Feature/Enable composer to deploy to IAM-based IBM Cloud Functions namespaces (#70)

* first draft for enabling IAM

* refactored iam-specific code fragments; adjusted gitignore; added prettier

* several code changes and improvements

* added correct license header; tweaked travis build config

Co-authored-by: Enrico Regge <[email protected]>

Author: nbaudis

Diff for: .gitignore

@@ -1,2 +1,5 @@
 node_modules
 openwhisk
+
+package-lock.json
+demo.json

Diff for: .prettierrc.js

@@ -0,0 +1,23 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module.exports = {
+  singleQuote: true,
+  printWidth: 120,
+  semi: false,
+  trailingComma: 'none'
+};

Diff for: .travis.yml

@@ -17,21 +17,14 @@
 
 language: node_js
 node_js:
-  - 10
+  - 14
 services:
   - docker
-
-notifications:
-  email: false
-  webhooks:
-    urls:
-      # travis2slack webhook to enable DMs on openwhisk-team.slack.com to PR authors with TravisCI results
-      secure: "bv5wMNLWLTTwn02xUNGqOSVgDfU2ZzZ6dPHjeoLdkaCkeZYmT15FmXQ7GQ78Cql293Om35nZHc2t54Kxzyq+BWkfKZXo6oF60wxZjaHunipc/+F3CMi+QjFEU7IwMoGom9HFZsTfoYeVPcCaXGKuVD/DMZHfE9TI7kM3/XsDJO+DbHDMxdE7OZUx1lfSNwCIXQrGdQ1w2S4QDnfVbQwmzZXvdzYr0RdVp8jCC4TD5GKr0rP3YemWSlUOO91heAJL217EUlbUr2jcr90x/GRjcPOocX7TobSdxiynk64cKJOODKiacwhHMBICSEKOiMvUelah9hFmmq40wm/oqnJkBzD7SoHCr/P47WjHu8GVW1obGzCldPHKAxTHc0zBS31H10nwYLV7Fo/z7qM0AEwikT7oqHizZVf1U1ywggrBAFrSb/LJBgdSPa4iXPr6t1phUYc+dZX20a4deNyFiHdFaprMNhSiOY6/NgD1Z+4wTFUzVTW96FdinfnjGsdwV46WPP7a7v3wf+bag6+pnT0i6uLFXwUvBmyuvvRYFGKf8UsqIZ2aZKqHZzOLofgdnd8I/0HRPk42aq7GJ1pyA7MXpVnH7MLWyLKk1nNXrsWTdsn8INwox9JaQ3JiefjOovnPKaEWBa6qTfQALkk9uj2gLNsZvqTx3iKSQn747VFGlY0="
-
 env:
   global:
     - __OW_IGNORE_CERTS=true
     - REDIS=redis://172.17.0.1:6379
+    - IC_FN_CONFIG_FILE=./test/cf-plugin-config.json
 before_install:
   - ./travis/scancode.sh
 before_script:

Diff for: bin/deploy.js

@@ -46,7 +46,7 @@ if (argv._.length !== 2 || path.extname(argv._[1]) !== '.json') {
   console.error('  -A, --annotation-file KEY=FILE    add KEY annotation with FILE content')
   console.error('  --apihost HOST                    API HOST')
   console.error('  --apiversion VERSION              API VERSION')
-  console.error('  --basic                           force basic authentication')
+  console.error('  --basic                           force basic authentication. Note: this option can only be chosen for CF-based namespaces')
   console.error('  --bearer                          force bearer token authentication')
   console.error('  -i, --insecure                    bypass certificate checking')
   console.error('  --kind KIND                       the KIND of the conductor action runtime')

Diff for: client.js

@@ -22,17 +22,21 @@
 const conductor = require('./conductor')
 const fs = require('fs')
 const openwhisk = require('openwhisk')
+const ibmcloudUtils = require('./ibmcloud-utils')
 const os = require('os')
 const path = require('path')
 
+const NS_TYPE_CF = 'CF'
+const NS_TYPE_IAM = 'IAM'
+
 // return enhanced openwhisk client capable of deploying compositions
 module.exports = function (options, basic, bearer) {
   // try to extract apihost and key first from whisk property file file and then from process.env
   let apihost
   let apiversion
   let apikey
   let ignorecerts
-  let namespace = '_'
+  let namespace = ibmcloudUtils.getNamespaceId()
   let token
   let authHandler
 
@@ -49,31 +53,77 @@ module.exports = function (options, basic, bearer) {
           apiversion = parts[1]
         } else if (parts[0] === 'AUTH') {
           apikey = parts[1]
-        } else if (parts[0] === 'NAMESPACE') {
-          namespace = parts[1]
         } else if (parts[0] === 'APIGW_ACCESS_TOKEN') {
           token = parts[1]
         }
       }
     }
-  } catch (error) { }
+  } catch (error) {}
 
   if (process.env.__OW_API_HOST) apihost = process.env.__OW_API_HOST
   if (process.env.__OW_API_KEY) apikey = process.env.__OW_API_KEY
   if (process.env.__OW_NAMESPACE) namespace = process.env.__OW_NAMESPACE
   if (process.env.__OW_IGNORE_CERTS) ignorecerts = process.env.__OW_IGNORE_CERTS
   if (process.env.__OW_APIGW_TOKEN) token = process.env.__OW_APIGW_TOKEN
 
