Test the bearer token fetching

Author: nomtrosk

README.md

@@ -32,17 +32,31 @@ end
 
 ## Configuration
 
-The configuration should _either_ define `storage_account_name` and `storage_account_key` _or_ `storage_account_connection_string`.
+For authentication, there is support for using both an account key or service principal.
+For configuration of the account key, use _either_ `storage_account_name` and `storage_account_key` _or_ `storage_account_connection_string`.
 
 ```elixir
 config :azurex, Azurex.Blob.Config,
   api_url: "https://sample.blob.core.windows.net", # Optional
   default_container: "defaultcontainer", # Optional
-  storage_account_name: "name",
+  storage_account_name: "sample",
   storage_account_key: "access key",
   storage_account_connection_string: "Storage=Account;Connection=String" # Required if storage account `name` and `key` not set
 ```
 
+For configuration of service principal, use `storage_client_id`, `storage_client_secret`, `storage_tenant_id`.
+
+```elixir
+config :azurex, Azurex.Blob.Config,
+  api_url: "https://sample.blob.core.windows.net", # Optional
+  default_container: "defaultcontainer", # Optional
+  storage_account_name: "sample",
+  storage_client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  storage_client_secret: "secret"
+  storage_tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+```
+Note that SAS token generation is currently not supported when using Service Principal.
+
 ## Documentation
 
 Documentation can be found at [https://hexdocs.pm/azurex](https://hexdocs.pm/azurex). Or generated using [ExDoc](https://github.com/elixir-lang/ex_doc)

lib/azurex/authorization/auth.ex

@@ -3,6 +3,10 @@ defmodule Azurex.Authorization.Auth do
   alias Azurex.Authorization.SharedKey
   alias Azurex.Authorization.ServicePrincipal
 
+  @doc """
+  Adds authentication header to a given request based on the configured auth method.
+  """
+  @spec authorize_request(HTTPoison.Request.t(), binary()) :: HTTPoison.Request.t()
   def authorize_request(request, content_type \\ "") do
     case Config.auth_method() do
       {:account_key, storage_account_key} ->

lib/azurex/authorization/service_principal.ex

@@ -1,6 +1,17 @@
 defmodule Azurex.Authorization.ServicePrincipal do
+  require Logger
+  alias Azurex.Blob.Config
+
   @cache_key "azurex_bearer_token"
   @cache_expiry_margin_seconds 10
+
+  @doc """
+  Fetches a bearer token and adds it to the request headers.
+  In case fetching the token fails, it logs an error and returns "No token"
+  which will fail the real request.
+  """
+  @spec add_bearer_token(HTTPoison.Request.t(), binary(), binary(), binary()) ::
+          HTTPoison.Request.t()
   def add_bearer_token(%HTTPoison.Request{} = request, client_id, client_secret, tenant_id) do
     bearer_token = fetch_bearer_token_cached(client_id, client_secret, tenant_id)
     authorization = {"Authorization", "Bearer #{bearer_token}"}
@@ -20,7 +31,6 @@ defmodule Azurex.Authorization.ServicePrincipal do
         if expiry > System.os_time(:second) do
           token
         else
-          IO.inspect("Token expired, refreshing")
           refresh_bearer_token_cache(client_id, client_secret, tenant_id)
         end
 
@@ -45,14 +55,14 @@ defmodule Azurex.Authorization.ServicePrincipal do
     |> Map.get("exp")
   end
 
-  def fetch_bearer_token(client_id, client_secret, tenant_id) do
+  defp fetch_bearer_token(client_id, client_secret, tenant_id) do
     body =
       "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}&scope=https://storage.azure.com/.default"
 
     respone =
       %HTTPoison.Request{
         method: :post,
-        url: "https://login.microsoftonline.com/#{tenant_id}/oauth2/v2.0/token",
+        url: "#{Config.get_auth_url()}/#{tenant_id}/oauth2/v2.0/token",
         body: body,
         headers: [
           {"content-type", "application/x-www-form-urlencoded"}
@@ -62,10 +72,15 @@ defmodule Azurex.Authorization.ServicePrincipal do
 
     case respone do
       {:ok, %HTTPoison.Response{status_code: 200, body: body}} ->
-        body |> Jason.decode!() |> Map.get("access_token")
+        body |> Jason.decode!() |> Map.fetch!("access_token")
+
+      {:ok, %HTTPoison.Response{status_code: sc, body: body}} ->
+        Logger.error("Failed to fetch bearer token. Reason: #{sc}: #{body}")
+        "No token"
 
