Added session token based authentication

Added session token based authentication

Added capability to use Session Token based authentication:
  NewSessionTokenSignatureProvider
  NewSessionTokenSignatureProviderFromFile

Cloud only: added support to read region from system environment variable
  OCI_REGION if using user principal or session token authentication

Minor code formatting cleanup from `go fmt`

Author: connelly38

CHANGELOG.md

@@ -3,6 +3,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## Unreleased
+
+### Added
+
+- Added capability to use Session Token based authentication:
+     * NewSessionTokenSignatureProvider
+     * NewSessionTokenSignatureProviderFromFile
+- Cloud only: added support to read region from system environment variable
+  OCI_REGION if using user principal or session token authentication
+
 ## 1.4.1 - 2023-08-21
 
 ### Added

internal/test/cloudsim_config.json

@@ -1,8 +1,9 @@
 {
- "version": "21.2.19",
+ "version": "22.4.10",
  "tablePrefix": "Go",
  "reCreateTables": true,
  "verbose": true,
+ "serialVersion": 0,
  "dropTablesOnTearDown": true,
  "clientConfig": {
    "mode": "cloudsim",

nosqldb/auth/iam/configuration.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -21,11 +22,12 @@ type ConfigurationProvider interface {
 	UserOCID() (string, error)
 	KeyFingerprint() (string, error)
 	Region() (string, error)
+	SecurityTokenFile() (string, error)
 }
 
 // IsConfigurationProviderValid Tests all parts of the configuration provider do not return an error
 func IsConfigurationProviderValid(conf ConfigurationProvider) (ok bool, err error) {
-	baseFn := []func() (string, error){conf.TenancyOCID, conf.UserOCID, conf.KeyFingerprint, conf.KeyID}
+	baseFn := []func() (string, error){conf.TenancyOCID, conf.KeyFingerprint, conf.KeyID}
 	for _, fn := range baseFn {
 		_, err = fn()
 		ok = err == nil
@@ -39,6 +41,20 @@ func IsConfigurationProviderValid(conf ConfigurationProvider) (ok bool, err erro
 	if err != nil {
 		return
 	}
+
+	// if using session token, user is not required
+	sFile, err := conf.SecurityTokenFile()
+	if err == nil && sFile != "" {
+		return true, nil
+	}
+
+	// otherwise user ocid is required
+	_, err = conf.UserOCID()
+	ok = err == nil
+	if err != nil {
+		return
+	}
+
 	return true, nil
 }
 
@@ -99,6 +115,10 @@ func (p rawConfigurationProvider) UserOCID() (string, error) {
 	return p.user, nil
 }
 
+func (p rawConfigurationProvider) SecurityTokenFile() (string, error) {
+	return "", fmt.Errorf("RawConfigurationProvider does not support SecurityTokenFile")
+}
+
 func (p rawConfigurationProvider) KeyFingerprint() (string, error) {
 	if p.fingerprint == "" {
 		return "", fmt.Errorf("fingerprint can not be empty")
@@ -150,8 +170,8 @@ func ConfigurationProviderFromFileWithProfile(configFilePath, profile, privateKe
 }
 
 type configFileInfo struct {
-	UserOcid, Fingerprint, KeyFilePath, TenancyOcid, Region, Passphrase string
-	PresentConfiguration                                                byte
+	UserOcid, Fingerprint, KeyFilePath, TenancyOcid, Region, Passphrase, SecurityTokenFile string
+	PresentConfiguration                                                                   byte
 }
 
 const (
@@ -161,6 +181,7 @@ const (
 	hasRegion
 	hasKeyFile
 	hasPassphrase
+	hasSecurityTokenFile
 	none
 )
 
@@ -216,6 +237,9 @@ func parseConfigAtLine(start int, content []string) (info *configFileInfo, err e
 		case "tenancy":
 			configurationPresent = configurationPresent | hasTenancy
 			info.TenancyOcid = value
+		case "security_token_file":
+			configurationPresent = configurationPresent | hasSecurityTokenFile
+			info.SecurityTokenFile = value
 		case "region":
 			configurationPresent = configurationPresent | hasRegion
 			info.Region = value
@@ -241,6 +265,23 @@ func openConfigFile(configFilePath string) (data []byte, err error) {
 	return
 }
 
