ibm-cloud-sdk-core 3.20.6__py3-none-any.whl → 3.22.0__py3-none-any.whl

ibm_cloud_sdk_core/__init__.py

@@ -18,6 +18,7 @@ classes:
     BaseService: Abstract class for common functionality between each service.
     DetailedResponse: The object returned from successful service operations.
     IAMTokenManager: Requests and refreshes IAM tokens using an apikey, and optionally a client_id and client_secret.
+    IAMAssumeTokenManager: Requests and refreshes IAM tokens using an apikey and a trusted profile.
     JWTTokenManager: Abstract class for common functionality between each JWT token manager.
     CP4DTokenManager: Requests and refreshes CP4D tokens given a username and password.
     ApiException: Custom exception class for errors returned from service operations.
@@ -39,6 +40,7 @@ functions:
 from .base_service import BaseService
 from .detailed_response import DetailedResponse
 from .token_managers.iam_token_manager import IAMTokenManager
+from .token_managers.iam_assume_token_manager import IAMAssumeTokenManager
 from .token_managers.jwt_token_manager import JWTTokenManager
 from .token_managers.cp4d_token_manager import CP4DTokenManager
 from .token_managers.container_token_manager import ContainerTokenManager

ibm_cloud_sdk_core/authenticators/__init__.py

@@ -39,6 +39,7 @@ from .bearer_token_authenticator import BearerTokenAuthenticator
 from .container_authenticator import ContainerAuthenticator
 from .cp4d_authenticator import CloudPakForDataAuthenticator
 from .iam_authenticator import IAMAuthenticator
+from .iam_assume_authenticator import IAMAssumeAuthenticator
 from .vpc_instance_authenticator import VPCInstanceAuthenticator
 from .no_auth_authenticator import NoAuthAuthenticator
 from .mcsp_authenticator import MCSPAuthenticator

ibm_cloud_sdk_core/authenticators/authenticator.py

@@ -24,6 +24,7 @@ class Authenticator(ABC):
     AUTHTYPE_BASIC = 'basic'
     AUTHTYPE_BEARERTOKEN = 'bearerToken'
     AUTHTYPE_IAM = 'iam'
+    AUTHTYPE_IAM_ASSUME = 'iamAssume'
     AUTHTYPE_CONTAINER = 'container'
     AUTHTYPE_CP4D = 'cp4d'
     AUTHTYPE_VPC = 'vpc'

ibm_cloud_sdk_core/authenticators/basic_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,11 +15,15 @@
 # limitations under the License.
 
 import base64
+
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .authenticator import Authenticator
 from ..utils import has_bad_first_or_last_char
 
+logger = get_logger()
+
 
 class BasicAuthenticator(Authenticator):
     """The BasicAuthenticator is used to add basic authentication information to requests.
@@ -41,6 +45,7 @@ class BasicAuthenticator(Authenticator):
         self.password = password
         self.validate()
         self.authorization_header = self.__construct_basic_auth_header()
+        logger.debug('Created new BasicAuthenticator instance!')
 
     def authentication_type(self) -> str:
         """Returns this authenticator's type ('basic')."""
@@ -81,3 +86,4 @@ class BasicAuthenticator(Authenticator):
         """
         headers = req.get('headers')
         headers['Authorization'] = self.authorization_header
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())

ibm_cloud_sdk_core/authenticators/bearer_token_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,8 +16,11 @@
 
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .authenticator import Authenticator
 
+logger = get_logger()
+
 
 class BearerTokenAuthenticator(Authenticator):
     """The BearerTokenAuthenticator will add a user-supplied bearer token
@@ -37,6 +40,7 @@ class BearerTokenAuthenticator(Authenticator):
     def __init__(self, bearer_token: str) -> None:
         self.bearer_token = bearer_token
         self.validate()
+        logger.debug('Created BearerTokenAuthenticator instance!')
 
     def authentication_type(self) -> str:
         """Returns this authenticator's type ('bearertoken')."""
@@ -66,6 +70,7 @@ class BearerTokenAuthenticator(Authenticator):
         """
         headers = req.get('headers')
         headers['Authorization'] = 'Bearer {0}'.format(self.bearer_token)
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())
 
     def set_bearer_token(self, bearer_token: str) -> None:
         """Set a new bearer token to be sent in subsequent service operations.

