Posted to commits@openwhisk.apache.org by ta...@apache.org on 2019/11/14 19:44:34 UTC

[openwhisk-composer] 01/01: Add support for bearer token authentication

This is an automated email from the ASF dual-hosted git repository.

tardieu pushed a commit to branch token
in repository https://gitbox.apache.org/repos/asf/openwhisk-composer.git

commit c1192cc2bdbdc20e561dafe00b0ac499e27f4c4a
Author: Olivier Tardieu <ta...@users.noreply.github.com>
AuthorDate: Thu Nov 14 14:42:12 2019 -0500

    Add support for bearer token authentication
---
 bin/deploy.js    |  9 +++++++--
 client.js        | 22 ++++++++++++++++++++--
 docs/COMMANDS.md | 30 ++++++++++++++++++++++++++----
 3 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/bin/deploy.js b/bin/deploy.js
index d0c3eb5..0230ce7 100755
--- a/bin/deploy.js
+++ b/bin/deploy.js
@@ -29,7 +29,7 @@ const path = require('path')
 
 const argv = minimist(process.argv.slice(2), {
   string: ['apihost', 'auth', 'source', 'annotation', 'annotation-file', 'debug', 'kind'],
-  boolean: ['insecure', 'version', 'overwrite'],
+  boolean: ['insecure', 'version', 'overwrite', 'basic', 'bearer'],
   alias: { auth: 'u', insecure: 'i', version: 'v', annotation: 'a', 'annotation-file': 'A', overwrite: 'w', timeout: 't', memory: 'm', logsize: 'l' }
 })
 
@@ -45,6 +45,8 @@ if (argv._.length !== 2 || path.extname(argv._[1]) !== '.json') {
   console.error('  -a, --annotation KEY=VALUE        add KEY annotation with VALUE')
   console.error('  -A, --annotation-file KEY=FILE    add KEY annotation with FILE content')
   console.error('  --apihost HOST                    API HOST')
+  console.error('  --basic                           force basic authentication')
+  console.error('  --bearer                          force bearer token authentication')
   console.error('  -i, --insecure                    bypass certificate checking')
   console.error('  --kind KIND                       the KIND of the conductor action runtime')
   console.error('  -l, --logsize LIMIT               the maximum log size LIMIT in MB for the conductor action (default 10)')
@@ -93,6 +95,9 @@ try {
   console.error(error)
   process.exit(400 - 256) // Bad Request
 }
+if (argv.basic && argv.bearer) {
+  throw Error('Must select either basic authentification of bearer token authentication')
+}
 if (typeof argv.timeout !== 'undefined' && typeof argv.timeout !== 'number') {
   throw Error('Timeout must be a number')
 }
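Review bot: The message on the added `throw` has two typos ("authentification" and "of") that make it read as if one option were a kind of the other. I would change it to `throw Error('Must select either basic authentication or bearer token authentication')`. Like the neighbouring checks, it is thrown after the `try`/`catch` shown above, so the user gets a stack trace instead of the `console.error` plus exit code that the catch branch uses.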
@@ -102,7 +107,7 @@ if (typeof argv.memory !== 'undefined' && typeof argv.memory !== 'number') {
 if (typeof argv.logsize !== 'undefined' && typeof argv.logsize !== 'number') {
   throw Error('Maximum log size must be a number')
 }
-client(options).compositions.deploy(composition, argv.overwrite, argv.debug, argv.kind, argv.timeout, argv.memory, argv.logsize)
+client(options, argv.basic, argv.bearer).compositions.deploy(composition, argv.overwrite, argv.debug, argv.kind, argv.timeout, argv.memory, argv.logsize)
   .then(actions => {
     const names = actions.map(action => action.name)
     console.log(`ok: created action${actions.length > 1 ? 's' : ''} ${names}`)
diff --git a/client.js b/client.js
index 2d53776..2794e0f 100644
--- a/client.js
+++ b/client.js
@@ -26,11 +26,14 @@ const os = require('os')
 const path = require('path')
 
 // return enhanced openwhisk client capable of deploying compositions
-module.exports = function (options) {
+module.exports = function (options, basic, bearer) {
   // try to extract apihost and key first from whisk property file file and then from process.env
   let apihost
   let apikey
   let ignorecerts
+  let namespace = '_'
+  let token
+  let authHandler
 
   try {
     const wskpropsPath = process.env.WSK_CONFIG_FILE || path.join(os.homedir(), '.wskprops')
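Review bot: The exported function gains two positional parameters, `basic` and `bearer`, but the comment above the signature still describes only the old behaviour, and the selection rule only appears in a later hunk. A comment above the signature would let callers pick the right arguments without reading the body, for example `// basic, bearer: booleans that force the auth scheme; with neither set, bearer token auth is used when the namespace is not '_'`. The function body continues outside this hunk.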
@@ -43,6 +46,10 @@ module.exports = function (options) {
           apihost = parts[1]
         } else if (parts[0] === 'AUTH') {
           apikey = parts[1]
+        } else if (parts[0] === 'NAMESPACE') {
+          namespace = parts[1]
+        } else if (parts[0] === 'APIGW_ACCESS_TOKEN') {
+          token = parts[1]
         }
       }
     }
@@ -50,9 +57,20 @@ module.exports = function (options) {
 
   if (process.env.__OW_API_HOST) apihost = process.env.__OW_API_HOST
   if (process.env.__OW_API_KEY) apikey = process.env.__OW_API_KEY
+  if (process.env.__OW_NAMESPACE) namespace = process.env.__OW_NAMESPACE
   if (process.env.__OW_IGNORE_CERTS) ignorecerts = process.env.__OW_IGNORE_CERTS
+  if (process.env.__OW_APIGW_TOKEN) token = process.env.__OW_APIGW_TOKEN
 
-  const wsk = openwhisk(Object.assign({ apihost, api_key: apikey, ignore_certs: ignorecerts }, options))
+  if (bearer || (!basic && namespace !== '_')) {
+    // switch from basic auth to bearer token
+    authHandler = {
+      getAuthHeader: () => {
+        return Promise.resolve(`Bearer ${token}`)
+      }
+    }
+  }
+
+  const wsk = openwhisk(Object.assign({ apihost, api_key: apikey, auth_handler: authHandler, namespace, ignore_certs: ignorecerts }, options))
   wsk.compositions = new Compositions(wsk)
   return wsk
 }
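Review bot: Nothing checks that `token` is set before the bearer handler is installed. When `--bearer` is passed, or the namespace is not `_`, and neither `__OW_APIGW_TOKEN` nor `APIGW_ACCESS_TOKEN` is defined, `getAuthHeader` resolves to the literal string `Bearer undefined`, and the request is sent with a meaningless credential that gives no hint of the cause. The switch is also implicit (`!basic && namespace !== '_'`), so a setup with a `NAMESPACE` entry and only an `AUTH` key appears to stop using that key without notice. I would fail fast inside the `if`, e.g. `if (!token) throw new Error('bearer token authentication selected but no token found in __OW_APIGW_TOKEN or APIGW_ACCESS_TOKEN')`. The exported function starts in an earlier hunk and only its tail is visible here.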
diff --git a/docs/COMMANDS.md b/docs/COMMANDS.md
index 7b64e15..2850e2a 100644
--- a/docs/COMMANDS.md
+++ b/docs/COMMANDS.md
@@ -75,6 +75,8 @@ Flags:
   -a, --annotation KEY=VALUE        add KEY annotation with VALUE
   -A, --annotation-file KEY=FILE    add KEY annotation with FILE content
   --apihost HOST                    API HOST
+  --basic                           force basic authentication
+  --bearer                          force bearer token authentication
   -i, --insecure                    bypass certificate checking
   --kind KIND                       the KIND of the conductor action runtime
   -l, --logsize LIMIT               the maximum log size LIMIT in MB for the conductor action (default 10)
@@ -133,17 +135,37 @@ specifying the OpenWhisk instance to use:
   -i, --insecure                    bypass certificate checking
   -u, --auth KEY                    authorization KEY
 ```
+In addition the `deploy` command supports the flags:
+```
+  --basic                           force basic authentication
+  --bearer                          force bearer token authentication
+```
 If the `--apihost` flag is absent, the environment variable `__OW_API_HOST` is
 used in its place. If neither is available, the `deploy` command extracts the
-`APIHOST` key from the whisk property file for the current user.
+`APIHOST` key from the whisk property file.
 
 If the `--insecure` flag is set or the environment variable `__OW_IGNORE_CERTS`
 is set to `true`, the `deploy` command ignores SSL certificates validation
 failures.
 
-If the `--auth` flag is absent, the environment variable `__OW_API_KEY` is used
-in its place. If neither is available, the `deploy` command extracts the `AUTH`
-key from the whisk property file for the current user.
+The default target namespace is the value of environment variable
+`__OW_NAMESPACE` if defined. If not, it is the value of the `NAMESPACE` property
+in the whisk property file if present. Otherwise, the default `_` value is used.
+
+If the `--basic` flag is set, the `deploy` command uses basic authentication. If
+the `--bearer` flag is set, the `deploy` command uses bearer token
+authentication. If neither flag is set, the `deploy` command uses basic
+authentication only if the default target namespace is `_`. Setting both flags
+is an error.
+
+For basic authentication, the authentication key is obtained from the `--auth`
+flag. If the `--auth` flag is absent, the environment variable `__OW_API_KEY` is
+used in its place. If neither is available, the `deploy` command extracts the
+`AUTH` key from the whisk property file.
+
+For bearer token authentication, the token is either the value of the
+environment variable `__OW_APIGW_TOKEN` if defined or the value of property
+`APIGW_ACCESS_TOKEN` in the whisk property file.
 
 The default path for the whisk property file is `$HOME/.wskprops`. It can be
 altered by setting the `WSK_CONFIG_FILE` environment variable.