-
Notifications
You must be signed in to change notification settings - Fork 0
/
api_client_sci.go
424 lines (361 loc) · 11.9 KB
/
api_client_sci.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
package bigdog
import (
"context"
"errors"
"fmt"
"log"
"net/http"
"sync"
"time"
)
var (
ErrAccessTokenRequiresRefresh = errors.New("access token requires refresh")
ErrAccessTokenCASInvalid = errors.New("invalid CAS provided")
ErrAccessTokenClientNil = errors.New("client cannot be nil")
ErrAccessTokenResponseEmpty = errors.New("empty response from login request")
accessTokenErrors = []error{
ErrAccessTokenRequiresRefresh,
ErrAccessTokenCASInvalid,
ErrAccessTokenClientNil,
ErrAccessTokenResponseEmpty,
}
accessTokenFatalErrors = []error{
ErrAccessTokenCASInvalid,
ErrAccessTokenClientNil,
ErrAccessTokenResponseEmpty,
}
)
type SCIAPIErrorDetails struct {
Name string `json:"name"`
Status int `json:"status"`
Message string `json:"message"`
Length int `json:"length"`
Severity string `json:"severity"`
Code string `json:"code"`
StatusCode int `json:"statusCode"`
File string `json:"file"`
Line int `json:"line"`
Routine string `json:"routine"`
}
type SCIAPIError struct {
ErrorDetails *SCIAPIErrorDetails `json:"error,omitempty"`
Err error `json:"err,omitempty"`
}
func (e *SCIAPIError) Is(err error) bool {
return e != nil && e.Err != nil && errors.Is(err, e.Err)
}
func (e *SCIAPIError) Unwrap() error {
if e == nil || e.Err == nil {
return nil
}
return e.Err
}
func (e *SCIAPIError) Error() string {
if e == nil {
return ""
}
if e.ErrorDetails != nil {
return fmt.Sprintf(
"name=%q; status=%d; length=%d; severity=%q; code=%q; statusCode=%d; file=%q; line=%d; routine=%q; message=%q",
e.ErrorDetails.Name,
e.ErrorDetails.Status,
e.ErrorDetails.Length,
e.ErrorDetails.Severity,
e.ErrorDetails.Code,
e.ErrorDetails.StatusCode,
e.ErrorDetails.File,
e.ErrorDetails.Line,
e.ErrorDetails.Routine,
e.ErrorDetails.Message,
)
}
if e.Err != nil {
return e.Err.Error()
}
return ""
}
func IsSCIAPIError(err error) bool {
for err != nil {
if serr, ok := err.(*SCIAPIError); ok && serr != nil {
return true
}
err = errors.Unwrap(err)
}
return false
}
func IsAccessTokenProviderError(err error) bool {
for _, aerr := range accessTokenErrors {
if errors.Is(err, aerr) {
return true
}
}
return false
}
func IsFatalAccessTokenProviderError(err error) bool {
for _, aerr := range accessTokenFatalErrors {
if errors.Is(err, aerr) {
return true
}
}
return false
}
type SCIAccessTokenCAS time.Duration
type SCIAccessTokenProvider interface {
// Current must return the current cas and token value, if and only if it is still valid.
Current() (SCIAccessTokenCAS, string, error)
// Refresh must do one of two things:
//
// If the provided CAS value is current, it must assume that its current state is no longer valid and try to do
// what is needed to get back to a state that Current is able to do what it needs to do.
//
// If the provided CAS value is NOT equal to the current state, it must assume that a refresh attempt has
// already been made in another process, and just return the current CAS value with no error.
//
// The client will only attempt a maximum of 2 times per execution:
//
// 1. If the FIRST Current call fails
// 2. If initial Current did not fail but SCI returned a 401, causing an Invalidate -> Refresh -> Current chain
// that will execute exactly 1 times.
