From fa48fc74df88974360e3b460e84bc468f258358d Mon Sep 17 00:00:00 2001 From: Romain Beuque <556072+rbeuque74@users.noreply.github.com> Date: Fri, 22 Dec 2023 16:15:15 +0000 Subject: [PATCH] feat: add OAuth2 support Resolves #76 Signed-off-by: Romain Beuque <556072+rbeuque74@users.noreply.github.com> --- README.md | 58 ++++++- go.mod | 5 + go.sum | 23 +++ ovh/configuration.go | 44 +++++- ovh/configuration_test.go | 64 ++++++-- ovh/ovh.go | 80 +++++++--- ovh/ovh_test.go | 183 +++++++++++++++++++++- ovh/testdata/user_both.ini | 5 + ovh/testdata/user_oauth2.ini | 3 + ovh/testdata/user_oauth2_incompatible.ini | 3 + ovh/testdata/user_oauth2_invalid.ini | 3 + 11 files changed, 422 insertions(+), 49 deletions(-) create mode 100644 ovh/testdata/user_both.ini create mode 100644 ovh/testdata/user_oauth2.ini create mode 100644 ovh/testdata/user_oauth2_incompatible.ini create mode 100644 ovh/testdata/user_oauth2_invalid.ini diff --git a/README.md b/README.md index a440156..3adf3b2 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,51 @@ Alternatively it is suggested to use configuration files or environment variables so that the same code may run seamlessly in multiple environments. Production and development for instance. +`go-ovh` supports two forms of authentication: +- OAuth2, using scopped service accounts, and compatible with OVHcloud IAM +- application key & application secret & consumer key + +### OAuth2 + +First, you need to generate a pair of valid `client_id` and `client_secret`: you +can proceed by [following this documentation](https://help.ovhcloud.com/csm/en-manage-service-account?id=kb_article_view&sysparm_article=KB0059343) + +Once you have retrieved your `client_id` and `client_secret`, you can create and edit +a configuration file that will be used by `go-ovh`. + +```ini +[default] +; general configuration: default endpoint +endpoint=ovh-eu + +[ovh-eu] +; configuration specific to 'ovh-eu' endpoint +client_id=my_client_id +client_secret=my_client_secret +``` + +The client will successively attempt to locate this configuration file in + +1. Current working directory: ``./ovh.conf`` +2. Current user's home directory: ``~/.ovh.conf`` +3. System wide configuration: ``/etc/ovh.conf`` + +Depending on the API you want to use, you may set the ``endpoint`` to: + +* ``ovh-eu`` for OVHcloud Europe API +* ``ovh-us`` for OVHcloud US API +* ``ovh-ca`` for OVHcloud Canada API + +This lookup mechanism makes it easy to overload credentials for a specific +project or user. + +### Application Key/Application Secret + +If you have completed successfully the __OAuth2__ part, you can continue to +[the Use the Lib part](https://github.com/ovh/go-ovh?tab=readme-ov-file#use-the-lib). + +This section will cover the legacy authentication method using application key and +application secret. This wrapper will first look for direct instanciation parameters then ``OVH_ENDPOINT``, ``OVH_APPLICATION_KEY``, ``OVH_APPLICATION_SECRET`` and ``OVH_CONSUMER_KEY`` environment variables. If either of these parameter is not @@ -98,7 +143,7 @@ The client will successively attempt to locate this configuration file in This lookup mechanism makes it easy to overload credentials for a specific project or user. -## Register your app +#### Register your app OVHcloud's API, like most modern APIs is designed to authenticate both an application and a user, without requiring the user to provide a password. Your application will be @@ -116,7 +161,7 @@ This process is detailed in the following section. Alternatively, you may only n to build an application for a single user. In this case you may