ibm_cloud_sdk_core/authenticators/container_authenticator.py

@@ -66,6 +66,7 @@ class ContainerAuthenticator(IAMRequestBasedAuthenticator):
 
     def __init__(
         self,
+        *,
         cr_token_filename: Optional[str] = None,
         iam_profile_name: Optional[str] = None,
         iam_profile_id: Optional[str] = None,

ibm_cloud_sdk_core/authenticators/cp4d_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,13 +15,15 @@
 # limitations under the License.
 
 from typing import Dict, Optional
-
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .authenticator import Authenticator
 from ..token_managers.cp4d_token_manager import CP4DTokenManager
 from ..utils import has_bad_first_or_last_char
 
+logger = get_logger()
+
 
 class CloudPakForDataAuthenticator(Authenticator):
     """The CloudPakForDataAuthenticator utilizes a username and password pair to
@@ -133,6 +135,7 @@ class CloudPakForDataAuthenticator(Authenticator):
         headers = req.get('headers')
         bearer_token = self.token_manager.get_token()
         headers['Authorization'] = 'Bearer {0}'.format(bearer_token)
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())
 
     def set_disable_ssl_verification(self, status: bool = False) -> None:
         """Set the flag that indicates whether verification of the server's SSL certificate should be

ibm_cloud_sdk_core/authenticators/iam_assume_authenticator.py

@@ -0,0 +1,146 @@
+# coding: utf-8
+
+# Copyright 2024 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import Any, Dict, Optional
+
+from ibm_cloud_sdk_core.authenticators.iam_authenticator import IAMAuthenticator
+from ibm_cloud_sdk_core.token_managers.iam_assume_token_manager import IAMAssumeTokenManager
+
+from .authenticator import Authenticator
+from .iam_request_based_authenticator import IAMRequestBasedAuthenticator
+
+
+class IAMAssumeAuthenticator(IAMRequestBasedAuthenticator):
+    """IAMAssumeAuthenticator obtains an IAM access token using the IAM "get-token" operation's
+    "assume" grant type. The authenticator obtains an initial IAM access token from a
+    user-supplied apikey, then exchanges this initial IAM access token for another IAM access token
+    that has "assumed the identity" of the specified trusted profile.
+
+    The bearer token will be sent as an Authorization header in the form:
+
+        Authorization: Bearer <bearer-token>
+
+    Args:
+        apikey: The IAM api key.
+
+    Keyword Args:
+        iam_profile_id: the ID of the trusted profile
+        iam_profile_crn: the CRN of the trusted profile
+        iam_profile_name: the name of the trusted profile (must be used together with `iam_account_id`)
+        iam_account_id: the ID of the trusted profile (must be used together with `iam_profile_name`)
+        url: The URL representing the IAM token service endpoint. If not specified, a suitable default value is used.
+        client_id: The client_id and client_secret fields are used to form
+            a "basic" authorization header for IAM token requests. Defaults to None.
+        client_secret: The client_id and client_secret fields are used to form
+            a "basic" authorization header for IAM token requests. Defaults to None.
+        disable_ssl_verification: A flag that indicates whether verification of
+            the server's SSL certificate should be disabled or not. Defaults to False.
+        headers: Default headers to be sent with every IAM token request. Defaults to None.
+        proxies: Dictionary for mapping request protocol to proxy URL. Defaults to None.
+        proxies.http (optional): The proxy endpoint to use for HTTP requests.
+        proxies.https (optional): The proxy endpoint to use for HTTPS requests.
+        scope: The "scope" to use when fetching the bearer token from the IAM token server.
+            This can be used to obtain an access token with a specific scope.
+
+    Attributes:
+        token_manager (IAMTokenManager): Retrieves and manages IAM tokens from the endpoint specified by the url.
+
+    Raises:
+        TypeError: The `disable_ssl_verification` is not a bool.
+        ValueError: The `apikey`, `client_id`, and/or `client_secret` are not valid for IAM token requests or the
+            following keyword arguments are incorrectly specified:
+            `iam_profile_id`, `iam_profile_crn`, `iam_profile_name`, `iam_account_id`.
+    """
+
+    def __init__(
+        self,
+        apikey: str,
