feat(IamAssumeAuthenticator): introduce a new authenticator #211

Merged
merged 12 commits into from
Oct 15, 2024

pyrooka
Member

@pyrooka pyrooka commented Oct 8, 2024

This commit introduces the new IAMAssumeAuthenticator which will fetch an IAM access token using the IAM get_token operation's "assume" grant type. The resulting access token allows the application to assume the identity of a trusted profile, similar to the "sudo" feature of Linux.

@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch 2 times, most recently from c7a7a40 to acf5561 Compare October 8, 2024 13:49
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from acf5561 to 99ea907 Compare October 8, 2024 16:18
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka requested review from dpopp07 and padamstx October 8, 2024 19:18
Member

@padamstx padamstx left a comment

LGTM, although I was able to demonstrate my reviewer's prowess by finding a couple of small typos 😂

Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from 2d1548c to 36425f9 Compare October 9, 2024 13:10
Member

@padamstx padamstx left a comment

Still LGTM

Member

@dpopp07 dpopp07 left a comment

Looks good! Just want to make sure we're handling the refresh token consistently with Node, and had one other question for my own edification

@@ -66,6 +66,7 @@ class ContainerAuthenticator(IAMRequestBasedAuthenticator):

def __init__(
self,
*,
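
Review bot: Callers that construct `ContainerAuthenticator` with positional arguments will break on the `*,` line after `self`, because every parameter following it becomes keyword-only and a positional call raises TypeError. The hunk header shows this is an existing class, so either call the signature change out in the release notes or exempt this constructor from the lint rule.
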
Member

What is this change doing? Appreciate your patience with my lack of Python knowledge 😅

Member Author

@pyrooka pyrooka Oct 9, 2024

Arguments before the asterisk are positional arguments, so they can be passed like call_function(1, 2). Arguments after the * become keyword-only, so they cannot be used in the previous way, only like this: call_function(a=1, b=2). It's not advised to have too many positional arguments because, for example, to specify the last one, you have to specify all the previous ones too, since they are used by their position, not their keyword.
TL;DR: there is a new pylint rule that complains about this.

Yes, this changes the behavior a little, but I don't think this would be a breaking change. If we start getting negative feedback, we can restore the original behavior pretty easily and exclude the affected functions/methods from the linter.

assert token_manager.request_payload.get('account_id') is None

# The final result should be the other access token, which belong to the "assume" request.
assert access_token == OTHER_ACCESS_TOKEN
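
Review bot: On the `account_id` assertion, `request_payload.get('account_id') is None` also passes when the key is present with a `None` value; if the intent is that the field is never sent in the request, assert `'account_id' not in token_manager.request_payload` instead. The comment above the final assertion should read "which belongs to".
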
Member

Will you add an assertion that the refresh token is not set?

Member Author

Good catch. It turned out I only made this change in the authenticator and not in the token manager, so all these properties were accessible: refresh_token, client_id, client_secret

Member

So is it also the case that the client ID and secret will, if set, be used in the IAM delegate request but not in the assume request?

@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from 66a9949 to 983e335 Compare October 9, 2024 16:41
raise AttributeError(f"'IAMAssumeAuthenticator' has no attribute '{name}'")
raise AttributeError(f"'{self.__class__.__name__}' has no attribute '{name}'")
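
Review bot: If this `raise` sits inside an attribute-access hook such as `__getattribute__`, the `self.__class__` lookup in the new line goes back through that same hook; `type(self).__name__` yields the same name without another instance attribute lookup. A test that checks the message for a subclass would also document that the runtime class name is the intended one.
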
Member Author

Now we won't have to care about changing this if we decide to rename the class. :)
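
The two mechanisms discussed in this thread, keyword-only constructor arguments and hiding inherited credential attributes behind an AttributeError, shown together as an added example that is not code from this PR or the SDK. `BaseTokenManager`, `AssumeTokenManager`, `RenamedManager`, the helper functions, and the URL and profile values are hypothetical.

```python
# Added illustration; class layout and names are hypothetical, not the SDK's code.
class BaseTokenManager:
    """Stand-in for a token manager that stores client credentials."""

    def __init__(self, *, url, client_id=None, client_secret=None):
        self.url = url
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = None


class AssumeTokenManager(BaseTokenManager):
    """Exposes only what belongs to the assumed profile."""

    _HIDDEN = frozenset({"refresh_token", "client_id", "client_secret"})

    def __init__(self, *, url, profile_id):
        # Everything after the bare * must be passed by keyword.
        super().__init__(url=url)
        self.profile_id = profile_id

    def __getattribute__(self, name):
        # Reads of inherited credential fields fail as if they did not exist.
        if name in type(self)._HIDDEN:
            raise AttributeError(f"'{type(self).__name__}' has no attribute '{name}'")
        return super().__getattribute__(name)


class RenamedManager(AssumeTokenManager):
    """Subclass showing that the message follows the runtime class name."""


def read_error(obj, name):
    """Return the AttributeError message for obj.<name>, or None if readable."""
    try:
        getattr(obj, name)
    except AttributeError as exc:
        return str(exc)
    return None


def positional_call_rejected():
    """True when passing constructor arguments by position raises TypeError."""
    try:
        AssumeTokenManager("https://iam.example.test", "Profile-constructed")
    except TypeError:
        return True
    return False
```

The guard only narrows the public attribute surface: in this sketch the values still sit in the instance `__dict__`, so it should not be treated as a confidentiality control.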

Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from 983e335 to 872c678 Compare October 9, 2024 16:43
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from f9617ee to e8f1a42 Compare October 9, 2024 19:34
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch 2 times, most recently from ae7ead8 to db84a5e Compare October 10, 2024 16:01
…henticator

Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from db84a5e to 85bc3f9 Compare October 10, 2024 16:11
Member

@padamstx padamstx left a comment

Latest changes look good.

Signed-off-by: Norbert Biczo <pyrooka@users.noreply.github.com>
@pyrooka pyrooka force-pushed the nb/iam-assume-authenticator branch from 5204511 to 5fa39f0 Compare October 15, 2024 13:49
@pyrooka pyrooka merged commit 29a8eb7 into main Oct 15, 2024
4 checks passed
@pyrooka pyrooka deleted the nb/iam-assume-authenticator branch October 15, 2024 14:14
ibm-devx-sdk pushed a commit that referenced this pull request Oct 15, 2024
# [3.22.0](v3.21.0...v3.22.0) (2024-10-15)

### Features

* **IAMAssumeAuthenticator:** introduce a new authenticator ([#211](#211)) ([29a8eb7](29a8eb7))
@ibm-devx-sdk
🎉 This PR is included in version 3.22.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
