[Feature] Implement U2M Authentication in the Go SDK #1108
Conversation
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
credentials/cache/file.go
Outdated
| tokenCacheVersion = 1 | ||
| ) | ||
|
|
||
| var ErrNotConfigured = errors.New("databricks OAuth is not configured for this host") |
credentials/cache/file.go
Outdated
| ) | ||
|
|
||
| const ( | ||
| // where the token cache is stored |
There was a problem hiding this comment.
I realize you didn't write these comments. Though, let's remain consistent by writing them as full sentences (with majuscule and period). Ref: https://go.dev/wiki/CodeReviewComments#comment-sentences
credentials/cache/file.go
Outdated
| // format versioning leaves some room for format improvement | ||
| tokenCacheVersion = 1 |
There was a problem hiding this comment.
Maybe explain a little more what problem this is solving? It's not super clear from looking at this definition.
httpclient/oauth_token.go
Outdated
| // https://datatracker.ietf.org/doc/html/rfc6749 | ||
| type OAuthToken struct { | ||
| // The access token issued by the authorization server. This is the token that will be used to authenticate requests. | ||
| AccessToken string `json:"access_token" auth:",sensitive"` |
There was a problem hiding this comment.
What is auth:",sensitive"? I don't remember seeing this annotation before.
There was a problem hiding this comment.
In some cases (like failed authentication), debug logs will include configuration parameters. Config attributes marked as sensitive are redacted in these logs. I don't think that also applies to this struct though. I'll take a closer look here.
There was a problem hiding this comment.
Good observation: this is only used for attributes of the Config object, to determine whether they are omitted when the config is printed out. I will remove this here.
httpclient/oauth_token.go
Outdated
| @@ -22,6 +21,19 @@ type GetOAuthTokenRequest struct { | |||
| Assertion string `url:"assertion"` | |||
| } | |||
|
|
|||
| // OAuthToken represents an OAuth token as defined by the OAuth 2.0 Authorization Framework. | |||
| // https://datatracker.ietf.org/doc/html/rfc6749 | |||
| type OAuthToken struct { | |||
There was a problem hiding this comment.
Use oauth2.Token instead?
There was a problem hiding this comment.
oauth2.Token has an "Expiry" field, which is computed based on the "expires_in" field. This mimics the unexported tokenJSON type from that library.
credentials/cache/file.go
Outdated
| loc, err := c.location() | ||
| if err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
[nit] What location was doing wasn't obvious to me reading this line. We could make that clearer with a better name. For example tokenCacheFilepath(). Though, I think it might just be simpler to inline the code since it results in the same number of line minus the location method.
| loc, err := c.location() | |
| if err != nil { | |
| return err | |
| } | |
| home, err := os.UserHomeDir() | |
| if err != nil { | |
| return fmt.Errorf("could not access home dir: %w") | |
| } | |
| c.fileLocation = filepath.Join(home, tokenCacheFileName) |
credentials/cache/file.go
Outdated
| // this implementation requires the calling code to do a machine-wide lock, | ||
| // otherwise the file might get corrupt. | ||
| type FileTokenCache struct { |
There was a problem hiding this comment.
Could we briefly explain what this cache does? Something like:
// FileTokenCache caches tokens in "~/.databricks/token-cache.json". FileTokenCache
// implements the TokenCache interface.
There was a problem hiding this comment.
Great, will use this description. Sorry, most of this is copied directly from the CLI without carefully reviewing for style or comments, but thanks for pointing these out, and I'm happy to correct them here.
credentials/cache/file.go
Outdated
| if errors.Is(err, fs.ErrNotExist) { | ||
| dir := filepath.Dir(c.fileLocation) | ||
| err = os.MkdirAll(dir, ownerExecReadWrite) | ||
| if err != nil { | ||
| return fmt.Errorf("mkdir: %w", err) | ||
| } | ||
| } else if err != nil { | ||
| return fmt.Errorf("load: %w", err) | ||
| } |
There was a problem hiding this comment.
