ibm-cloud-sdk-core 3.16.0__py3-none-any.whl → 3.21.0__py3-none-any.whl

ibm_cloud_sdk_core/token_managers/iam_token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@
 from typing import Dict, Optional
 
 from .iam_request_based_token_manager import IAMRequestBasedTokenManager
+from ..private_helpers import _build_user_agent
 
 
 class IAMTokenManager(IAMRequestBasedTokenManager):
@@ -60,19 +61,27 @@ class IAMTokenManager(IAMRequestBasedTokenManager):
         This can be used to obtain an access token with a specific scope.
     """
 
-    def __init__(self,
-                 apikey: str,
-                 *,
-                 url: Optional[str] = None,
-                 client_id: Optional[str] = None,
-                 client_secret: Optional[str] = None,
-                 disable_ssl_verification: bool = False,
-                 headers: Optional[Dict[str, str]] = None,
-                 proxies: Optional[Dict[str, str]] = None,
-                 scope: Optional[str] = None) -> None:
+    def __init__(
+        self,
+        apikey: str,
+        *,
+        url: Optional[str] = None,
+        client_id: Optional[str] = None,
+        client_secret: Optional[str] = None,
+        disable_ssl_verification: bool = False,
+        headers: Optional[Dict[str, str]] = None,
+        proxies: Optional[Dict[str, str]] = None,
+        scope: Optional[str] = None,
+    ) -> None:
         super().__init__(
-            url=url, client_id=client_id, client_secret=client_secret,
-            disable_ssl_verification=disable_ssl_verification, headers=headers, proxies=proxies, scope=scope)
+            url=url,
+            client_id=client_id,
+            client_secret=client_secret,
+            disable_ssl_verification=disable_ssl_verification,
+            headers=headers,
+            proxies=proxies,
+            scope=scope,
+        )
 
         self.apikey = apikey
 
@@ -80,3 +89,5 @@ class IAMTokenManager(IAMRequestBasedTokenManager):
         self.request_payload['grant_type'] = 'urn:ibm:params:oauth:grant-type:apikey'
         self.request_payload['apikey'] = self.apikey
         self.request_payload['response_type'] = 'cloud_iam'
+
+        self._set_user_agent(_build_user_agent('iam-authenticator'))

ibm_cloud_sdk_core/token_managers/jwt_token_manager.py

@@ -75,15 +75,7 @@ class JWTTokenManager(TokenManager, ABC):
         buffer = (exp - iat) * 0.2
         self.refresh_time = self.expire_time - buffer
 
-    def _request(self,
-                 method,
-                 url,
-                 *,
-                 headers=None,
-                 params=None,
-                 data=None,
-                 auth_tuple=None,
-                 **kwargs) -> dict:
+    def _request(self, method, url, *, headers=None, params=None, data=None, auth_tuple=None, **kwargs) -> dict:
         kwargs = dict({"timeout": 60}, **kwargs)
         kwargs = dict(kwargs, **self.http_config)
 
@@ -91,13 +83,8 @@ class JWTTokenManager(TokenManager, ABC):
             kwargs['verify'] = False
 
         response = requests.request(
-            method=method,
-            url=url,
-            headers=headers,
-            params=params,
-            data=data,
-            auth=auth_tuple,
-            **kwargs)
+            method=method, url=url, headers=headers, params=params, data=data, auth=auth_tuple, **kwargs
+        )
         if 200 <= response.status_code <= 299:
             return response.json()
 

