CLOUDP-110641: Add device grant flow to atlas client (#274)

Author: gssbzn

auth/device_flow.go

@@ -0,0 +1,111 @@
+// Copyright 2022 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	atlas "go.mongodb.org/atlas/mongodbatlas"
+)
+
+// DeviceCode holds information about the authorization-in-progress.
+type DeviceCode struct {
+	UserCode        string `json:"user_code"`        // UserCode is the code presented to users
+	VerificationURI string `json:"verification_uri"` // VerificationURI is the URI where users will need to confirm the code
+	DeviceCode      string `json:"device_code"`      // DeviceCode is the internal code to confirm the status of the flow
+	ExpiresIn       int    `json:"expires_in"`       // ExpiresIn when the code will expire
+	Interval        int    `json:"interval"`         // Interval how often to verify the status of the code
+
+	timeNow   func() time.Time
+	timeSleep func(time.Duration)
+}
+
+const deviceBasePath = "api/private/unauth/account/device"
+
+// RequestCode initiates the authorization flow by requesting a code.
+func (c Config) RequestCode(ctx context.Context) (*DeviceCode, *atlas.Response, error) {
+	req, err := c.NewRequest(ctx, http.MethodPost, deviceBasePath+"/authorize",
+		url.Values{
+			"client_id": {c.ClientID},
+			"scope":     {strings.Join(c.Scopes, " ")},
+		},
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	var r *DeviceCode
+	resp, err2 := c.Do(ctx, req, &r)
+	return r, resp, err2
+}
+
+// GetToken gets a device token.
+func (c Config) GetToken(ctx context.Context, deviceCode string) (*Token, *atlas.Response, error) {
+	req, err := c.NewRequest(ctx, http.MethodPost, deviceBasePath+"/token",
+		url.Values{
+			"client_id":   {c.ClientID},
+			"device_code": {deviceCode},
+			"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
+		},
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	var t *Token
+	resp, err2 := c.Do(ctx, req, &t)
+	if err2 != nil {
+		return nil, resp, err2
+	}
+	return t, resp, err2
+}
+
+// ErrTimeout is returned when polling the server for the granted token has timed out.
+var ErrTimeout = errors.New("authentication timed out")
+
+// PollToken polls the server until an access token is granted or denied.
+func (c Config) PollToken(ctx context.Context, code *DeviceCode) (*Token, *atlas.Response, error) {
+	timeNow := code.timeNow
+	if timeNow == nil {
+		timeNow = time.Now
+	}
+	timeSleep := code.timeSleep
+	if timeSleep == nil {
+		timeSleep = time.Sleep
+	}
+
+	checkInterval := time.Duration(code.Interval) * time.Second
+	expiresAt := timeNow().Add(time.Duration(code.ExpiresIn) * time.Second)
+
+	for {
+		timeSleep(checkInterval)
+		token, resp, err := c.GetToken(ctx, code.DeviceCode)
+		var target *atlas.ErrorResponse
+		if errors.As(err, &target) && target.ErrorCode == "DEVICE_AUTHORIZATION_PENDING" {
+			continue
+		}
+		if err != nil {
+			return nil, resp, err
+		}
+
+		if timeNow().After(expiresAt) {
+			return nil, nil, ErrTimeout
+		}
+		return token, resp, nil
+	}
+}

