fix: make iam assume authenticator immutable

Signed-off-by: Dustin Popp <dustinpopp@ibm.com>

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "package-lock.json|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-10-08T20:41:05Z",
+  "generated_at": "2024-10-10T20:59:14Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -191,28 +191,30 @@
         "verified_result": null
       }
     ],
-    "auth/authenticators/iam-request-based-authenticator.ts": [
+    "auth/authenticators/iam-request-based-authenticator-immutable.ts": [
       {
         "hashed_secret": "f84f793e0af9ade37c8b927bc5091e98f35bf821",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 78,
+        "line_number": 81,
         "type": "Secret Keyword",
         "verified_result": null
-      },
+      }
+    ],
+    "auth/authenticators/iam-request-based-authenticator.ts": [
       {
         "hashed_secret": "45c43fe97e3a06ab078b0eeff6fbe622cc417a25",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 89,
+        "line_number": 34,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "99833a8b234b57b886a9aef1dba187fdd7ceece8",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 91,
+        "line_number": 36,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -287,6 +289,14 @@
         "line_number": 115,
         "type": "Secret Keyword",
         "verified_result": null
+      },
+      {
+        "hashed_secret": "45c43fe97e3a06ab078b0eeff6fbe622cc417a25",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 168,
+        "type": "Secret Keyword",
+        "verified_result": null
       }
     ],
     "auth/token-managers/iam-request-based-token-manager.ts": [
@@ -528,23 +538,23 @@
         "hashed_secret": "a0da30f332dd7b7a26d1c0b4da5437fcd90bf49b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 34,
+        "line_number": 33,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "9cea46b39bd44a1ef9f3e71bfe9e45c24d3300f6",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 151,
+        "line_number": 150,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "43ed4c2d8375dfc89e3dc8c917f404b9481d355b",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 355,
+        "line_number": 404,
         "type": "Secret Keyword",
         "verified_result": null
       }

auth/authenticators/container-authenticator.ts

@@ -124,4 +124,13 @@ export class ContainerAuthenticator extends IamRequestBasedAuthenticator {
   public authenticationType(): string {
     return Authenticator.AUTHTYPE_CONTAINER;
   }
+
+  /**
+   * Return the most recently stored refresh token.
+   *
+   * @returns the refresh token string
+   */
+  public getRefreshToken(): string {
+    return this.tokenManager.getRefreshToken();
+  }
 }

auth/authenticators/iam-assume-authenticator.ts

@@ -16,7 +16,10 @@
 
 import { Authenticator } from './authenticator';
 import { IamAssumeTokenManager } from '../token-managers';
-import { IamRequestOptions, IamRequestBasedAuthenticator } from './iam-request-based-authenticator';
+import {
+  IamRequestOptions,
+  IamRequestBasedAuthenticatorImmutable,
+} from './iam-request-based-authenticator-immutable';
 
 /** Configuration options for IAM Assume authentication. */
 export interface Options extends IamRequestOptions {
@@ -53,7 +56,7 @@ export interface Options extends IamRequestOptions {
  *
  *      Authorization: Bearer \<bearer-token\>
  */
-export class IamAssumeAuthenticator extends IamRequestBasedAuthenticator {
+export class IamAssumeAuthenticator extends IamRequestBasedAuthenticatorImmutable {
   protected tokenManager: IamAssumeTokenManager;
 
   /**

auth/authenticators/iam-authenticator.ts

@@ -83,4 +83,13 @@ export class IamAuthenticator extends IamRequestBasedAuthenticator {
   public authenticationType(): string {
     return Authenticator.AUTHTYPE_IAM;
   }
+
+  /**
+   * Return the most recently stored refresh token.
+   *
+   * @returns the refresh token string
+   */
+  public getRefreshToken(): string {
+    return this.tokenManager.getRefreshToken();
+  }
 }

auth/authenticators/iam-request-based-authenticator-immutable.ts

@@ -0,0 +1,86 @@
+/**
+ * (C) Copyright IBM Corp. 2024.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { IamRequestBasedTokenManager } from '../token-managers/iam-request-based-token-manager';
+import {
+  BaseOptions,
+  TokenRequestBasedAuthenticatorImmutable,
+} from './token-request-based-authenticator-immutable';
+
+/** Configuration options for IAM Request based authentication. */
+export interface IamRequestOptions extends BaseOptions {
+  /**
+   * The `clientId` and `clientSecret` fields are used to form a "basic"
+   * authorization header for IAM token requests.
+   */
+  clientId?: string;
+  /**
+   * The `clientId` and `clientSecret` fields are used to form a "basic"
+   * authorization header for IAM token requests.
+   */
+  clientSecret?: string;
+
+  /**
+   * The "scope" parameter to use when fetching the bearer token from the IAM token server.
+   */
+  scope?: string;
+}
+
+/**
+ * The IamRequestBasedAuthenticatorImmutable provides shared configuration and functionality
+ * for authenticators that interact with the IAM token service. This authenticator
+ * is not meant for use on its own.
+ */
+export class IamRequestBasedAuthenticatorImmutable extends TokenRequestBasedAuthenticatorImmutable {
+  protected tokenManager: IamRequestBasedTokenManager;
+
+  protected clientId: string;
+
+  protected clientSecret: string;
+
+  protected scope: string;
+
+  /**
+   *
+   * Create a new IamRequestBasedAuthenticatorImmutable instance.
+   *
+   * @param options - Configuration options for IAM authentication.
+   * This should be an object containing these fields:
+   * - url: (optional) the endpoint URL for the token service
+   * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
+   * should be disabled or not
+   * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
+   * - clientId: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+   * Authorization header to be included in each request to the token service
+   * - clientSecret: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+   * Authorization header to be included in each request to the token service
+   * - scope: (optional) the "scope" parameter to use when fetching the bearer token from the token service
+   *
+   * @throws Error: the configuration options are not valid.
+   */
+  constructor(options: IamRequestOptions) {
+    // all parameters are optional
+    options = options || ({} as IamRequestOptions);
+
+    super(options);
+
+    this.clientId = options.clientId;
+    this.clientSecret = options.clientSecret;
+    this.scope = options.scope;
+
+    this.tokenManager = new IamRequestBasedTokenManager(options);
+  }
+}