generate all credentials at once. See below. -### Use the API on behalf of a user +##### Use the API on behalf of a user Visit [https://eu.api.ovh.com/createApp](https://eu.api.ovh.com/createApp) and create your app You'll get an application key and an application secret. To use the API you'll need a consumer key. @@ -178,7 +223,7 @@ func main() { } ``` -### Use the API for a single user +##### Use the API for a single user Alternatively, you may generate all creadentials at once, including the consumer key. You will typically want to do this when writing automation scripts for a single projects. @@ -309,9 +354,10 @@ client.Get("/xdsl/xdsl-yourservice", nil) ### Create a client -- Use ``ovh.NewClient()`` to have full controll over ther authentication -- Use ``ovh.NewEndpointClient()`` to create a client for a specific API and use credentials from config files or environment - Use ``ovh.NewDefaultClient()`` to create a client unsing endpoint and credentials from config files or environment +- Use ``ovh.NewEndpointClient()`` to create a client for a specific API and use credentials from config files or environment +- Use ``ovh.NewOAuth2Client()`` to have full control over their authentication, using OAuth2 authentication method +- Use ``ovh.NewClient()`` to have full control over their authentication, using legacy authentication method ### Query @@ -342,6 +388,8 @@ Or, for unauthenticated requests: ### Request consumer keys +__[Only valid for legacy authentication method]__ + Consumer keys may be restricted to a subset of the API. This allows to delegate the API to manage only a specific server or domain name for example. This is called "scoping" a consumer key. diff --git a/go.mod b/go.mod index 95cffcb..1789ecf 100644 --- a/go.mod +++ b/go.mod @@ -5,12 +5,17 @@ go 1.18 require ( github.com/jarcoal/httpmock v1.3.0 github.com/maxatome/go-testdeep v1.12.0 + golang.org/x/oauth2 v0.18.0 gopkg.in/ini.v1 v1.67.0 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/stretchr/testify v1.8.2 // indirect + golang.org/x/net v0.22.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.31.0 // indirect ) retract ( diff --git a/go.sum b/go.sum index 751b155..8637b6c 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,12 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/jarcoal/httpmock v1.3.0 h1:2RJ8GP0IIaWwcC9Fp2BmVi8Kog3v2Hn7VXM3fTd+nuc= github.com/jarcoal/httpmock v1.3.0/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg= github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g= @@ -14,6 +20,23 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= diff --git a/ovh/configuration.go b/ovh/configuration.go index 7dbea7a..2be8096 100644 --- a/ovh/configuration.go +++ b/ovh/configuration.go @@ -1,11 +1,14 @@ package ovh import ( + "context" + "errors" "fmt" "os" "os/user" "strings" + "golang.org/x/oauth2/clientcredentials" "gopkg.in/ini.v1" ) @@ -114,6 +117,27 @@ func (c *Client) loadConfig(endpointName string) error { c.ConsumerKey = getConfigValue(cfg, endpointName, "consumer_key", "") } + if c.ClientID == "" { + c.ClientID = getConfigValue(cfg, endpointName, "client_id", "") + } + + if c.ClientSecret == "" { + c.ClientSecret = getConfigValue(cfg, endpointName, "client_secret", "") + } + + if (c.ClientID != "") != (c.ClientSecret != "") { + return errors.New("invalid oauth2 config, both client_id and client_secret must be given") + } + if (c.AppKey != "") != (c.AppSecret != "") { + return errors.New("invalid authentication config, both application_key and application_secret must be given") + } + + if c.ClientID != "" && c.AppKey != "" { + return errors.New("can't