[major] rename options (#69)

* rename options

* add unit test

* fix lint

* fix typo and unit test

* fix unit test

* use ETag in doc, eTag as variable

* update README

* add PolicyPurgePeriod, refactor transport to HTTP client, remove athenzTimeout & athenzCAPath

* update go.mod

* increase unit test wait time

* increase coverage

* fix README

* fix nil panic, when disable

* fix lint

* add unit test

access/option.go

@@ -70,7 +70,7 @@ func WithClientCertificateGoBackSeconds(t string) Option {
 		}
 		rd, err := time.ParseDuration(t)
 		if err != nil {
-			return errors.Wrap(err, "invalid refresh duration")
+			return errors.Wrap(err, "invalid refresh period")
 		}
 		r.clientCertificateGoBackSeconds = int64(rd.Seconds())
 		return nil

access/processor.go

@@ -27,7 +27,7 @@ import (
 )
 
 const (
-	CONFIRM_METHOD_MEMBER = "x5t#S256"
+	confirmMethodMember = "x5t#S256"
 )
 
 // Processor represents the access token parser interface.
@@ -51,7 +51,7 @@ func New(opts ...Option) (Processor, error) {
 	a := new(atp)
 	for _, opt := range append(defaultOptions, opts...) {
 		if err := opt(a); err != nil {
-			return nil, err
+			return nil, errors.Wrap(err, "error create access token processor")
 		}
 	}
 	return a, nil
@@ -115,7 +115,7 @@ func (a *atp) validateCertificateBoundAccessToken(cert *x509.Certificate, claims
 		return errors.New("error claim of access token is nil")
 	}
 
-	certThumbprint, ok := claims.Confirm[CONFIRM_METHOD_MEMBER]
+	certThumbprint, ok := claims.Confirm[confirmMethodMember]
 	if !ok {
 		return errors.New("error token is not certificate bound access token")
 	}

access/processor_test.go

@@ -280,7 +280,7 @@ func Test_rtp_ParseAndValidateOAuth2AccessToken(t *testing.T) {
 					}),
 					enableVerifyClientID: true,
 					authorizedClientIDs: map[string][]string{
-						"domain.tenant.service": []string{
+						"domain.tenant.service": {
 							"domain.tenant.service",
 						},
 					},
@@ -584,8 +584,8 @@ func Test_rtp_validateClientID(t *testing.T) {
 			fields: fields{
 				enableVerifyClientID: true,
 				authorizedClientIDs: map[string][]string{
-					"dummy cn1": []string{"dummy client_id1", "dummy client_id2"},
-					"dummy cn2": []string{"dummy client_id1", "dummy client_id2"},
+					"dummy cn1": {"dummy client_id1", "dummy client_id2"},
+					"dummy cn2": {"dummy client_id1", "dummy client_id2"},
 				},
 			},
 			args: args{
@@ -671,8 +671,8 @@ func Test_rtp_validateClientID(t *testing.T) {
 			fields: fields{
 				enableVerifyClientID: true,
 				authorizedClientIDs: map[string][]string{
-					"dummy cn1": []string{"dummy client_id1", "dummy client_id2"},
-					"dummy cn2": []string{"dummy client_id1", "dummy client_id2"},
+					"dummy cn1": {"dummy client_id1", "dummy client_id2"},
+					"dummy cn2": {"dummy client_id1", "dummy client_id2"},
 				},
 			},
 			args: args{

authorizerd.go

@@ -59,7 +59,7 @@ type authorizer struct {
 	accessProcessor access.Processor
 	verifiers       []verifier
 
-	// common parameters
+	// athenz connection parameters
 	athenzURL string
 	client    *http.Client
 
@@ -71,25 +71,26 @@ type authorizer struct {
 	roleCertURIPrefix string
 
 	// pubkeyd parameters
-	disablePubkeyd         bool
-	pubkeyRefreshDuration  string
-	pubkeyErrRetryInterval string
-	pubkeySysAuthDomain    string
-	pubkeyEtagExpTime      string
-	pubkeyEtagFlushDur     string
+	disablePubkeyd        bool
+	pubkeyRefreshPeriod   string
+	pubkeyRetryDelay      string
+	pubkeySysAuthDomain   string
+	pubkeyETagExpiry      string
+	pubkeyETagPurgePeriod string
 
 	// policyd parameters
-	disablePolicyd         bool
-	policyExpireMargin     string
-	athenzDomains          []string
-	policyRefreshDuration  string
-	policyErrRetryInterval string
-	policyRetryAttempts    int
+	disablePolicyd      bool
+	athenzDomains       []string
+	policyExpiryMargin  string
+	policyRefreshPeriod string
+	policyPurgePeriod   string
+	policyRetryDelay    string
+	policyRetryAttempts int
 