-  if (bearer || (!basic && namespace !== '_')) {
-    // switch from basic auth to bearer token
+  // check whether there is a CLI argument that overrides the API key retrieved from the config or env
+  if (options && options.api_key) apikey = options.api_key
+
+  // retrieve the namespace type
+  // we need to apply different authentication strategies for CF and IAM
+  const namespaceType = ibmcloudUtils.getNamespaceType()
+
+  //
+  // check for IAM-based namespaces, first
+  if (namespaceType === NS_TYPE_IAM) {
+    // for authentication, we'll use the user IAM access token
+    const iamToken = ibmcloudUtils.getIamAuthHeader()
+
+    // define an appropriate authentication handler for IAM
     authHandler = {
       getAuthHeader: () => {
-        return Promise.resolve(`Bearer ${token}`)
+        // use bearer token for IAM authentication
+        return Promise.resolve(iamToken)
       }
     }
+
+    // ignore the API key value, in case of an IAM-based namespace
+    apikey = undefined
+
+    //
+    // in case of CF-based namespaces, the user can opt-in for using bearer token authentication instead of using the default basic authentication
+  } else if (namespaceType === NS_TYPE_CF) {
+    if (bearer && !basic) {
+      // switch from basic auth to bearer token
+      authHandler = {
+        getAuthHeader: () => {
+          return Promise.resolve(`Bearer ${token}`)
+        }
+      }
+    } else if (apikey) {
+      // use basic auth
+      authHandler = {
+        getAuthHeader: () => {
+          const apiKeyBase64 = Buffer.from(apikey).toString('base64')
+          return Promise.resolve(`Basic ${apiKeyBase64}`)
+        }
+      }
+    }
+  }
+
+  const namespaceDisplayName = namespace || '_'
+
+  console.log(`deploying to ${namespaceType}-based namespace '${namespaceDisplayName}' ...`)
+
+  if (!authHandler) {
+    throw new Error(
+      `Failed to determine the authentication strategy for the ${namespaceType}-based namespace '${namespaceDisplayName}'`
+    )
   }
 
-  const wsk = openwhisk(Object.assign({ apihost, apiversion, api_key: apikey, auth_handler: authHandler, namespace, ignore_certs: ignorecerts }, options))
+  const wsk = openwhisk(
+    Object.assign({ apihost, apiversion, auth_handler: authHandler, namespace, ignore_certs: ignorecerts }, options)
+  )
   wsk.compositions = new Compositions(wsk)
   return wsk
 }
@@ -90,9 +140,17 @@ class Compositions {
       return Object.assign({}, action, httpOptions)
     }
 
-    const actions = (composition.actions || []).concat(conductor.generate(composition, debug, kind, timeout, memory, logs)).map(addHttpOptions)
-    return actions.reduce((promise, action) => promise.then(() => overwrite && this.actions.delete(action).catch(() => { }))
-      .then(() => this.actions.create(action)), Promise.resolve())
+    const actions = (composition.actions || [])
+      .concat(conductor.generate(composition, debug, kind, timeout, memory, logs))
+      .map(addHttpOptions)
+    return actions
+      .reduce(
+        (promise, action) =>
+          promise
+            .then(() => overwrite && this.actions.delete(action).catch(() => {}))
+            .then(() => this.actions.create(action)),
+        Promise.resolve()
+      )
       .then(() => actions)
   }
 }

Diff for: ibmcloud-utils.js

@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+'use strict'
+
+const fs = require('fs')
+const os = require('os')
+const path = require('path')
+
+const getCloudFunctionsConfig = () => {
+  try {
+    // read the ibm cloud functions cli config file
+    const ibmCloudFunctionsPropsPath =
+      process.env.IC_FN_CONFIG_FILE || path.join(os.homedir(), '.bluemix/plugins/cloud-functions/config.json')
+    const ibmCloudFunctionsConfig = JSON.parse(fs.readFileSync(ibmCloudFunctionsPropsPath, { encoding: 'utf8' }))
+
+    return ibmCloudFunctionsConfig
+  } catch (error) {
+    console.error('Could not open ibmcloud functions plugin config')
+    throw error
+  }
+}
+
+const getNamespaceType = () => {
+  return getCloudFunctionsConfig().WskCliNamespaceMode
+}
+
+const getNamespaceId = () => {
+  return getCloudFunctionsConfig().WskCliNamespaceId
+}
+
+/**
+ * return a Apache OpenWhisk Client SDK for JavaScript compliant authentication header token,
+ * which can be used within a custom authentication handler
+ * see https://github.com/apache/openwhisk-client-js#using-3rd-party-authentication-handler
+ * for further details
+ */
+const getIamAuthHeader = () => {
+  // for authentication, we'll use the user IAM access token
+  let iamToken
+  try {
+    // read the IAM Access token from the ibm cloud config file
+    const ibmCloudPropsPath = process.env.IC_CONFIG_FILE || path.join(os.homedir(), '.bluemix/config.json')
+    const ibmCloudConfig = JSON.parse(fs.readFileSync(ibmCloudPropsPath, { encoding: 'utf8' }))
+
+    iamToken = ibmCloudConfig.IAMToken
+  } catch (error) {
+    console.error('Could not open ibmcloud config')
+    throw error
+  }
+
+  // return an object that provides a getAuthHeader function to comply with the authentication handler interface
+  // required by OpenWhisk Client SDK for JavaScript
+  return iamToken
+}
+
+module.exports = {
+  getIamAuthHeader,
+  getNamespaceType,
+  getNamespaceId
+}

Diff for: test/cf-plugin-config.json

@@ -0,0 +1,3 @@
+{
+  "WskCliNamespaceMode": "CF"
+}