fix: refactor container authenticator with recent design changes (#129)

This commit includes the following:
- the ComputeResourceAuthenticator was renamed to be ContainerAuthenticator to reflect
  the fact that it now supports only the IKS/ROKS ("container") use-case.
- the VPC-related aspects of the authenticator were removed
- the Authentication.md file is updated to reflect the latest design changes
Note that this commit does in fact include breaking changes, but the new authenticator should
not be used by any Go core users at this point, so this should have no impact to users.

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2021-07-27T13:23:24Z",
+  "generated_at": "2021-08-03T22:01:08Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -70,23 +70,23 @@
         "hashed_secret": "98635b2eaa2379f28cd6d72a38299f286b81b459",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 411,
+        "line_number": 385,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "91dfd9ddb4198affc5c194cd8ce6d338fde470e2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 464,
+        "line_number": 438,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "47fcf185ee7e15fe05cae31fbe9e4ebe4a06a40d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 470,
+        "line_number": 444,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -96,7 +96,7 @@
         "hashed_secret": "bc2f74c22f98f7b6ffbc2f67453dbfa99bce9a32",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 512,
+        "line_number": 519,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -238,7 +238,7 @@
         "hashed_secret": "2a68d46242baf9214502d1dc240a9075a7c6ed55",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 77,
+        "line_number": 76,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -289,26 +289,62 @@
         "verified_result": null
       },
       {
-        "hashed_secret": "4c3d172901e4d1bddd4f67c2e5f659882d175fa2",
+        "hashed_secret": "d4c3d66fd0c38547a3c7a4c6bdc29c36911bc030",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 24,
+        "line_number": 44,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
-        "hashed_secret": "d4c3d66fd0c38547a3c7a4c6bdc29c36911bc030",
+        "hashed_secret": "8318df9ecda039deac9868adf1944a29a95c7114",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 44,
+        "line_number": 46,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "v5/core/container_authenticator.go": [
+      {
+        "hashed_secret": "3c81615afb40d1889fc2e1fff551a8b59b4e80ce",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 96,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
-        "hashed_secret": "8318df9ecda039deac9868adf1944a29a95c7114",
+        "hashed_secret": "8b142a91cfb6e617618ad437cedf74a6745f8926",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 46,
+        "line_number": 139,
+        "type": "Secret Keyword",
+        "verified_result": null
+      }
+    ],
+    "v5/core/container_authenticator_test.go": [
+      {
+        "hashed_secret": "c8f0df25bade89c1873f5f01b85bcfb921443ac6",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 39,
+        "type": "JSON Web Token",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "f0048c1e535178d8ba9760fd4139c2554ac53d99",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 222,
+        "type": "Secret Keyword",
+        "verified_result": null
+      },
+      {
+        "hashed_secret": "10ef99be8df801b05b5933e121e85385edf6b98a",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 571,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -413,58 +449,6 @@
         "verified_result": null
       }
     ],
-    "v5/core/cr_authenticator.go": [
-      {
-        "hashed_secret": "3c81615afb40d1889fc2e1fff551a8b59b4e80ce",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 107,
-        "type": "Secret Keyword",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "7ea6be9eecb6605329a1b1870c2fd2af9b896991",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 125,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ],
-    "v5/core/cr_authenticator_test.go": [
-      {
-        "hashed_secret": "c8f0df25bade89c1873f5f01b85bcfb921443ac6",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 40,
-        "type": "JSON Web Token",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "a0281cd072cea8e80e7866b05dc124815760b6c9",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 216,
-        "type": "Secret Keyword",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "1cef53b6f5a230f88f15e2213a257fe72d9545fd",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 666,
-        "type": "Secret Keyword",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "de82580fcac7f6e7df7c1a14f47ff060f098826f",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 740,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ],
     "v5/core/gzip_test.go": [
       {
         "hashed_secret": "4912eabc958e1d066ed0b9c041a1a5f2eeb19f05",
@@ -664,15 +648,15 @@
         "hashed_secret": "4e44e97dae1aa4e93c01536f48bbd8602133a86d",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 67,
+        "line_number": 66,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "9e2659aa7e2b335ec6bdcf180f3b6f41f5191af5",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 72,
+        "line_number": 71,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -728,7 +712,7 @@
       }
     ]
   },
-  "version": "0.13.1+ibm.39.dss",
+  "version": "0.13.1+ibm.40.dss",
   "word_list": {
     "file": null,
     "hash": null

Authentication.md

@@ -256,18 +256,18 @@ service := exampleservicev1.NewExampleServiceV1(options)
 ```
 
 
-## Compute Resource Authentication
-The `ComputeResourceAuthenticator` is intended to be used by application code
-running inside a compute resource (a VM) in which a secure compute resource
-token (CR token) has been injected by the compute resource
-provider (e.g. IBM Kubernetes Service (IKS), VPC Gen2 Virtual Server Instances (VSI), etc.).
+## Container Authentication
+The `ContainerAuthenticator` is intended to be used by application code
+running inside a compute resource managed by the IBM Kubernetes Service (IKS)
+in which a secure compute resource token (CR token) has been stored in a file
+within the compute resource's local file system.
 The CR token is similar to an IAM apikey except that it is managed automatically by
-the compute resource provider.
+the compute resource provider (IKS).
 This allows the application developer to:
 - avoid storing credentials in application code, configuraton files or a password vault
 - avoid managing or rotating credentials
 
-The `ComputeResourceAuthenticator` will retrieve the CR token from
+The `ContainerAuthenticator` will retrieve the CR token from
 the compute resource in which the application is running, and will then perform
 the necessary interactions with the IAM token service to obtain an IAM access token
 using the IAM "get token" operation with grant-type `cr-token`.
@@ -278,39 +278,12 @@ The IAM access token is added to each outbound request in the `Authorization` he
    Authorization: Bearer <IAM-access-token>
 ```
 