-      {:error, err} ->
-        {:error, err}
+      {:error, %HTTPoison.Error{reason: reason}} ->
+        Logger.error("Failed to fetch bearer token. Reason: #{reason}")
+        "No token"
     end
   end
 end

lib/azurex/blob/config.ex

@@ -78,7 +78,8 @@ defmodule Azurex.Blob.Config do
   defp try_service_principal(value), do: value
 
   @doc """
-  Investigate which authentication method is set.
+  Investigate which authentication method is set and return the appropriate tuple
+  or raise an error if miss configured.
   """
   @spec auth_method() ::
           {:service_principal, binary(), binary(), binary()} | {:account_key, binary()}
@@ -138,4 +139,8 @@ defmodule Azurex.Blob.Config do
     |> parse_connection_string
     |> Map.get(key)
   end
+
+  def get_auth_url do
+    Keyword.get(conf(), :auth_url) || "https://login.microsoftonline.com"
+  end
 end

mix.exs

@@ -28,6 +28,7 @@ defmodule Azurex.MixProject do
     [
       {:dialyxir, "~> 1.4", only: [:dev, :test], runtime: false},
       {:ex_doc, ">= 0.0.0", only: :dev, runtime: false},
+      {:bypass, "~> 2.1", only: :test},
       {:httpoison, "~> 1.8 or ~> 2.2"},
       {:jason, "~> 1.4.4"}
     ]