//
// Arguments:
//
// 0. the context provided to the original API call
// 1. the current SCI client
// 2. the CAS value seen from the calling routine's most recent action (could be from either Current or Invalidate)
Refresh(context.Context, *SCIClient, SCIAccessTokenCAS) (SCIAccessTokenCAS, APIResponseMeta, error)
// Invalidate will only be called if a 401 is seen after a refresh has been attempted, and should indicate to
// the implementor that whatever decoration the authenticator is current using is no longer considered valid by
// the SCI being queried
//
// Arguments:
//
// 0. the context provided to the original API call
// 1. the current SCI client
// 2. the CAS value seen from the calling routine's most recent action (could be from either Current or Refresh)
Invalidate(context.Context, *SCIClient, SCIAccessTokenCAS) (SCIAccessTokenCAS, APIResponseMeta, error)
}
type UsernamePasswordSCIAccessTokenProvider struct {
mu sync.RWMutex
username string
password string
retries uint
retryWait time.Duration
sessionTTL time.Duration
cas SCIAccessTokenCAS
expires time.Time
accessToken string
}
func NewUsernamePasswordSCIAccessTokenProvider(username, password string, retries uint, retryWait, sessionTTL time.Duration) *UsernamePasswordSCIAccessTokenProvider {
atp := new(UsernamePasswordSCIAccessTokenProvider)
atp.username = username
atp.password = password
atp.retries = retries
atp.retryWait = retryWait
atp.sessionTTL = sessionTTL
return atp
}
func (atp *UsernamePasswordSCIAccessTokenProvider) Username() string {
return atp.username
}
func (atp *UsernamePasswordSCIAccessTokenProvider) Password() string {
return atp.password
}
func (atp *UsernamePasswordSCIAccessTokenProvider) SessionTTL() time.Duration {
return atp.sessionTTL
}
// Current returns the current access token, if there is one.
func (atp *UsernamePasswordSCIAccessTokenProvider) Current() (SCIAccessTokenCAS, string, error) {
atp.mu.RLock()
defer atp.mu.RUnlock()
if atp.tokenValid() {
return atp.cas, atp.accessToken, nil
}
return atp.cas, "", NewAPIAuthProviderError(APIResponseMeta{}, ErrAccessTokenRequiresRefresh)
}
func (atp *UsernamePasswordSCIAccessTokenProvider) Refresh(ctx context.Context, client *SCIClient, cas SCIAccessTokenCAS) (SCIAccessTokenCAS, APIResponseMeta, error) {
atp.mu.Lock()
defer atp.mu.Unlock()
var (
loginRequest *SCIUserLoginRequest
loginResponse *SCIUserLoginResponseAPIResponse
loginMeta APIResponseMeta
err error
username = atp.username
password = atp.password
)
// if client is nil, fail immediately
if client == nil {
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, ErrAccessTokenClientNil)
}
// if incoming cas is greater than current cas, assume weirdness
if atp.cas < cas {
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, fmt.Errorf("%w: provided cas value is greater than possible", ErrAccessTokenCASInvalid))
}
// if stored cas is greater than incoming cas, assume delayed call and return OK
if atp.cas > cas {
return atp.cas, loginMeta, nil
}
loginRequest = &SCIUserLoginRequest{Username: &username, Password: &password}
loginResponse, err = client.SCI().SCIUserService().UserLogin(ctx, loginRequest, nil)
for i := uint(1); err != nil && i < atp.retries; i++ {
time.Sleep(atp.retryWait)
loginResponse, err = client.SCI().SCIUserService().UserLogin(ctx, loginRequest, nil)
}
if loginResponse != nil {
defer cleanupReadCloser(loginResponse)
loginMeta = loginResponse.ResponseMeta()
}
if err != nil {
atp.cas = atp.iterateCAS()
atp.accessToken = ""
atp.expires = time.Time{}
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, err)
}
if loginResponse == nil {
atp.cas = atp.iterateCAS()
atp.accessToken = ""
atp.expires = time.Time{}
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, ErrAccessTokenResponseEmpty)
}
// test if we need to hydrate response
if loginResponse.Data == nil {
if _, err = loginResponse.Hydrate(); err != nil {
atp.cas = atp.iterateCAS()
atp.accessToken = ""
atp.expires = time.Time{}
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, fmt.Errorf("%w: error unmarshalling response body: %v", ErrAccessTokenResponseEmpty, err))
}
}
if loginResponse.Data.Id == nil || *loginResponse.Data.Id == "" {
