Merge pull request #175 from php-opencloud/cache-token

Auth token caching

Author: jamiehannaford

doc/services/identity/v3/tokens.rst

@@ -43,3 +43,36 @@ Revoke token
 
 .. sample:: identity/v3/tokens/revoke_token.php
 .. refdoc:: OpenStack/Identity/v3/Service.html#method_revokeToken
+
+Cache authentication token
+--------------------------
+
+Use case
+~~~~~~~~
+
+Before the SDK performs an API call, it will first authenticate to the OpenStack Identity service using the provided
+credentials.
+
+If the user's credential is valid, credentials are valid, the Identity service returns an authentication token. The SDK
+will then use this authentication token and service catalog in all subsequent API calls.
+
+This setup typically works well for CLI applications. However, for web-based applications, performance
+is undesirable since authentication step adds ~100ms to the response time.
+
+In order to improve performance, the SDK allows users to export and store authentication tokens, and re-use until they
+expire.
+
+
+Generate token and persist to file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. sample:: identity/v3/tokens/export_authentication_token.php
+
+
+For scalability, it is recommended that cached tokens are stored in persistent storage such as memcache or redis instead
+of a local file.
+
+Initialize Open Stack using cached authentication token
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. sample:: identity/v3/tokens/use_cached_authentication_token.php

samples/identity/v3/tokens/export_authentication_token.php

@@ -0,0 +1,35 @@
+<?php
+
+require 'vendor/autoload.php';
+
+$params = [
+    'authUrl' => '{authUrl}',
+    'region'  => '{region}',
+    'user'    => [
+        'name'     => '{username}',
+        'password' => '{password}',
+        'domain'   => ['id' => '{domainId}']
+    ],
+    'scope' => [
+        'project' => ['id' => '{projectId}']
+    ]
+];
+
+$openstack = new OpenStack\OpenStack($params);
+
+$identity = $openstack->identityV3();
+
+$token = $identity->generateToken($params);
+
+// Display token expiry
+echo sprintf('Token expires at %s'. PHP_EOL, $token->expires->format('c'));
+
+// Save token to file
+file_put_contents('token.json', json_encode($token->export()));
+
+
+// Alternatively, one may persist token to memcache or redis
+// Redis and memcache then can purge the entry when token expires.
+
+/**@var \Memcached $memcache */
+$memcache->set('token', $token->export(), $token->expires->format('U'));

samples/identity/v3/tokens/use_cached_authentication_token.php

@@ -0,0 +1,25 @@
+<?php
+
+require 'vendor/autoload.php';
+
+$params = [
+    'authUrl' => '{authUrl}',
+    'region'  => '{region}',
+    'user'    => [
+        'name'     => '{username}',
+        'password' => '{password}',
+        'domain'   => ['id' => '{domainId}']
+    ],
+    'scope' => [
+        'project' => ['id' => '{projectId}']
+    ]
+];
+
+$token = json_decode(file_get_contents('token.json'), true);
+
+// Inject cached token to params if token is still fresh
+if ((new \DateTimeImmutable($token['expires_at'])) > (new \DateTimeImmutable('now'))) {
+    $params['cachedToken'] = $token;
+}
+
+$openstack = new OpenStack\OpenStack($params);

src/Identity/v3/Models/Token.php

@@ -3,6 +3,7 @@
 namespace OpenStack\Identity\v3\Models;
 
 use OpenStack\Common\Resource\Alias;
+use OpenStack\Common\Transport\Utils;
 use Psr\Http\Message\ResponseInterface;
 use OpenStack\Common\Resource\OperatorResource;
 use OpenStack\Common\Resource\Creatable;
@@ -16,7 +17,7 @@ class Token extends OperatorResource implements Creatable, Retrievable, \OpenSta
     /** @var array */
     public $methods;
 
-    /** @var []Role */
+    /** @var Role[] */
     public $roles;
 
     /** @var \DateTimeImmutable */
@@ -43,6 +44,8 @@ class Token extends OperatorResource implements Creatable, Retrievable, \OpenSta
     protected $resourceKey = 'token';
     protected $resourcesKey = 'tokens';
 
+    protected $cachedToken;
+
     /**
      * @inheritdoc
      */
@@ -116,6 +119,27 @@ public function create(array $data): Creatable
         }
 