+        *,
+        iam_profile_id: Optional[str] = None,
+        iam_profile_crn: Optional[str] = None,
+        iam_profile_name: Optional[str] = None,
+        iam_account_id: Optional[str] = None,
+        url: Optional[str] = None,
+        client_id: Optional[str] = None,
+        client_secret: Optional[str] = None,
+        disable_ssl_verification: bool = False,
+        headers: Optional[Dict[str, str]] = None,
+        proxies: Optional[Dict[str, str]] = None,
+        scope: Optional[str] = None,
+    ) -> None:
+        # Check the type of `disable_ssl_verification`. Must be a bool.
+        if not isinstance(disable_ssl_verification, bool):
+            raise TypeError('disable_ssl_verification must be a bool')
+
+        self.token_manager = IAMAssumeTokenManager(
+            apikey,
+            iam_profile_id=iam_profile_id,
+            iam_profile_crn=iam_profile_crn,
+            iam_profile_name=iam_profile_name,
+            iam_account_id=iam_account_id,
+            url=url,
+            client_id=client_id,
+            client_secret=client_secret,
+            disable_ssl_verification=disable_ssl_verification,
+            headers=headers,
+            proxies=proxies,
+            scope=scope,
+        )
+
+        self.validate()
+
+    # Disable all setter methods, inherited from the parent class.
+    def __getattribute__(self, name: str) -> Any:
+        if name.startswith("set_"):
+            raise AttributeError(f"'{self.__class__.__name__}' has no attribute '{name}'")
+
+        return super().__getattribute__(name)
+
+    def authentication_type(self) -> str:
+        """Returns this authenticator's type ('iamAssume')."""
+        return Authenticator.AUTHTYPE_IAM_ASSUME
+
+    def validate(self) -> None:
+        """Validates the provided IAM related arguments.
+
+        Ensure the following:
+        - `apikey` of the IAMTokenManager is not `None`, and has no bad characters
+        - both `client_id` and `client_secret` are set if either of them are defined
+        - the correct number and type of IAM profile and IAM account options are specified
+
+        Raises:
+            ValueError: The apikey, client_id, and/or client_secret are not valid for IAM token requests.
+        """
+        # Create a temporary IAM authenticator that we can use to validate our delegate.
+        tmp_authenticator = IAMAuthenticator("")
+        tmp_authenticator.token_manager = self.token_manager.iam_delegate
+        tmp_authenticator.validate()
+        del tmp_authenticator
+
+        # Only one of the following arguments must be specified.
+        mutually_exclusive_attributes = [
+            self.token_manager.iam_profile_id,
+            self.token_manager.iam_profile_crn,
+            self.token_manager.iam_profile_name,
+        ]
+        if list(map(bool, mutually_exclusive_attributes)).count(True) != 1:
+            raise ValueError(
+                'Exactly one of `iam_profile_id`, `iam_profile_crn`, or `iam_profile_name` must be specified.'
+            )
+
+        # `iam_account_id` must be specified iff `iam_profile_name` is used.
+        if self.token_manager.iam_profile_name and not self.token_manager.iam_account_id:
+            raise ValueError('`iam_profile_name` and `iam_account_id` must be provided together, or not at all.')

ibm_cloud_sdk_core/authenticators/iam_request_based_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,8 +18,11 @@ from typing import Dict
 
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .authenticator import Authenticator
 
+logger = get_logger()
+
 
 class IAMRequestBasedAuthenticator(Authenticator):
     """The IAMRequestBasedAuthenticator class contains code that is common to all authenticators
@@ -60,6 +63,7 @@ class IAMRequestBasedAuthenticator(Authenticator):
         headers = req.get('headers')
         bearer_token = self.token_manager.get_token()
         headers['Authorization'] = 'Bearer {0}'.format(bearer_token)
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())
 
     def set_client_id_and_secret(self, client_id: str, client_secret: str) -> None:
         """Set the client_id and client_secret pair the token manager will use for IAM token requests.

ibm_cloud_sdk_core/authenticators/mcsp_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2023 IBM All Rights Reserved.
+# Copyright 2023, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,9 +18,12 @@ from typing import Dict, Optional
 
