303 support iam auth

[smithsz]

What

Add IAM authentication support.

How

Added a class method and context manager to simplify IAM client construction:

from cloudant.client import Cloudant
client = Cloudant.iam('account_name', 'api_key_here', connect=True)
print client.all_dbs()

# or using context manager...
from cloudant import cloudant_iam
with cloudant_iam('account_name', 'api_key_here') as client:
    print client.all_dbs()

Under the hood there's a new use_iam=True toggle. Once enabled, the password parameter is used as the IAM API key.

IAM Authentication Workflow:

1. Exchange IAM API key for access token via IAM_TOKEN_URL.
2. Generate a cookie from the access token using the POST /_iam_session Cloudant endpoint.
3. Use the IAMSession cookie in all library requests.
4. Attempt to renew if the IAMSession cookie has expired or on any 401 response.

Testing

Includes additional mock tests.

Issues

Fixes #303.

[emlaver]

Can we add an example similar to what we have below in cloudant_bluemix?

[smithsz]

Yep, will do. I'll improve the getting started stuff too once I find the proper IAM blumix docs link.

[ricellis]

A few thoughts.

[ricellis]

This test is invalid. A 403 should not trigger a renew.

[ricellis]

_iam_session shouldn't have this same 403 quirk as Cloudant's _session.

[ricellis]

The majority of the work that CookieSession and IAMSession have to do is the same, other than the extra piece to get an IAM token (and the content-type of the POST to *_session which should be application/json for IAM).
It would be nice (but by no means essential if it is harder than it initially looks) if we could use the same login/logout/expired checks in this base class and just customize them slightly (e.g. with the url/data/response conditions).

[smithsz]

It's a little tricky as ClientSession is used directly when admin party is enabled.
I still think it's worth doing. I've raise issue #310 to track the work.

[ricellis]

I'm not a fan of exposing yet another parameter on here, I think it is particularly confusing that the USERNAME is effectively ignored in this scenario. I wonder whether we can have another way of initializing that effectively hides this complexity.

[smithsz]

Added new class method in 9f181e7.

[ricellis]

Can we safely omit this property from the docs then?

[smithsz]

Ah, forgot to update docs. Fixed in cd1c664.

[ricellis]

This mock response should probably have more of the expected token content in it.

[ricellis]

Can we safely omit this property from the docs then?

[ricellis]

Should add a line here expressing that the preferred approach is to use the iam function.

[smithsz]

Added in 9d0a5f3.

[ricellis]

I feel like there is a golden path test missing here, checking that a request is as expected without any expiry/renewal conditions.

I also think it would be valuable to have a test at the client level verifying that using the class method creates the IAM session and appropriate golden path is followed making a normal request (token, iam_session, normal request).

[smithsz]

Added in 85932a9 & fc8d64a.

[mikerhodes]

Can this be made a kwarg rather than an env var? Why is it an env var?

[ricellis]

Our view was that it should basically never be necessary to change the token URL, but we thought there was value in providing an "override" primarily for the event that for some reason the expected URL was unavailable (although it also has value in testing).

I think an env var is more suitable for this purpose in that it doesn't require a code change if, for example, one needed to switch token server to a backup to temporarily workaround some kind of outage. That was the thinking anyway.

[mikerhodes]

Okay

[mikerhodes]

Do you want to mention here the environment variable that allows for different IAM servers? (Note I query below whether it should be an env var rather than a kwarg).

[smithsz]

Added in 3b4edd9.

[mikerhodes]

ok

[mikerhodes]

I'd rather this be more explicitly about the expiry of the IAMSession cookie, it took me a bit to understand that's what was actually happening. Like:

if self._auto_renew and 'IAMSession' not in self.cookies.keys() and not self.cookies['IAMSession'].is_expired():
    self.login()

[smithsz]

You can't get a cookie object from the jar without iterating over the entire jar. self.cookies['IAMSession'] just gives your the cookie value as a string.
We'd need something horrible like:

self.cookies._cookies['mikerhodes-iam-testing.cloudant.com']['/']['IAMSession'].is_expired()

I think sticking to self.cookies.clear_expired_cookies() is the cleanest solution.

[mikerhodes]

I guess add a comment to the effect of this being the simplest way to check whether we have an expired cookie so the next person doesn't have to figure it out by guesswork. A decent "why I'm doing it" comment rather than a "describe what the code does" comment.

[mikerhodes]

Approved, though I'd like to see the comment around the mess of an API the cookie jar has.