right_api_client 1.5.22 → 1.5.23

data/CHANGELOG.md

@@ -1,7 +1,10 @@
 # CHANGELOG.md
 
 ## Next
- - <Your change here>
+
+## 1.5.23
+ - \#78 Prevent logging of credentials during login requests
+ - \#77 Add support for OAuth2 authentication via refresh token
 
 ## 1.5.22
  - \#76 Add ability to directly access attributes of a ResourceDetail

data/VERSION

@@ -1 +1 @@
-1.5.22
+1.5.23

data/lib/right_api_client/client.rb

@@ -12,6 +12,43 @@ require File.expand_path('../resources', __FILE__)
 require File.expand_path('../errors', __FILE__)
 require File.expand_path('../exceptions', __FILE__)
 
+# This is used to extend a temporary local copy of the client during login.
+# It overrides the post functionality, which in turn creates a new instance of RestClient::Request
+#   which is then extended to override log_request to keep creds from getting into our logs.
+module PostOverride
+  def post(payload, additional_headers={}, &block)
+    headers = (options[:headers] || {}).merge(additional_headers)
+    requestor =  ::RestClient::Request.new(options.merge(
+      :method => :post,
+      :url => url,
+      :payload => payload,
+      :headers => headers)
+    )
+    requestor.extend(LogOverride)
+    requestor.execute(&block)
+  end
+end
+
+# This is used to extend a new instance of RestClient::Request and override it's log_request.
+# Override version keeps email/password from getting into the logs.
+module LogOverride
+  def log_request
+   if RestClient.log
+      out = []
+      out << "RestClient.#{method} #{url.inspect}"
+      if !payload.nil?
+        if (payload.short_inspect.include? "email") || (payload.short_inspect.include? "password")
+          out << "<hidden credentials>"
+        else
+          out <<  payload.short_inspect
+        end
+      end
+      out << processed_headers.to_a.sort.map { |(k, v)| [k.inspect, v.inspect].join("=>") }.join(", ")
+      RestClient.log << out.join(', ') + "\n"
+    end
+  end
+end
+
 # RightApiClient has the generic get/post/delete/put calls that are used by resources
 module RightApi
   class Client
@@ -21,22 +58,60 @@ module RightApi
     DEFAULT_TIMEOUT = -1
     DEFAULT_MAX_ATTEMPTS = 5
 
-    ROOT_RESOURCE = '/api/session'
+    ROOT_RESOURCE  = '/api/session'
+    OAUTH_ENDPOINT = '/api/oauth2'
     ROOT_INSTANCE_RESOURCE = '/api/session/instance'
     DEFAULT_API_URL = 'https://my.rightscale.com'
 
     # permitted parameters for initializing
     AUTH_PARAMS = %w[
-      email password_base64 password account_id api_url api_version
-      cookies instance_token access_token timeout open_timeout max_attempts
+      email password_base64 password
+      instance_token
+      refresh_token access_token
+      cookies
+      account_id api_url api_version
+      timeout open_timeout max_attempts
       enable_retry rest_client_class
     ]
 
-    attr_reader :cookies, :instance_token, :access_token, :last_request, :timeout, :open_timeout, :max_attempts, :enable_retry
-    attr_accessor :account_id, :api_url
+    # @return [String] OAuth 2.0 refresh token if provided
+    attr_reader :refresh_token
 
-    def initialize(args)
+    # @return [String] OAuth 2.0 access token, if present
+    attr_reader :access_token
+
+    # @return [Time] expiry timestamp for OAuth 2.0 access token
+    attr_reader :access_token_expires_at
+
+    attr_accessor :account_id
+
+    # @return [String] Base API url, e.g. https://us-3.rightscale.com
+    attr_accessor :api_url
+
+    # @return [String] instance API token as included in user-data
+    attr_reader :instance_token
+
+    # @return [Hash] collection of API cookies
+    # @deprecated please use OAuth 2.0 refresh tokens instead of password-based authentication
+    attr_reader :cookies
+
+    # @return [Hash] debug information about the last request and response
+    attr_reader :last_request
+
+    # @return [Integer] number of seconds to wait for socket open
+    attr_reader :open_timeout
+
+    # @return [Integer] number of seconds to wait for API response
+    attr_reader :timeout
+
+    # @return [Integer] number of times to retry idempotent requests (iff enable_retry == true)
+    attr_reader :max_attempts
+
+    # @return [Boolean] whether to retry idempotent requests that fail
+    attr_reader :enable_retry
 