use both application_key/application_secret and OAuth2 client_id/client_secret") + } else if c.ClientID == "" && c.AppKey == "" { + return errors.New("missing authentication information, you need to provide at least an application_key/application_secret or a client_id/client_secret") + } + // Load real endpoint URL by name. If endpoint contains a '/', consider it as a URL if strings.Contains(endpointName, "/") { c.endpoint = endpointName @@ -123,13 +147,21 @@ func (c *Client) loadConfig(endpointName string) error { // If we still have no valid endpoint, AppKey or AppSecret, return an error if c.endpoint == "" { - return fmt.Errorf("unknown endpoint '%s', consider checking 'Endpoints' list of using an URL", endpointName) + return fmt.Errorf("unknown endpoint '%s', consider checking 'Endpoints' list or using an URL", endpointName) } - if c.AppKey == "" { - return fmt.Errorf("missing application key, please check your configuration or consult the documentation to create one") - } - if c.AppSecret == "" { - return fmt.Errorf("missing application secret, please check your configuration or consult the documentation to create one") + + if c.ClientID != "" { + if _, ok := tokensURLs[c.endpoint]; !ok { + return fmt.Errorf("oauth2 authentication is not compatible with endpoint %q", c.endpoint) + } + + conf := &clientcredentials.Config{ + ClientID: c.ClientID, + ClientSecret: c.ClientSecret, + TokenURL: tokensURLs[c.endpoint], + } + + c.oauth2TokenSource = conf.TokenSource(context.Background()) } return nil diff --git a/ovh/configuration_test.go b/ovh/configuration_test.go index a08b0e5..c524cf7 100644 --- a/ovh/configuration_test.go +++ b/ovh/configuration_test.go @@ -7,14 +7,18 @@ import ( ) const ( - systemConf = "testdata/system.ini" - userPartialConf = "testdata/userPartial.ini" - userConf = "testdata/user.ini" - localPartialConf = "testdata/localPartial.ini" - localWithURLConf = "testdata/localWithURL.ini" - doesNotExistConf = "testdata/doesNotExist.ini" - invalidINIConf = "testdata/invalid.ini" - errorConf = "testdata" + systemConf = "testdata/system.ini" + userPartialConf = "testdata/userPartial.ini" + userConf = "testdata/user.ini" + userOAuth2Conf = "testdata/user_oauth2.ini" + userOAuth2InvalidConf = "testdata/user_oauth2_invalid.ini" + userOAuth2IncompatibleConfig = "testdata/user_oauth2_incompatible.ini" + userBothConf = "testdata/user_both.ini" + localPartialConf = "testdata/localPartial.ini" + localWithURLConf = "testdata/localWithURL.ini" + doesNotExistConf = "testdata/doesNotExist.ini" + invalidINIConf = "testdata/invalid.ini" + errorConf = "testdata" ) func setConfigPaths(t testing.TB, paths ...string) { @@ -60,7 +64,7 @@ func TestConfigFromNonExistingFile(t *testing.T) { client := Client{} err := client.loadConfig("ovh-eu") - td.CmpString(t, err, `missing application key, please check your configuration or consult the documentation to create one`) + td.CmpString(t, err, `missing authentication information, you need to provide at least an application_key/application_secret or a client_id/client_secret`) } func TestConfigFromInvalidINIFile(t *testing.T) { @@ -139,16 +143,16 @@ func TestMissingParam(t *testing.T) { client.endpoint = "" err := client.loadConfig("") - td.CmpString(t, err, `unknown endpoint '', consider checking 'Endpoints' list of using an URL`) + td.CmpString(t, err, `unknown endpoint '', consider checking 'Endpoints' list or using an URL`) client.AppKey = "" err = client.loadConfig("ovh-eu") - td.CmpString(t, err, `missing application key, please check your configuration or consult the documentation to create one`) + td.CmpString(t, err, `invalid