Create Credential Provider for EntraID

Author: ofekshenawa

entra_id/credentials_provider.go

@@ -0,0 +1,57 @@
+package entra_id
+
+import (
+	"log"
+	"time"
+)
+
+// EntraIdIdentityProvider defines the interface for an identity provider
+type EntraIdIdentityProvider interface {
+	RequestToken(forceRefresh bool) (string, time.Duration, error)
+}
+
+// EntraIdCredentialsProvider manages credentials and token lifecycle
+type EntraIdCredentialsProvider struct {
+	tokenManager *TokenManager
+	isStreaming  bool
+}
+
+// NewEntraIdCredentialsProvider initializes a new credentials provider
+func NewEntraIdCredentialsProvider(idp EntraIdIdentityProvider, refreshInterval time.Duration, telemetryEnabled bool) *EntraIdCredentialsProvider {
+	refreshFunc := func() (string, time.Duration, error) {
+		return idp.RequestToken(false)
+	}
+
+	tokenManager := NewTokenManager(refreshFunc, refreshInterval, telemetryEnabled)
+
+	return &EntraIdCredentialsProvider{
+		tokenManager: tokenManager,
+		isStreaming:  false,
+	}
+}
+
+// GetCredentials retrieves the current token or refreshes it if needed
+func (cp *EntraIdCredentialsProvider) GetCredentials() (string, error) {
+	token, valid := cp.tokenManager.GetToken()
+	if !valid {
+		if err := cp.tokenManager.RefreshToken(); err != nil {
+			log.Printf("[EntraIdCredentialsProvider] Failed to refresh token: %v", err)
+			return "", err
+		}
+		token, _ = cp.tokenManager.GetToken()
+	}
+
+	// Start streaming if not already started
+	if !cp.isStreaming {
+		cp.tokenManager.StartAutoRefresh()
+		cp.isStreaming = true
+	}
+
+	return token, nil
+}
+
+// Stop stops the credentials provider and cleans up resources
+func (cp *EntraIdCredentialsProvider) Stop() {
+	cp.tokenManager.StopAutoRefresh()
+	log.Println("[EntraIdCredentialsProvider] Stopped and cleaned up resources.")
+}

entra_id/credentials_provider_test.go

@@ -0,0 +1,81 @@
+package entra_id_test
+
+import (
+	"errors"
+	"time"
+
+	. "github.com/bsm/ginkgo/v2"
+	. "github.com/bsm/gomega"
+	"github.com/go-redis/entra_id"
+)
+
+type MockEntraIdIdentityProvider struct {
+	Token string
+	TTL   time.Duration
+	Error error
+}
+
+func (m *MockEntraIdIdentityProvider) RequestToken(forceRefresh bool) (string, time.Duration, error) {
+	if m.Error != nil {
+		return "", 0, m.Error
+	}
+	return m.Token, m.TTL, nil
+}
+
+var _ = Describe("EntraIdCredentialsProvider", func() {
+	var (
+		provider    *entra_id.EntraIdCredentialsProvider
+		mockIDP     *MockEntraIdIdentityProvider
+		refreshRate time.Duration
+	)
+
+	BeforeEach(func() {
+		refreshRate = 1 * time.Minute
+		mockIDP = &MockEntraIdIdentityProvider{
+			Token: "mock-token",
+			TTL:   10 * time.Second,
+			Error: nil,
+		}
+		provider = entra_id.NewEntraIdCredentialsProvider(mockIDP, refreshRate, true)
+	})
+
+	AfterEach(func() {
+		provider.Stop()
+	})
+
+	Context("Initial Token Retrieval", func() {
+		It("should retrieve a valid token from the identity provider", func() {
+			token, err := provider.GetCredentials()
+			Expect(err).To(BeNil())
+			Expect(token).To(Equal("mock-token"))
+		})
+
+		It("should return an error if the identity provider fails", func() {
+			mockIDP.Error = errors.New("identity provider failure")
+			_, err := provider.GetCredentials()
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("identity provider failure"))
+		})
+	})
+
+	Context("Automatic Token Renewal", func() {
+		It("should automatically refresh the token when it expires", func() {
+			token, err := provider.GetCredentials()
+			Expect(err).To(BeNil())
+			Expect(token).To(Equal("mock-token"))
+
+			time.Sleep(11 * time.Second) // Wait for token expiry and auto-refresh
+
+			newToken, err := provider.GetCredentials()
+			Expect(err).To(BeNil())
+			Expect(newToken).To(Equal("mock-token")) // Mock still returns the same token
+		})
+	})
+
+	Context("Stop Streaming", func() {
+		It("should stop token renewal and clean up resources when Stop is called", func() {
+			provider.GetCredentials() // Start streaming
+			// Ensure no further actions or panics occur after stopping, the stopping ocuur in the AfterEach
+		})
+	})
+})

entra_id/entra_id_suite_test.go

@@ -0,0 +1,13 @@
+package entra_id_test
+
+import (
+	"testing"
+
+	. "github.com/bsm/ginkgo/v2"
+	. "github.com/bsm/gomega"
+)
+
+func TestEntraId(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "EntraId Suite")
+}