mix.lock

@@ -1,6 +1,10 @@
 %{
+  "bypass": {:hex, :bypass, "2.1.0", "909782781bf8e20ee86a9cabde36b259d44af8b9f38756173e8f5e2e1fabb9b1", [:mix], [{:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "d9b5df8fa5b7a6efa08384e9bbecfe4ce61c77d28a4282f79e02f1ef78d96b80"},
   "certifi": {:hex, :certifi, "2.12.0", "2d1cca2ec95f59643862af91f001478c9863c2ac9cb6e2f89780bfd8de987329", [:rebar3], [], "hexpm", "ee68d85df22e554040cdb4be100f33873ac6051387baf6a8f6ce82272340ff1c"},
   "combine": {:hex, :combine, "0.10.0", "eff8224eeb56498a2af13011d142c5e7997a80c8f5b97c499f84c841032e429f", [:mix], [], "hexpm", "1b1dbc1790073076580d0d1d64e42eae2366583e7aecd455d1215b0d16f2451b"},
+  "cowboy": {:hex, :cowboy, "2.13.0", "09d770dd5f6a22cc60c071f432cd7cb87776164527f205c5a6b0f24ff6b38990", [:make, :rebar3], [{:cowlib, ">= 2.14.0 and < 3.0.0", [hex: :cowlib, repo: "hexpm", optional: false]}, {:ranch, ">= 1.8.0 and < 3.0.0", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "e724d3a70995025d654c1992c7b11dbfea95205c047d86ff9bf1cda92ddc5614"},
+  "cowboy_telemetry": {:hex, :cowboy_telemetry, "0.4.0", "f239f68b588efa7707abce16a84d0d2acf3a0f50571f8bb7f56a15865aae820c", [:rebar3], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:telemetry, "~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "7d98bac1ee4565d31b62d59f8823dfd8356a169e7fcbb83831b8a5397404c9de"},
+  "cowlib": {:hex, :cowlib, "2.14.0", "623791c56c1cc9df54a71a9c55147a401549917f00a2e48a6ae12b812c586ced", [:make, :rebar3], [], "hexpm", "0af652d1550c8411c3b58eed7a035a7fb088c0b86aff6bc504b0bc3b7f791aa2"},
   "dialyxir": {:hex, :dialyxir, "1.4.3", "edd0124f358f0b9e95bfe53a9fcf806d615d8f838e2202a9f430d59566b6b53b", [:mix], [{:erlex, ">= 0.2.6", [hex: :erlex, repo: "hexpm", optional: false]}], "hexpm", "bf2cfb75cd5c5006bec30141b131663299c661a864ec7fbbc72dfa557487a986"},
   "earmark_parser": {:hex, :earmark_parser, "1.4.39", "424642f8335b05bb9eb611aa1564c148a8ee35c9c8a8bba6e129d51a3e3c6769", [:mix], [], "hexpm", "06553a88d1f1846da9ef066b87b57c6f605552cfbe40d20bd8d59cc6bde41944"},
   "erlex": {:hex, :erlex, "0.2.6", "c7987d15e899c7a2f34f5420d2a2ea0d659682c06ac607572df55a43753aa12e", [:mix], [], "hexpm", "2ed2e25711feb44d52b17d2780eabf998452f6efda104877a3881c2f8c0c0c75"},
@@ -15,10 +19,16 @@
   "makeup_elixir": {:hex, :makeup_elixir, "0.16.2", "627e84b8e8bf22e60a2579dad15067c755531fea049ae26ef1020cad58fe9578", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "41193978704763f6bbe6cc2758b84909e62984c7752b3784bd3c218bb341706b"},
   "makeup_erlang": {:hex, :makeup_erlang, "0.1.5", "e0ff5a7c708dda34311f7522a8758e23bfcd7d8d8068dc312b5eb41c6fd76eba", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "94d2e986428585a21516d7d7149781480013c56e30c6a233534bedf38867a59a"},
   "metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm", "69b09adddc4f74a40716ae54d140f93beb0fb8978d8636eaded0c31b6f099f16"},
+  "mime": {:hex, :mime, "2.0.6", "8f18486773d9b15f95f4f4f1e39b710045fa1de891fada4516559967276e4dc2", [:mix], [], "hexpm", "c9945363a6b26d747389aac3643f8e0e09d30499a138ad64fe8fd1d13d9b153e"},
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
   "nimble_parsec": {:hex, :nimble_parsec, "1.4.0", "51f9b613ea62cfa97b25ccc2c1b4216e81df970acd8e16e8d1bdc58fef21370d", [:mix], [], "hexpm", "9c565862810fb383e9838c1dd2d7d2c437b3d13b267414ba6af33e50d2d1cf28"},
   "parse_trans": {:hex, :parse_trans, "3.4.1", "6e6aa8167cb44cc8f39441d05193be6e6f4e7c2946cb2759f015f8c56b76e5ff", [:rebar3], [], "hexpm", "620a406ce75dada827b82e453c19cf06776be266f5a67cff34e1ef2cbb60e49a"},
+  "plug": {:hex, :plug, "1.16.1", "40c74619c12f82736d2214557dedec2e9762029b2438d6d175c5074c933edc9d", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2 or ~> 2.0", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "a13ff6b9006b03d7e33874945b2755253841b238c34071ed85b0e86057f8cddc"},
+  "plug_cowboy": {:hex, :plug_cowboy, "2.7.3", "1304d36752e8bdde213cea59ef424ca932910a91a07ef9f3874be709c4ddb94b", [:mix], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:cowboy_telemetry, "~> 0.3", [hex: :cowboy_telemetry, repo: "hexpm", optional: false]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "77c95524b2aa5364b247fa17089029e73b951ebc1adeef429361eab0bb55819d"},
+  "plug_crypto": {:hex, :plug_crypto, "2.1.0", "f44309c2b06d249c27c8d3f65cfe08158ade08418cf540fd4f72d4d6863abb7b", [:mix], [], "hexpm", "131216a4b030b8f8ce0f26038bc4421ae60e4bb95c5cf5395e1421437824c4fa"},
+  "ranch": {:hex, :ranch, "1.8.1", "208169e65292ac5d333d6cdbad49388c1ae198136e4697ae2f474697140f201c", [:make, :rebar3], [], "hexpm", "aed58910f4e21deea992a67bf51632b6d60114895eb03bb392bb733064594dd0"},
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.7", "354c321cf377240c7b8716899e182ce4890c5938111a1296add3ec74cf1715df", [:make, :mix, :rebar3], [], "hexpm", "fe4c190e8f37401d30167c8c405eda19469f34577987c76dde613e838bbc67f8"},
+  "telemetry": {:hex, :telemetry, "1.3.0", "fedebbae410d715cf8e7062c96a1ef32ec22e764197f70cda73d82778d61e7a2", [:rebar3], [], "hexpm", "7015fc8919dbe63764f4b4b87a95b7c0996bd539e0d499be6ec9d7f3875b79e6"},
   "tzdata": {:hex, :tzdata, "1.1.1", "20c8043476dfda8504952d00adac41c6eda23912278add38edc140ae0c5bcc46", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "a69cec8352eafcd2e198dea28a34113b60fdc6cb57eb5ad65c10292a6ba89787"},
   "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
 }