authentication config, both application_key and application_secret must be given`) client.AppKey = "param" client.AppSecret = "" err = client.loadConfig("ovh-eu") - td.CmpString(t, err, `missing application secret, please check your configuration or consult the documentation to create one`) + td.CmpString(t, err, `invalid authentication config, both application_key and application_secret must be given`) } func TestConfigPaths(t *testing.T) { @@ -163,3 +167,39 @@ func TestConfigPaths(t *testing.T) { []interface{}{"", "file", "file.ini", "dir/file.ini", home + "/file.ini", "~typo.ini"}, ) } + +func TestConfigOAuth2(t *testing.T) { + setConfigPaths(t, userOAuth2Conf) + + client := Client{} + err := client.loadConfig("ovh-eu") + td.Require(t).CmpNoError(err) + td.Cmp(t, client, td.Struct(Client{ + ClientID: "foo", + ClientSecret: "bar", + })) +} + +func TestConfigInvalidBoth(t *testing.T) { + setConfigPaths(t, userBothConf) + + client := Client{} + err := client.loadConfig("ovh-eu") + td.CmpString(t, err, "can't use both application_key/application_secret and OAuth2 client_id/client_secret") +} + +func TestConfigOAuth2Invalid(t *testing.T) { + setConfigPaths(t, userOAuth2InvalidConf) + + client := Client{} + err := client.loadConfig("ovh-eu") + td.CmpString(t, err, "invalid oauth2 config, both client_id and client_secret must be given") +} + +func TestConfigOAuth2Incompatible(t *testing.T) { + setConfigPaths(t, userOAuth2IncompatibleConfig) + + client := Client{} + err := client.loadConfig("kimsufi-eu") + td.CmpString(t, err, `oauth2 authentication is not compatible with endpoint "https://eu.api.kimsufi.com/1.0"`) +} diff --git a/ovh/ovh.go b/ovh/ovh.go index 950fd37..0c47c32 100644 --- a/ovh/ovh.go +++ b/ovh/ovh.go @@ -14,6 +14,8 @@ import ( "strings" "sync/atomic" "time" + + "golang.org/x/oauth2" ) // getLocalTime is a function to be overwritten during the tests, it returns the time @@ -48,6 +50,12 @@ var Endpoints = map[string]string{ // Errors var ( ErrAPIDown = errors.New("go-ovh: the OVH API is not reachable: failed to get /auth/time response") + + tokensURLs = map[string]string{ + OvhEU: "https://www.ovh.com/auth/oauth2/token", + OvhCA: "https://ca.ovh.com/auth/oauth2/token", + OvhUS: "https://us.ovhcloud.com/auth/oauth2/token", + } ) // Client represents a client to call the OVH API @@ -63,8 +71,12 @@ type Client struct { // ConsumerKey holds the user/app specific token. It must have been validated before use. ConsumerKey string + ClientID string + ClientSecret string + // API endpoint - endpoint string + endpoint string + oauth2TokenSource oauth2.TokenSource // Client is the underlying HTTP client used to run the requests. It may be overloaded but a default one is instanciated in ``NewClient`` by default. Client *http.Client @@ -114,6 +126,21 @@ func NewDefaultClient() (*Client, error) { return NewClient("", "", "", "") } +func NewOAuth2Client(endpoint, clientID, clientSecret string) (*Client, error) { + client := Client{ + ClientID: clientID, + ClientSecret: clientSecret, + Client: &http.Client{}, + Timeout: DefaultTimeout, + } + + // Get and check the configuration + if err := client.loadConfig(endpoint); err != nil { + return nil, err + } + return &client, nil +} + func (c *Client) Endpoint() string { return c.endpoint } @@ -288,32 +315,43 @@ func (c *Client) NewRequest(method, path string, reqBody interface{}, needAuth b if body != nil { req.Header.Add("Content-Type", "application/json;charset=utf-8") } - req.Header.Add("X-Ovh-Application", c.AppKey) + if c.AppKey != "" { + req.Header.Add("X-Ovh-Application", c.AppKey) + } req.Header.Add("Accept", "application/json") // Inject