-### Compute Resource Token Retrieval Algorithm
-The `ComputeResourceAuthenticator` will retrieve a fresh CR token value each time it needs
-to obtain a new access token from the IAM token service.
-It will do this according to the following algorithm:
-
-1. First, the authenticator will attempt to read the CR token value from a file in the
-compute resource's local file system.
-By default, the authenticator will use the filename `/var/run/secrets/tokens/vault-token`, but this
-can be overridden by setting the `CRTokenFilename` property (described below).
-If a suitable CR token value is obtained from this step, then the authenticator will use this value.
-Otherwise, the authenticator will proceed to step 2 below.
-
-2. If no CR token was obtained from step 1 above, then the authenticator will attempt to invoke the
-`PUT /instance_identity/v1/token` (aka `create_access_token`) operation from the compute resource's
-local Instance Metadata Service.  The CR token value is obtained from the `access_token`
-field of the operation response.
-By default, the authenticator will use `http://169.254.169.254` as the base endpoint URL for this
-invocation, but this can be overridden by setting the
-`InstanceMetadataServiceURL` property (described below).
-If a suitable CR token value is obtained from this step, then the authenticator will use this value.
-Otherwise, an error is reported and the authentication fails.
-
 ### Properties
 
-- CRTokenFilename: (optional) the name of the file containing the injected CR token value
-(applies to the IKS use-case).
+- CRTokenFilename: (optional) the name of the file containing the injected CR token value.
 If not specified, then `/var/run/secrets/tokens/vault-token` is used as the default value.
 The application must have `read` permissions on the file containing the CR token value.
 
-- InstanceMetadataServiceURL: (optional) the base endpoint URL to be used for invoking
-operations of the compute resource's local Instance Metadata Service (applies to the VSI use-case).
-If not specified, then `http://169.254.169.254` is used as the default value.
-
 - IAMProfileName: (optional) the name of the linked trusted IAM profile to be used when obtaining the
 IAM access token (a CR token might map to multiple IAM profiles).
 One of `IAMProfileName` or `IAMProfileID` must be specified.
@@ -320,10 +293,11 @@ IAM access token (a CR token might map to multiple IAM profiles).
 One of `IAMProfileName` or `IAMProfileID` must be specified.
 
 - URL: (optional) The base endpoint URL of the IAM token service.
-The default value of this property is the "prod" IAM token service endpoint (`https://iam.cloud.ibm.com`).
+The default value of this property is the "prod" IAM token service endpoint
+(`https://iam.cloud.ibm.com`).
 
 - ClientId/ClientSecret: (optional) The `ClientId` and `ClientSecret` fields are used to form a 
-"basic auth" Authorization header for interactions with the IAM token server. If neither field 
+"basic auth" Authorization header for interactions with the IAM token service. If neither field 
 is specified, then no Authorization header will be sent with token server requests.  These fields 
 are optional, but must be specified together.
 
@@ -347,9 +321,9 @@ import {
 }
 ...
 // Create the authenticator.
-authenticator := &core.ComputeResourceAuthenticator{
-    IAMProfileName: "iam-user123",
-}
+authenticator := core.NewContainerAuthenticatorBuilder().
+	SetIAMProfileName("iam-user123").
+	Build()
 
 // Create the service options struct.
 options := &exampleservicev1.ExampleServiceV1Options{
@@ -365,7 +339,7 @@ service := exampleservicev1.NewExampleServiceV1(options)
 ### Configuration example
 External configuration:
 ```
-export EXAMPLE_SERVICE_AUTH_TYPE=crauth
+export EXAMPLE_SERVICE_AUTH_TYPE=container
 export EXAMPLE_SERVICE_IAM_PROFILE_NAME=iam-user123
 ```
 Application code:

v5/core/authenticator_factory.go

@@ -34,7 +34,7 @@ func GetAuthenticatorFromEnvironment(credentialKey string) (authenticator Authen
 		if properties[PROPNAME_APIKEY] != "" {
 			authType = AUTHTYPE_IAM
 		} else {
-			authType = AUTHTYPE_CRAUTH
+			authType = AUTHTYPE_CONTAINER
 		}
 	}
 
@@ -45,8 +45,8 @@ func GetAuthenticatorFromEnvironment(credentialKey string) (authenticator Authen
 		authenticator, err = newBearerTokenAuthenticatorFromMap(properties)
 	} else if strings.EqualFold(authType, AUTHTYPE_IAM) {
 		authenticator, err = newIamAuthenticatorFromMap(properties)
-	} else if strings.EqualFold(authType, AUTHTYPE_CRAUTH) {
-		authenticator, err = newComputeResourceAuthenticatorFromMap(properties)
+	} else if strings.EqualFold(authType, AUTHTYPE_CONTAINER) {
+		authenticator, err = newContainerAuthenticatorFromMap(properties)
 	} else if strings.EqualFold(authType, AUTHTYPE_CP4D) {
 		authenticator, err = newCloudPakForDataAuthenticatorFromMap(properties)
 	} else if strings.EqualFold(authType, AUTHTYPE_NOAUTH) {