Merge pull request #55 from ydb-platform/create-credentials

Added credentials authentication

Author: ilyakharev

CHANGELOG.md

@@ -1,3 +1,4 @@
+* added credentials authentication
 * added CI test
 
 ## 1.5.1

README.md

@@ -28,6 +28,7 @@ First, create a database using [Yandex Cloud Console](https://cloud.yandex.com/d
 
 YDB supports the following authentication methods:
 
+- Access token
 - OAuth token
 - JWT + private key
 - JWT + JSON file
@@ -65,7 +66,34 @@ $config = [
 
 $ydb = new Ydb($config);
 ```
+or:
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\AccessTokenAuthentication;
+
+$config = [
+
+    // Database path
+    'database'    => '/ru-central1/b1glxxxxxxxxxxxxxxxx/etn0xxxxxxxxxxxxxxxx',
+
+    // Database endpoint
+    'endpoint'    => 'ydb.serverless.yandexcloud.net:2135',
+
+    // Auto discovery (dedicated server only)
+    'discovery'   => false,
+
+    // IAM config
+    'iam_config'  => [
+        'root_cert_file' => './CA.pem', // Root CA file (dedicated server only!)
+    ],
+    
+    'credentials' => new AccessTokenAuthentication('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
+];
 
+$ydb = new Ydb($config);
+```
 ## OAuth token
 
 You should obtain [a new OAuth token](https://cloud.yandex.com/docs/iam/concepts/authorization/oauth-token).
@@ -101,6 +129,35 @@ $config = [
 $ydb = new Ydb($config);
 ```
 
+or
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\OAuthTokenAuthentication;
+
+$config = [
+
+    // Database path
+    'database'    => '/ru-central1/b1glxxxxxxxxxxxxxxxx/etn0xxxxxxxxxxxxxxxx',
+
+    // Database endpoint
+    'endpoint'    => 'ydb.serverless.yandexcloud.net:2135',
+
+    // Auto discovery (dedicated server only)
+    'discovery'   => false,
+
+    // IAM config
+    'iam_config'  => [
+        'temp_dir'       => './tmp', // Temp directory
+        'root_cert_file' => './CA.pem', // Root CA file (dedicated server only!)
+    ],
+    
+    'credentials' => new OAuthTokenAuthentication('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
+];
+
+$ydb = new Ydb($config);
+```
 ## JWT + private key
 
 Create [a service account](https://cloud.yandex.com/docs/iam/operations/sa/create) with the `editor` role, then create a private key. Also you need a key ID and a service account ID.
@@ -128,10 +185,36 @@ $config = [
 ];
 
 $ydb = new Ydb($config);
-
 ```
 
+or
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\JwtWithPrivateKeyAuthentication;
+
+$config = [
+    'database'    => '/ru-central1/b1glxxxxxxxxxxxxxxxx/etn0xxxxxxxxxxxxxxxx',
+    'endpoint'    => 'ydb.serverless.yandexcloud.net:2135',
+    'discovery'   => false,
+    'iam_config'  => [
+        'temp_dir'           => './tmp', // Temp directory
+        'root_cert_file'     => './CA.pem', // Root CA file (dedicated server only!)
+
+        // Private key authentication
+        'key_id'             => 'ajexxxxxxxxx',
+        'service_account_id' => 'ajeyyyyyyyyy',
+        'private_key_file'   => './private.key',
+    ],
+    
+    'credentials' => new JwtWithPrivateKeyAuthentication(
+        "ajexxxxxxxxx","ajeyyyyyyyyy",'./private.key')
+        
+];
 
+$ydb = new Ydb($config);
+```
 ## JWT + JSON file
 
 Create [a service account](https://cloud.yandex.com/docs/iam/operations/sa/create) with the `editor` role.
@@ -161,6 +244,27 @@ $config = [
 $ydb = new Ydb($config);
 ```
 
+or:
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\JwtWithJsonAuthentication;
+
+$config = [
+    'database'    => '/ru-central1/b1glxxxxxxxxxxxxxxxx/etn0xxxxxxxxxxxxxxxx',
+    'endpoint'    => 'ydb.serverless.yandexcloud.net:2135',
+    'discovery'   => false,
+    'iam_config'  => [
+        'temp_dir'       => './tmp', // Temp directory
+        'root_cert_file' => './CA.pem', // Root CA file (dedicated server only!)
+    ],
+            
+    'credentials' => new JwtWithJsonAuthentication('./jwtjson.json')
+];
+
+$ydb = new Ydb($config);
+```
 ## Metadata URL
 
 When you deploy a project to VM or function at Yandex.Cloud, you are able to connect to the database using [Metadata URL](https://cloud.yandex.com/docs/compute/operations/vm-connect/auth-inside-vm). Before you start, you should link your service account to an existing or new VM or function.
@@ -189,7 +293,33 @@ $config = [
 ];
 
 $ydb = new Ydb($config);
+```
+or
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\MetadataAuthentication;
 
