ibm-cloud-sdk-core 3.16.0__py3-none-any.whl → 3.21.0__py3-none-any.whl

ibm_cloud_sdk_core/get_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,10 +14,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from .authenticators import (Authenticator, BasicAuthenticator, BearerTokenAuthenticator, ContainerAuthenticator,
-                             CloudPakForDataAuthenticator, IAMAuthenticator, NoAuthAuthenticator,
-                             VPCInstanceAuthenticator)
+from .authenticators import (
+    Authenticator,
+    BasicAuthenticator,
+    BearerTokenAuthenticator,
+    ContainerAuthenticator,
+    CloudPakForDataAuthenticator,
+    IAMAuthenticator,
+    NoAuthAuthenticator,
+    VPCInstanceAuthenticator,
+    MCSPAuthenticator,
+)
 from .utils import read_external_sources
+from .logger import get_logger
+
+logger = get_logger()
 
 
 def get_authenticator_from_environment(service_name: str) -> Authenticator:
@@ -34,10 +45,13 @@ def get_authenticator_from_environment(service_name: str) -> Authenticator:
     Returns:
         The authenticator found from service information.
     """
+    logger.debug('Get authenticator from environment, key=%s', service_name)
     authenticator = None
     config = read_external_sources(service_name)
     if config:
         authenticator = __construct_authenticator(config)
+    if authenticator is not None:
+        logger.debug('Returning authenticator, type=%s', authenticator.authentication_type())
     return authenticator
 
 
@@ -59,12 +73,9 @@ def __construct_authenticator(config: dict) -> Authenticator:
     authenticator = None
 
     if auth_type == Authenticator.AUTHTYPE_BASIC.lower():
-        authenticator = BasicAuthenticator(
-            username=config.get('USERNAME'),
-            password=config.get('PASSWORD'))
+        authenticator = BasicAuthenticator(username=config.get('USERNAME'), password=config.get('PASSWORD'))
     elif auth_type == Authenticator.AUTHTYPE_BEARERTOKEN.lower():
-        authenticator = BearerTokenAuthenticator(
-            bearer_token=config.get('BEARER_TOKEN'))
+        authenticator = BearerTokenAuthenticator(bearer_token=config.get('BEARER_TOKEN'))
     elif auth_type == Authenticator.AUTHTYPE_CONTAINER.lower():
         authenticator = ContainerAuthenticator(
             cr_token_filename=config.get('CR_TOKEN_FILENAME'),
@@ -73,30 +84,37 @@ def __construct_authenticator(config: dict) -> Authenticator:
             url=config.get('AUTH_URL'),
             client_id=config.get('CLIENT_ID'),
             client_secret=config.get('CLIENT_SECRET'),
-            disable_ssl_verification=config.get(
-                'AUTH_DISABLE_SSL', 'false').lower() == 'true',
-            scope=config.get('SCOPE'))
+            disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true',
+            scope=config.get('SCOPE'),
+        )
     elif auth_type == Authenticator.AUTHTYPE_CP4D.lower():
         authenticator = CloudPakForDataAuthenticator(
             username=config.get('USERNAME'),
             password=config.get('PASSWORD'),
             url=config.get('AUTH_URL'),
             apikey=config.get('APIKEY'),
-            disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true')
+            disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true',
+        )
     elif auth_type == Authenticator.AUTHTYPE_IAM.lower() and config.get('APIKEY'):
         authenticator = IAMAuthenticator(
             apikey=config.get('APIKEY'),
             url=config.get('AUTH_URL'),
             client_id=config.get('CLIENT_ID'),
             client_secret=config.get('CLIENT_SECRET'),
-            disable_ssl_verification=config.get(
-                'AUTH_DISABLE_SSL', 'false').lower() == 'true',
-            scope=config.get('SCOPE'))
+            disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true',
+            scope=config.get('SCOPE'),
+        )
     elif auth_type == Authenticator.AUTHTYPE_VPC.lower():
         authenticator = VPCInstanceAuthenticator(
             iam_profile_crn=config.get('IAM_PROFILE_CRN'),
             iam_profile_id=config.get('IAM_PROFILE_ID'),
-            url=config.get('AUTH_URL'))
+            url=config.get('AUTH_URL'),
+        )
+    elif auth_type == Authenticator.AUTHTYPE_MCSP.lower():
+        authenticator = MCSPAuthenticator(
+            apikey=config.get('APIKEY'),
+            url=config.get('AUTH_URL'),
+        )
     elif auth_type == Authenticator.AUTHTYPE_NOAUTH.lower():
         authenticator = NoAuthAuthenticator()
 