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from .authenticator import Authenticator
 from ..token_managers.mcsp_token_manager import MCSPTokenManager
 
+logger = get_logger()
+
 
 class MCSPAuthenticator(Authenticator):
     """The MCSPAuthenticator uses an apikey to obtain an access token from the MCSP token server.
@@ -98,6 +101,7 @@ class MCSPAuthenticator(Authenticator):
         headers = req.get('headers')
         bearer_token = self.token_manager.get_token()
         headers['Authorization'] = 'Bearer {0}'.format(bearer_token)
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())
 
     def set_disable_ssl_verification(self, status: bool = False) -> None:
         """Set the flag that indicates whether verification of the server's SSL certificate should be

ibm_cloud_sdk_core/authenticators/vpc_instance_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2021 IBM All Rights Reserved.
+# Copyright 2021, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,9 +18,12 @@ from typing import Optional
 
 from requests import Request
 
+from ibm_cloud_sdk_core.logger import get_logger
 from ..token_managers.vpc_instance_token_manager import VPCInstanceTokenManager
 from .authenticator import Authenticator
 
+logger = get_logger()
+
 
 class VPCInstanceAuthenticator(Authenticator):
     """VPCInstanceAuthenticator implements an authentication scheme in which it
@@ -89,6 +92,7 @@ class VPCInstanceAuthenticator(Authenticator):
         headers = req.get('headers')
         bearer_token = self.token_manager.get_token()
         headers['Authorization'] = 'Bearer {0}'.format(bearer_token)
+        logger.debug('Authenticated outbound request (type=%s)', self.authentication_type())
 
     def set_iam_profile_crn(self, iam_profile_crn: str) -> None:
         """Sets CRN of the IAM profile.

ibm_cloud_sdk_core/base_service.py

@@ -16,9 +16,10 @@
 
 import gzip
 import io
-import json as json_import
 import logging
+import json as json_import
 from http.cookiejar import CookieJar
+from http import client
 from os.path import basename
 from typing import Dict, List, Optional, Tuple, Union
 from urllib3.util.retry import Retry
@@ -42,13 +43,12 @@ from .utils import (
     GzipStream,
 )
 from .private_helpers import _build_user_agent
+from .logger import (
+    get_logger,
+    LoggingFilter,
+)
 
-# Uncomment this to enable http debugging
-# import http.client as http_client
-# http_client.HTTPConnection.debuglevel = 1
-
-
-logger = logging.getLogger(__name__)
+logger = get_logger()
 
 
 # pylint: disable=too-many-instance-attributes
@@ -92,7 +92,7 @@ class BaseService:
         self,
         *,
         service_url: str = None,
-        authenticator: Authenticator = None,
+        authenticator: Optional[Authenticator] = None,
         disable_ssl_verification: bool = False,
         enable_gzip_compression: bool = False,
     ) -> None:
@@ -114,6 +114,12 @@ class BaseService:
 
         self.http_client.mount('http://', self.http_adapter)
         self.http_client.mount('https://', self.http_adapter)
+        # If debug logging is requested, then trigger HTTP message logging as well.
+        if logger.isEnabledFor(logging.DEBUG):
+            client.HTTPConnection.debuglevel = 1
+            # Replace the `print` function in the HTTPClient module to
+            # use the debug logger instead of the bare Python print.
+            client.print = lambda *args: logger.debug(LoggingFilter.filter_message(" ".join(args)))
 
     def enable_retries(self, max_retries: int = 4, retry_interval: float = 30.0) -> None:
         """Enable automatic retries on the underlying http client used by the BaseService instance.
@@ -141,6 +147,7 @@ class BaseService:
         )
         self.http_client.mount('http://', self.http_adapter)
         self.http_client.mount('https://', self.http_adapter)
+        logger.debug('Enabled retries; max_retries=%d, max_retry_interval=%f', max_retries, retry_interval)
 
     def disable_retries(self):
         """Remove retry config from http_adapter"""
@@ -148,6 +155,7 @@ class BaseService:
         self.http_adapter = SSLHTTPAdapter(_disable_ssl_verification=self.disable_ssl_verification)
         self.http_client.mount('http://', self.http_adapter)
         self.http_client.mount('https://', self.http_adapter)
+        logger.debug('Disabled retries')
 
     def configure_service(self, service_name: str) -> None:
         """Look for external configuration of a service. Set service properties.
@@ -166,6 +174,8 @@ class BaseService:
         if not isinstance(service_name, str):
             raise ValueError('Service_name must be of type string.')
 
