Pluggable credentials

credentials/credential_provider.cc

@@ -0,0 +1,117 @@
+/* credential_provider.cc
+   Jeremy Barnes, 5 November 2014
+   Copyright (c) 2014 Datacratic Inc.  All rights reserved.
+
+   Basic functionality to get credentials.
+*/
+
+#include "credential_provider.h"
+#include <mutex>
+
+using namespace std;
+
+namespace Datacratic {
+
+/*****************************************************************************/
+/* CREDENTIAL PROVIDER                                                       */
+/*****************************************************************************/
+
+CredentialProvider::
+~CredentialProvider()
+{
+}
+
+namespace {
+
+std::mutex providersLock;
+std::multimap<std::string, std::shared_ptr<CredentialProvider> > providers;
+
+} // file scope
+
+void
+CredentialProvider::
+registerProvider(const std::string & name,
+                 std::shared_ptr<CredentialProvider> provider)
+{
+    std::unique_lock<std::mutex> guard(providersLock);
+
+    auto prefixes = provider->getResourceTypePrefixes();
+
+    for (string prefix: prefixes)
+        providers.insert({ prefix, provider });
+}
+
+std::vector<Credential>
+getCredentials(const std::string & resourceType,
+               const std::string & resource,
+               const CredentialContext & context,
+               Json::Value extraData)
+{
+    std::unique_lock<std::mutex> guard(providersLock);
+
+    std::vector<Credential> result;
+
+    for (auto it = providers.lower_bound(resourceType);  it != providers.end();
+           ++it) {
+        if (resourceType.find(it->first) != 0)
+            break;  // not a prefix
+        auto creds = it->second->getSync(resourceType, resource, context,
+                                         extraData);
+        result.insert(result.end(), creds.begin(), creds.end());
+    }
+
+    return result;
+}
+
+Credential
+getCredential(const std::string & resourceType,
+              const std::string & resource,
+              const CredentialContext & context,
+              Json::Value extraData,
+              TimePeriod validTime)
+{
+    std::unique_lock<std::mutex> guard(providersLock);
+
+    cerr << "getCredential" << endl;
+
+    for (auto it = providers.begin(), end = providers.end();
+         it != end;  ++it) {
+        cerr << "testing " << it->first << " against " << resourceType
+             << " " << resource << endl;
+        if (resourceType.find(it->first) != 0)
+            break;  // not a prefix
+        cerr << "FOUND" << endl;
+
+        auto creds = it->second->getSync(resourceType, resource, context,
+                                         extraData);
+        if (!creds.empty()) {
+            cerr << "credentials for " << resourceType << " " << resource
+                 << " are " << endl << jsonEncode(creds[0]) << endl;
+            return creds[0];
+        }
+    }
+
+    for (auto it = providers.lower_bound(resourceType);  it != providers.end();
+           ++it) {
+        cerr << "testing " << it->first << " against " << resourceType
+             << endl;
+        if (resourceType.find(it->first) != 0)
+            break;  // not a prefix
+        cerr << "FOUND" << endl;
+
+        auto creds = it->second->getSync(resourceType, resource, context,
+                                         extraData);
+        if (!creds.empty()) {
+            cerr << "credentials for " << resourceType << " " << resource
+                 << " are " << endl << jsonEncode(creds[0]) << endl;
+            return creds[0];
+        }
+    }
+
+    throw ML::Exception("No credentials found for " + resourceType + " "
+                        + resource);
+}
+
+
+} // namespace Datacratic
+

credentials/credential_provider.h

@@ -0,0 +1,41 @@
+/* credential_provider.h                                           -*- C++ -*-
+   Jeremy Barnes, 5 November 2014
+   Copyright (c) 2014 Datacratic Inc.  All rights reserved.
+
+   Credential provider structure and registration.
+*/
+
+#include "soa/credentials/credentials.h"
+
+#pragma once
+
+namespace Datacratic {
+
+
+/*****************************************************************************/
+/* CREDENTIAL PROVIDER                                                       */
+/*****************************************************************************/
+
+/** Base class that can provide credentials to access a given resource.
+
+    Credentials are pluggable to allow for flexible scenarios.
+*/
+struct CredentialProvider {
+
+    virtual ~CredentialProvider();
+
+    virtual std::vector<std::string>
+    getResourceTypePrefixes() const = 0;
+
+    virtual std::vector<Credential>
+    getSync(const std::string & resourceType,
+            const std::string & resource,
+            const CredentialContext & context,
+            Json::Value extraData) const = 0;
+
+    static void registerProvider(const std::string & name,
+                                 std::shared_ptr<CredentialProvider> provider);
+};
+
+
+} // namespace Datacratic

