_FILE || path.join(os.homedir(), '.wskprops')
@@ -43,6 +46,10 @@ module.exports = function (options) {
apihost = parts[1]
} else if (parts[0] === 'AUTH') {
apikey = parts[1]
+ } else if (parts[0] === 'NAMESPACE') {
+ namespace = parts[1]
+ } else if (parts[0] === 'APIGW_ACCESS_TOKEN') {
+ token = parts[1]
}
}
}
@@ -50,9 +57,20 @@ module.exports = function (options) {
if (process.env.__OW_API_HOST) apihost = process.env.__OW_API_HOST
if (process.env.__OW_API_KEY) apikey = process.env.__OW_API_KEY
+ if (process.env.__OW_NAMESPACE) namespace = process.env.__OW_NAMESPACE
if (process.env.__OW_IGNORE_CERTS) ignorecerts = process.env.__OW_IGNORE_CERTS
+ if (process.env.__OW_APIGW_TOKEN) token = process.env.__OW_APIGW_TOKEN
- const wsk = openwhisk(Object.assign({ apihost, api_key: apikey, ignore_certs: ignorecerts }, options))
+ if (bearer || (!basic && namespace !== '_')) {
+ // switch from basic auth to bearer token
+ authHandler = {
+ getAuthHeader: () => {
+ return Promise.resolve(`Bearer ${token}`)
+ }
+ }
+ }
+
+ const wsk = openwhisk(Object.assign({ apihost, api_key: apikey, auth_handler: authHandler, namespace, ignore_certs: ignorecerts }, options))
wsk.compositions = new Compositions(wsk)
return wsk
}
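Review bot: The bearer branch builds the header from `token` without checking that a token was found, so when neither `__OW_APIGW_TOKEN` nor `APIGW_ACCESS_TOKEN` is set the handler returns `Bearer undefined`. This is reachable without `--bearer`: any namespace other than `_` with `--basic` absent selects bearer, so a user who has only `AUTH` and `NAMESPACE` configured presumably stops authenticating with their API key without being told. Add a guard inside the `if`, e.g. `if (!token) throw new Error('bearer token authentication selected but no token found')`, so the failure is local and explicit rather than a rejected request from the server. Because `options` is merged last in `Object.assign`, a caller-supplied `auth_handler` or `namespace` would override these values; whether that is intended is not visible here. The function body starts outside this hunk.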
diff --git a/docs/COMMANDS.md b/docs/COMMANDS.md
index 7b64e15..2850e2a 100644
--- a/docs/COMMANDS.md
+++ b/docs/COMMANDS.md
@@ -75,6 +75,8 @@ Flags:
-a, --annotation KEY=VALUE add KEY annotation with VALUE
-A, --annotation-file KEY=FILE add KEY annotation with FILE content
--apihost HOST API HOST
+ --basic force basic authentication
+ --bearer force bearer token authentication
-i, --insecure bypass certificate checking
--kind KIND the KIND of the conductor action runtime
-l, --logsize LIMIT the maximum log size LIMIT in MB for the conductor action (default 10)
@@ -133,17 +135,37 @@ specifying the OpenWhisk instance to use:
-i, --insecure bypass certificate checking
-u, --auth KEY authorization KEY
```
+In addition the `deploy` command supports the flags:
+```
+ --basic force basic authentication
+ --bearer force bearer token authentication
+```
If the `--apihost` flag is absent, the environment variable `__OW_API_HOST` is
used in its place. If neither is available, the `deploy` command extracts the
-`APIHOST` key from the whisk property file for the current user.
+`APIHOST` key from the whisk property file.
If the `--insecure` flag is set or the environment variable `__OW_IGNORE_CERTS`
is set to `true`, the `deploy` command ignores SSL certificates validation
failures.
-If the `--auth` flag is absent, the environment variable `__OW_API_KEY` is used
-in its place. If neither is available, the `deploy` command extracts the `AUTH`
-key from the whisk property file for the current user.
+The default target namespace is the value of environment variable
+`__OW_NAMESPACE` if defined. If not, it is the value of the `NAMESPACE` property
+in the whisk property file if present. Otherwise, the default `_` value is used.
+
+If the `--basic` flag is set, the `deploy` command uses basic authentication. If
+the `--bearer` flag is set, the `deploy` command uses bearer token
+authentication. If neither flag is set, the `deploy` command uses basic
+authentication only if the default target namespace is `_`. Setting both flags
+is an error.
+
+For basic authentication, the authentication key is obtained from the `--auth`
+flag. If the `--auth` flag is absent, the environment variable `__OW_API_KEY` is
+used in its place. If neither is available, the `deploy` command extracts the
+`AUTH` key from the whisk property file.
+
+For bearer token authentication, the token is either the value of the
+environment variable `__OW_APIGW_TOKEN` if defined or the value of property
+`APIGW_ACCESS_TOKEN` in the whisk property file.
The default path for the whisk property file is `$HOME/.wskprops`. It can be
altered by setting the `WSK_CONFIG_FILE` environment variable.