ibm_cloud_sdk_core/http_adapter.py

@@ -0,0 +1,28 @@
+import ssl
+
+from requests import certs
+from requests.adapters import HTTPAdapter, DEFAULT_POOLBLOCK
+from urllib3.util.ssl_ import create_urllib3_context
+
+
+class SSLHTTPAdapter(HTTPAdapter):
+    """Wraps the original HTTP adapter and adds additional SSL context."""
+
+    def __init__(self, *args, **kwargs):
+        self._disable_ssl_verification = kwargs.pop('_disable_ssl_verification', None)
+
+        super().__init__(*args, **kwargs)
+
+    def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs):
+        """Create and use custom SSL configuration."""
+
+        ssl_context = create_urllib3_context()
+        # NOTE: https://github.com/psf/requests/pull/6731/files#r1622893724
+        ssl_context.load_verify_locations(certs.where())
+        ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
+
+        if self._disable_ssl_verification:
+            ssl_context.check_hostname = False
+            ssl_context.verify_mode = ssl.CERT_NONE
+
+        super().init_poolmanager(connections, maxsize, block, ssl_context=ssl_context, **pool_kwargs)

ibm_cloud_sdk_core/logger.py

@@ -0,0 +1,85 @@
+# coding: utf-8
+
+# Copyright 2024 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import re
+
+
+# This is the name of the primary logger used by the library.
+LOGGER_NAME = 'ibm-cloud-sdk-core'
+# Keywords that are redacted.
+REDACTED_KEYWORDS = [
+    "apikey",
+    "api_key",
+    "passcode",
+    "password",
+    "token",
+    "aadClientId",
+    "aadClientSecret",
+    "auth",
+    "auth_provider_x509_cert_url",
+    "auth_uri",
+    "client_email",
+    "client_id",
+    "client_x509_cert_url",
+    "key",
+    "project_id",
+    "secret",
+    "subscriptionId",
+    "tenantId",
+    "thumbprint",
+    "token_uri",
+]
+
+
+class LoggingFilter:
+    """Functions used to filter messages before they are logged."""
+
+    redacted_tokens = "|".join(REDACTED_KEYWORDS)
+    auth_header_pattern = re.compile(r"(?m)(Authorization|X-Auth\S*): ((.*?)(\r\n.*)|(.*))")
+    property_settings_pattern = re.compile(r"(?i)(" + redacted_tokens + r")=[^&]*(&|$)")
+    json_field_pattern = re.compile(r'(?i)"([^"]*(' + redacted_tokens + r')[^"_]*)":\s*"[^\,]*"')
+
+    @classmethod
+    def redact_secrets(cls, text: str) -> str:
+        """Replaces values of potential secret keywords with a placeholder value.
+        Args:
+            text (str): the string to check and process
+
+        Returns:
+            str: the safe, redacted string with all secrets masked out
+        """
+
+        placeholder = "[redacted]"
+        redacted = cls.auth_header_pattern.sub(r"\1: " + placeholder + r"\4", text)
+        redacted = cls.property_settings_pattern.sub(r"\1=" + placeholder + r"\2", redacted)
+        redacted = cls.json_field_pattern.sub(r'"\1":"' + placeholder + r'"', redacted)
+        return redacted
+
+    @classmethod
+    def filter_message(cls, s: str) -> str:
+        """Filters 's' prior to logging it as a debug message"""
+        # Redact secrets
+        s = LoggingFilter.redact_secrets(s)
+
+        # Replace CRLF characters with an actual newline to make the message more readable.
+        s = s.replace('\\r\\n', '\n')
+        return s
+
+
+def get_logger() -> logging.Logger:
+    """Returns the primary logger object instance used by the library."""
+    return logging.getLogger(LOGGER_NAME)

ibm_cloud_sdk_core/private_helpers.py

@@ -0,0 +1,34 @@
+# coding: utf-8
+
+# Copyright 2024 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# from ibm_cloud_sdk_core.authenticators import Authenticator
+
+import platform
+from .version import __version__
+
+SDK_NAME = 'ibm-python-sdk-core'
+
+
+def _get_system_info() -> str:
+    return 'os.name={0} os.version={1} python.version={2}'.format(
+        platform.system(), platform.release(), platform.python_version()
+    )
+
+
+def _build_user_agent(component: str = None) -> str:
+    sub_component = ""
+    if component is not None:
+        sub_component = '/{0}'.format(component)
+    return '{0}{1}-{2} {3}'.format(SDK_NAME, sub_component, __version__, _get_system_info())

ibm_cloud_sdk_core/token_managers/container_token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2021 IBM All Rights Reserved.
+# Copyright 2021, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,13 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import logging
 from typing import Dict, Optional
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .iam_request_based_token_manager import IAMRequestBasedTokenManager
+from ..private_helpers import _build_user_agent
 
