vagrant_cloud 3.1.1 → 3.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06ac337d41c05fa0ab3f4dba19eb4b48369b7b21e87adea9beaf22c24d7a06ec
-  data.tar.gz: 20c9e7e4c6c6a045a34a5509e05e626a159069d76993d3f70bdf2f333a219083
+  metadata.gz: 013f62b5aeeb2125349790b206a2fc42ee6e60288bb28fab28aefa129af8c55c
+  data.tar.gz: a928446b785eb485285ba3e030589391cc3fd3e49fdeb15053677e58ff864e2e
 SHA512:
-  metadata.gz: 0c4fd65d40092ff9161d5330afda571efc2d852b23aedf7f8327d803eb2e096792999ebb3f69dd3cbce4663d5c6b79db121531737258084e18c634f626d25d35
-  data.tar.gz: 69eb59e4a61257533baf2707b998b29a6f88f8b37a4c54f6dea8daca3f19e0c93d479d68ae42a277f1ee3c972622625b380fbd7f5db9bfd8e212a583fa706118
+  metadata.gz: 58ae036121f99b0e1054e49deb30644510f1310ab55ea7f07d2be89b6b27287f4c5a933ff20199e1eb64556506d548677beb0e543d6a7bf5f8e3217698c12c99
+  data.tar.gz: 3de0d70c11834c2228c78201600f07354a788b563d378e222001c9fbc1651f40e4ae1c0d3346fd342ccad16cb48d8a5efd6471987ab5321d1dd71ed0644d9312

data/README.md

@@ -13,6 +13,14 @@ The Vagrant Cloud library provides two methods for interacting with the Vagrant
 first is direct interaction using a `VagrantCloud::Client` instance. The second is a basic
 model based approach using a `VagrantCloud::Account` instance.
 
+### Authentication
+
+The access token that is used for authenticated requests can be set in one of three ways:
+
+* Static access token set directly in the client
+* Static access token extracted from the `VAGRANT_CLOUD_TOKEN` environment variable 
+* Generated [HCP service principal](https://developer.hashicorp.com/hcp/docs/hcp/iam/service-principal) access token when `HCP_CLIENT_ID` and `HCP_CLIENT_SECRET` environment variables are set
+
 ### Direct Client
 
 The `VagrantCloud::Client` class contains all the underlying functionality which with

data/lib/vagrant_cloud/auth.rb

@@ -0,0 +1,140 @@
+require "oauth2"
+
+module VagrantCloud
+  class Auth
+
+    # Default authentication URL
+    DEFAULT_AUTH_URL = "https://auth.idp.hashicorp.com".freeze
+    # Default authorize path
+    DEFAULT_AUTH_PATH = "/oauth2/auth".freeze
+    # Default token path
+    DEFAULT_TOKEN_PATH = "/oauth2/token".freeze
+    # Number of seconds to pad token expiry
+    TOKEN_EXPIRY_PADDING = 5
+
+    # HCP configuration for generating authentication tokens
+    #
+    # @param [String] client_id Service principal client ID
+    # @param [String] client_secret Service principal client secret
+    # @param [String] auth_url Authentication URL end point
+    # @param [String] auth_path Authorization path (relative to end point)
+    # @param [String] token_path Token path (relative to end point)
+    HCPConfig = Struct.new(:client_id, :client_secret, :auth_url, :auth_path, :token_path, keyword_init: true) do
+      # Raise exception if any values are missing
+      def validate!
+        [:client_id, :client_secret, :auth_url, :auth_path, :token_path].each do |name|
+          raise ArgumentError,
+            "Missing required HCP authentication configuration value: HCP_#{name.to_s.upcase}" if self.send(name).to_s.empty?
+        end
+      end
+    end
+
+    # HCP token
+    #
+    # @param [String] token HCP token value
+    # @param [Integer] expires_at Epoch seconds
+    HCPToken = Struct.new(:token, :expires_at, keyword_init: true) do
+      # Raise exception if any values are missing
+      def validate!
+        [:token, :expires_at].each do |name|
+          raise ArgumentError,
+            "Missing required token value - #{name.inspect}" if self.send(name).nil?
+        end
+      end
+
+      # @return [Boolean] token is expired
+      # @note Will show token as expired TOKEN_EXPIRY_PADDING
+      # seconds prior to actual expiry
+      def expired?
+        validate!
+
+        Time.now.to_i > (expires_at - TOKEN_EXPIRY_PADDING)
+      end
+
+      # @return [Boolean] token is not expired
+      def valid?
+        !expired?
+      end
+    end
+
+    # Create a new auth instance
+    #
+    # @param [String] access_token Static access token
+    # @note If no access token is provided, the token will be extracted
+    # from the VAGRANT_CLOUD_TOKEN environment variable. If that value
+    # is not set, the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment
+    # variables will be checked. If found, tokens will be generated as
+    # needed using the client id and secret. Otherwise, no token will
+    # will be available.
+    def initialize(access_token: nil)
+      @token = access_token
+
+      # The Vagrant Cloud token has precedence over
+      # anything else, so if it is set then it is
+      # the only value used.
+      @token = ENV["VAGRANT_CLOUD_TOKEN"] if @token.nil?
+
+      # If there is no token set, attempt to load HCP configuration
+      if @token.to_s.empty? && (ENV["HCP_CLIENT_ID"] || ENV["HCP_CLIENT_SECRET"])
+        @config = HCPConfig.new(
+          client_id: ENV["HCP_CLIENT_ID"],
+          client_secret: ENV["HCP_CLIENT_SECRET"],
+          auth_url: ENV.fetch("HCP_AUTH_URL", DEFAULT_AUTH_URL),
+          auth_path: ENV.fetch("HCP_AUTH_PATH", DEFAULT_AUTH_PATH),
+          token_path: ENV.fetch("HCP_TOKEN_PATH", DEFAULT_TOKEN_PATH)
+        )
+
+        # Validate configuration is populated
+        @config.validate!
+      end
+    end
+
+    # @return [String] authentication token
+    def token
+      # If a static token is defined, use that value
+      return @token if @token
+
+      # If no configuration is set, there is no auth to provide
+      return if @config.nil?
+
+      # If an HCP token exists and is not expired
+      return @hcp_token.token if @hcp_token&.valid?
+
+      # Generate a new HCP token
+      refresh_token!
+
+      @hcp_token.token
+    end
+
+    # @return [Boolean] Authentication token is available
+    def available?
+      !!(@token || @config)
+    end
+
+    private
+
+    # Refresh the HCP oauth2 token.
+    # @todo rescue exceptions and make them nicer
+    def refresh_token!
+      client = OAuth2::Client.new(
+        @config.client_id,
+        @config.client_secret,
+        site: @config.auth_url,
+        authorize_url: @config.auth_path,
+        token_url: @config.token_path,
+      )
+
+      begin
+        response = client.client_credentials.get_token
+        @hcp_token = HCPToken.new(
+          token: response.token,
+          expires_at: response.expires_at,
+        )
+      rescue OAuth2::Error => err
+        raise Error::AuthenticationError,
+          err.response.body.chomp,
+          err.response.status
+      end
+    end
+  end
+end