ibm_cloud_sdk_core/token_managers/mcsp_token_manager.py

@@ -0,0 +1,108 @@
+# coding: utf-8
+
+# Copyright 2023, 2024 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+from typing import Dict, Optional
+
+from ibm_cloud_sdk_core.logger import get_logger
+from ..private_helpers import _build_user_agent
+from .jwt_token_manager import JWTTokenManager
+
+logger = get_logger()
+
+
+class MCSPTokenManager(JWTTokenManager):
+    """The MCSPTokenManager accepts a user-supplied apikey and performs the necessary interactions with
+    the Multi-Cloud Saas Platform (MCSP) token service to obtain an MCSP access token (a bearer token).
+    When the access token expires, a new access token is obtained from the token server.
+
+    Keyword Arguments:
+        apikey: The apikey for authentication [required].
+        url: The endpoint for JWT token requests [required].
+        disable_ssl_verification: Disable ssl verification. Defaults to False.
+        headers: Headers to be sent with every service token request. Defaults to None.
+        proxies: Proxies to use for making request. Defaults to None.
+        proxies.http (optional): The proxy endpoint to use for HTTP requests.
+        proxies.https (optional): The proxy endpoint to use for HTTPS requests.
+    """
+
+    TOKEN_NAME = 'token'
+    OPERATION_PATH = '/siusermgr/api/1.0/apikeys/token'
+
+    def __init__(
+        self,
+        apikey: str,
+        url: str,
+        *,
+        disable_ssl_verification: bool = False,
+        headers: Optional[Dict[str, str]] = None,
+        proxies: Optional[Dict[str, str]] = None,
+    ) -> None:
+        self.apikey = apikey
+        self.headers = headers
+        if self.headers is None:
+            self.headers = {}
+        self.headers['Content-Type'] = 'application/json'
+        self.headers['Accept'] = 'application/json'
+        self.proxies = proxies
+        super().__init__(url, disable_ssl_verification=disable_ssl_verification, token_name=self.TOKEN_NAME)
+        self._set_user_agent(_build_user_agent('mcsp-authenticator'))
+
+    def request_token(self) -> dict:
+        """Makes a request for a token."""
+        required_headers = {
+            'User-Agent': self.user_agent,
+        }
+        request_headers = {}
+        if self.headers is not None and isinstance(self.headers, dict):
+            request_headers.update(self.headers)
+        request_headers.update(required_headers)
+
+        request_url = self.url + self.OPERATION_PATH
+        logger.debug('Invoking MCSP token service operation: %s', request_url)
+        response = self._request(
+            method='POST',
+            headers=request_headers,
+            url=request_url,
+            data=json.dumps({"apikey": self.apikey}),
+            proxies=self.proxies,
+        )
+        logger.debug('Returned from MCSP token service operation')
+        return response
+
+    def set_headers(self, headers: Dict[str, str]) -> None:
+        """Headers to be sent with every MCSP token request.
+
+        Args:
+            headers: The headers to be sent with every MCSP token request.
+        """
+        if isinstance(headers, dict):
+            self.headers = headers
+        else:
+            raise TypeError('headers must be a dictionary')
+
+    def set_proxies(self, proxies: Dict[str, str]) -> None:
+        """Sets the proxies the token manager will use to communicate with MCSP on behalf of the host.
+
+        Args:
+            proxies: Proxies to use for making request. Defaults to None.
+            proxies.http (optional): The proxy endpoint to use for HTTP requests.
+            proxies.https (optional): The proxy endpoint to use for HTTPS requests.
+        """
+        if isinstance(proxies, dict):
+            self.proxies = proxies
+        else:
+            raise TypeError('proxies must be a dictionary')

ibm_cloud_sdk_core/token_managers/token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2020 IBM All Rights Reserved.
+# Copyright 2020, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,8 +21,11 @@ from threading import Lock
 
 import requests
 
+from ibm_cloud_sdk_core.logger import get_logger
 from ..api_exception import ApiException
 
+logger = get_logger()
+
 
 # pylint: disable=too-many-instance-attributes
 class TokenManager(ABC):
@@ -49,14 +52,10 @@ class TokenManager(ABC):
         lock (Lock): Lock variable to serialize access to refresh/request times
         http_config (dict): A dictionary containing values that control the timeout, proxies, and etc of HTTP requests.
         access_token (str): The latest stored access token
+        user_agent (str): The User-Agent header value to be included in each outbound token request
     """
 
-    def __init__(
-            self,
-            url: str,
-            *,
-            disable_ssl_verification: bool = False
-    ):
+    def __init__(self, url: str, *, disable_ssl_verification: bool = False):
         self.url = url
         self.disable_ssl_verification = disable_ssl_verification
         self.expire_time = 0
@@ -65,6 +64,7 @@ class TokenManager(ABC):
         self.lock = Lock()
         self.http_config = {}
         self.access_token = None
+        self.user_agent = None
 
     def get_token(self) -> str:
         """Get a token to be used for authentication.
@@ -78,11 +78,15 @@ class TokenManager(ABC):
             str: A valid access token
         """
         if self._is_token_expired():
+            logger.debug('Performing synchronous token fetch')
             self.paced_request_token()
 
         if self._token_needs_refresh():
+            logger.debug('Performing background asynchronous token fetch')
             token_response = self.request_token()
             self._save_token_info(token_response)
+        else:
+            logger.debug('Using cached access token')
 
         return self.access_token
 
@@ -100,6 +104,12 @@ class TokenManager(ABC):
         else:
             raise TypeError('status must be a bool')
 
+    def _set_user_agent(self, user_agent: str = None) -> None:
+        self.user_agent = user_agent
+
+    def _get_user_agent(self) -> str:
+        return self.user_agent
+
     def paced_request_token(self) -> None:
         """
         Paces requests to request_token.
@@ -190,15 +200,7 @@ class TokenManager(ABC):
         """
         pass
 
-    def _request(self,
-                 method,
-                 url,
-                 *,
-                 headers=None,
-                 params=None,
-                 data=None,
-                 auth_tuple=None,
-                 **kwargs):
+    def _request(self, method, url, *, headers=None, params=None, data=None, auth_tuple=None, **kwargs):
         kwargs = dict({"timeout": 60}, **kwargs)
         kwargs = dict(kwargs, **self.http_config)
 
