Implement WIF support

Author: hectorcast-db

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DatabricksConfig.java

@@ -141,6 +141,12 @@ public class DatabricksConfig {
 
   private DatabricksEnvironment databricksEnvironment;
 
+  /**
+   *  When using Workload Identity Federation, the audience to specify when fetching an ID token from the ID token supplier.
+   */
+  @ConfigAttribute(env = "TOKEN_AUDIENCE")
+  private String tokenAudience;
+
   public Environment getEnv() {
     return env;
   }
@@ -512,6 +518,15 @@ public DatabricksConfig setHttpClient(HttpClient httpClient) {
     return this;
   }
 
+  public String getTokenAudience() {
+    return tokenAudience;
+  }
+
+  public DatabricksConfig setTokenAudience(String tokenAudience) {
+    this.tokenAudience = tokenAudience;
+    return this;
+  }
+
   public boolean isAzure() {
     if (azureWorkspaceResourceId != null) {
       return true;

databricks-sdk-java/src/main/java/com/databricks/sdk/core/DefaultCredentialsProvider.java

@@ -1,9 +1,7 @@
 package com.databricks.sdk.core;
 
-import com.databricks.sdk.core.oauth.AzureGithubOidcCredentialsProvider;
-import com.databricks.sdk.core.oauth.AzureServicePrincipalCredentialsProvider;
-import com.databricks.sdk.core.oauth.ExternalBrowserCredentialsProvider;
-import com.databricks.sdk.core.oauth.OAuthM2MServicePrincipalCredentialsProvider;
+import com.databricks.sdk.core.oauth.*;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -18,6 +16,7 @@ public class DefaultCredentialsProvider implements CredentialsProvider {
           PatCredentialsProvider.class,
           BasicCredentialsProvider.class,
           OAuthM2MServicePrincipalCredentialsProvider.class,
+          DatabricksWIFCredentialsProvider.class,
           AzureGithubOidcCredentialsProvider.class,
           AzureServicePrincipalCredentialsProvider.class,
           AzureCliCredentialsProvider.class,

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/AzureServicePrincipalCredentialsProvider.java

@@ -63,7 +63,7 @@ private static RefreshableTokenSource tokenSourceFor(DatabricksConfig config, St
         .withClientId(config.getAzureClientId())
         .withClientSecret(config.getAzureClientSecret())
         .withTokenUrl(tokenUrl)
-        .withEndpointParameters(endpointParams)
+        .withEndpointParametersSupplier(() -> endpointParams)
         .withAuthParameterPosition(AuthParameterPosition.BODY)
         .build();
   }

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/ClientCredentials.java

@@ -3,6 +3,8 @@
 import com.databricks.sdk.core.commons.CommonsHttpClient;
 import com.databricks.sdk.core.http.HttpClient;
 import java.util.*;
+import java.util.function.Function;
+import java.util.function.Supplier;
 
 /**
  * An implementation of RefreshableTokenSource implementing the client_credentials OAuth grant type.
@@ -18,7 +20,7 @@ public static class Builder {
     private String clientSecret;
     private String tokenUrl;
     private HttpClient hc = new CommonsHttpClient.Builder().withTimeoutSeconds(30).build();
-    private Map<String, String> endpointParams = Collections.emptyMap();
+    private Supplier<Map<String, String>> endpointParamsSupplier = null;
     private List<String> scopes = Collections.emptyList();
     private AuthParameterPosition position = AuthParameterPosition.BODY;
 
@@ -32,13 +34,13 @@ public Builder withClientSecret(String clientSecret) {
       return this;
     }
 
-    public Builder withTokenUrl(String tokenUrl) {
-      this.tokenUrl = tokenUrl;
-      return this;
+    public Builder withEndpointParametersSupplier(Supplier<Map<String, String>> endpointParamsSupplier) {
+        this.endpointParamsSupplier = endpointParamsSupplier;
+        return this;
     }
 