-
-logger = logging.getLogger(__name__)
+logger = get_logger()
 
 
 class ContainerTokenManager(IAMRequestBasedTokenManager):
@@ -79,51 +79,64 @@ class ContainerTokenManager(IAMRequestBasedTokenManager):
         scope: The "scope" to use when fetching the bearer token from the IAM token server.
         This can be used to obtain an access token with a specific scope.
     """
-    DEFAULT_CR_TOKEN_FILENAME = '/var/run/secrets/tokens/vault-token'
-
-    def __init__(self,
-                 cr_token_filename: Optional[str] = None,
-                 iam_profile_name: Optional[str] = None,
-                 iam_profile_id: Optional[str] = None,
-                 url: Optional[str] = None,
-                 client_id: Optional[str] = None,
-                 client_secret: Optional[str] = None,
-                 disable_ssl_verification: bool = False,
-                 scope: Optional[str] = None,
-                 proxies: Optional[Dict[str, str]] = None,
-                 headers: Optional[Dict[str, str]] = None) -> None:
+
+    DEFAULT_CR_TOKEN_FILENAME1 = '/var/run/secrets/tokens/vault-token'
+    DEFAULT_CR_TOKEN_FILENAME2 = '/var/run/secrets/tokens/sa-token'
+
+    def __init__(
+        self,
+        cr_token_filename: Optional[str] = None,
+        iam_profile_name: Optional[str] = None,
+        iam_profile_id: Optional[str] = None,
+        url: Optional[str] = None,
+        client_id: Optional[str] = None,
+        client_secret: Optional[str] = None,
+        disable_ssl_verification: bool = False,
+        scope: Optional[str] = None,
+        proxies: Optional[Dict[str, str]] = None,
+        headers: Optional[Dict[str, str]] = None,
+    ) -> None:
         super().__init__(
-            url=url, client_id=client_id, client_secret=client_secret,
-            disable_ssl_verification=disable_ssl_verification, headers=headers, proxies=proxies, scope=scope)
+            url=url,
+            client_id=client_id,
+            client_secret=client_secret,
+            disable_ssl_verification=disable_ssl_verification,
+            headers=headers,
+            proxies=proxies,
+            scope=scope,
+        )
 
         self.cr_token_filename = cr_token_filename
         self.iam_profile_name = iam_profile_name
         self.iam_profile_id = iam_profile_id
 
         self.request_payload['grant_type'] = 'urn:ibm:params:oauth:grant-type:cr-token'
+        self._set_user_agent(_build_user_agent('container-authenticator'))
 
     def retrieve_cr_token(self) -> str:
         """Retrieves the CR token for the current compute resource by reading it from the local file system.
 
         Raises:
-            Exception: Cannot retrieve the compute resource token from.
+            Exception: Error retrieving the compute resource token.
 
         Returns:
             A string which contains the compute resource token.
         """
-        cr_token_filename = self.cr_token_filename if self.cr_token_filename else self.DEFAULT_CR_TOKEN_FILENAME
-
-        logger.debug('Attempting to read CR token from file: %s',
-                      cr_token_filename)
-
         try:
-            with open(cr_token_filename, 'r', encoding='utf-8') as file:
-                cr_token = file.read()
+            cr_token = None
+            if self.cr_token_filename:
+                # If the user specified a filename, then use that.
+                cr_token = self.read_file(self.cr_token_filename)
+            else:
+                # If the user didn't specify a filename, then try our two defaults.
+                try:
+                    cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME1)
+                except:
+                    cr_token = self.read_file(self.DEFAULT_CR_TOKEN_FILENAME2)
             return cr_token
-        # pylint: disable=broad-except
         except Exception as ex:
-            raise Exception(
-                'Unable to retrieve the CR token value from file {}: {}'.format(cr_token_filename, ex)) from None
+            # pylint: disable=broad-exception-raised
+            raise Exception('Unable to retrieve the CR token: {}'.format(ex)) from None
 
     def request_token(self) -> dict:
         """Retrieves a CR token value from the current compute resource,
@@ -132,11 +145,9 @@ class ContainerTokenManager(IAMRequestBasedTokenManager):
         Returns:
              A dictionary containing the bearer token to be subsequently used service requests.
         """
-        # Retrieve the CR token for this compute resource.
-        cr_token = self.retrieve_cr_token()
 
