Add ServicePrincipalAuthManager

Author: neelmehta247

.gitlab-ci.yml

@@ -1,4 +1,4 @@
 include:
   - project: 'devplat-pr-32/gitlab-central'
-    ref: '738bbbe05f297917a13f00438750d15b6d4303d9'
+    ref: 'c4fa68ec4048428bbc5dff3a40e1b5227b8c5e9e'
     file: '/splunk-cloud-sdk-python/.gitlab-ci.yml'

requirements.txt

@@ -2,9 +2,9 @@ asn1crypto==0.24.0
 atomicwrites==1.3.0
 attrs==19.1.0
 certifi==2019.3.9
-coverage==4.5.3
 cffi==1.12.3
 chardet==3.0.4
+coverage==4.5.3
 cryptography==2.6.1
 entrypoints==0.3
 flake8==3.7.7
@@ -16,6 +16,7 @@ py==1.8.0
 pycodestyle==2.5.0
 pycparser==2.19
 pyflakes==2.1.1
+PyJWT==1.7.1
 pytest==4.5.0
 pytest-asyncio==0.10.0
 requests==2.22.0

splunk_sdk/auth/__init__.py

@@ -1,2 +1,2 @@
-from splunk_sdk.auth.auth_manager import AuthManager, PKCEAuthManager, ClientAuthManager, TokenAuthManager
-
+from splunk_sdk.auth.auth_manager import AuthManager, PKCEAuthManager, ClientAuthManager, TokenAuthManager, \
+    ServicePrincipalAuthManager

splunk_sdk/auth/auth_manager.py

@@ -12,10 +12,12 @@
 import base64
 import hashlib
 import json
+import jwt
 import os
 import urllib
 import time
-from datetime import datetime
+import uuid
+from datetime import datetime, timezone, timedelta
 from abc import ABC, abstractmethod
 from typing import Optional
 
@@ -428,6 +430,7 @@ def __init__(self, access_token, token_type='Bearer', expires_in=None,
     def authenticate(self) -> AuthContext:
         return self._context
 
+
 class RefreshTokenAuthManager(AuthManager):
     def __init__(self, client_id, refresh_token, host, scope="openid", requests_hooks=None):
         super().__init__(host, client_id, requests_hooks=requests_hooks)
@@ -448,3 +451,47 @@ def authenticate(self):
 
         response = self._post_token(**data)
         return AuthContext(**response.json())
+
+
+class ServicePrincipalAuthManager(AuthManager):
+    def __init__(self, host, principal_name, key, kid, algorithm="ES256", **kwargs):
+        """
+        Creates an AuthManager that uses Service Principals to authenticate.
+
+        principal_name is the principal_name of the authenticating service principal
+        key is the PEM formatted private key registered with the service principal
+        kid is the key_id of `key`
+        algorithm is the algorithm that generated `key`
+        """
+        super().__init__(host=host, client_id=None, **kwargs)
+        self._principal_name = principal_name
+        self._key = key
+        self._kid = kid
+        self._algorithm = algorithm
+
+    def authenticate(self):
+        """Authenticate using the "client assertion" flow."""
+        if not self._principal_name:
+            raise ValueError("missing principal_name")
+        if not self._key:
+            raise ValueError("missing key")
+        if not self._kid:
+            raise ValueError("missing kid")
+        if not self._algorithm:
+            raise ValueError("missing algorithm")
+
+        # Client assertion expires in 10 minutes
+        ten_minutes_from_now = datetime.now(timezone.utc) + timedelta(minutes=10)
+        jwt_payload = {"sub": self._principal_name, "iss": self._principal_name, "jti": str(uuid.uuid4()),
+                       "exp": int(ten_minutes_from_now.timestamp()), "aud": [self._url(PATH_TOKEN)]}
+
+        client_assertion = jwt.encode(payload=jwt_payload, key=self._key, algorithm=self._algorithm,
+                                      headers={"kid": self._kid})
+
+        data = {"grant_type": "client_credentials", "client_assertion": client_assertion.decode("utf-8"),
+                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"}
+
+        response = self._post_token(**data)
+        if response.status_code != 200:
+            raise AuthnError("Unable to authenticate. Check credentials.", response)
+        return AuthContext(**response.json())

test/auth/test_auth_manager.py

@@ -10,6 +10,7 @@
 from splunk_sdk.auth import PKCEAuthManager, ClientAuthManager
 from test.fixtures import get_auth_manager as pkce_auth_manager  # NOQA
 from test.fixtures import get_client_auth_manager as client_auth_manager  # NOQA
+from test.fixtures import get_service_principal_auth_manager as service_principal_auth_manager  # NOQA
 
 
 @pytest.mark.usefixtures('pkce_auth_manager')  # NOQA
@@ -180,11 +181,48 @@ def _assert_pkce_auth_context(auth_context):
     assert ('email' in auth_context.scope)
 