-    public Builder withEndpointParameters(Map<String, String> params) {
-      this.endpointParams = params;
+    public Builder withTokenUrl(String tokenUrl) {
+      this.tokenUrl = tokenUrl;
       return this;
     }
 
@@ -59,34 +61,33 @@ public Builder withHttpClient(HttpClient hc) {
 
     public ClientCredentials build() {
       Objects.requireNonNull(this.clientId, "clientId must be specified");
-      Objects.requireNonNull(this.clientSecret, "clientSecret must be specified");
       Objects.requireNonNull(this.tokenUrl, "tokenUrl must be specified");
       return new ClientCredentials(
-          hc, clientId, clientSecret, tokenUrl, endpointParams, scopes, position);
+          hc, clientId, clientSecret, tokenUrl, endpointParamsSupplier, scopes, position);
     }
   }
 
   private HttpClient hc;
   private String clientId;
   private String clientSecret;
   private String tokenUrl;
-  private Map<String, String> endpointParams;
   private List<String> scopes;
   private AuthParameterPosition position;
+  private Supplier<Map<String, String>> endpointParamsSupplier;
 
   private ClientCredentials(
       HttpClient hc,
       String clientId,
       String clientSecret,
       String tokenUrl,
-      Map<String, String> endpointParams,
+      Supplier<Map<String, String>> endpointParamsSupplier,
       List<String> scopes,
       AuthParameterPosition position) {
     this.hc = hc;
     this.clientId = clientId;
     this.clientSecret = clientSecret;
     this.tokenUrl = tokenUrl;
-    this.endpointParams = endpointParams;
+    this.endpointParamsSupplier = endpointParamsSupplier;
     this.scopes = scopes;
     this.position = position;
   }
@@ -98,8 +99,8 @@ protected Token refresh() {
     if (scopes != null) {
       params.put("scope", String.join(" ", scopes));
     }
-    if (endpointParams != null) {
-      params.putAll(endpointParams);
+    if (endpointParamsSupplier != null) {
+      params.putAll(endpointParamsSupplier.get());
     }
     return retrieveToken(hc, clientId, clientSecret, tokenUrl, params, new HashMap<>(), position);
   }

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/DatabricksWIFCredentialsProvider.java

@@ -0,0 +1,64 @@
+package com.databricks.sdk.core.oauth;
+
+import com.databricks.sdk.core.CredentialsProvider;
+import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.HeaderFactory;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.ImmutableMap;
+
+import java.io.IOException;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * TODO: Add description
+ *
+ */
+public class DatabricksWIFCredentialsProvider implements CredentialsProvider {
+  private final ObjectMapper mapper = new ObjectMapper();
+
+  @Override
+  public String authType() {
+    return "databricks-wif";
+  }
+
+  @Override
+  public HeaderFactory configure(DatabricksConfig config) throws DatabricksException{
+    GitHubOidcTokenSupplier idTokenProvider = new GitHubOidcTokenSupplier(config);
+
+    if (!idTokenProvider.enabled() || config.getHost() == null || config.getClientId() == null) {
+      return null;
+    }
+
+    String endpointUrl;
+
+    try {
+      endpointUrl = config.getOidcEndpoints().getTokenEndpoint();
+    } catch (IOException e) {
+      throw new DatabricksException("Unable to fetch OIDC endpoint: " + e.getMessage(), e);
+    }
+
+    ClientCredentials clientCredentials = new ClientCredentials.Builder()
+      .withHttpClient(config.getHttpClient())
+      .withClientId(config.getClientId())
+      .withTokenUrl(endpointUrl)
+      .withScopes(Collections.singletonList("all-apis"))
+      .withAuthParameterPosition(AuthParameterPosition.HEADER)
+      .withEndpointParametersSupplier(
+        () -> new ImmutableMap.Builder<String, String>()
+                .put("subject_token_type", "urn:ietf:params:oauth:token-type:jwt")
+                .put("subject_token", idTokenProvider.getOidcToken())
+                .put("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+                .build()
+      )
+      .build();
+
+    return () -> {
+      Map<String, String> headers = new HashMap<>();
+      headers.put("Authorization", "Bearer " + clientCredentials.getToken().getAccessToken());
+      return headers;
+    };
+  }
+}

databricks-sdk-java/src/main/java/com/databricks/sdk/core/oauth/GitHubOidcTokenSupplier.java

@@ -0,0 +1,77 @@
+package com.databricks.sdk.core.oauth;
+
+import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.core.DatabricksException;
+import com.databricks.sdk.core.http.Request;
+import com.databricks.sdk.core.http.Response;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+
+import java.io.IOException;
+
+public class GitHubOidcTokenSupplier    {
+
+    private final ObjectMapper mapper = new ObjectMapper();
+
+    private final DatabricksConfig config;
+
+    public GitHubOidcTokenSupplier(DatabricksConfig config) {
+        this.config = config;
+    }
+
+
+    /**
+     * Checks if the required parameters are present to request a GitHub's OIDC token.
+     */
+    public Boolean enabled() {
+        return config.getActionsIdTokenRequestUrl() != null
+                && config.getActionsIdTokenRequestToken() != null;
+    }
+
+    /**
+     * Requests a GitHub's OIDC token.
+     *
+     * @return A GitHub OIDC token.
+     */
+    public String getOidcToken() {
+       if (!enabled()) {
+           throw new DatabricksException("Failed to request ID token: missing required parameters");
+       }
+
+        String requestUrl =
+                config.getActionsIdTokenRequestUrl();
+       if (config.getTokenAudience() != null) {
+              requestUrl += "&audience=" + config.getTokenAudience();
+       }
+
+        Request req =
+                new Request("GET", requestUrl)
+                        .withHeader("Authorization", "Bearer " + config.getActionsIdTokenRequestToken());
+
+        Response resp;
+        try {
+            resp = config.getHttpClient().execute(req);
+        } catch (IOException e) {
+            throw new DatabricksException(
+                    "Failed to request ID token from " + requestUrl + ":" + e.getMessage(), e);
+        }
+
+        if (resp.getStatusCode() != 200) {
+            throw new DatabricksException(
+                    "Failed to request ID token: status code "
+                            + resp.getStatusCode()
+                            + ", response body: "
+                            + resp.getBody().toString());
+        }
+
+        ObjectNode jsonResp;
+        try {
+            jsonResp = mapper.readValue(resp.getBody(), ObjectNode.class);
+        } catch (IOException e) {
+            throw new DatabricksException(
+                    "Failed to request ID token: corrupted token: " + e.getMessage());
+        }
+
+        return jsonResp.get("value").textValue();
+    }
+}

databricks-sdk-java/src/test/java/com/databricks/sdk/integration/DatabricksWifIT.java