signature. Some methods do not need authentication, especially /time, // /auth and some /order methods are actually broken if authenticated. if needAuth { - timeDelta, err := c.TimeDelta() - if err != nil { - return nil, err + if c.AppKey != "" { + timeDelta, err := c.TimeDelta() + if err != nil { + return nil, err + } + + timestamp := getLocalTime().Add(-timeDelta).Unix() + + req.Header.Add("X-Ovh-Timestamp", strconv.FormatInt(timestamp, 10)) + req.Header.Add("X-Ovh-Consumer", c.ConsumerKey) + + h := sha1.New() + h.Write([]byte(fmt.Sprintf("%s+%s+%s+%s+%s+%d", + c.AppSecret, + c.ConsumerKey, + method, + target, + body, + timestamp, + ))) + req.Header.Add("X-Ovh-Signature", fmt.Sprintf("$1$%x", h.Sum(nil))) + } else if c.ClientID != "" { + token, err := c.oauth2TokenSource.Token() + if err != nil { + return nil, fmt.Errorf("failed to retrieve OAuth2 Access Token: %w", err) + } + + req.Header.Set("Authorization", "Bearer "+token.AccessToken) } - - timestamp := getLocalTime().Add(-timeDelta).Unix() - - req.Header.Add("X-Ovh-Timestamp", strconv.FormatInt(timestamp, 10)) - req.Header.Add("X-Ovh-Consumer", c.ConsumerKey) - - h := sha1.New() - h.Write([]byte(fmt.Sprintf("%s+%s+%s+%s+%s+%d", - c.AppSecret, - c.ConsumerKey, - method, - target, - body, - timestamp, - ))) - req.Header.Add("X-Ovh-Signature", fmt.Sprintf("$1$%x", h.Sum(nil))) } // Send the request with requested timeout diff --git a/ovh/ovh_test.go b/ovh/ovh_test.go index 381d4d2..48e7fc6 100644 --- a/ovh/ovh_test.go +++ b/ovh/ovh_test.go @@ -5,8 +5,8 @@ import ( "encoding/json" "fmt" "io" - "io/ioutil" "net/http" + "os" "strconv" "strings" "testing" @@ -31,7 +31,7 @@ const ( // func sbody(s string) io.ReadCloser { - return ioutil.NopCloser(strings.NewReader(s)) + return io.NopCloser(strings.NewReader(s)) } // @@ -404,17 +404,17 @@ func TestConstructors(t *testing.T) { // Error: missing Endpoint client, err := NewClient("", MockApplicationKey, MockApplicationSecret, MockConsumerKey) assert.Nil(client) - assert.String(err, `unknown endpoint '', consider checking 'Endpoints' list of using an URL`) + assert.String(err, `unknown endpoint '', consider checking 'Endpoints' list or using an URL`) // Error: missing ApplicationKey client, err = NewClient("ovh-eu", "", MockApplicationSecret, MockConsumerKey) assert.Nil(client) - assert.String(err, `missing application key, please check your configuration or consult the documentation to create one`) + assert.String(err, `invalid authentication config, both application_key and application_secret must be given`) // Error: missing ApplicationSecret client, err = NewClient("ovh-eu", MockConsumerKey, "", MockConsumerKey) assert.Nil(client) - assert.String(err, `missing application secret, please check your configuration or consult the documentation to create one`) + assert.String(err, `invalid authentication config, both application_key and application_secret must be given`) // Next: success cases expected := td.Struct(&Client{ @@ -446,6 +446,46 @@ func TestConstructors(t *testing.T) { assert.Cmp(client, expected) } +func TestConstructorsOAuth2(t *testing.T) { + assert, require := td.AssertRequire(t) + + // Error: missing Endpoint + client, err := NewOAuth2Client("", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + assert.Nil(client) + assert.String(err, `unknown endpoint '', consider checking 'Endpoints' list or using an URL`) + + // Error: missing Client ID + client, err = NewOAuth2Client("ovh-eu", "", "MockApplicationSecret") + assert.Nil(client) + assert.String(err, `invalid oauth2 config, both client_id and