+    # Instantiate a new Client.
+    def initialize(args)
       raise 'This API client is only compatible with Ruby 1.8.7 and upwards.' if (RUBY_VERSION < '1.8.7')
 
       @api_url, @api_version = DEFAULT_API_URL, API_VERSION
@@ -55,8 +130,9 @@ module RightApi
       @rest_client = @rest_client_class.new(@api_url, :open_timeout => @open_timeout, :timeout => @timeout)
       @last_request = {}
 
-      # There are four options for login:
-      #  - credentials
+      # There are five options for login:
+      #  - user email/password (using plaintext or base64-obfuscated password)
+      #  - user OAuth refresh token
       #  - instance API token
       #  - existing user-supplied cookies
       #  - existing user-supplied OAuth access token
@@ -103,7 +179,7 @@ module RightApi
     end
 
     def to_s
-      "#<RightApi::Client>"
+      "#<RightApi::Client #{api_url}>"
     end
 
     # Log HTTP calls to file (file can be STDOUT as well)
@@ -127,7 +203,6 @@ module RightApi
     # so this is a workaround.
     #
     def resources(type, path)
-
       Resources.new(self, path, type)
     end
 
@@ -162,7 +237,7 @@ module RightApi
         end
       rescue ApiError => e
         if re_login?(e)
-          # Session cookie is expired or invalid
+          # Session is expired or invalid
           login()
           retry
         else
@@ -172,25 +247,36 @@ module RightApi
     end
 
     def login
-      params, path = if @instance_token
-        [ { 'instance_token' => @instance_token },
-          ROOT_INSTANCE_RESOURCE ]
+      account_href = "/api/accounts/#{@account_id}"
+
+      params, path =
+      if @refresh_token
+        [ {'grant_type' => 'refresh_token',
+           'refresh_token'=>@refresh_token},
+          OAUTH_ENDPOINT ]
+      elsif @instance_token
+          [ { 'instance_token' => @instance_token,
+              'account_href' => account_href },
+            ROOT_INSTANCE_RESOURCE ]
       elsif @password_base64
-        [ { 'email' => @email, 'password' => Base64.decode64(@password_base64) },
+        [ { 'email' => @email,
+            'password' => Base64.decode64(@password_base64),
+            'account_href' => account_href },
           ROOT_RESOURCE ]
       else
-        [ { 'email' => @email, 'password' => @password },
+        [ { 'email' => @email,
+            'password' => @password,
+            'account_href' => account_href },
           ROOT_RESOURCE ]
       end
-      params['account_href'] = "/api/accounts/#{@account_id}"
 
       response = nil
       attempts = 0
       begin
-        response = @rest_client[path].post(params, 'X-Api-Version' => @api_version) do |response, request, result, &block|
-          if response.code == 302
+        response = @rest_client[path].extend(PostOverride).post(params, 'X-Api-Version' => @api_version) do |response, request, result, &block|
+          if [301, 302, 307].include?(response.code)
             update_api_url(response)
-            response.follow_redirection(request, result, &block)
+            response = @rest_client[path].extend(PostOverride).post(params, 'X-Api-Version' => @api_version)
           else
             response.return!(request, result)
           end
@@ -202,17 +288,24 @@ module RightApi
         retry
       end
 
-      update_cookies(response)
+      if path == OAUTH_ENDPOINT
+        update_access_token(response)
+      else
+        update_cookies(response)
+      end
     end
 
     # Returns the request headers
     def headers
       h = {
         'X-Api-Version' => @api_version,
-        'X-Account' => @account_id,
         :accept => :json,
       }
 
+      if @account_id
+        h['X-Account'] = @account_id
+      end
+
       if @access_token
         h['Authorization'] = "Bearer #{@access_token}"
       elsif @cookies
@@ -230,6 +323,7 @@ module RightApi
     # Generic get
     # params are NOT read only
     def do_get(path, params={})
+      login if need_login?
 