         # Set the request payload.
-        self.request_payload['cr_token'] = cr_token
+        self.request_payload['cr_token'] = self.retrieve_cr_token()
 
         if self.iam_profile_id:
             self.request_payload['profile_id'] = self.iam_profile_id
@@ -168,3 +179,22 @@ class ContainerTokenManager(IAMRequestBasedTokenManager):
             iam_profile_id: id of the linked trusted IAM profile to be used when obtaining the IAM access token
         """
         self.iam_profile_id = iam_profile_id
+
+    def read_file(self, filename: str) -> str:
+        """Read in the specified file and return the contents as a string.
+        Args:
+            filename: the name of the file to read
+        Returns:
+            The contents of the file as a string.
+        Raises:
+            Exception: An error occured reading the file.
+        """
+        try:
+            logger.debug('Attempting to read CR token from file: %s', filename)
+            with open(filename, 'r', encoding='utf-8') as file:
+                cr_token = file.read()
+            logger.debug('Successfully read CR token from file: %s', filename)
+            return cr_token
+        except Exception as ex:
+            # pylint: disable=broad-exception-raised
+            raise Exception('Error reading CR token from file {}: {}'.format(filename, ex)) from None

ibm_cloud_sdk_core/token_managers/cp4d_token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,8 +17,12 @@
 import json
 from typing import Dict, Optional
 
+from ibm_cloud_sdk_core.logger import get_logger
+from ..private_helpers import _build_user_agent
 from .jwt_token_manager import JWTTokenManager
 
+logger = get_logger()
+
 
 class CP4DTokenManager(JWTTokenManager):
     """Token Manager of CloudPak for data.
@@ -48,19 +52,22 @@ class CP4DTokenManager(JWTTokenManager):
         proxies.https (str): The proxy endpoint to use for HTTPS requests.
         verify (str): The path to the certificate to use for HTTPS requests.
     """
+
     TOKEN_NAME = 'token'
     VALIDATE_AUTH_PATH = '/v1/authorize'
 
-    def __init__(self,
-                 username: str = None,
-                 password: str = None,
-                 url: str = None,
-                 *,
-                 apikey: str = None,
-                 disable_ssl_verification: bool = False,
-                 headers: Optional[Dict[str, str]] = None,
-                 proxies: Optional[Dict[str, str]] = None,
-                 verify: Optional[str] = None) -> None:
+    def __init__(
+        self,
+        username: str = None,
+        password: str = None,
+        url: str = None,
+        *,
+        apikey: str = None,
+        disable_ssl_verification: bool = False,
+        headers: Optional[Dict[str, str]] = None,
+        proxies: Optional[Dict[str, str]] = None,
+        verify: Optional[str] = None,
+    ) -> None:
         self.username = username
         self.password = password
         self.verify = verify
@@ -72,23 +79,29 @@ class CP4DTokenManager(JWTTokenManager):
             self.headers = {}
         self.headers['Content-Type'] = 'application/json'
         self.proxies = proxies
-        super().__init__(url, disable_ssl_verification=disable_ssl_verification,
-                         token_name=self.TOKEN_NAME)
+        super().__init__(url, disable_ssl_verification=disable_ssl_verification, token_name=self.TOKEN_NAME)
+        self._set_user_agent(_build_user_agent('cp4d-authenticator'))
 
     def request_token(self) -> dict:
-        """Makes a request for a token.
-        """
+        """Makes a request for a token."""
+        required_headers = {
+            'User-Agent': self.user_agent,
+        }
+        request_headers = {}
+        if self.headers is not None and isinstance(self.headers, dict):
+            request_headers.update(self.headers)
+        request_headers.update(required_headers)
+
+        logger.debug('Invoking CP4D token service operation: %s', self.url)
         response = self._request(
             method='POST',
-            headers=self.headers,
+            headers=request_headers,
             url=self.url,
-            data=json.dumps({
-                "username": self.username,
-                "password": self.password,
-                "api_key": self.apikey
-            }),
+            data=json.dumps({"username": self.username, "password": self.password, "api_key": self.apikey}),
             proxies=self.proxies,
-            verify=self.verify)
+            verify=self.verify,
+        )
+        logger.debug('Returned from CP4D token service operation')
         return response
 
     def set_headers(self, headers: Dict[str, str]) -> None:

ibm_cloud_sdk_core/token_managers/iam_request_based_token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,10 +16,13 @@
 
 from typing import Dict, Optional
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .jwt_token_manager import JWTTokenManager
 