client_secret must be given`) + + // Error: missing Client Secret + client, err = NewOAuth2Client("ovh-eu", "aaaaaaaaaaaaaaa", "") + assert.Nil(client) + assert.String(err, `invalid oauth2 config, both client_id and client_secret must be given`) + + // Next: success cases + expected := td.Struct(&Client{ + ClientID: "aaaaaaaa", + ClientSecret: "bbbbbbbbbbbbbbbbbbbbbbbbbbbb", + endpoint: "https://eu.api.ovh.com/1.0", + }) + + // Nominal: full constructor + client, err = NewOAuth2Client("ovh-eu", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + require.CmpNoError(err) + assert.Cmp(client, expected) + + // With NewEndpointClient + setConfigPaths(t, userOAuth2Conf) + client, err = NewEndpointClient("ovh-eu") + require.CmpNoError(err) + assert.Cmp(client, td.Struct(&Client{ + ClientID: "foo", + ClientSecret: "bar", + })) +} + func (ms *MockSuite) TestVersionInURL(assert, require *td.T) { // Signature checking mocks httpmock.RegisterResponder("GET", "https://eu.api.ovh.com/1.0/call", func(req *http.Request) (*http.Response, error) { @@ -492,3 +532,136 @@ func (ms *MockSuite) TestVersionInURL(assert, require *td.T) { require.CmpNoError(ms.client.Get("/v2/call", nil)) assertCallCount(assert, 1, 1, 1) } + +func TestOAuth2_503(t *testing.T) { + assert, require := td.AssertRequire(t) + + httpmock.Activate() + defer httpmock.DeactivateAndReset() + errHTML := `

test

` + httpmock.RegisterResponder("POST", "https://www.ovh.com/auth/oauth2/token", + httpmock.NewStringResponder(http.StatusServiceUnavailable, errHTML)) + + // Nominal: full constructor + client, err := NewOAuth2Client("ovh-eu", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + require.CmpNoError(err) + + err = client.Get("/v1/auth/time", nil) + assert.String(err, "failed to retrieve OAuth2 Access Token: oauth2: cannot fetch token: 503\nResponse:

test

") +} + +func TestOAuth2_BadJSON(t *testing.T) { + assert, require := td.AssertRequire(t) + + httpmock.Activate() + defer httpmock.DeactivateAndReset() + errHTML := `

test

` + httpmock.RegisterResponder("POST", "https://www.ovh.com/auth/oauth2/token", + httpmock.NewStringResponder(http.StatusOK, errHTML)) + + // Nominal: full constructor + client, err := NewOAuth2Client("ovh-eu", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + require.CmpNoError(err) + + err = client.Get("/v1/auth/time", nil) + assert.String(err, "failed to retrieve OAuth2 Access Token: oauth2: cannot parse json: invalid character '<' looking for beginning of value") +} + +func TestOAuth2_UnknownClient(t *testing.T) { + assert, require := td.AssertRequire(t) + + httpmock.Activate() + defer httpmock.DeactivateAndReset() + output := `{"error":"invalid_client", "error_description":"ovhcloud oauth2 client does not exists"}` + httpmock.RegisterResponder("POST", "https://www.ovh.com/auth/oauth2/token", + httpmock.NewStringResponder(http.StatusBadRequest, output)) + + // Nominal: full constructor + client, err := NewOAuth2Client("ovh-eu", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + require.CmpNoError(err) + + err = client.Get("/v1/auth/time", nil) + assert.String(err, `failed to retrieve OAuth2 Access Token: oauth2: "invalid_client" "ovhcloud oauth2 client does not exists"`) +} + +func TestOAuth2_OK(t *testing.T) { + assert, require := td.AssertRequire(t) + + httpmock.Activate() + defer httpmock.DeactivateAndReset() + // expires_in set to 11 seconds. Will test that token are well renewed. + // golang.org/x/oauth2 has internal 10 seconds period that it will use to renew the token before actual expiration + output := `{"access_token":"cccccccccccccccc", "token_type":"Bearer", "expires_in":11,"scope":"all"}` + httpmock.RegisterResponder("POST", "https://www.ovh.com/auth/oauth2/token", + httpmock.NewStringResponder(http.StatusOK, output)) + httpmock.RegisterResponder("GET", "https://eu.api.ovh.com/v1/auth/time", + func(req *http.Request) (*http.Response, error) { + assert.Cmp(req.Header.Get("Authorization"), "Bearer cccccccccccccccc") + resp, err := httpmock.NewJsonResponse(http.StatusOK, map[string]string{ + "hello": "world", + }) + require.CmpNoError(err) + return resp, nil + }) + + // Nominal: full constructor + client, err := NewOAuth2Client("ovh-eu", "aaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbb") + require.CmpNoError(err) + + out := map[string]string{} + err = client.Get("/v1/auth/time", &out) + require.CmpNoError(err) + assert.Cmp(out, map[string]string{ + "hello": "world", + }) + + assert.Cmp(httpmock.GetCallCountInfo(), map[string]int{ + "POST https://www.ovh.com/auth/oauth2/token": 1, + "GET https://eu.api.ovh.com/v1/auth/time": 1, + }, "no token at this time, retrieving the token") + + httpmock.ZeroCallCounters() + + err = client.Get("/v1/auth/time", &out) + require.CmpNoError(err) + assert.Cmp(httpmock.GetCallCountInfo(), map[string]int{ + "GET https://eu.api.ovh.com/v1/auth/time": 1, + "POST https://www.ovh.com/auth/oauth2/token": 0, + }, "token is still valid, no call to retrieve new token") + + // waiting 3 seconds, to get below the 10 seconds period + time.Sleep(time.Second + 100*time.Millisecond) + + httpmock.ZeroCallCounters() + + err = client.Get("/v1/auth/time", &out) + require.CmpNoError(err) + assert.Cmp(httpmock.GetCallCountInfo(), map[string]int{ + "GET https://eu.api.ovh.com/v1/auth/time": 1, + "POST https://www.ovh.com/auth/oauth2/token": 1, + }, "token is considered as expired, renewing token") +} + +func TestOAuth2_ForReal(t *testing.T) { + assert, require := td.AssertRequire(t) + + if os.Getenv("OAUTH2_CLIENT_ID") == "" && os.Getenv("OAUTH2_CLIENT_SECRET") == "" { + t.SkipNow() + } + + clientID, clientSecret := os.Getenv("OAUTH2_CLIENT_ID"), os.Getenv("OAUTH2_CLIENT_SECRET") + + // Nominal: full constructor + client, err := NewOAuth2Client("ovh-eu", clientID, clientSecret) + require.CmpNoError(err) + + type outType struct { + Identities []string + } + out := outType{} + err = client.Get("/v1/auth/details", &out) + require.CmpNoError(err) + require.Gte(len(out.Identities), 1) + assert.Contains(out.Identities[0], "/oauth2-") + assert.Contains(out.Identities[0], ":identity:credential:") +} diff --git a/ovh/testdata/user_both.ini b/ovh/testdata/user_both.ini new file mode 100644 index 0000000..b0fa43a --- /dev/null +++ b/ovh/testdata/user_both.ini @@ -0,0 +1,5 @@ +[ovh-eu] +application_key=user +application_secret=user +client_id=foo +client_secret=bar \ No newline at end of file diff --git a/ovh/testdata/user_oauth2.ini b/ovh/testdata/user_oauth2.ini new file mode 100644 index 0000000..0501976 --- /dev/null +++ b/ovh/testdata/user_oauth2.ini @@ -0,0 +1,3 @@ +[ovh-eu] +client_id=foo +client_secret=bar \ No newline at end of file diff --git a/ovh/testdata/user_oauth2_incompatible.ini b/ovh/testdata/user_oauth2_incompatible.ini new file mode 100644 index 0000000..2bfcebb --- /dev/null +++ b/ovh/testdata/user_oauth2_incompatible.ini @@ -0,0 +1,3 @@ +[kimsufi-eu] +client_id=foo +client_secret=bar \ No newline at end of file diff --git a/ovh/testdata/user_oauth2_invalid.ini b/ovh/testdata/user_oauth2_invalid.ini new file mode 100644 index 0000000..9d7b564 --- /dev/null +++ b/ovh/testdata/user_oauth2_invalid.ini @@ -0,0 +1,3 @@ +[ovh-eu] +client_id=foo +client_secret= \ No newline at end of file