         $response = $this->execute($this->api->postTokens(), $data);
-        return $this->populateFromResponse($response);
+        $token = $this->populateFromResponse($response);
+
+        // Cache response as an array to export if needed.
+        // Added key `id` which is auth token from HTTP header X-Subject-Token
+        $this->cachedToken = Utils::flattenJson(Utils::jsonDecode($response), $this->resourceKey);
+        $this->cachedToken['id'] = $token->id;
+
+        return $token;
+    }
+
+    /**
+     * Returns a serialized representation of an authentication token.
+     *
+     * Initialize OpenStack object using $params['cachedToken'] to reduce the amount of HTTP calls.
+     *
+     * This array is a modified version of response from `/auth/tokens`. Do not manually modify this array.
+     *
+     * @return array
+     */
+    public function export(): array
+    {
+        return $this->cachedToken;
     }
 }

src/Identity/v3/Service.php

@@ -31,7 +31,15 @@ public function authenticate(array $options): array
     {
         $authOptions = array_intersect_key($options, $this->api->postTokens()['params']);
 
-        $token = $this->generateToken($authOptions);
+        if (!empty($options['cachedToken'])) {
+            $token = $this->generateTokenFromCache($options['cachedToken']);
+
+            if ($token->hasExpired()) {
+                throw new \RuntimeException(sprintf('Cached token has expired on "%s".', $token->expires->format(\DateTime::ISO8601)));
+            }
+        } else {
+            $token = $this->generateToken($authOptions);
+        }
 
         $name      = $options['catalogName'];
         $type      = $options['catalogType'];
@@ -46,6 +54,18 @@ public function authenticate(array $options): array
             $type, $name, $region, $interface));
     }
 
+    /**
+     * Generates authentication token from cached token using `$token->export()`
+     *
+     * @param array $cachedToken {@see \OpenStack\Identity\v3\Models\Token::export}
+     *
+     * @return Models\Token
+     */
+    public function generateTokenFromCache(array $cachedToken): Models\Token
+    {
+        return $this->model(Models\Token::class)->populateFromArray($cachedToken);
+    }
+
     /**
      * Generates a new authentication token
      *

src/OpenStack.php

@@ -32,6 +32,7 @@ class OpenStack
      *         ['logger']           = (LoggerInterface)   Must set if debugLog is true   [OPTIONAL]
      *         ['messageFormatter'] = (MessageFormatter)  Must set if debugLog is true   [OPTIONAL]
      *         ['requestOptions']   = (array)             Guzzle Http request options    [OPTIONAL]
+     *         ['cachedToken']      = (array)             Cached token credential        [OPTIONAL]
      *
      * @param Builder $builder
      */

tests/unit/Identity/v3/ServiceTest.php

@@ -10,9 +10,11 @@
 use OpenStack\Identity\v3\Service;
 use OpenStack\Test\TestCase;
 use Prophecy\Argument;
+use Psr\Http\Message\ResponseInterface;
 
 class ServiceTest extends TestCase
 {
+    /** @var Service */
     private $service;
 
     public function setUp()
@@ -64,6 +66,156 @@ public function test_it_authenticates()
         $this->assertEquals('http://example.org:8080/v1/AUTH_e00abf65afca49609eedd163c515cf10', $url);
     }
 