@@ -206,13 +208,8 @@ class TokenManager(ABC):
             kwargs['verify'] = False
 
         response = requests.request(
-            method=method,
-            url=url,
-            headers=headers,
-            params=params,
-            data=data,
-            auth=auth_tuple,
-            **kwargs)
+            method=method, url=url, headers=headers, params=params, data=data, auth=auth_tuple, **kwargs
+        )
         if 200 <= response.status_code <= 299:
             return response
 

ibm_cloud_sdk_core/token_managers/vpc_instance_token_manager.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2021 IBM All Rights Reserved.
+# Copyright 2021, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,13 +15,13 @@
 # limitations under the License.
 
 import json
-import logging
 from typing import Optional
 
+from ibm_cloud_sdk_core.logger import get_logger
+from ..private_helpers import _build_user_agent
 from .jwt_token_manager import JWTTokenManager
 
-
-logger = logging.getLogger(__name__)
+logger = get_logger()
 
 
 class VPCInstanceTokenManager(JWTTokenManager):
@@ -52,18 +52,19 @@ class VPCInstanceTokenManager(JWTTokenManager):
         url (str, optional): The VPC Instance Metadata Service's base endpoint URL.
     """
 
-    METADATA_SERVICE_VERSION = '2021-09-20'
+    METADATA_SERVICE_VERSION = '2022-03-01'
     DEFAULT_IMS_ENDPOINT = 'http://169.254.169.254'
     TOKEN_NAME = 'access_token'
+    IAM_EXPIRATION_WINDOW = 10
 
-    def __init__(self,
-                 iam_profile_crn: Optional[str] = None,
-                 iam_profile_id: Optional[str] = None,
-                 url: Optional[str] = None) -> None:
+    def __init__(
+        self, iam_profile_crn: Optional[str] = None, iam_profile_id: Optional[str] = None, url: Optional[str] = None
+    ) -> None:
         if not url:
             url = self.DEFAULT_IMS_ENDPOINT
 
         super().__init__(url, token_name=self.TOKEN_NAME)
+        self._set_user_agent(_build_user_agent('vpc-instance-authenticator'))
 
         self.iam_profile_crn = iam_profile_crn
         self.iam_profile_id = iam_profile_id
@@ -91,18 +92,19 @@ class VPCInstanceTokenManager(JWTTokenManager):
         headers = {
             'Content-Type': 'application/json',
             'Accept': 'application/json',
-            'Authorization': 'Bearer ' + instance_identity_token
+            'Authorization': 'Bearer ' + instance_identity_token,
+            'User-Agent': self._get_user_agent(),
         }
 
-        logger.debug(
-            'Invoking VPC \'create_iam_token\' operation: %s', url)
+        logger.debug('Invoking VPC \'create_iam_token\' operation: %s', url)
         response = self._request(
             method='POST',
             url=url,
             headers=headers,
             params={'version': self.METADATA_SERVICE_VERSION},
-            data=json.dumps(request_payload) if request_payload else None)
-        logger.debug('Returned from VPC \'create_iam_token\' operation."')
+            data=json.dumps(request_payload) if request_payload else None,
+        )
+        logger.debug('Returned from VPC \'create_iam_token\' operation.')
 
         return response
 
@@ -138,18 +140,35 @@ class VPCInstanceTokenManager(JWTTokenManager):
             'Content-type': 'application/json',
             'Accept': 'application/json',
             'Metadata-Flavor': 'ibm',
+            'User-Agent': self._get_user_agent(),
         }
 
         request_body = {'expires_in': 300}
 
-        logger.debug(
-            'Invoking VPC \'create_access_token\' operation: %s', url)
+        logger.debug('Invoking VPC \'create_access_token\' operation: %s', url)
         response = self._request(
             method='PUT',
             url=url,
             headers=headers,
             params={'version': self.METADATA_SERVICE_VERSION},
-            data=json.dumps(request_body))
-        logger.debug('Returned from VPC \'create_access_token\' operation."')
+            data=json.dumps(request_body),
+        )
+        logger.debug('Returned from VPC \'create_access_token\' operation.')
 
         return response['access_token']
+
+    def _is_token_expired(self) -> bool:
+        """
+        Returns true iff the current cached token is expired.
+        We'll consider an access token as expired when we reach its IAM server-reported expiration time
+        minus our expiration window (10 secs).
+        We do this to avoid using an access token that might expire in the middle of a long-running transaction
+        within an IBM Cloud service.
+
+        Returns
+        -------
+        bool
+            True if token is expired; False otherwise
+        """
+        current_time = self._get_current_time()
+        return current_time >= (self.expire_time - self.IAM_EXPIRATION_WINDOW)