credentials/credentials.cc

@@ -0,0 +1,42 @@
+/** credentials.cc
+    Jeremy Barnes, 5 November 2014
+    Copyright (c) 2014 Datacratic Inc.  All rights reserved.
+
+*/
+
+#include "credentials.h"
+#include "soa/types/basic_value_descriptions.h"
+
+using namespace std;
+
+namespace Datacratic {
+
+DEFINE_STRUCTURE_DESCRIPTION(Credential);
+
+CredentialDescription::
+CredentialDescription()
+{
+    addField("provider", &Credential::provider,
+             "Provider of credentials");
+    addField("protocol", &Credential::protocol,
+             "Protocol to use to access the service");
+    addField("location", &Credential::location,
+             "Location of the service");
+    addField("id", &Credential::id,
+             "User ID to use to access the service");
+    addField("secret", &Credential::secret,
+             "Secret key to use to access the service");
+    addField("extra", &Credential::extra,
+             "Extra configuration needed to access the service");
+    addField("validUntil", &Credential::validUntil,
+             "Time until which the credential is valid");
+}
+
+DEFINE_STRUCTURE_DESCRIPTION(CredentialContext);
+
+CredentialContextDescription::
+CredentialContextDescription()
+{
+}
+
+} // namespace Datacratic

credentials/credentials.h

@@ -0,0 +1,50 @@
+/* credentials.h                                                   -*- C++ -*-
+   Jeremy Barnes, 5 November 2014
+
+   A pluggable mechanism for getting credentials.
+*/
+
+#pragma once
+
+#include "soa/types/value_description.h"
+#include "soa/types/date.h"
+#include "soa/types/periodic_utils.h"
+
+namespace Datacratic {
+
+struct Credential {
+    std::string provider; ///< Path through which credential was obtained
+    std::string protocol; ///< Protocol to use to get to service
+    std::string location; ///< URI to call to get resource
+    std::string id;       ///< User ID
+    std::string secret;   ///< Password / secret / etc
+
+    Json::Value extra;    ///< Other fields
+
+    Date validUntil;
+};
+
+DECLARE_STRUCTURE_DESCRIPTION(Credential);
+
+struct CredentialContext {
+};
+
+DECLARE_STRUCTURE_DESCRIPTION(CredentialContext);
+
+/** Return credentials for the given resource of the given resource type.
+
+    If none are available, then returns an empty list.
+*/
+std::vector<Credential>
+getCredentials(const std::string & resourceType,
+               const std::string & resource,
+               const CredentialContext & context,
+               Json::Value extraData = Json::Value());
+
+Credential getCredential(const std::string & resourceType,
+                         const std::string & resource,
+                         const CredentialContext & context = CredentialContext(),
+                         Json::Value extraData = Json::Value(),
+                         TimePeriod validTime = "99999d");
+
+} // namespace Datacratic

credentials/credentials.mk

@@ -0,0 +1,11 @@
+# credentials makefile
+# Jeremy Barnes, 5 November 2014
+# Copyright (c) 2014 Datacratic Inc.  All rights reserved.
+
+LIBCREDENTIALS_SOURCES := \
+	credentials.cc credential_provider.cc
+
+LIBCREDENTIALS_LINK := \
+	arch utils types value_description
+
+$(eval $(call library,credentials,$(LIBCREDENTIALS_SOURCES),$(LIBCREDENTIALS_LINK)))

service/aws.cc

@@ -23,15 +23,6 @@
 using namespace std;
 using namespace ML;
 
-
-namespace {
-
-std::mutex awsCredentialsLock;
-std::map<string, std::string> awsCredentials;
-
-} // file scope
-
-
 namespace Datacratic {
 
 template<class Hash>
@@ -595,32 +586,4 @@ performGet(RestParams && params,
                            resultSelector);
 }
 
-void registerAwsCredentials(const string & accessKeyId,
-                            const string & accessKey)
-{
-    unique_lock<mutex> guard(awsCredentialsLock);
-
-    string & entry = awsCredentials[accessKeyId];
-    if (entry.empty()) {
-        entry = accessKey;
-    }
-    else {
-        if (entry != accessKey) {
-            throw ML::Exception("access key id '%s' already registered with a"
-                                " different key", accessKeyId.c_str());
-        }
-    }
-}
-
-string getAwsAccessKey(const string & accessKeyId)
-{
-    auto it = awsCredentials.find(accessKeyId);
-    if (it == awsCredentials.end()) {
-        throw ML::Exception("no access key registered for id '%s'",
-                            accessKeyId.c_str());
-    }
-
-    return it->second;
-}
-
 } // namespace Datacratic

service/aws.h

@@ -174,12 +174,4 @@ struct AwsBasicApi : public AwsApi {
     HttpRestProxy proxy;
 };
 
-/** Register an AWS access key for future referencing in urls or association
- * with buckets */
-void registerAwsCredentials(const std::string & accessKeyId,
-                            const std::string & accessKey);
-
-/** Returns the key associated with the access key id */
-std::string getAwsAccessKey(const std::string & accessKeyId);
-
 } // namespace Datacratic

service/named_endpoint.cc

@@ -39,7 +39,9 @@ NamedEndpoint::
 publishAddress(const std::string & address,
                const Json::Value & addressConfig)
 {
-    ExcAssert(config);
+    // If we didn't set up a configuration endpoint or name, then just no-op
+    if (!config)
+        return;
 
     //cerr << "publishing " << address << " with " << addressConfig << endl;
     config->setUnique(endpointName + "/" + address,