+logger = get_logger()
 
-#pylint: disable=too-many-instance-attributes
+
+# pylint: disable=too-many-instance-attributes
 class IAMRequestBasedTokenManager(JWTTokenManager):
     """The IamRequestBasedTokenManager class contains code relevant to any token manager that
     interacts with the IAM service to manage a token. It stores information relevant to all
@@ -60,21 +63,25 @@ class IAMRequestBasedTokenManager(JWTTokenManager):
         scope: The "scope" to use when fetching the bearer token from the IAM token server.
         This can be used to obtain an access token with a specific scope.
     """
+
     DEFAULT_IAM_URL = 'https://iam.cloud.ibm.com'
     OPERATION_PATH = "/identity/token"
-
-    def __init__(self,
-                 url: Optional[str] = None,
-                 client_id: Optional[str] = None,
-                 client_secret: Optional[str] = None,
-                 disable_ssl_verification: bool = False,
-                 headers: Optional[Dict[str, str]] = None,
-                 proxies: Optional[Dict[str, str]] = None,
-                 scope: Optional[str] = None) -> None:
+    IAM_EXPIRATION_WINDOW = 10
+
+    def __init__(
+        self,
+        url: Optional[str] = None,
+        client_id: Optional[str] = None,
+        client_secret: Optional[str] = None,
+        disable_ssl_verification: bool = False,
+        headers: Optional[Dict[str, str]] = None,
+        proxies: Optional[Dict[str, str]] = None,
+        scope: Optional[str] = None,
+    ) -> None:
         if not url:
             url = self.DEFAULT_IAM_URL
         if url.endswith(self.OPERATION_PATH):
-            url = url[:-len(self.OPERATION_PATH)]
+            url = url[: -len(self.OPERATION_PATH)]
         self.url = url
         self.client_id = client_id
         self.client_secret = client_secret
@@ -83,8 +90,7 @@ class IAMRequestBasedTokenManager(JWTTokenManager):
         self.proxies = proxies
         self.scope = scope
         self.request_payload = {}
-        super().__init__(
-            self.url, disable_ssl_verification=disable_ssl_verification, token_name='access_token')
+        super().__init__(self.url, disable_ssl_verification=disable_ssl_verification, token_name='access_token')
 
     def request_token(self) -> dict:
         """Request an IAM OAuth token given an API Key.
@@ -95,12 +101,15 @@ class IAMRequestBasedTokenManager(JWTTokenManager):
         Returns:
              A dictionary containing the bearer token to be subsequently used service requests.
         """
-        headers = {
-            'Content-type': 'application/x-www-form-urlencoded',
-            'Accept': 'application/json'
+        required_headers = {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': 'application/json',
+            'User-Agent': self._get_user_agent(),
         }
+        request_headers = {}
         if self.headers is not None and isinstance(self.headers, dict):
-            headers.update(self.headers)
+            request_headers.update(self.headers)
+        request_headers.update(required_headers)
 
         data = dict(self.request_payload)
 
@@ -112,13 +121,17 @@ class IAMRequestBasedTokenManager(JWTTokenManager):
         if self.client_id and self.client_secret:
             auth_tuple = (self.client_id, self.client_secret)
 
+        request_url = (self.url + self.OPERATION_PATH) if self.url else self.url
+        logger.debug('Invoking IAM get_token operation: %s', request_url)
         response = self._request(
             method='POST',
-            url=(self.url + self.OPERATION_PATH) if self.url else self.url,
-            headers=headers,
+            url=request_url,
+            headers=request_headers,
             data=data,
             auth_tuple=auth_tuple,
-            proxies=self.proxies)
+            proxies=self.proxies,
+        )
+        logger.debug('Returned from IAM get_token operation')
         return response
 
     def set_client_id_and_secret(self, client_id: str, client_secret: str) -> None:
@@ -167,3 +180,19 @@ class IAMRequestBasedTokenManager(JWTTokenManager):
             value: A space seperated string that makes up the scope parameter.
         """
         self.scope = value
+
+    def _is_token_expired(self) -> bool:
+        """
+        Returns true iff the current cached token is expired.
+        We'll consider an access token as expired when we reach its IAM server-reported expiration time
+        minus our expiration window (10 secs).
+        We do this to avoid using an access token that might expire in the middle of a long-running transaction
+        within an IBM Cloud service.
+
+        Returns
+        -------
+        bool
+            True if token is expired; False otherwise
+        """
+        current_time = self._get_current_time()
+        return current_time >= (self.expire_time - self.IAM_EXPIRATION_WINDOW)