auth/device_flow_test.go

@@ -0,0 +1,134 @@
+// Copyright 2022 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/go-test/deep"
+)
+
+func TestConfig_RequestCode(t *testing.T) {
+	config, mux, teardown := setup()
+	defer teardown()
+
+	mux.HandleFunc("/api/private/unauth/account/device/authorize", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, http.MethodPost)
+		fmt.Fprintf(w, `{
+		  "user_code": "QW3PYV7R",
+		  "verification_uri": "%s/account/connect",
+		  "device_code": "61eef18e310968047ff5e02a",
+		  "expires_in": 600,
+		  "interval": 10
+		}`, baseURLPath)
+	})
+
+	results, _, err := config.RequestCode(ctx)
+	if err != nil {
+		t.Fatalf("RequestCode returned error: %v", err)
+	}
+
+	expected := &DeviceCode{
+		UserCode:        "QW3PYV7R",
+		VerificationURI: baseURLPath + "/account/connect",
+		DeviceCode:      "61eef18e310968047ff5e02a",
+		ExpiresIn:       600,
+		Interval:        10,
+	}
+
+	if diff := deep.Equal(results, expected); diff != nil {
+		t.Error(diff)
+	}
+}
+
+func TestConfig_GetToken(t *testing.T) {
+	config, mux, teardown := setup()
+	defer teardown()
+
+	mux.HandleFunc("/api/private/unauth/account/device/token", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, http.MethodPost)
+		fmt.Fprint(w, `{
+		  "access_token": "secret1",
+		  "refresh_token": "secret2",
+		  "scope": "openid",
+		  "id_token": "idtoken",
+		  "token_type": "Bearer",
+		  "expires_in": 3600
+		}`)
+	})
+	code := &DeviceCode{
+		DeviceCode: "61eef18e310968047ff5e02a",
+		ExpiresIn:  600,
+		Interval:   10,
+	}
+	results, _, err := config.GetToken(ctx, code.DeviceCode)
+	if err != nil {
+		t.Fatalf("PollToken returned error: %v", err)
+	}
+
+	expected := &Token{
+		AccessToken:  "secret1",
+		RefreshToken: "secret2",
+		Scope:        "openid",
+		IDToken:      "idtoken",
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+	}
+
+	if diff := deep.Equal(results, expected); diff != nil {
+		t.Error(diff)
+	}
+}
+
+func TestConfig_PollToken(t *testing.T) {
+	config, mux, teardown := setup()
+	defer teardown()
+
+	mux.HandleFunc("/api/private/unauth/account/device/token", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, http.MethodPost)
+		fmt.Fprint(w, `{
+		  "access_token": "secret1",
+		  "refresh_token": "secret2",
+		  "scope": "openid",
+		  "id_token": "idtoken",
+		  "token_type": "Bearer",
+		  "expires_in": 3600
+		}`)
+	})
+	code := &DeviceCode{
+		DeviceCode: "61eef18e310968047ff5e02a",
+		ExpiresIn:  600,
+		Interval:   10,
+	}
+	results, _, err := config.PollToken(ctx, code)
+	if err != nil {
+		t.Fatalf("PollToken returned error: %v", err)
+	}
+
+	expected := &Token{
+		AccessToken:  "secret1",
+		RefreshToken: "secret2",
+		Scope:        "openid",
+		IDToken:      "idtoken",
+		TokenType:    "Bearer",
+		ExpiresIn:    3600,
+	}
+
+	if diff := deep.Equal(results, expected); diff != nil {
+		t.Error(diff)
+	}
+}

auth/doc.go

@@ -0,0 +1,44 @@
+// Copyright 2022 MongoDB Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+Package auth provides a way to follow a Device Authorization Grant https://datatracker.ietf.org/doc/html/rfc8628.
+
+Usage
+
+	import "go.mongodb.org/atlas/auth"
+
+Construct a new client Config, then use the various methods to complete a flow.
+For example:
+
+	config := auth.NewConfigWithOptions(nil, auth.SetClientID("my-client-id"), auth.SetScopes([]string{"openid"}))
+
+	code, _, err := config.RequestCode(ctx)
+	if err!= nil {
+		panic(err)
+	}
+	token, _, err := config.PollToken(ctx, code)
+	if err!= nil {
+		panic(err)
+	}
+	fmt.PrintLn(accessToken.AccessToken)
+
+NOTE: Using the https://godoc.org/context package, one can easily
+pass cancellation signals and deadlines to various services of the client for
+handling a request. In case there is no context available, then context.Background()
+can be used as a starting point.
+
+
+*/
+package auth