@@ -0,0 +1,101 @@
+package com.databricks.sdk.integration;
+
+import com.databricks.sdk.AccountClient;
+import com.databricks.sdk.WorkspaceClient;
+import com.databricks.sdk.core.DatabricksConfig;
+import com.databricks.sdk.integration.framework.CollectionUtils;
+import com.databricks.sdk.integration.framework.EnvContext;
+import com.databricks.sdk.integration.framework.EnvOrSkip;
+import com.databricks.sdk.integration.framework.EnvTest;
+import com.databricks.sdk.service.iam.*;
+import com.databricks.sdk.service.oauth2.CreateAccountFederationPolicyRequest;
+import com.databricks.sdk.service.oauth2.CreateServicePrincipalFederationPolicyRequest;
+import com.databricks.sdk.service.oauth2.FederationPolicy;
+import com.databricks.sdk.service.oauth2.OidcFederationPolicy;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import java.util.Collections;
+import java.util.UUID;
+
+@EnvContext("ucacct")
+@ExtendWith(EnvTest.class)
+public class DatabricksWifIT {
+    // This test cannot run on local machines. We use ACTIONS_ID_TOKEN_REQUEST_URL
+    // to determine whether we are running in the GitHub Actions,
+    // and we skip the test if we are not.
+    @Test
+    void workspace(AccountClient a,
+               @EnvOrSkip("TEST_WORKSPACE_ID") String workspaceId,
+               @EnvOrSkip("TEST_WORKSPACE_URL") String workspaceUrl,
+               @EnvOrSkip("ACTIONS_ID_TOKEN_REQUEST_URL") String userId) {
+        String spName = "java-sdk-sp" + UUID.randomUUID();
+
+        // Create SP with access to the workspace
+        ServicePrincipal sp = a.servicePrincipals().create(new ServicePrincipal()
+                .setActive(true).setDisplayName(spName));
+
+        a.workspaceAssignment().update(new UpdateWorkspaceAssignments()
+                .setWorkspaceId(Long.valueOf(workspaceId))
+                .setPrincipalId(Long.valueOf(sp.getId()))
+                .setPermissions(Collections.singleton(WorkspacePermission.ADMIN)));
+
+        // Setup Federation Policy
+        OidcFederationPolicy policy = new OidcFederationPolicy()
+                .setIssuer("https://token.actions.githubusercontent.com")
+                .setSubject("repo:databricks-eng/eng-dev-ecosystem:environment:integration-tests")
+                .setAudiences(Collections.singleton("https://github.com/databricks-eng"));
+
+        a.servicePrincipalFederationPolicy().create(new CreateServicePrincipalFederationPolicyRequest()
+                .setServicePrincipalId(Long.valueOf(sp.getId()))
+                .setPolicy(new FederationPolicy().setOidcPolicy(policy)));
+
+        // Test WIF login
+        DatabricksConfig config = new DatabricksConfig().setHost(workspaceUrl)
+                .setClientId(sp.getApplicationId())
+                .setAuthType("databricks-wif")
+                .setTokenAudience("https://github.com/databricks-eng");
+
+        WorkspaceClient ws = new WorkspaceClient(config);
+
+        ws.currentUser().me();
+    }
+
+    // This test cannot run on local machines. We use ACTIONS_ID_TOKEN_REQUEST_URL
+    // to determine whether we are running in the GitHub Actions,
+    // and we skip the test if we are not.
+    @Test
+    void account(AccountClient a,
+                   @EnvOrSkip("ACTIONS_ID_TOKEN_REQUEST_URL") String userId) {
+        String spName = "java-sdk-sp" + UUID.randomUUID();
+
+        // Create SP
+        ServicePrincipal sp = a.servicePrincipals().create(new ServicePrincipal()
+                .setActive(true).setDisplayName(spName))
+                .setRoles(Collections.singleton(new ComplexValue().setValue("account_admin")));
+
+
+        // Setup Federation Policy
+        OidcFederationPolicy policy = new OidcFederationPolicy()
+                .setIssuer("https://token.actions.githubusercontent.com")
+                .setSubject("repo:databricks-eng/eng-dev-ecosystem:environment:integration-tests")
+                .setAudiences(Collections.singleton("https://github.com/databricks-eng"));
+
+        a.servicePrincipalFederationPolicy().create(new CreateServicePrincipalFederationPolicyRequest()
+                .setServicePrincipalId(Long.valueOf(sp.getId()))
+                .setPolicy(new FederationPolicy().setOidcPolicy(policy)));
+
+        // Test WIF login
+        DatabricksConfig config = new DatabricksConfig().setHost(a.config().getHost())
+                .setAccountId(a.config().getAccountId())
+                .setClientId(sp.getApplicationId())
+                .setAuthType("databricks-wif")
+                .setTokenAudience("https://github.com/databricks-eng");
+
+        AccountClient ac = new AccountClient(config);
+
+        Iterable<Group> groups = ac.groups().list(new ListAccountGroupsRequest());
+        groups.iterator().next();
+    }
+}
+