auth/authenticators/iam-request-based-authenticator.ts

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2019, 202e.
+ * (C) Copyright IBM Corp. 2019, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -14,73 +14,18 @@
  * limitations under the License.
  */
 
-import { IamRequestBasedTokenManager } from '../token-managers/iam-request-based-token-manager';
-import { BaseOptions, TokenRequestBasedAuthenticator } from './token-request-based-authenticator';
+import { OutgoingHttpHeaders } from 'http';
+import { IamRequestBasedAuthenticatorImmutable } from './iam-request-based-authenticator-immutable';
 
-/** Configuration options for IAM Request based authentication. */
-export interface IamRequestOptions extends BaseOptions {
-  /**
-   * The `clientId` and `clientSecret` fields are used to form a "basic"
-   * authorization header for IAM token requests.
-   */
-  clientId?: string;
-  /**
-   * The `clientId` and `clientSecret` fields are used to form a "basic"
-   * authorization header for IAM token requests.
-   */
-  clientSecret?: string;
-
-  /**
-   * The "scope" parameter to use when fetching the bearer token from the IAM token server.
-   */
-  scope?: string;
-}
+/** Shared configuration options for IAM Request based authentication. */
+export { IamRequestOptions } from './iam-request-based-authenticator-immutable';
 
 /**
  * The IamRequestBasedAuthenticator provides shared configuration and functionality
  * for authenticators that interact with the IAM token service. This authenticator
  * is not meant for use on its own.
  */
-export class IamRequestBasedAuthenticator extends TokenRequestBasedAuthenticator {
-  protected tokenManager: IamRequestBasedTokenManager;
-
-  protected clientId: string;
-
-  protected clientSecret: string;
-
-  protected scope: string;
-
-  /**
-   *
-   * Create a new IamRequestBasedAuthenticator instance.
-   *
-   * @param options - Configuration options for IAM authentication.
-   * This should be an object containing these fields:
-   * - url: (optional) the endpoint URL for the token service
-   * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
-   * should be disabled or not
-   * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
-   * - clientId: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
-   * Authorization header to be included in each request to the token service
-   * - clientSecret: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
-   * Authorization header to be included in each request to the token service
-   * - scope: (optional) the "scope" parameter to use when fetching the bearer token from the token service
-   *
-   * @throws Error: the configuration options are not valid.
-   */
-  constructor(options: IamRequestOptions) {
-    // all parameters are optional
-    options = options || ({} as IamRequestOptions);
-
-    super(options);
-
-    this.clientId = options.clientId;
-    this.clientSecret = options.clientSecret;
-    this.scope = options.scope;
-
-    this.tokenManager = new IamRequestBasedTokenManager(options);
-  }
-
+export class IamRequestBasedAuthenticator extends IamRequestBasedAuthenticatorImmutable {
   /**
    * Setter for the mutually inclusive "clientId" and the "clientSecret" fields.
    * @param clientId - the "clientId" value used to form a Basic Authorization header for IAM token requests
@@ -107,11 +52,31 @@ export class IamRequestBasedAuthenticator extends TokenRequestBasedAuthenticator
   }
 
   /**
-   * Return the most recently stored refresh token.
+   * Set the flag that indicates whether verification of the server's SSL
+   * certificate should be disabled or not.
+   *
+   * @param value - a flag that indicates whether verification of the
+   *   token server's SSL certificate should be disabled or not.
+   */
+  public setDisableSslVerification(value: boolean): void {
+    // if they try to pass in a non-boolean value,
+    // use the "truthy-ness" of the value
+    this.disableSslVerification = Boolean(value);
+    this.tokenManager.setDisableSslVerification(this.disableSslVerification);
+  }
+
+  /**
+   * Set headers.
    *
-   * @returns the refresh token string
+   * @param headers - a set of HTTP headers to be sent with each outbound token server request.
+   * Overwrites previous default headers.
    */
-  public getRefreshToken(): string {
-    return this.tokenManager.getRefreshToken();
+  public setHeaders(headers: OutgoingHttpHeaders): void {
+    if (typeof headers !== 'object') {
+      // do nothing, for now
+      return;
+    }
+    this.headers = headers;
+    this.tokenManager.setHeaders(this.headers);
   }
 }