data/lib/vagrant_cloud/client.rb

@@ -23,8 +23,6 @@ module VagrantCloud
       DEFAULT_INSTRUMENTOR
     end
 
-    # @return [String] Access token for Vagrant Cloud
-    attr_reader :access_token
     # @return [String] Base request path
     attr_reader :path_base
     # @return [String] URL for initializing connection
@@ -52,16 +50,12 @@ module VagrantCloud
       if @path_base.empty? || @path_base == API_V1_PATH || @path_base == API_V2_PATH
         @path_base = nil
       end
-      @access_token = access_token.dup.freeze if access_token
-      if !@access_token && ENV["VAGRANT_CLOUD_TOKEN"]
-        @access_token = ENV["VAGRANT_CLOUD_TOKEN"].dup.freeze
-      end
+      @auth = Auth.new(access_token: access_token)
       @retry_count = retry_count.nil? ? IDEMPOTENT_RETRIES : retry_count.to_i
       @retry_interval = retry_interval.nil? ? IDEMPOTENT_RETRY_INTERVAL : retry_interval.to_i
       @instrumentor = instrumentor.nil? ? Instrumentor::Collection.new : instrumentor
       headers = {}.tap do |h|
         h["Accept"] = "application/json"
-        h["Authorization"] = "Bearer #{@access_token}" if @access_token
         h["Content-Type"] = "application/json"
       end
       @connection_lock = Mutex.new
@@ -71,6 +65,11 @@ module VagrantCloud
       )
     end
 
+    # @return [String] Access token for Vagrant Cloud
+    def access_token
+      @auth.token
+    end
+
     # Use the remote connection
     #
     # @param [Boolean] wait Wait for the connection to be available
@@ -79,16 +78,28 @@ module VagrantCloud
     def with_connection(wait: true)
       raise ArgumentError,
         "Block expected but no block given" if !block_given?
+
+      # Adds authentication header to connection if available
+      set_authentication = ->(conn) {
+        if @auth.available?
+          conn.connection[:headers]["Authorization"] = "Bearer #{@auth.token}"
+        end
+      }
+
       if !wait
         raise Error::ClientError::ConnectionLockedError,
           "Connection is currently locked" if !@connection_lock.try_lock
+        set_authentication.call(@connection)
         begin
           yield @connection
         ensure
           @connection_lock.unlock
         end
       else
-        @connection_lock.synchronize { yield @connection }
+        @connection_lock.synchronize do
+          set_authentication.call(@connection)
+          yield @connection
+        end
       end
     end
 

data/lib/vagrant_cloud/error.rb

@@ -29,6 +29,13 @@ module VagrantCloud
       end
 
       class ConnectionLockedError < ClientError; end
+      class AuthenticationError < ClientError
+        def initialize(msg, http_code)
+          @error_arr = [msg]
+          @error_code = http_code.to_i
+          super(msg)
+        end
+      end
     end
 
     class BoxError < Error

data/lib/vagrant_cloud.rb

@@ -8,6 +8,7 @@ require "thread"
 
 module VagrantCloud
   autoload :Account, "vagrant_cloud/account"
+  autoload :Auth, "vagrant_cloud/auth"
   autoload :Box, "vagrant_cloud/box"
   autoload :Client, "vagrant_cloud/client"
   autoload :Data, "vagrant_cloud/data"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vagrant_cloud
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.1.2
 platform: ruby
 authors:
 - HashiCorp
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-01-18 00:00:00.000000000 Z
+date: 2024-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: excon
@@ -17,42 +17,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.73'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.73'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: log4r
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.10
+        version: '1.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.10
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.5
+        version: '3.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.5
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -105,6 +119,7 @@ files:
 - README.md
 - lib/vagrant_cloud.rb
 - lib/vagrant_cloud/account.rb
+- lib/vagrant_cloud/auth.rb
 - lib/vagrant_cloud/box.rb
 - lib/vagrant_cloud/box/provider.rb
 - lib/vagrant_cloud/box/version.rb