PIP-79 OAuth Client Credentials & Token Support (#78)

* PIP-79 #in-progress support token in client * PIP-79 CCG oauth request formation * PIP-79 jackson vuln * PIP-79 async caching token retrieval * PIP-79 lib-level oauth ccg support! * PIP-79 cli for oauth params * PIP-79 added token cli and improve reconfigure * PIP-79 re-gen options doc * PIP-79 OAuth doc * PIP-79 jackson dababind to clear CVE-2020-36518 * PIP-79 add scope support back in * PIP-79 refactor options->config pathing to be declarative * PIP-79 target poll interval is not a thing * PIP-79 refactor reconfig * PIP-79 don't use defaults when reconfiguring so no clobbering happens * PIP-79 simplify reconfigure fn * PIP-79 correct pr ci target
yetanalytics · Jun 20, 2022 · c2c0a41 · c2c0a41
1 parent bf0ff08
commit c2c0a41
Show file tree

Hide file tree

Showing 12 changed files with 756 additions and 467 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ on:
       - 'v*'
   pull_request:
     branches:
-      - 'master'
+      - 'main'
 
 jobs:
   test:

diff --git a/doc/index.md b/doc/index.md
@@ -9,6 +9,7 @@ This process is one-way and any statements in the target LRS will not be replica
 - [Installation](install.md)
 - [Usage](usage.md)
 - [Persistence Config](persistence.md)
+- [OAuth Support](oauth.md)
 - [All Options](options.md)
 - [JSON Config](json.md)
 - [Metrics](metrics.md)

diff --git a/doc/oauth.md b/doc/oauth.md
@@ -0,0 +1,46 @@
+[<- Back to Index](index.md)
+# OAuth Support
+
+LRSPipe supports the use of [OAuth 2.0](https://oauth.net/2/) with LRS endpoints that support it via the [Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4)
+
+## Client Credentials Grant
+
+To use OAuth, specify a source/target `auth-uri`, `client-id` and `client-secret`:
+
+``` shell
+bin/run.sh --source-url http://0.0.0.0:8080/xapi \
+           --source-auth-uri http://0.0.0.0:8083/auth/realms/test/protocol/openid-connect \
+           --source-client-id a_client_id \
+           --source-client-secret 1234 \
+           --target-url http://0.0.0.0:8081/xapi \
+           --target-auth-uri http://0.0.0.0:8083/auth/realms/test/protocol/openid-connect \
+           --target-client-id b_client_id \
+           --target-client-secret 1234
+```
+
+LRSPipe will connect to the specified auth provider(s) and provide up-to-date tokens for LRS requests as needed.
+
+### Scope
+
+According to OAuth 2.0 an optional `scope` parameter can be provided on Client Credentials Grant requests. To set this value for the source/target LRS:
+
+``` shell
+bin/run.sh ... \
+           --source-scope "lrs:read" \
+           --target-scope "lrs:write"
+```
+
+Note that the configuration of claims like scope should be done on the OAuth client itself. This option is provided for backwards compatibility only.
+
+## Manual Bearer Token Usage
+
+If you have a bearer token that will be valid for the duration of your job, you can pass it directly:
+
+``` shell
+bin/run.sh --source-url http://0.0.0.0:8080/xapi \
+           --source-token eyJhbGciOi...
+           --target-url http://0.0.0.0:8081/xapi \
+           --target-token eyJhbGciOi...
+```
+
+[<- Back to Index](index.md)
diff --git a/doc/options.md b/doc/options.md
@@ -48,6 +48,11 @@ All options:
   -p, --xapi-get-param KEY=VALUE        {}                    xAPI GET Parameters
       --source-username USERNAME                              Source LRS BASIC Auth username
       --source-password PASSWORD                              Source LRS BASIC Auth password
+      --source-auth-uri URI                                   Source LRS OAuth autentication URI
+      --source-client-id ID                                   Source LRS OAuth client ID
+      --source-client-secret SECRET                           Source LRS OAuth client secret
+      --source-scope SCOPE                                    Source LRS OAuth scope
+      --source-token TOKEN                                    Source LRS OAuth Bearer token
       --source-backoff-budget BUDGET    10000                 Source LRS Retry Backoff Budget in ms
       --source-backoff-max-attempt MAX  10                    Source LRS Retry Backoff Max Attempts, set to -1 for no retry
       --source-backoff-j-range RANGE                          Source LRS Retry Backoff Jitter Range in ms
@@ -56,6 +61,11 @@ All options:
       --target-batch-size SIZE          50                    Target LRS POST desired batch size
       --target-username USERNAME                              Target LRS BASIC Auth username
       --target-password PASSWORD                              Target LRS BASIC Auth password
+      --target-auth-uri URI                                   Target LRS OAuth autentication URI
+      --target-client-id ID                                   Target LRS OAuth client ID
+      --target-client-secret SECRET                           Target LRS OAuth client secret
+      --target-scope SCOPE                                    Target LRS OAuth scope
+      --target-token TOKEN                                    Target LRS OAuth Bearer token
       --target-backoff-budget BUDGET    10000                 Target LRS Retry Backoff Budget in ms
       --target-backoff-max-attempt MAX  10                    Target LRS Retry Backoff Max Attempts, set to -1 for no retry
       --target-backoff-j-range RANGE                          Target LRS Retry Backoff Jitter Range in ms