Merge pull request #27 from palantir/apastrana/pythonjavasdk

Auth features java sdk

Author: apastrana6

README.md

@@ -110,8 +110,38 @@ public class App {
    - When the application launches, the compute module is started by invoking the `.start()` method.
    - This initiates the module and makes the registered functions, like `hello`, available for execution.
 ---
+### 4. Auth and Credentials
+To obtain an auth token for interacting with Foundry resources in Pipeline mode use the following function:
 
-### 4. Build and Deploy with Docker
+```java
+import com.palantir.computemodules.auth.PipelinesAuth;
+
+String token = PipelinesAuth.retrievePipelineToken();
+```
+
+If you have configured your Compute Module (CM) to use Application's permissions, your application will use a service user for permissions instead of relying on the user's permissions. This configuration requires you to obtain the client ID and credentials to grant permission to the service token. This library facilitates this process:
+```java
+import com.palantir.computemodules.auth.ThirdPartyAuth;
+
+ThirdPartyCredentials credentials = ThirdPartyAuth.retrieveThirdPartyIdAndCreds();
+
+// get a scoped token for your 3pa
+String HOSTNAME = "myenvironment.palantirfoundry.com"
+String token = ThirdPartyAuth.fetchOAuthToken(HOSTNAME, ["api:datasets-read"]);
+```
+
+For usecases where you require the token to automatically refresh after expiry, you can utilize the RefreshingOauthToken class. By default, a token refresh will be triggered after 30 minutes. When using this class, you should ensure to only retrieve and generate tokens through the get_token() function.
+```java
+import com.palantir.computemodules.auth.RefreshingOauthToken;
+
+RefreshingOauthToken refreshingToken = new RefreshingOauthToken(HOSTNAME, ["api:datasets-read"]);
+
+// Token will automatically refresh when beyond expiry period
+String token = refreshingToken.getToken();
+```
+---
+
+### 5. Build and Deploy with Docker
 
 Containerize your application and then upload the resulting Docker image to Foundry. Once uploaded, you can reference your newly created image in a compute module. Example of Dockerfile:
 

lib/src/main/java/com/palantir/computemodules/ComputeModule.java

@@ -32,6 +32,7 @@
 import com.palantir.computemodules.functions.serde.DefaultDeserializer;
 import com.palantir.computemodules.functions.serde.DefaultSerializer;
 import com.palantir.logsafe.SafeArg;
+import com.palantir.logsafe.Unsafe;
 import com.palantir.logsafe.exceptions.SafeRuntimeException;
 import com.palantir.logsafe.logger.SafeLogger;
 import com.palantir.logsafe.logger.SafeLoggerFactory;
@@ -90,6 +91,7 @@ public void onFailure(Throwable throwable) {
         }
     }
 
+    @Unsafe
     private Result execute(ComputeModuleJob job) {
         if (functions.containsKey(job.queryType())) {
             return functions.get(job.queryType()).run(new Context(job.jobId()), job.query());

lib/src/main/java/com/palantir/computemodules/auth/PipelinesAuth.java

@@ -0,0 +1,43 @@
+/*
+ * (c) Copyright 2025 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.computemodules.auth;
+
+import com.palantir.logsafe.exceptions.SafeRuntimeException;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public final class PipelinesAuth {
+    private PipelinesAuth() {}
+
+    // Produces a bearer token that can be used to make calls to access pipeline resources.
+    // This is only available in pipeline mode.
+    public static String retrievePipelineToken() {
+        String tokenFilePath = System.getenv("BUILD2_TOKEN");
+        if (tokenFilePath == null || tokenFilePath.isEmpty()) {
+            throw new SafeRuntimeException(
+                    "Pipeline token not available. Please make sure you are running in Pipeline mode.");
+        }
+        try {
+            return Files.readString(Paths.get(tokenFilePath), StandardCharsets.UTF_8)
+                    .trim();
+        } catch (IOException e) {
+            throw new SafeRuntimeException("Failed to read pipeline token from file where it is stored.", e);
+        }
+    }
+}

lib/src/main/java/com/palantir/computemodules/auth/RefreshingOauthToken.java

@@ -0,0 +1,65 @@
+/*
+ * (c) Copyright 2025 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.computemodules.auth;
+
+import com.palantir.logsafe.exceptions.SafeRuntimeException;
+import com.palantir.logsafe.logger.SafeLogger;
+import com.palantir.logsafe.logger.SafeLoggerFactory;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.List;
+
+public final class RefreshingOauthToken {
+
+    private static final Duration DEFAULT_REFRESH_INTERVAL = Duration.ofMinutes(30);
+    private static final SafeLogger log = SafeLoggerFactory.get(RefreshingOauthToken.class);
+
+    private final String hostname;
+    private final List<String> scope;
+    private final Duration refreshInterval;
+
+    private String token = "";
+    private volatile Instant lastRefreshTime = Instant.EPOCH;
+
+    public RefreshingOauthToken(String hostname, List<String> scope, Duration refreshInterval) {
+        this.hostname = hostname;
+        this.scope = scope;
+        this.refreshInterval = refreshInterval;
+    }
+
+    public RefreshingOauthToken(String hostname, List<String> scope) {
+        this(hostname, scope, DEFAULT_REFRESH_INTERVAL);
+    }
+
+    public String getToken() {
+        if (this.token.isEmpty()
+                || Duration.between(lastRefreshTime, Instant.now()).compareTo(refreshInterval) > 0) {
+            String newToken = fetchToken();
+            if (newToken.isEmpty()) {
+                throw new SafeRuntimeException("Failed to refresh token");
+            }
+
+            this.token = newToken;
+            lastRefreshTime = Instant.now();
+        }
+        return this.token;
+    }
+
+    private String fetchToken() {
+        return ThirdPartyAuth.fetchOAuthToken(this.hostname, this.scope);
+    }
+}