test/azurex/authorization/service_principal_test.exs

@@ -0,0 +1,117 @@
+defmodule Azurex.Authorization.ServicePrincipalTest do
+  use ExUnit.Case
+  doctest Azurex.Authorization.ServicePrincipal
+
+  alias Azurex.Authorization.ServicePrincipal
+
+  setup do
+    bypass = Bypass.open()
+
+    Application.put_env(:azurex, Azurex.Blob.Config, auth_url: "http://localhost:#{bypass.port}")
+
+    {:ok, bypass: bypass}
+  end
+
+  defp generate_token(time) do
+    token = %{exp: time} |> Jason.encode!() |> Base.encode64()
+    "a.#{token}"
+  end
+
+  defp generate_request do
+    %HTTPoison.Request{
+      method: :put,
+      url: "https://example.com/sample-path",
+      body: "sample body",
+      headers: [
+        {"x-ms-blob-type", "BlockBlob"}
+      ],
+      options: [recv_timeout: :infinity]
+    }
+  end
+
+  defp prepare_auth_enpoint(bypass, token) do
+    Bypass.expect_once(bypass, "POST", "/tenant_id/oauth2/v2.0/token", fn conn ->
+      token_response = %{access_token: token} |> Jason.encode!()
+      Plug.Conn.resp(conn, 200, token_response)
+    end)
+  end
+
+  describe "add_bearer_token/4" do
+    test "Test bearer cache", %{bypass: bypass} do
+      # Set token time so it expires in 100 seconds
+      t = generate_token(:os.system_time(:second) + 100)
+      # Expect one token request because the second will be cached
+      prepare_auth_enpoint(bypass, t)
+      input_request = generate_request()
+
+      for _ <- 1..2 do
+        output_request =
+          ServicePrincipal.add_bearer_token(
+            input_request,
+            "client_id",
+            "client_secret",
+            "tenant_id"
+          )
+
+        assert output_request == %HTTPoison.Request{
+                 body: "sample body",
+                 headers: [
+                   {"Authorization", "Bearer #{t}"},
+                   {"x-ms-blob-type", "BlockBlob"}
+                 ],
+                 method: :put,
+                 options: [recv_timeout: :infinity],
+                 params: %{},
+                 url: "https://example.com/sample-path"
+               }
+      end
+    end
+
+    test "Test bearer cache refresh", %{bypass: bypass} do
+      # Set token time so it expired 100 seconds ago
+      t = generate_token(:os.system_time(:second) - 100)
+      input_request = generate_request()
+
+      for _ <- 1..2 do
+        # Now we expect two token requests because the token is expired
+        prepare_auth_enpoint(bypass, t)
+
+        output_request =
+          ServicePrincipal.add_bearer_token(
+            input_request,
+            "client_id",
+            "client_secret",
+            "tenant_id"
+          )
+
+        assert output_request == %HTTPoison.Request{
+                 body: "sample body",
+                 headers: [
+                   {"Authorization", "Bearer #{t}"},
+                   {"x-ms-blob-type", "BlockBlob"}
+                 ],
+                 method: :put,
+                 options: [recv_timeout: :infinity],
+                 params: %{},
+                 url: "https://example.com/sample-path"
+               }
+      end
+    end
+
+    test "Failure", %{bypass: bypass} do
+      Bypass.expect_once(bypass, "POST", "/tenant_id/oauth2/v2.0/token", fn conn ->
+        Plug.Conn.resp(conn, 403, "Not authorized")
+      end)
+
+      input_request = generate_request()
+
+      output_request =
+        ServicePrincipal.add_bearer_token(
+          input_request,
+          "client_id",
+          "client_secret",
+          "tenant_id"
+        )
+    end
+  end
+end