return only the credentials property from the credential provider response (#185)

Co-authored-by: Toan Nguyen <hgiasac@gmail.com>

Author: m-Bilal

credentials/credentials_provider.go

@@ -2,9 +2,9 @@ package credentials
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -17,7 +17,10 @@ import (
 	"go.opentelemetry.io/otel/trace"
 )
 
-var errAuthWebhookUriRequired = errors.New("the env var HASURA_CREDENTIALS_PROVIDER_URI must be set and non-empty")
+var (
+	errAuthWebhookUriRequired = errors.New("the env var HASURA_CREDENTIALS_PROVIDER_URI must be set and non-empty")
+	errEmptyCredentials       = errors.New("empty credentials")
+)
 
 var defaultClient = CredentialClient{
 	httpClient: http.DefaultClient,
@@ -33,6 +36,11 @@ func AcquireCredentials(ctx context.Context, key string, forceRefresh bool) (str
 	return defaultClient.AcquireCredentials(ctx, key, forceRefresh)
 }
 
+// Payload is the credentials provider webhook response payload.
+type Payload struct {
+	Credentials string `json:"credentials"`
+}
+
 // CredentialClient is an HTTP client that  can requests the credentials provider webhook to get the credentials.
 type CredentialClient struct {
 	providerUri         *url.URL
@@ -128,15 +136,21 @@ func (cc *CredentialClient) AcquireCredentials(ctx context.Context, key string,
 
 	span.SetAttributes(attribute.Int("http.response.status_code", resp.StatusCode))
 
-	body, err := io.ReadAll(resp.Body)
+	var payload Payload
+	err = json.NewDecoder(resp.Body).Decode(&payload)
 	if err != nil {
 		span.SetStatus(codes.Error, "failed to read the response")
 		span.RecordError(err)
 
 		return "", fmt.Errorf("error reading response: %w", err)
 	}
 
-	span.SetAttributes(attribute.Int64("http.response.size", int64(len(body))))
+	if payload.Credentials == "" {
+		span.SetStatus(codes.Error, errEmptyCredentials.Error())
+		span.RecordError(err)
+
+		return "", errEmptyCredentials
+	}
 
-	return string(body), nil
+	return payload.Credentials, nil
 }

credentials/credentials_provider_test.go

@@ -5,8 +5,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"os"
 	"testing"
+
+	"go.opentelemetry.io/otel"
 )
 
 func TestAcquireCredentials(t *testing.T) {
@@ -36,26 +39,28 @@ func TestAcquireCredentials(t *testing.T) {
 					t.Errorf("expected Authorization=Bearer %s; got %s", bearerToken, r.Header.Get("Authorization"))
 				}
 
-				fmt.Fprint(w, "credentials")
+				fmt.Fprint(w, "{ \"credentials\": \"api-key\" }")
 			}))
 
 			defer server.Close()
 
 			// Set the environment variable
 			os.Setenv("HASURA_CREDENTIALS_PROVIDER_URI", server.URL)
 			os.Setenv("HASURA_CREDENTIALS_PROVIDER_BEARER_TOKEN", bearerToken)
+			defer os.Unsetenv("HASURA_CREDENTIALS_PROVIDER_URI")
+			defer os.Unsetenv("HASURA_CREDENTIALS_PROVIDER_BEARER_TOKEN")
 
 			credentials, err := AcquireCredentials(context.TODO(), "key", false)
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 			}
 
-			if credentials != "credentials" {
-				t.Errorf("expected credentials to be 'credentials', got '%s'", credentials)
+			if credentials != "api-key" {
+				t.Errorf("expected credentials to be 'api-key', got '%s'", credentials)
 			}
 		})
 
-		t.Run("when the request fails", func(t *testing.T) {
+		t.Run("when the server does not exist", func(t *testing.T) {
 			os.Setenv("HASURA_CREDENTIALS_PROVIDER_URI", "http://localhost:0000")
 
 			_, err := AcquireCredentials(context.TODO(), "key", false)
@@ -64,4 +69,28 @@ func TestAcquireCredentials(t *testing.T) {
 			}
 		})
 	})
+
+	t.Run("when the response does not have credentials", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			fmt.Fprint(w, "{}")
+		}))
+
+		defer server.Close()
+
+		serverUri, err := url.Parse(server.URL)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		client := &CredentialClient{
+			providerUri: serverUri,
+			httpClient:  server.Client(),
+			propagator:  otel.GetTextMapPropagator(),
+		}
+
+		_, err = client.AcquireCredentials(context.TODO(), "key", false)
+		if err != errEmptyCredentials {
+			t.Errorf("expected an empty credentails error, got: %s\n", err)
+		}
+	})
 }

utils/decode_test.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"fmt"
+	"math"
 	"reflect"
 	"testing"
 	"time"
@@ -217,7 +218,7 @@ func TestDecodeDateTime(t *testing.T) {
 		iNow := float64(now.UnixNano()) / float64(1000)
 		value, err := DecodeDateTime(iNow, WithBaseUnix(time.Microsecond))
 		assert.NilError(t, err)
-		assert.Equal(t, int64(now.UnixNano()/1000), int64(value.UnixNano()/1000))
+		assert.Assert(t, math.Abs(float64(int64(now.UnixNano()/1000)-int64(value.UnixNano()/1000))) <= 1)
 	})
 
 	t.Run("from_string", func(t *testing.T) {