entra_id/go.mod

@@ -0,0 +1,13 @@
+module entra_id
+
+go 1.22.0
+
+toolchain go1.23.1
+
+replace github.com/go-redis/entra_id => ./
+
+require (
+	github.com/bsm/ginkgo/v2 v2.12.0
+	github.com/bsm/gomega v1.27.10
+	github.com/go-redis/entra_id v0.0.0-00010101000000-000000000000
+)

entra_id/go.sum

@@ -0,0 +1,4 @@
+github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
+github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
+github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
+github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=

entra_id/token_manager.go

@@ -0,0 +1,129 @@
+package entra_id
+
+import (
+	"log"
+	"sync"
+	"time"
+)
+
+type TokenManager struct {
+	token            string
+	expiresAt        time.Time
+	mutex            sync.Mutex
+	refreshFunc      func() (string, time.Duration, error)
+	stopChan         chan struct{}
+	refreshTicker    *time.Ticker
+	refreshInterval  time.Duration
+	telemetryEnabled bool
+}
+
+// NewTokenManager initializes a new TokenManager.
+func NewTokenManager(refreshFunc func() (string, time.Duration, error), refreshInterval time.Duration, telemetryEnabled bool) *TokenManager {
+	return &TokenManager{
+		refreshFunc:      refreshFunc,
+		stopChan:         make(chan struct{}),
+		refreshInterval:  refreshInterval,
+		telemetryEnabled: telemetryEnabled,
+	}
+}
+
+// SetToken updates the token and its expiration.
+func (tm *TokenManager) SetToken(token string, ttl time.Duration) {
+	tm.mutex.Lock()
+	defer tm.mutex.Unlock()
+	tm.token = token
+	tm.expiresAt = time.Now().Add(ttl)
+	log.Printf("[TokenManager] Token updated with TTL: %s", ttl)
+}
+
+// GetToken returns the current token if it's still valid.
+func (tm *TokenManager) GetToken() (string, bool) {
+	tm.mutex.Lock()
+	defer tm.mutex.Unlock()
+	if time.Now().After(tm.expiresAt) {
+		return "", false
+	}
+	return tm.token, true
+}
+
+// RefreshToken fetches a new token using the provided refresh function.
+func (tm *TokenManager) RefreshToken() error {
+	if tm.refreshFunc == nil {
+		return nil
+	}
+	token, ttl, err := tm.refreshFunc()
+	if err != nil {
+		log.Printf("[TokenManager] Failed to refresh token: %v", err)
+		return err
+	}
+	tm.SetToken(token, ttl)
+	log.Println("[TokenManager] Token refreshed successfully.")
+	return nil
+}
+
+// StartAutoRefresh starts a goroutine to proactively refresh the token.
+func (tm *TokenManager) StartAutoRefresh() {
+	tm.refreshTicker = time.NewTicker(tm.refreshInterval)
+	go func() {
+		for {
+			select {
+			case <-tm.refreshTicker.C:
+				if tm.shouldRefresh() {
+					log.Println("[TokenManager] Proactively refreshing token...")
+					if err := tm.RefreshToken(); err != nil {
+						log.Printf("[TokenManager] Error during token refresh: %v", err)
+					}
+				}
+			case <-tm.stopChan:
+				log.Println("[TokenManager] Stopping auto-refresh...")
+				return
+			}
+		}
+	}()
+}
+
+// StopAutoRefresh stops the auto-refresh goroutine and cleans up resources.
+func (tm *TokenManager) StopAutoRefresh() {
+	if tm.refreshTicker != nil {
+		tm.refreshTicker.Stop()
+	}
+	close(tm.stopChan)
+	log.Println("[TokenManager] Auto-refresh stopped and resources cleaned.")
+}
+
+// shouldRefresh determines if the token should be refreshed.
+func (tm *TokenManager) shouldRefresh() bool {
+	tm.mutex.Lock()
+	defer tm.mutex.Unlock()
+	remaining := time.Until(tm.expiresAt)
+
+	// Trigger refresh when less than 20% of TTL remains
+	return remaining < (tm.refreshInterval / 5)
+}
+
+// MonitorTelemetry adds monitoring for token usage and expiration.
+func (tm *TokenManager) MonitorTelemetry() {
+	if !tm.telemetryEnabled {
+		return
+	}
+
+	go func() {
+		ticker := time.NewTicker(30 * time.Second) // Adjust as needed
+		defer ticker.Stop()
+
+		for {
+			select {
+			case <-ticker.C:
+				_, valid := tm.GetToken()
+				if !valid {
+					log.Println("[TokenManager] Token has expired.")
+				} else {
+					log.Printf("[TokenManager] Token is valid: expires in %s", time.Until(tm.expiresAt))
+				}
+			case <-tm.stopChan:
+				log.Println("[TokenManager] Telemetry monitoring stopped.")
+				return
+			}
+		}
+	}()
+}