+func readTokenFromFile(tokenFilePath string) (string, error) {
+	expandedPath, err := sdkutil.ExpandPath(tokenFilePath)
+	if err != nil {
+		err = fmt.Errorf("can not read token file: %s due to: %s", tokenFilePath, err.Error())
+		return "", err
+	}
+
+	data, err := ioutil.ReadFile(expandedPath)
+	if err != nil {
+		err = fmt.Errorf("can not read token file: %s due to: %s", tokenFilePath, err.Error())
+		return "", err
+	}
+
+	token := strings.Replace(string(data), "\r\n", "", -1)
+	return strings.Replace(token, "\n", "", -1), nil
+}
+
 func (p fileConfigurationProvider) String() string {
 	return fmt.Sprintf("Configuration provided by file: %s", p.ConfigPath)
 }
@@ -286,6 +327,18 @@ func (p fileConfigurationProvider) TenancyOCID() (value string, err error) {
 	return
 }
 
+func (p fileConfigurationProvider) SecurityTokenFile() (value string, err error) {
+	info, err := p.readAndParseConfigFile()
+	if err != nil {
+		err = fmt.Errorf("can not read security token configuration due to: %s", err.Error())
+		return
+	}
+
+	value, err = presentOrError(info.SecurityTokenFile, hasSecurityTokenFile,
+		info.PresentConfiguration, "security_token_file")
+	return
+}
+
 func (p fileConfigurationProvider) UserOCID() (value string, err error) {
 	info, err := p.readAndParseConfigFile()
 	if err != nil {
@@ -312,11 +365,22 @@ func (p fileConfigurationProvider) ExpirationTime() time.Time {
 	return time.Now().Add(24 * time.Hour)
 }
 
-func (p fileConfigurationProvider) KeyID() (keyID string, err error) {
+func (p fileConfigurationProvider) KeyID() (string, error) {
 	info, err := p.readAndParseConfigFile()
 	if err != nil {
 		err = fmt.Errorf("can not read tenancy configuration due to: %s", err.Error())
-		return
+		return "", err
+	}
+
+	// SecurityTokenFile providers return different format for KeyID
+	sFile, err := p.SecurityTokenFile()
+	if sFile != "" && err == nil {
+		// open/read file, return "ST$" + value (minus newlines)
+		token, err := readTokenFromFile(sFile)
+		if err != nil {
+			return "", err
+		}
+		return "ST$" + token, nil
 	}
 
 	return fmt.Sprintf("%s/%s/%s", info.TenancyOcid, info.UserOcid, info.Fingerprint), nil
@@ -365,7 +429,11 @@ func (p fileConfigurationProvider) Region() (value string, err error) {
 
 	value, err = presentOrError(info.Region, hasRegion, info.PresentConfiguration, "region")
 	if err != nil {
-		return
+		// Attempt to read region from environment variable
+		value = os.Getenv("OCI_REGION")
+		if value == "" {
+			return
+		}
 	}
 
 	return canStringBeRegion(value)
@@ -379,3 +447,24 @@ func canStringBeRegion(stringRegion string) (region string, err error) {
 	}
 	return stringRegion, nil
 }
+
+func SessionTokenProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword string) (ConfigurationProvider, error) {
+	if profile == "" {
+		profile = "DEFAULT"
+	}
+	provider, err := ConfigurationProviderFromFileWithProfile(configFilePath, profile, privateKeyPassword)
+	if err != nil {
+		return nil, err
+	}
+	// verify that the config specifies a security token file
+	_, err = provider.SecurityTokenFile()
+	if err != nil {
+		return nil, err
+	}
+	// read the session token file, verify it has contents
+	_, err = provider.KeyID()
+	if err != nil {
+		return nil, err
+	}
+	return provider, nil
+}