+        logger.debug('Configuring BaseService instance with service name: %s', service_name)
+
         config = read_external_sources(service_name)
         if config.get('URL'):
             self.set_service_url(config.get('URL'))
@@ -184,6 +194,7 @@ class BaseService:
 
     def _set_user_agent_header(self, user_agent_string: str) -> None:
         self.user_agent_header = {'User-Agent': user_agent_string}
+        logger.debug('Set User-Agent: %s', user_agent_string)
 
     def set_http_config(self, http_config: dict) -> None:
         """Sets the http config dictionary.
@@ -225,6 +236,7 @@ class BaseService:
         )
         self.http_client.mount('http://', self.http_adapter)
         self.http_client.mount('https://', self.http_adapter)
+        logger.debug('Disabled SSL verification in HTTP client')
 
     def set_service_url(self, service_url: str) -> None:
         """Set the url the service will make HTTP requests too.
@@ -243,6 +255,7 @@ class BaseService:
         if service_url is not None:
             service_url = service_url.rstrip('/')
         self.service_url = service_url
+        logger.debug('Set service URL: %s', service_url)
 
     def get_http_client(self) -> requests.sessions.Session:
         """Get the http client session currently used by the service.
@@ -305,7 +318,7 @@ class BaseService:
         # Check to see if the caller specified the 'stream' argument.
         stream_response = kwargs.get('stream') or False
 
-        # Remove the keys we set manually, don't let the user to overwrite these.
+        # Remove the keys we set manually, don't let the user overwrite these.
         reserved_keys = ['method', 'url', 'headers', 'params', 'cookies']
         silent_keys = ['headers']
         for key in reserved_keys:
@@ -314,8 +327,12 @@ class BaseService:
                 if key not in silent_keys:
                     logger.warning('"%s" has been removed from the request', key)
         try:
+            logger.debug('Sending HTTP request message')
+
             response = self.http_client.request(**request, cookies=self.jar, **kwargs)
 
+            logger.debug('Received HTTP response message, status code %d', response.status_code)
+
             # Process a "success" response.
             if 200 <= response.status_code <= 299:
                 if response.status_code == 204 or request['method'] == 'HEAD':
@@ -455,6 +472,7 @@ class BaseService:
                         file_tuple = (filename, file_tuple[1], file_tuple[2])
                 new_files.append((part_name, file_tuple))
         request['files'] = new_files
+        logger.debug('Prepared request [%s %s]', request['method'], request['url'])
         return request
 
     @staticmethod
@@ -490,4 +508,4 @@ class BaseService:
 
     @staticmethod
     def _encode_path_vars(*args) -> None:
-        return (requests.utils.quote(x, safe='') for x in args)
+        return BaseService.encode_path_vars(*args)

ibm_cloud_sdk_core/get_authenticator.py

@@ -1,6 +1,6 @@
 # coding: utf-8
 
-# Copyright 2019 IBM All Rights Reserved.
+# Copyright 2019, 2024 IBM All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,11 +21,15 @@ from .authenticators import (
     ContainerAuthenticator,
     CloudPakForDataAuthenticator,
     IAMAuthenticator,
+    IAMAssumeAuthenticator,
     NoAuthAuthenticator,
     VPCInstanceAuthenticator,
     MCSPAuthenticator,
 )
 from .utils import read_external_sources
+from .logger import get_logger
+
+logger = get_logger()
 
 
 def get_authenticator_from_environment(service_name: str) -> Authenticator:
@@ -42,13 +46,17 @@ def get_authenticator_from_environment(service_name: str) -> Authenticator:
     Returns:
         The authenticator found from service information.
     """
+    logger.debug('Get authenticator from environment, key=%s', service_name)
     authenticator = None
     config = read_external_sources(service_name)
     if config:
         authenticator = __construct_authenticator(config)
+    if authenticator is not None:
+        logger.debug('Returning authenticator, type=%s', authenticator.authentication_type())
     return authenticator
 
