Managed: Use the keyrings-cryptfile library for caching the JWT token

Also, implement token refresh after expiry.

Author: amotl

cratedb_toolkit/cluster/croud.py

@@ -1,4 +1,5 @@
 import dataclasses
+import datetime as dt
 import json
 import logging
 import os
@@ -7,6 +8,7 @@
 
 from croud.clusters.commands import _wait_for_completed_operation
 from croud.projects.commands import _transform_backup_location
+from keyrings.cryptfile.cryptfile import CryptFileKeyring
 
 from cratedb_toolkit.exception import CroudException
 from cratedb_toolkit.meta.release import CrateDBRelease
@@ -432,9 +434,30 @@ def create_import_job(self, resource: InputOutputResource, target: TableAddress)
         return wr.invoke()
 
     def get_jwt_token(self) -> t.Dict[str, str]:
+        """
+        Retrieve per-cluster JWT token from keyring, falling back to API.
+        """
+        kr = CryptFileKeyring()
+        kr.keyring_key = os.getenv("CTK_KEYRING_CRYPTFILE_PASSWORD") or "TruaframEkEk"
+        key = "ctk-cluster-jwt"
+        data = None
+        data_raw = kr.get_password(key, self.cluster_id)
+        if data_raw is not None:
+            data = json.loads(data_raw)
+            now = (dt.datetime.now(dt.timezone.utc) - dt.timedelta(minutes=5)).isoformat()
+            if now > data["expiry"]:
+                logger.info("JWT token expired")
+                data = None
+        if data is None:
+            data = self._get_jwt_token()
+            kr.set_password(key, self.cluster_id, json.dumps(data))
+        return data
+
+    def _get_jwt_token(self) -> t.Dict[str, str]:
         """
         Retrieve per-cluster JWT token.
         """
+        logger.info("Retrieving JWT token from API")
         data, errors = self.client.get(self.url.jwt)
         if data is None:
             if not errors:

cratedb_toolkit/cluster/model.py

@@ -25,11 +25,6 @@ class JwtResponse:
     refresh: str
     token: str
 
-    def get_token(self):
-        # TODO: Persist token across sessions.
-        # TODO: Refresh automatically when expired.
-        return self.token
-
 
 @dataclasses.dataclass
 class ClusterInformation:
@@ -144,6 +139,8 @@ def acquire_dynamic_content(self):
         cluster = ManagedCluster(cluster_id=self.cloud_id).probe()
         if not cluster.address:
             raise CroudException(f"Cluster not found: {self.cloud_name}")
+        if not cluster.info:
+            raise CroudException(f"Cluster information not available for: {self.cloud_name}")
         adapter = DatabaseAdapter(dburi=cluster.address.dburi, jwt=cluster.info.jwt)
         self.database = InfoContainer(adapter=adapter, scrub=True).database()
 

doc/cluster/backlog.md

@@ -15,7 +15,6 @@ a patch for some item, it will be very much welcome.
 - CLI: Less verbosity by default for `ctk cluster` operations
   Possibly display cluster operation and job execution outcomes, and `last_async_operation` details
 - CLI: Implement `ctk cluster list`, `ctk cluster delete`
-- Managed: Use `keyring` for caching the JWT token, and compensate token expiry
 
 ## Iteration +2
 - Python API: Make `cluster.query` use the excellent `records` package
@@ -96,3 +95,4 @@ a patch for some item, it will be very much welcome.
 - CLI: Shrink address URLs to single parameter `--cluster-url`
 - Changelog: Notify about breaking change with input address parameter names
 - Docs: Update guidelines about input address parameter preferences
+- Managed: Use `keyring` for caching the JWT token, and compensate token expiry

pyproject.toml

@@ -102,6 +102,7 @@ dependencies = [
   "croud==1.13.0",
   "importlib-metadata; python_version<'3.8'",
   "importlib-resources; python_version<'3.9'",
+  "keyrings-cryptfile<2",
   "orjsonl<2",
   "pympler<1.2",
   "python-dateutil<3",