[optional] This is slightly more idiomatic to test for nil error first.
| if errors.Is(err, fs.ErrNotExist) { | |
| dir := filepath.Dir(c.fileLocation) | |
| err = os.MkdirAll(dir, ownerExecReadWrite) | |
| if err != nil { | |
| return fmt.Errorf("mkdir: %w", err) | |
| } | |
| } else if err != nil { | |
| return fmt.Errorf("load: %w", err) | |
| } | |
| if err != nil { | |
| if !errors.Is(err, fs.ErrNotExist) { | |
| return fmt.Errorf("load: %w", err) | |
| } | |
| dir := filepath.Dir(c.fileLocation) | |
| if err := os.MkdirAll(dir, ownerExecReadWrite); err != nil { | |
| return fmt.Errorf("mkdir: %w", err) | |
| } | |
| } |
credentials/cache/file.go
Outdated
| var ErrNotConfigured = errors.New("databricks OAuth is not configured for this host") | ||
|
|
||
| // this implementation requires the calling code to do a machine-wide lock, | ||
| // otherwise the file might get corrupt. |
There was a problem hiding this comment.
Naively, I would have expected the lock to be managed by this cache implementation as an internal detail. Having the lock managed by the client sounds a little bug prone — especially given that the client does not have a programmatic way to know in what file the cache is storing the tokens. Am I missing something?
There was a problem hiding this comment.
Good question. It needs to be at least locked in PersistentAuth: the Load() method will read from the cache and then, if the access token is expired, refresh it and update the cache, which replaces it entirely. That requires some form of user-wide mutual exclusion that lasts longer than an individual method call, thus the lock file. I don't see any issues with adding an in-memory mutex within FileTokenCache as well in case an application is directly managing and updating tokens, considering what that would be protecting against.
credentials/oauth/persistent_auth.go
Outdated
| // Cache is the token cache to store and lookup tokens. | ||
| cache cache.TokenCache | ||
| // Locker is the lock to synchronize token cache access. | ||
| locker sync.Locker |
There was a problem hiding this comment.
It looks like locker is never locked. Am I missing something?
There was a problem hiding this comment.
You're not missing anything, I forgot to add it before, but I have it locally and will include it in my next update.
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
had a problem deploying
to
test-trigger-is
GitHub Actions
Failure
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
had a problem deploying
to
test-trigger-is
GitHub Actions
Failure
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
had a problem deploying
to
test-trigger-is
GitHub Actions
Failure
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
had a problem deploying
to
test-trigger-is
GitHub Actions
Failure
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
had a problem deploying
to
test-trigger-is
GitHub Actions
Failure
Discussed offline:
|
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
credentials/u2m/cache/file.go
Outdated
| fileLocation string | ||
|
|
||
| // locker protects the token cache file from concurrent reads and writes. | ||
| locker sync.Locker |
There was a problem hiding this comment.
No need for an interface, let's use a mutex directly. The zero value of a mutex is a valid mutex so we do not even need to think about initialization anymore.
| locker sync.Locker | |
| locker sync.Mutex |
| } | ||
|
|
||
| // Store implements the TokenCache interface. | ||
| func (c *fileTokenCache) Store(key string, t *oauth2.Token) error { |
There was a problem hiding this comment.
What's the intended behavior when storing a nil token? Should we delete it from the cache?
delete(key, f.Tokens)There was a problem hiding this comment.
Good question. I think that's a reasonable implementation.
credentials/u2m/error.go
Outdated
| // InvalidRefreshTokenError is returned from PersistentAuth's Load() method | ||
| // if the access token has expired and the refresh token in the token cache | ||
| // is invalid. | ||
| type InvalidRefreshTokenError struct { | ||
| err error | ||
| } | ||
|
|
||
| func (e *InvalidRefreshTokenError) Error() string { | ||
| return e.err.Error() | ||
| } | ||
|
|
||
| func (e *InvalidRefreshTokenError) Unwrap() error { | ||
| return e.err | ||
| } | ||
|
|
||
| var _ error = &InvalidRefreshTokenError{} |
There was a problem hiding this comment.