       # Resource id is a special param as it needs to be added to the path
       path = add_id_and_params_to_path(path, params)
@@ -280,6 +374,8 @@ module RightApi
 
     # Generic post
     def do_post(path, params={})
+      login if need_login?
+
       params = fix_array_of_hashes(params)
 
       req, res, resource_type, body = nil
@@ -334,6 +430,8 @@ module RightApi
 
     # Generic delete
     def do_delete(path, params={})
+      login if need_login?
+
       # Resource id is a special param as it needs to be added to the path
       path = add_id_and_params_to_path(path, params)
 
@@ -367,6 +465,8 @@ module RightApi
 
     # Generic put
     def do_put(path, params={})
+      login if need_login?
+
       params = fix_array_of_hashes(params)
 
       req, res, resource_type, body = nil
@@ -396,14 +496,31 @@ module RightApi
       end
     end
 
+    # Determine whether the client needs a fresh round of authentication based on state of
+    # cookies/tokens and their expiration timestamps.
+    #
+    # @return [Boolean] true if re-login is suggested
+    def need_login?
+      (@refresh_token && @refresh_token_expires_at && @refresh_token_expires_at - Time.now < 900) ||
+      (@cookies.respond_to?(:empty?) && @cookies.empty?)
+    end
+
+    # Determine whether an exception can be fixed by logging in again.
+    #
+    # @return [Boolean] true if re-login is appropriate
     def re_login?(e)
-      # cannot successfully re-login with only an access token; we want the
-      # expiration error to be raised.
-      return false if @access_token
-      e.message.index('403') && e.message =~ %r(.*Session cookie is expired or invalid)
+      auth_error =
+        (e.message.index('403') && e.message =~ %r(.*Session cookie is expired or invalid)) ||
+        e.message.index('401')
+
+      renewable_creds =
+        (@instance_token || (@email && (@password || @password_base64)) || @refresh_token)
+
+      auth_error && renewable_creds
     end
 
-    # returns the resource_type
+    # @param [String] content_type an HTTP Content-Type header
+    # @return [String] the resource_type associated with content_type
     def get_resource_type(content_type)
       content_type.scan(/\.rightscale\.(.*)\+json/)[0][0]
     end
@@ -411,17 +528,23 @@ module RightApi
     # Makes sure the @cookies have a timestamp.
     #
     def timestamp_cookies
-
       return unless @cookies
 
       class << @cookies; attr_accessor :timestamp; end
       @cookies.timestamp = Time.now
     end
 
+    # Sets the @access_token and @access_token_expires_at
+    #
+    def update_access_token(response)
+      h = JSON.load(response)
+      @access_token = String(h['access_token'])
+      @access_token_expires_at = Time.at(Time.now.to_i + Integer(h['expires_in']))
+    end
+
     # Sets the @cookies (and timestamp it).
     #
     def update_cookies(response)
-
       return unless response.cookies
 
       (@cookies ||= {}).merge!(response.cookies)
@@ -432,7 +555,6 @@ module RightApi
     # A helper class for error details
     #
     class ErrorDetails
-
       attr_reader :method, :path, :params, :request, :response
 
       def initialize(me, pt, ps, rq, rs)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: right_api_client
 version: !ruby/object:Gem::Version
-  version: 1.5.22
+  version: 1.5.23
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-09-19 00:00:00.000000000 Z
+date: 2014-10-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -174,7 +174,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3655721947136781612
+      hash: 681643300708536250
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: