DataDog · isaacdd · Oct 25, 2024 · Oct 25, 2024
@@ -0,0 +1 @@
+Add an OIDC auth token reader
@@ -9,7 +9,7 @@
 from copy import deepcopy
 from io import open
 from ipaddress import ip_address, ip_network
-from urllib.parse import quote, urlparse, urlunparse
+from urllib.parse import quote, urlparse, urlunparse, urljoin
 
 import requests
 import requests_unixsocket
@@ -923,6 +923,45 @@ def read(self, **request):
 
             return self._token
 
+class AuthTokenOIDCReader(object):
+    def __init__(self, config):
+        _url = config.get('url')
+        if not isinstance(_url, str):
+            raise ConfigurationError('The `url` setting of `auth_token` reader must be a string')
+        elif not _url:
+            raise ConfigurationError('The `url` setting of `auth_token` reader is required')
+
+        _role = config.get('role')
+        if not isinstance(_role, str):
+            raise ConfigurationError('The `role` setting of `auth_token` reader must be a string')
+        elif not _role:
+            raise ConfigurationError('The `role` setting of `auth_token` reader is required')
+
+        self._headers = config.get('headers') or {}
+        if not isinstance(self._headers, dict):
+            raise ConfigurationError('The `headers` setting of `auth_token` reader must be a dict')
+
+        self._token_url = urljoin(_url+"/", _role)
+
+        self._token = None
+        self._expiration = None
+
+    def read(self, **request):
+        if self._token is None or get_timestamp() >= self._expiration or 'error' in request:
+            resp = requests.get(self._token_url, headers=self._headers)
+            resp.raise_for_status()
+            try:
+                data = resp.json()['data']
+            except requests.exceptions.JSONDecodeError:
+                raise Exception("OIDC reader failed to parse token endpoint response")
+            except KeyError:
+                raise Exception("OIDC reader an invalid response")
+
+            self._token = data['token']
+            self._expiration = get_timestamp() + data['ttl']
+
+            return self._token
+
 
 class AuthTokenHeaderWriter(object):
     DEFAULT_PLACEHOLDER = '<TOKEN>'
@@ -958,6 +997,7 @@ def write(self, token, **request):
     'file': AuthTokenFileReader,
     'oauth': AuthTokenOAuthReader,
     'dcos_auth': DCOSAuthTokenReader,
+    'oidc': AuthTokenOIDCReader, 
 }
 AUTH_TOKEN_WRITERS = {'header': AuthTokenHeaderWriter}
 

@@ -213,6 +213,53 @@ def test_basic_auth_not_boolean(self):
         ):
             RequestsWrapper(instance, init_config)
 
+class TestAuthTokenOIDCReaderCreation:
+    def test_url_missing(self):
+        instance = {'auth_token': {'reader': {'type': 'oidc'}, 'writer': {'type': 'header'}}}
+        init_config = {}
+
+        with pytest.raises(ConfigurationError, match='^The `url` setting of `auth_token` reader is required$'):
+            RequestsWrapper(instance, init_config)
+
+    def test_url_not_string(self):
+        instance = {'auth_token': {'reader': {'type': 'oidc', 'url': {}}, 'writer': {'type': 'header'}}}
+        init_config = {}
+
+        with pytest.raises(ConfigurationError, match='^The `url` setting of `auth_token` reader must be a string$'):
+            RequestsWrapper(instance, init_config)
+
+    def test_role_missing(self):
+        instance = {'auth_token': {'reader': {'type': 'oidc', 'url': 'foo'}, 'writer': {'type': 'header'}}}
+        init_config = {}
+
+        with pytest.raises(ConfigurationError, match='^The `role` setting of `auth_token` reader is required$'):
+            RequestsWrapper(instance, init_config)
+
+    def test_role_not_string(self):
+        instance = {
+            'auth_token': {'reader': {'type': 'oauth', 'url': 'foo', 'role': {}}, 'writer': {'type': 'header'}}
+        }
+        init_config = {}
+
+        with pytest.raises(
+            ConfigurationError, match='^The `role` setting of `auth_token` reader must be a string$'
+        ):
+            RequestsWrapper(instance, init_config)
+
+    def test_headers_not_string(self):
+        instance = {
+            'auth_token': {
+                'reader': {'type': 'oauth', 'url': 'foo', 'role': 'bar', 'headers': ['header: value']},
+                'writer': {'type': 'header'},
+            }
+        }
+        init_config = {}
+
+        with pytest.raises(
+            ConfigurationError, match='^The `headers` setting of `auth_token` reader must be a dict$'
+        ):
+            RequestsWrapper(instance, init_config)
+
 
 class TestAuthTokenDCOSReaderCreation:
     def test_login_url_missing(self):

@@ -0,0 +1 @@
+Add an OIDC auth token reader
@@ -1,4 +1,4 @@
 ## All options defined here are available to all instances.
 #
 init_config:

@@ -393,6 +393,12 @@
     ##                 options:
     ##                   audience: https://example.com
     ##                   scope: read:example
+    ##   - type: oidc
+    ##     url (required): The full OIDC token provider endpoint
+    ##                     e.g. http://127.0.0.1:8200/v1/identity/oidc/token/
+    ##     role (required): The role against which to generate the token
+    ##     headers: Additional headers to include in the request
+    ##
     ##
     ## The available writers are:
     ##