I think this could just be this:
| // InvalidRefreshTokenError is returned from PersistentAuth's Load() method | |
| // if the access token has expired and the refresh token in the token cache | |
| // is invalid. | |
| type InvalidRefreshTokenError struct { | |
| err error | |
| } | |
| func (e *InvalidRefreshTokenError) Error() string { | |
| return e.err.Error() | |
| } | |
| func (e *InvalidRefreshTokenError) Unwrap() error { | |
| return e.err | |
| } | |
| var _ error = &InvalidRefreshTokenError{} | |
| // InvalidRefreshTokenError is returned from PersistentAuth's Load() method | |
| // if the access token has expired and the refresh token in the token cache | |
| // is invalid. | |
| type InvalidRefreshTokenError struct { | |
| error | |
| } |
| // a special error message that instructs the user how to reauthenticate. | ||
| type u2mCredentials struct { | ||
| // auth is the persistent auth object that manages the token cache. | ||
| auth *u2m.PersistentAuth |
There was a problem hiding this comment.
Should this just be a token source?
| auth *u2m.PersistentAuth | |
| ts oauth2.TokenSource |
| // callback server listens for the redirect from the identity provider and | ||
| // exchanges the authorization code for an access token. It returns the OAuth2 | ||
| // token on success. | ||
| func (a *PersistentAuth) Challenge() (*oauth2.Token, error) { |
There was a problem hiding this comment.
This method does not seem to be used. Also, its documentation does not look up to date. Is it necessary to implement some interface?
There was a problem hiding this comment.
This is the core routine that handles the U2M OAuth login. There isn't a specific interface that it implements. It might be reasonable to consider this to be a token source as well
| return nil | ||
| } | ||
|
|
||
| func (a *PersistentAuth) Close() error { |
There was a problem hiding this comment.
This method does not seem to be used publicly, can we make it private?
There was a problem hiding this comment.
It will be used by the CLI and by any clients who want to use U2M but want to manage the token cache independently from the CLI.
| } | ||
|
|
||
| // NewPersistentAuth creates a new PersistentAuth with the provided options. | ||
| func NewPersistentAuth(ctx context.Context, opts ...PersistentAuthOption) (*PersistentAuth, error) { |
There was a problem hiding this comment.
Should this return a TokenSource so that the implementation is hidden? Ultimately, it does not look like the Challenge and Close methods are used outside of this package.
| cfg: &Config{ | ||
| Host: "https://myworkspace.cloud.databricks.com", | ||
| }, | ||
| auth: must( |
There was a problem hiding this comment.
I would have naturally leaned toward mocking PersistentAuth rather than the OAuthClient — especially if PersitentAuth is treated as a TokenSource (see other comments in persistent_auth.go).
| // GetHttpClient returns an HTTP client for OAuth2 requests. | ||
| GetHttpClient(context.Context) *http.Client |
There was a problem hiding this comment.
This method bothers me. I'm wondering if we would not be better off passing the HTTPClient directly to PersistentAuth. I'm also wondering if this interface needs to be public (see comments about mocking PersistentAuth in auth_u2m_test.go).
There was a problem hiding this comment.
We can split the OAuth endpoints and the HTTP client into separate parameters. However, because oauth2 depends on an http.Client, and to preserve the existing behavior, we do need to pass in the existing ApiClient somehow.
In an ideal world, we would have a pipelined API client specifically for OAuth that would be independent of the ApiClient package. We could actually just duplicate the code in order to break that dependency.
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
mgyucht
temporarily deployed
to
test-trigger-is
GitHub Actions
Inactive
|
If integration tests don't run automatically, an authorized user can run them manually by following the instructions below: Trigger: Inputs:
Checks will be approved automatically on success. |
config/auth_u2m.go
Outdated
| // Auth is the persistent auth object to use. If not specified, a new one will | ||
| // be created, using the default cache and locker. | ||
| Auth *oauth.PersistentAuth | ||
|
|
||
| // GetOAuthArg is a function that returns the OAuth argument to use for | ||
| // loading the OAuth session token. If not specified, the OAuth argument is | ||
| // determined by the account host and account ID or workspace host in the | ||
| // Config. | ||
| GetOAuthArg func(context.Context, *Config) (oauth.OAuthArgument, error) | ||
|
|
||
| // ErrorHandler controls the behavior of Configure() when loading the OAuth | ||
| // token fails. If not specified, any error will cause Configure() to return | ||
| // said error. | ||
| ErrorHandler func(context.Context, *Config, oauth.OAuthArgument, error) error |
There was a problem hiding this comment.