 
-def _assert_client_credentials_auth_context(auth_context):
+def _assert_client_credentials_auth_context(auth_context, expires_in=43200):
     assert (auth_context is not None)
     assert (auth_context.access_token is not None)
     # assert(auth_context.id_token is None)
-    assert (auth_context.expires_in == 43200)
+    assert (auth_context.expires_in == expires_in)
     assert (auth_context.token_type == 'Bearer')
     assert (auth_context.refresh_token is None)
     assert (auth_context.scope == 'client_credentials')
+
+
+def _assert_sp_credentials_auth_context(auth_context):
+    _assert_client_credentials_auth_context(auth_context, 3600)
+
+
+@pytest.mark.usefixtures('service_principal_auth_manager')  # NOQA
+def test_sp_authenticate(service_principal_auth_manager):
+    auth_context = service_principal_auth_manager.authenticate()
+    _assert_sp_credentials_auth_context(auth_context)
+
+
+@pytest.mark.usefixtures('service_principal_auth_manager')  # NOQA
+def test_sp_token_authenticate(service_principal_auth_manager):
+    auth_context = service_principal_auth_manager.authenticate()
+    _assert_sp_credentials_auth_context(auth_context)
+
+    # use existing token from auth_context
+    token_mgr = TokenAuthManager(access_token=auth_context.access_token,
+                                 token_type=auth_context.token_type,
+                                 expires_in=auth_context.expires_in,
+                                 scope=auth_context.scope,
+                                 id_token=auth_context.id_token,
+                                 refresh_token=auth_context.refresh_token)
+
+    new_auth_context = token_mgr.authenticate()
+    assert (auth_context.access_token == new_auth_context.access_token)
+    assert (auth_context.token_type == new_auth_context.token_type)
+    assert (auth_context.expires_in == new_auth_context.expires_in)
+    assert (auth_context.scope == new_auth_context.scope)
+    assert (auth_context.id_token == new_auth_context.id_token)
+    assert (auth_context.refresh_token == new_auth_context.refresh_token)
+
+    context = Context(host=os.environ.get("SPLUNK_HOST"), tenant=os.environ.get("SPLUNK_TENANT"))
+    base_client = BaseClient(context=context, auth_manager=token_mgr)
+    idc = IdentityAndAccessControl(base_client)
+    assert (idc.validate_token().name.lower() == os.environ.get("SPLUNK_APP_PRINCIPAL_NAME").lower())

test/fixtures.py

@@ -13,7 +13,7 @@
 import pytest
 import sys
 
-from splunk_sdk.auth import ClientAuthManager, PKCEAuthManager
+from splunk_sdk.auth import ClientAuthManager, PKCEAuthManager, ServicePrincipalAuthManager
 from splunk_sdk.common.context import Context
 from splunk_sdk.base_client import get_client
 
@@ -139,6 +139,13 @@ def get_client_auth_manager():
     return auth_manager
 
 
+@pytest.fixture(scope='session')
+def get_service_principal_auth_manager():
+    auth_manager = _get_principal_manager()
+    assert (auth_manager is not None)
+    return auth_manager
+
+
 def _get_pkce_manager():
     return PKCEAuthManager(host=os.environ.get('SPLUNK_AUTH_HOST'),
                            client_id=os.environ.get('SPLUNK_APP_CLIENT_ID'),
@@ -154,3 +161,11 @@ def _get_client_manager():
                              client_secret=os.environ.get(
                                  'SPLUNK_APP_CLIENT_CRED_SECRET'),
                              scope=os.environ.get('SPLUNK_SCOPE'))
+
+
+def _get_principal_manager():
+    return ServicePrincipalAuthManager(host=os.environ.get('SPLUNK_AUTH_HOST'),
+                                       principal_name=os.environ.get('SPLUNK_APP_PRINCIPAL_NAME'),
+                                       key=os.environ.get('SPLUNK_APP_PRINCIPAL_PRIVATE_KEY'),
+                                       kid=os.environ.get('SPLUNK_APP_PRINCIPAL_KEY_ID'),
+                                       algorithm=os.environ.get('SPLUNK_APP_PRINCIPAL_KEY_ALG'))

test/test_base_client.py

@@ -12,9 +12,10 @@
 import pytest
 
 from test.auth.test_auth_manager import \
-    _assert_client_credentials_auth_context, _assert_pkce_auth_context  # NOQA
+    _assert_client_credentials_auth_context, _assert_pkce_auth_context, _assert_sp_credentials_auth_context  # NOQA
 from test.fixtures import get_auth_manager as pkce_auth_manager  # NOQA
 from test.fixtures import get_client_auth_manager as client_auth_manager  # NOQA
+from test.fixtures import get_service_principal_auth_manager as service_principal_auth_manager  # NOQA
 from splunk_sdk.common.context import Context
 from splunk_sdk.base_client import BaseClient
 from splunk_sdk.identity import Identity as IdentityAndAccessControl
@@ -83,3 +84,14 @@ def test_base_client_instance_with_client_auth(client_auth_manager):
     assert (default_config is not None)
     assert (base_client is not None)
     _assert_client_credentials_auth_context(base_client.auth_manager.context)
+
+
+@pytest.mark.usefixtures("service_principal_auth_manager")  # NOQA
+def test_base_client_instance_with_sp_auth(service_principal_auth_manager):
+    """Get a base client with a context and a client auth manager."""
+    default_config = Context()
+    base_client = BaseClient(context=default_config,
+                             auth_manager=service_principal_auth_manager)
+    assert (default_config is not None)
+    assert (base_client is not None)
+    _assert_sp_credentials_auth_context(base_client.auth_manager.context)

tox.ini

@@ -18,6 +18,10 @@ passenv = SPLUNK_AUTH_HOST
           SPLUNK_SCOPE
           SPLUNK_REDIRECT_URL
           SPLUNK_DEBUG
+          SPLUNK_APP_PRINCIPAL_NAME
+          SPLUNK_APP_PRINCIPAL_PRIVATE_KEY
+          SPLUNK_APP_PRINCIPAL_KEY_ID
+          SPLUNK_APP_PRINCIPAL_KEY_ALG
           ARTIFACT_USERNAME
           ARTIFACT_PASSWORD
           ARTIFACTORY_NPM_REGISTRY