atp.cas = atp.iterateCAS()
atp.accessToken = ""
atp.expires = time.Time{}
return atp.cas, loginMeta, NewAPIAuthProviderError(loginMeta, ErrAccessTokenResponseEmpty)
}
atp.cas = atp.iterateCAS()
atp.accessToken = *loginResponse.Data.Id
atp.expires = time.Now().Add(atp.sessionTTL)
return atp.cas, loginMeta, nil
}
func (atp *UsernamePasswordSCIAccessTokenProvider) Invalidate(ctx context.Context, client *SCIClient, cas SCIAccessTokenCAS) (SCIAccessTokenCAS, APIResponseMeta, error) {
atp.mu.Lock()
defer atp.mu.Unlock()
var (
logoutResp APIResponse
logoutMeta APIResponseMeta
err error
)
if atp.cas < cas {
return atp.cas, logoutMeta, NewAPIAuthProviderError(logoutMeta, fmt.Errorf("%w: provided cas value is greater than possible", ErrAccessTokenCASInvalid))
}
if atp.cas > cas {
return atp.cas, logoutMeta, nil
}
if atp.accessToken != "" {
logoutResp, err = client.SCI().SCIUserService().UserLogout(ctx, atp.accessToken)
if logoutResp != nil {
cleanupReadCloser(logoutResp)
logoutMeta = logoutResp.ResponseMeta()
}
if err != nil {
err = NewAPIAuthProviderError(logoutMeta, err)
}
atp.cas = atp.iterateCAS()
atp.accessToken = ""
atp.expires = time.Time{}
}
return atp.cas, logoutMeta, err
}
func (atp *UsernamePasswordSCIAccessTokenProvider) tokenValid() bool {
return atp.accessToken != "" && time.Now().Before(atp.expires)
}
func (*UsernamePasswordSCIAccessTokenProvider) iterateCAS() SCIAccessTokenCAS {
return SCIAccessTokenCAS(time.Now().UnixNano())
}
type SCIClientConfig struct {
// Address [required]
//
// Full address of service, including scheme and port
Address string
// PathPrefix [optional]
//
// Custom path prefix to prepend to all api calls. Default is to leave this blank.
PathPrefix string
// Debug [optional]
//
// Set to true to enable debug logging
Debug bool
// DisableAutoHydrate [bool]
//
// If true, response bodies will no longer automatically hydrated into the returned response models. This enables
// you to instead use the response models as Readers to receive the raw bytes of the response in favor of having
// then unmarshalled if you don't need it.
DisableAutoHydrate bool
// Logger [optional]
//
// Logger to use. Leave blank for no logging
Logger *log.Logger
// HTTPClient [optional]
HTTPClient *http.Client
// ServiceTicketProvider [required]
//
// ServiceTicketProvider to use to handle request auth session
AccessTokenProvider SCIAccessTokenProvider
// EventListener [optional]
//
// If defined, an event will be fired upon the completion of each request.
EventListener APIClientEventListener
}
type SCIClient struct {
*baseClient
atp SCIAccessTokenProvider
}
func NewSCIClient(config *SCIClientConfig) *SCIClient {
c := new(SCIClient)
c.baseClient = newBaseClient(config.Address, config.PathPrefix, config.Debug, config.DisableAutoHydrate, config.Logger, config.HTTPClient, config.EventListener)
c.atp = config.AccessTokenProvider
return c
}
func (c *SCIClient) AccessTokenProvider() SCIAccessTokenProvider {
return c.atp
}
func (c *SCIClient) SCI() *SCIService {
return NewSCIService(c)
}
func (c *SCIClient) Do(ctx context.Context, request *APIRequest, mutators ...RequestMutator) (*http.Response, time.Duration, error) {
var (
cas SCIAccessTokenCAS
accessToken string
err error
start = time.Now()
)
if request.Authenticated {
if cas, accessToken, err = c.atp.Current(); err != nil {
if c.debug {
c.log.Printf("Error fetching current access token: %v", err)
}
if !errors.Is(err, ErrAccessTokenRequiresRefresh) {
return nil, time.Now().Sub(start), err
}
// always invalidate, just in case...
if cas, _, err = c.atp.Invalidate(ctx, c, cas); err != nil {
if c.debug {
c.log.Printf("Error invalidating existing access token: %v", err)
}
}
if cas, _, err = c.atp.Refresh(ctx, c, cas); err != nil {
if c.debug {
c.log.Printf("Error refreshing access token: %v", err)
}
return nil, time.Now().Sub(start), err
} else if cas, accessToken, err = c.atp.Current(); err != nil {
if c.debug {
c.log.Printf("Error fetching current access token after refresh: %v", err)
}
return nil, time.Now().Sub(start), err
}
}
}
resp, err := c.do(ctx, request, SCIAccessTokenQueryParameter, accessToken, mutators...)
return resp, time.Now().Sub(start), err
}