Let's make these unexported (ditto for other types introduced in this PR).
credentials/cache/file.go
Outdated
| // mu protects the token cache file from concurrent reads and writes. | ||
| mu *sync.Mutex |
There was a problem hiding this comment.
This should be the filemutex
credentials/oauth/persistent_auth.go
Outdated
| // Cache is the token cache to store and lookup tokens. | ||
| cache cache.TokenCache | ||
| // Locker is the lock to synchronize token cache access. | ||
| locker sync.Locker |
httpclient/oauth_token.go
Outdated
| @@ -22,6 +21,19 @@ type GetOAuthTokenRequest struct { | |||
| Assertion string `url:"assertion"` | |||
| } | |||
|
|
|||
| // OAuthToken represents an OAuth token as defined by the OAuth 2.0 Authorization Framework. | |||
| // https://datatracker.ietf.org/doc/html/rfc6749 | |||
| type OAuthToken struct { | |||
There was a problem hiding this comment.
Unexport, explicit reason why this exists
credentials/oauth/persistent_auth.go
Outdated
|
|
||
| func (a *PersistentAuth) randomString(size int) string { | ||
| raw := make([]byte, size) | ||
| _, _ = rand.Read(raw) |
config/auth_u2m.go
Outdated
| // loading the OAuth session token. If not specified, the OAuth argument is | ||
| // determined by the account host and account ID or workspace host in the | ||
| // Config. | ||
| getOAuthArg func(context.Context, *Config) (oauth.OAuthArgument, error) |
There was a problem hiding this comment.
This is how we will support scopes. We'll need a way to determine which key in the token cache the user is intending to use based on the config. It's intentionally unexported now to indicate that we don't really want to support it yet, but it would be the narrow place to make the change later.
| } | ||
|
|
||
| // Store implements the TokenCache interface. | ||
| func (c *fileTokenCache) Store(key string, t *oauth2.Token) error { |
There was a problem hiding this comment.
Good question. I think that's a reasonable implementation.
| // callback server listens for the redirect from the identity provider and | ||
| // exchanges the authorization code for an access token. It returns the OAuth2 | ||
| // token on success. | ||
| func (a *PersistentAuth) Challenge() (*oauth2.Token, error) { |
There was a problem hiding this comment.
This is the core routine that handles the U2M OAuth login. There isn't a specific interface that it implements. It might be reasonable to consider this to be a token source as well
| return nil | ||
| } | ||
|
|
||
| func (a *PersistentAuth) Close() error { |
There was a problem hiding this comment.
It will be used by the CLI and by any clients who want to use U2M but want to manage the token cache independently from the CLI.
| // GetHttpClient returns an HTTP client for OAuth2 requests. | ||
| GetHttpClient(context.Context) *http.Client |
There was a problem hiding this comment.
We can split the OAuth endpoints and the HTTP client into separate parameters. However, because oauth2 depends on an http.Client, and to preserve the existing behavior, we do need to pass in the existing ApiClient somehow.
In an ideal world, we would have a pipelined API client specifically for OAuth that would be independent of the ApiClient package. We could actually just duplicate the code in order to break that dependency.
What changes are proposed in this pull request?
This PR moves logic about U2M OAuth login from the CLI to the Go SDK. This eliminates a cyclic dependency between the SDK and CLI for interacting with the OAuth token cache and enables U2M support directly in the Go SDK without need for the CLI to be installed.
Most of this code is carried over from the CLI, but I have made specific refactors to generalize it where needed.
Currently, the token cache key follows a specific structure:
https://<accounts-host>/oidc/accounts/<account-id>for account-based sessionshttps://<workspace host>for workspace-based sessionsThis can be generalized to allow callers to cache tokens in other manners. For example, users may want to cache tokens per principal or per set of OAuth scopes for their own OAuth applications.
Additionally, products should be able to use an isolated token cache or a token cache backed by a different storage medium, like a database. This is simple to do by introducing a token cache interface. Implementers can define their own credential strategy and reuse the PersistentAuth type to handle the negotiation.
How is this tested?
Carried over tests from the CLI.
More tests are forthcoming, once a decision is made on this approach.