+    public function test_it_authenticates_using_cache_token()
+    {
+        $cachedToken = [
+            'is_domain'  => false,
+            'methods'    => [
+                'password',
+            ],
+            'roles'      => [
+                0 => [
+                    'id'   => 'ce40dfb7a1b14f8a875194fe2944e00c',
+                    'name' => 'admin',
+                ],
+            ],
+            'expires_at' => '2199-11-24T04:47:49.000000Z',
+            'project'    => [
+                'domain' => [
+                    'id'   => 'default',
+                    'name' => 'Default',
+                ],
+                'id'     => 'c41b19de8aac4ecdb0f04ede718206c5',
+                'name'   => 'admin',
+            ],
+            'catalog' => [
+                [
+                    'endpoints' => [
+                        [
+                            'region_id' => 'RegionOne',
+                            'url'       => 'http://example.org:8080/v1/AUTH_e00abf65afca49609eedd163c515cf10',
+                            'region'    => 'RegionOne',
+                            'interface' => 'public',
+                            'id'        => 'hhh',
+                        ]
+                    ],
+                    'type'      => 'object-store',
+                    'id'        => 'aaa',
+                    'name'      => 'swift',
+                ],
+            ],
+            'user'       => [
+                'domain' => [
+                    'id'   => 'default',
+                    'name' => 'Default',
+                ],
+                'id'     => '37a36374b074428985165e80c9ab28c8',
+                'name'   => 'admin',
+            ],
+            'audit_ids'  => [
+                'X0oY7ouSQ32vEpbgDJTDpA',
+            ],
+            'issued_at'  => '2017-11-24T03:47:49.000000Z',
+            'id'         => 'bb4f74cfb73847ec9ca947fa61d799d3',
+        ];
+
+        $userOptions = [
+            'user'        => [
+                'id'       => '{userId}',
+                'password' => '{userPassword}',
+                'domain'   => ['id' => '{domainId}']
+            ],
+            'scope'       => [
+                'project' => ['id' => '{projectId}']
+            ],
+            'catalogName' => 'swift',
+            'catalogType' => 'object-store',
+            'region'      => 'RegionOne',
+            'cachedToken' => $cachedToken
+        ];
+
+        list($token, $url) = $this->service->authenticate($userOptions);
+
+        $this->assertInstanceOf(Models\Token::class, $token);
+        $this->assertEquals('http://example.org:8080/v1/AUTH_e00abf65afca49609eedd163c515cf10', $url);
+    }
+
+
+    /**
+     * @expectedException \RuntimeException
+     * @expectedExceptionMessage Cached token has expired
+     */
+    public function test_it_authenticates_and_throws_exception_when_authenticate_with_expired_cached_token()
+    {
+        $cachedToken = [
+            'is_domain'  => false,
+            'methods'    => [
+                'password',
+            ],
+            'roles'      => [
+                0 => [
+                    'id'   => 'ce40dfb7a1b14f8a875194fe2944e00c',
+                    'name' => 'admin',
+                ],
+            ],
+            'expires_at' => '2000-11-24T04:47:49.000000Z',
+            'project'    => [
+                'domain' => [
+                    'id'   => 'default',
+                    'name' => 'Default',
+                ],
+                'id'     => 'c41b19de8aac4ecdb0f04ede718206c5',
+                'name'   => 'admin',
+            ],
+            'catalog' => [
+                [
+                    'endpoints' => [
+                        [
+                            'region_id' => 'RegionOne',
+                            'url'       => 'http://example.org:8080/v1/AUTH_e00abf65afca49609eedd163c515cf10',
+                            'region'    => 'RegionOne',
+                            'interface' => 'public',
+                            'id'        => 'hhh',
+                        ]
+                    ],
+                    'type'      => 'object-store',
+                    'id'        => 'aaa',
+                    'name'      => 'swift',
+                ],
+            ],
+            'user'       => [
+                'domain' => [
+                    'id'   => 'default',
+                    'name' => 'Default',
+                ],
+                'id'     => '37a36374b074428985165e80c9ab28c8',
+                'name'   => 'admin',
+            ],
+            'audit_ids'  => [
+                'X0oY7ouSQ32vEpbgDJTDpA',
+            ],
+            'issued_at'  => '2017-11-24T03:47:49.000000Z',
+            'id'         => 'bb4f74cfb73847ec9ca947fa61d799d3',
+        ];
+
+        $userOptions = [
+            'user'        => [
+                'id'       => '{userId}',
+                'password' => '{userPassword}',
+                'domain'   => ['id' => '{domainId}']
+            ],
+            'scope'       => [
+                'project' => ['id' => '{projectId}']
+            ],
+            'catalogName' => 'swift',
+            'catalogType' => 'object-store',
+            'region'      => 'RegionOne',
+            'cachedToken' => $cachedToken
+        ];
+
+        $this->service->authenticate($userOptions);
+    }
+
     /**
      * @expectedException \RuntimeException
      */
@@ -513,6 +665,23 @@ public function test_it_generates_token_with_token_id()
         $this->assertInstanceOf(Models\Token::class, $token);
     }
 
+    public function test_it_generates_token_from_cache()
+    {
+        $cache = [
+            'id' => 'some-token-id'
+        ];
+
+        $this->client
+            ->request('POST', 'auth/tokens', Argument::any())
+            ->shouldNotBeCalled()
+            ->willReturn($this->getFixture('token-get'));
+
+        $token = $this->service->generateTokenFromCache($cache);
+
+        $this->assertInstanceOf(Models\Token::class, $token);
+        $this->assertEquals('some-token-id', $token->id);
+    }
+
     public function test_it_lists_endpoints()
     {
         $this->listTest($this->createFn($this->service, 'listEndpoints', []), 'endpoints', 'Endpoint');