+$config = [
+
+    // Database path
+    'database'    => '/ru-central1/b1glxxxxxxxxxxxxxxxx/etn0xxxxxxxxxxxxxxxx',
+
+    // Database endpoint
+    'endpoint'    => 'ydb.serverless.yandexcloud.net:2135',
+
+    // Auto discovery (dedicated server only)
+    'discovery'   => false,
+
+    // IAM config
+    'iam_config'  => [
+        'temp_dir'     => './tmp', // Temp directory
+    ],
+    'credentials' => new MetadataAuthentication()
+];
+
+$ydb = new Ydb($config);
 ```
 
 ## Anonymous
@@ -218,7 +348,35 @@ $config = [
 ];
 
 $ydb = new Ydb($config);
+```
+
+or:
+```php
+<?php
+
+use YdbPlatform\Ydb\Ydb;
+use YdbPlatform\Ydb\Auth\AnonymousAuthentication;
+
+$config = [
 
+    // Database path
+    'database'    => '/local',
+
+    // Database endpoint
+    'endpoint'    => 'localhost:2136',
+
+    // Auto discovery (dedicated server only)
+    'discovery'   => false,
+
+    // IAM config
+    'iam_config'  => [
+        'insecure' => true,
+    ],
+    
+    'credentials' => new AnonymousAuthentication()
+];
+
+$ydb = new Ydb($config);
 ```
 
 # Usage

src/Auth/Auth.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace YdbPlatform\Ydb\Auth;
+
+use DateTime;
+use YdbPlatform\Ydb\Iam;
+
+abstract class Auth
+{
+    public abstract function getTokenInfo(): TokenInfo;
+
+    public abstract function getName(): string;
+
+    protected $logger;
+
+    public function logger(){
+        return $this->logger;
+    }
+
+    public function setLogger($logger){
+        $this->logger = $logger;
+    }
+
+    /**
+     * @param string $expiresAt
+     * @return int
+     */
+    protected function convertExpiresAt($expiresAt)
+    {
+        if (is_int($expiresAt)) {
+            return $expiresAt;
+        }
+
+        $time = time() + 60 * 60 * Iam::DEFAULT_TOKEN_EXPIRES_AT;
+        if (preg_match('/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?(.*)$/', $expiresAt, $matches)) {
+            $time = new DateTime($matches[1] . $matches[2]);
+            $time = (int)$time->format('U');
+        }
+        return $time;
+    }
+}

src/Auth/IamAuth.php

@@ -0,0 +1,57 @@
+<?php
+
+namespace YdbPlatform\Ydb\Auth;
+
+use YdbPlatform\Ydb\Exception;
+use YdbPlatform\Ydb\Iam;
+
+abstract class IamAuth extends Auth
+{
+    /**
+     * @return mixed|null
+     * @throws Exception
+     */
+    public function requestToken($request_data): mixed
+    {
+        $this->logger()->info('YDB: Obtaining new IAM token...');
+
+        $curl = curl_init(Iam::IAM_TOKEN_API_URL);
+
+        curl_setopt_array($curl, [
+            CURLOPT_RETURNTRANSFER => 1,
+            CURLOPT_SSL_VERIFYPEER => 0,
+            CURLOPT_SSL_VERIFYHOST => 0,
+            CURLOPT_HEADER => 0,
+            CURLOPT_POSTFIELDS => json_encode($request_data),
+            CURLOPT_HTTPHEADER => [
+                'Accept: application/json',
+                'Content-Type: application/json',
+            ],
+        ]);
+
+        $result = curl_exec($curl);
+
+        $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
+
+        if ($status === 200) {
+            $token = json_decode($result);
+
+            if (isset($token->iamToken)) {
+                $this->logger()->info('YDB: Obtained new IAM token [...' . substr($token->iamToken, -6) . '].');
+                return $token;
+            } else {
+                $this->logger()->error('YDB: Failed to obtain new IAM token', [
+                    'status' => $status,
+                    'result' => $token,
+                ]);
+                throw new Exception('Failed to obtain new iamToken: no token was received.');
+            }
+        } else {
+            $this->logger()->error('YDB: Failed to obtain new IAM token', [
+                'status' => $status,
+                'result' => $result,
+            ]);
+            throw new Exception('Failed to obtain new iamToken: response status is ' . $status);
+        }
+    }
+}

src/Auth/Implement/AccessTokenAuthentication.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace YdbPlatform\Ydb\Auth\Implement;
+
+use YdbPlatform\Ydb\Auth\TokenInfo;
+
+class AccessTokenAuthentication extends \YdbPlatform\Ydb\Auth\Auth
+{
+    /**
+     * @var string
+     */
+    protected $access_token;
+
+    public function __construct(string $access_token)
+    {
+        $this->access_token = $access_token;
+    }
+
+    public function getTokenInfo(): TokenInfo
+    {
+        return new TokenInfo($this->access_token, time()+24*60*60);
+    }
+
+    public function getName(): string
+    {
+        return 'Access token';
+    }
+}

src/Auth/Implement/AnonymousAuthentication.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace YdbPlatform\Ydb\Auth\Implement;
+
+use YdbPlatform\Ydb\Auth\TokenInfo;
+
+class AnonymousAuthentication extends \YdbPlatform\Ydb\Auth\Auth
+{
+
+    public function __construct()
+    {
+    }
+
+    public function getTokenInfo(): TokenInfo
+    {
+        return new TokenInfo("", time()+24*3600);
+    }
+
+    public function getName(): string
+    {
+        return 'Anonymous';
+    }
+}