nosqldb/auth/iam/configuration_test.go

@@ -19,6 +19,7 @@ var (
 	tkeyfile           = "somelocation"
 	ttenancy           = "sometenancy"
 	tregion            = "someregion"
+	tsessionfile       = "somesessionfile"
 	testPrivateKeyConf = `-----BEGIN RSA PRIVATE KEY-----
 MIICXgIBAAKBgQDCFENGw33yGihy92pDjZQhl0C36rPJj+CvfSC8+q28hxA161QF
 NUd13wuCTUcq0Qd2qsBe/2hFyc2DCJJg0h1L78+6Z4UMR7EOcpfdUE9Hf3m/hs+F
@@ -65,6 +66,14 @@ ufFtnLEj/5G9a8A//MFrXsXePUeBDEzjtEcjPGNxe0ZkuOgYx11Zc0R4oLI7LoHO
 07vtw4qCH4hztCJ5+JOUac6sGcILFRc4vSQQ15Cg5QEdBiSbQ/yo1P0hbNtSvnwO
 -----END RSA PRIVATE KEY-----`
 	testKeyPassphrase = "goisfun"
+	testSecurityToken = `bKbv8X2oyfxwp55w3MVKj1bfWnhvQgyqJ/1dER53STao3qRS26epRoBc0BoLtrNj
+L+Wfa3NeuEinetDYKRwWGHZqvbs/3PD5OKIXW1y/EAlg1vr6JWX8KxhQ0PzGJOdQ
+KPcB2duDtlNJ4awoGEsSp/qYyJLKOKpcz893OWTe3Oi9aQpzuL+kgH6VboCUdwdl
+Ub7YyTMFBkGzzjOXV/iSJDaxvVUIZt7CQS/DkBq4IHXX8iFUDzh6L297/BuRp3Q8
+9ydxmHQjNNtyH+RceZFn07IkWvPveo2BXpK4K9DXE39Z/g1nQzwTqgN8diXxwRuN
+Ge97lBWup4vP1TV8nyHW2AppgFVuPynO+XWfZUuCUzxNseB+XOyeqitoM4uvSNax
+DQmokjIf4qXC/46EnJ/fd9Ydz4GVQ4TYyxwNCBJK39RdUOcUtyI+A3IbZ+vt2HIV`
+	testSessionKeyID = "ST$bKbv8X2oyfxwp55w3MVKj1bfWnhvQgyqJ/1dER53STao3qRS26epRoBc0BoLtrNjL+Wfa3NeuEinetDYKRwWGHZqvbs/3PD5OKIXW1y/EAlg1vr6JWX8KxhQ0PzGJOdQKPcB2duDtlNJ4awoGEsSp/qYyJLKOKpcz893OWTe3Oi9aQpzuL+kgH6VboCUdwdlUb7YyTMFBkGzzjOXV/iSJDaxvVUIZt7CQS/DkBq4IHXX8iFUDzh6L297/BuRp3Q89ydxmHQjNNtyH+RceZFn07IkWvPveo2BXpK4K9DXE39Z/g1nQzwTqgN8diXxwRuNGe97lBWup4vP1TV8nyHW2AppgFVuPynO+XWfZUuCUzxNseB+XOyeqitoM4uvSNaxDQmokjIf4qXC/46EnJ/fd9Ydz4GVQ4TYyxwNCBJK39RdUOcUtyI+A3IbZ+vt2HIV"
 )
 
 func removeFileFn(filename string) {
@@ -86,15 +95,17 @@ key_file=somelocation
 tenancy=sometenancy
 compartment = somecompartment
 region=someregion
+security_token_file=somesessionfile
 `
 	c, e := parseConfigFile([]byte(data), "DEFAULT")
 
 	assert.NoError(t, e)
-	assert.Equal(t, c.UserOcid, tuser)
-	assert.Equal(t, c.Fingerprint, tfingerprint)
-	assert.Equal(t, c.KeyFilePath, tkeyfile)
-	assert.Equal(t, c.TenancyOcid, ttenancy)
-	assert.Equal(t, c.Region, tregion)
+	assert.Equal(t, tuser, c.UserOcid)
+	assert.Equal(t, tfingerprint, c.Fingerprint)
+	assert.Equal(t, tkeyfile, c.KeyFilePath)
+	assert.Equal(t, ttenancy, c.TenancyOcid)
+	assert.Equal(t, tregion, c.Region)
+	assert.Equal(t, tsessionfile, c.SecurityTokenFile)
 }
 
 func TestFileConfigurationProvider_ParseEmptyFile(t *testing.T) {
@@ -303,6 +314,108 @@ region=someregion
 	assert.NotEmpty(t, keyID)
 }
 