 
+# pylint: disable=too-many-branches
 def __construct_authenticator(config: dict) -> Authenticator:
     # Determine the authentication type if not specified explicitly.
     if config.get('AUTH_TYPE'):
@@ -98,6 +106,19 @@ def __construct_authenticator(config: dict) -> Authenticator:
             disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true',
             scope=config.get('SCOPE'),
         )
+    elif auth_type == Authenticator.AUTHTYPE_IAM_ASSUME.lower():
+        authenticator = IAMAssumeAuthenticator(
+            apikey=config.get('APIKEY'),
+            iam_profile_id=config.get('IAM_PROFILE_ID'),
+            iam_profile_crn=config.get('IAM_PROFILE_CRN'),
+            iam_profile_name=config.get('IAM_PROFILE_NAME'),
+            iam_account_id=config.get('IAM_ACCOUNT_ID'),
+            url=config.get('AUTH_URL'),
+            client_id=config.get('CLIENT_ID'),
+            client_secret=config.get('CLIENT_SECRET'),
+            disable_ssl_verification=config.get('AUTH_DISABLE_SSL', 'false').lower() == 'true',
+            scope=config.get('SCOPE'),
+        )
     elif auth_type == Authenticator.AUTHTYPE_VPC.lower():
         authenticator = VPCInstanceAuthenticator(
             iam_profile_crn=config.get('IAM_PROFILE_CRN'),

ibm_cloud_sdk_core/logger.py

@@ -0,0 +1,85 @@
+# coding: utf-8
+
+# Copyright 2024 IBM All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import re
+
+
+# This is the name of the primary logger used by the library.
+LOGGER_NAME = 'ibm-cloud-sdk-core'
+# Keywords that are redacted.
+REDACTED_KEYWORDS = [
+    "apikey",
+    "api_key",
+    "passcode",
+    "password",
+    "token",
+    "aadClientId",
+    "aadClientSecret",
+    "auth",
+    "auth_provider_x509_cert_url",
+    "auth_uri",
+    "client_email",
+    "client_id",
+    "client_x509_cert_url",
+    "key",
+    "project_id",
+    "secret",
+    "subscriptionId",
+    "tenantId",
+    "thumbprint",
+    "token_uri",
+]
+
+
+class LoggingFilter:
+    """Functions used to filter messages before they are logged."""
+
+    redacted_tokens = "|".join(REDACTED_KEYWORDS)
+    auth_header_pattern = re.compile(r"(?m)(Authorization|X-Auth\S*): ((.*?)(\r\n.*)|(.*))")
+    property_settings_pattern = re.compile(r"(?i)(" + redacted_tokens + r")=[^&]*(&|$)")
+    json_field_pattern = re.compile(r'(?i)"([^"]*(' + redacted_tokens + r')[^"_]*)":\s*"[^\,]*"')
+
+    @classmethod
+    def redact_secrets(cls, text: str) -> str:
+        """Replaces values of potential secret keywords with a placeholder value.
+        Args:
+            text (str): the string to check and process
+
+        Returns:
+            str: the safe, redacted string with all secrets masked out
+        """
+
+        placeholder = "[redacted]"
+        redacted = cls.auth_header_pattern.sub(r"\1: " + placeholder + r"\4", text)
+        redacted = cls.property_settings_pattern.sub(r"\1=" + placeholder + r"\2", redacted)
+        redacted = cls.json_field_pattern.sub(r'"\1":"' + placeholder + r'"', redacted)
+        return redacted
+
+    @classmethod
+    def filter_message(cls, s: str) -> str:
+        """Filters 's' prior to logging it as a debug message"""
+        # Redact secrets
+        s = LoggingFilter.redact_secrets(s)
+
+        # Replace CRLF characters with an actual newline to make the message more readable.
+        s = s.replace('\\r\\n', '\n')
+        return s
+
+
+def get_logger() -> logging.Logger:
+    """Returns the primary logger object instance used by the library."""
+    return logging.getLogger(LOGGER_NAME)