lib/src/main/java/com/palantir/computemodules/auth/ThirdPartyAuth.java

@@ -0,0 +1,91 @@
+/*
+ * (c) Copyright 2025 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.palantir.computemodules.auth;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.palantir.computemodules.ssl.SslUtils;
+import com.palantir.logsafe.exceptions.SafeRuntimeException;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.time.Duration;
+import java.util.List;
+import java.util.Map;
+import javax.net.ssl.SSLContext;
+
+public final class ThirdPartyAuth {
+    private static final String HTTPS = "https://";
+    private static final String OAUTH_TOKEN_ENDPOINT = "/multipass/api/oauth2/token";
+
+    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+
+    private ThirdPartyAuth() {}
+
+    public static ThirdPartyCredentials retrieveThirdPartyIdAndCreds() {
+        String clientId = System.getenv("CLIENT_ID");
+        String clientSecret = System.getenv("CLIENT_SECRET");
+        if (clientId.isEmpty() || clientSecret.isEmpty()) {
+            throw new SafeRuntimeException(
+                    "One or both of required environment variables not found: CLIENT_ID, CLIENT_SECRET. "
+                            + "Make sure that your CM has Application permissions enabled.");
+        }
+        return new ThirdPartyCredentials(clientId, clientSecret);
+    }
+
+    public static String fetchOAuthToken(String hostname, List<String> scope) {
+        ThirdPartyCredentials credentials = retrieveThirdPartyIdAndCreds();
+        try {
+            String formData = "grant_type=" + URLEncoder.encode("client_credentials", StandardCharsets.UTF_8)
+                    + "&client_id=" + URLEncoder.encode(credentials.clientId(), StandardCharsets.UTF_8)
+                    + "&client_secret="
+                    + URLEncoder.encode(credentials.clientSecret(), StandardCharsets.UTF_8)
+                    + "&scope=" + URLEncoder.encode(String.join(" ", scope), StandardCharsets.UTF_8);
+
+            String url = HTTPS + hostname + OAUTH_TOKEN_ENDPOINT;
+
+            SSLContext sslContext = SslUtils.createSslContext(System.getenv("DEFAULT_CA_PATH"));
+
+            HttpClient client = HttpClient.newBuilder().sslContext(sslContext).build();
+            HttpRequest request = HttpRequest.newBuilder()
+                    .uri(URI.create(url))
+                    .header("Content-Type", "application/x-www-form-urlencoded")
+                    .POST(HttpRequest.BodyPublishers.ofString(formData))
+                    .timeout(Duration.ofSeconds(10))
+                    .build();
+
+            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+
+            if (response.statusCode() == 200) {
+                Map<String, Object> tokenData =
+                        OBJECT_MAPPER.readValue(response.body(), new TypeReference<Map<String, Object>>() {});
+
+                if (tokenData != null && tokenData.containsKey("access_token")) {
+                    return tokenData.get("access_token").toString();
+                }
+            }
+        } catch (InterruptedException e) {
+            throw new SafeRuntimeException("Interrupted while fetching OAuth token", e);
+        } catch (IOException e) {
+            throw new SafeRuntimeException("IOException while fetching OAuth token", e);
+        }
+        return "";
+    }
+}

lib/src/main/java/com/palantir/computemodules/auth/ThirdPartyCredentials.java

@@ -0,0 +1,19 @@
+/*
+ * (c) Copyright 2025 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.computemodules.auth;
+
+public record ThirdPartyCredentials(String clientId, String clientSecret) {}

lib/src/main/java/com/palantir/computemodules/functions/FunctionRunner.java

@@ -20,6 +20,7 @@
 import com.palantir.computemodules.functions.results.Result;
 import com.palantir.computemodules.functions.serde.Deserializer;
 import com.palantir.computemodules.functions.serde.Serializer;
+import com.palantir.logsafe.Unsafe;
 import java.io.InputStream;
 
 public final class FunctionRunner<I, O> {
@@ -42,6 +43,7 @@ public FunctionRunner(
         this.serializer = serializer;
     }
 
+    @Unsafe
     public Result run(Context context, Object input) {
         I deserializedInput = deserializer.deserialize(input, inputType);
         try {

lib/src/main/java/com/palantir/computemodules/functions/results/Result.java

@@ -15,4 +15,7 @@
  */
 package com.palantir.computemodules.functions.results;
 
+import com.palantir.logsafe.Unsafe;
+
+@Unsafe
 public sealed interface Result permits Ok, Failed {}

lib/src/main/java/com/palantir/computemodules/ssl/SslUtils.java

@@ -0,0 +1,55 @@
+/*
+ * (c) Copyright 2025 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.computemodules.ssl;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+
+public final class SslUtils {
+    private SslUtils() {}
+
+    public static SSLContext createSslContext(String caPath) {
+        try {
+            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+            ks.load(null, null);
+
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            try (InputStream is = new FileInputStream(caPath);
+                    BufferedInputStream bis = new BufferedInputStream(is)) {
+                int certIndex = 0;
+                while (bis.available() > 0) {
+                    Certificate cert = cf.generateCertificate(bis);
+                    ks.setCertificateEntry("alias-" + certIndex, cert);
+                    certIndex++;
+                }
+            }
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(ks);
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, tmf.getTrustManagers(), null);
+            return sslContext;
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+}