+
+func TestSessionConfigurationProvider_FromFileFn(t *testing.T) {
+	dataTpl := `[DEFAULT]
+user=someuser
+fingerprint=somefingerprint
+key_file=%s
+security_token_file=%s
+tenancy=sometenancy
+region=someregion
+`
+
+	keyFile := writeTempFile(testPrivateKeyConf)
+	tokenFile := writeTempFile(testSecurityToken)
+	data := fmt.Sprintf(dataTpl, keyFile, tokenFile)
+	tmpConfFile := writeTempFile(data)
+
+	defer removeFileFn(tmpConfFile)
+	defer removeFileFn(keyFile)
+	defer removeFileFn(tokenFile)
+
+	c, e0 := SessionTokenProviderFromFileWithProfile(tmpConfFile, "", "")
+	assert.NoError(t, e0)
+	assert.NotNil(t, c)
+	rskey, e := c.PrivateRSAKey()
+	keyID, e1 := c.KeyID()
+	tFile, e2 := c.SecurityTokenFile()
+	assert.NoError(t, e)
+	assert.NotEmpty(t, rskey)
+	assert.NoError(t, e1)
+	assert.Equal(t, testSessionKeyID, keyID)
+	assert.NoError(t, e2)
+	assert.Equal(t, tokenFile, tFile)
+}
+
+func TestSessionTokenSignatureProvider_FromFileFn(t *testing.T) {
+	dataTpl := `[DEFAULT]
+user=someuser
+fingerprint=somefingerprint
+key_file=%s
+security_token_file=%s
+tenancy=sometenancy
+region=someregion
+`
+
+	keyFile := writeTempFile(testPrivateKeyConf)
+	tokenFile := writeTempFile(testSecurityToken)
+	data := fmt.Sprintf(dataTpl, keyFile, tokenFile)
+	tmpConfFile := writeTempFile(data)
+
+	defer removeFileFn(tmpConfFile)
+	defer removeFileFn(keyFile)
+	defer removeFileFn(tokenFile)
+
+	c, e0 := NewSessionTokenSignatureProviderFromFile(tmpConfFile, "", "")
+	assert.NoError(t, e0)
+	assert.NotNil(t, c)
+}
+
+func TestSessionConfigurationProvider_MissingToken(t *testing.T) {
+	// note missing "security_token_file" field
+	dataTpl := `[DEFAULT]
+user=someuser
+fingerprint=somefingerprint
+key_file=%s
+tenancy=sometenancy
+region=someregion
+`
+
+	keyFile := writeTempFile(testPrivateKeyConf)
+	data := fmt.Sprintf(dataTpl, keyFile)
+	tmpConfFile := writeTempFile(data)
+
+	defer removeFileFn(tmpConfFile)
+	defer removeFileFn(keyFile)
+
+	c, e0 := SessionTokenProviderFromFileWithProfile(tmpConfFile, "", "")
+	assert.Error(t, e0)
+	assert.Nil(t, c)
+}
+
+func TestSessionConfigurationProvider_BadTokenFile(t *testing.T) {
+	dataTpl := `[DEFAULT]
+user=someuser
+fingerprint=somefingerprint
+key_file=%s
+security_token_file=gibberish
+tenancy=sometenancy
+region=someregion
+`
+
+	keyFile := writeTempFile(testPrivateKeyConf)
+	data := fmt.Sprintf(dataTpl, keyFile)
+	tmpConfFile := writeTempFile(data)
+
+	defer removeFileFn(tmpConfFile)
+	defer removeFileFn(keyFile)
+
+	c, e0 := SessionTokenProviderFromFileWithProfile(tmpConfFile, "", "")
+	assert.Error(t, e0)
+	assert.Nil(t, c)
+}
+
 func TestFileConfigurationProvider_FromFileAndProfile(t *testing.T) {
 	dataTpl := `[DEFAULT]
 user=someuser

nosqldb/auth/iam/federation_client.go

@@ -655,7 +655,7 @@ func newInstancePrincipalToken(tokenString string) (newToken securityToken, err
 	if jwtToken, err = parseJwt(tokenString); err != nil {
 		return nil, fmt.Errorf("failed to parse the token string \"%s\": %s", tokenString, err.Error())
 	}
-	newToken = &instancePrincipalToken{tokenString, jwtToken};
+	newToken = &instancePrincipalToken{tokenString, jwtToken}
 	if !newToken.Valid() {
 		return nil, fmt.Errorf("Expired or invalid token string \"%s\"", tokenString)
 	}