 	// jwkd parameters
-	disableJwkd         bool
-	jwkRefreshDuration  string
-	jwkErrRetryInterval string
+	disableJwkd      bool
+	jwkRefreshPeriod string
+	jwkRetryDelay    string
 
 	// accessTokenProcessor parameters
 	accessTokenParam AccessTokenParam
@@ -110,17 +111,15 @@ const (
 	accessToken
 )
 
-// New return Authorizerd
-// This function will initialize the Authorizerd object with the options
+// New creates the Authorizerd object with the options
 func New(opts ...Option) (Authorizerd, error) {
 	var (
 		prov = &authorizer{
 			cache: gache.New(),
 		}
-		err error
-
-		pubkeyProvider pubkey.Provider
-		jwkProvider    jwk.Provider
+		err    error
+		pkPro  pubkey.Provider
+		jwkPro jwk.Provider
 	)
 
 	for _, opt := range append(defaultOptions, opts...) {
@@ -133,66 +132,64 @@ func New(opts ...Option) (Authorizerd, error) {
 		if prov.pubkeyd, err = pubkey.New(
 			pubkey.WithAthenzURL(prov.athenzURL),
 			pubkey.WithSysAuthDomain(prov.pubkeySysAuthDomain),
-			pubkey.WithEtagExpTime(prov.pubkeyEtagExpTime),
-			pubkey.WithEtagFlushDuration(prov.pubkeyEtagFlushDur),
-			pubkey.WithRefreshDuration(prov.pubkeyRefreshDuration),
-			pubkey.WithErrRetryInterval(prov.pubkeyErrRetryInterval),
+			pubkey.WithETagExpiry(prov.pubkeyETagExpiry),
+			pubkey.WithETagPurgePeriod(prov.pubkeyETagPurgePeriod),
+			pubkey.WithRefreshPeriod(prov.pubkeyRefreshPeriod),
+			pubkey.WithRetryDelay(prov.pubkeyRetryDelay),
 			pubkey.WithHTTPClient(prov.client),
 		); err != nil {
-			return nil, errors.Wrap(err, "error create pubkeyd")
+			return nil, err
 		}
-
-		pubkeyProvider = prov.pubkeyd.GetProvider()
+		pkPro = prov.pubkeyd.GetProvider()
 	}
 
 	if !prov.disablePolicyd {
 		if prov.policyd, err = policy.New(
-			policy.WithExpireMargin(prov.policyExpireMargin),
 			policy.WithAthenzURL(prov.athenzURL),
 			policy.WithAthenzDomains(prov.athenzDomains...),
-			policy.WithRefreshDuration(prov.policyRefreshDuration),
-			policy.WithErrRetryInterval(prov.policyErrRetryInterval),
+			policy.WithExpiryMargin(prov.policyExpiryMargin),
+			policy.WithRefreshPeriod(prov.policyRefreshPeriod),
+			policy.WithPurgePeriod(prov.policyPurgePeriod),
+			policy.WithRetryDelay(prov.policyRetryDelay),
 			policy.WithRetryAttempts(prov.policyRetryAttempts),
 			policy.WithHTTPClient(prov.client),
-			policy.WithPubKeyProvider(pubkeyProvider),
+			policy.WithPubKeyProvider(pkPro),
 		); err != nil {
-			return nil, errors.Wrap(err, "error create policyd")
+			return nil, err
 		}
 	}
 
 	if !prov.disableJwkd {
 		if prov.jwkd, err = jwk.New(
 			jwk.WithAthenzURL(prov.athenzURL),
-			jwk.WithRefreshDuration(prov.jwkRefreshDuration),
-			jwk.WithErrRetryInterval(prov.jwkErrRetryInterval),
+			jwk.WithRefreshPeriod(prov.jwkRefreshPeriod),
+			jwk.WithRetryDelay(prov.jwkRetryDelay),
 			jwk.WithHTTPClient(prov.client),
 		); err != nil {
-			return nil, errors.Wrap(err, "error create jwkd")
+			return nil, err
 		}
-
-		jwkProvider = prov.jwkd.GetProvider()
+		jwkPro = prov.jwkd.GetProvider()
 	}
 
 	if prov.enableRoleToken {
 		if prov.roleProcessor, err = role.New(
-			role.WithPubkeyProvider(pubkeyProvider),
-			role.WithJWKProvider(jwkProvider),
+			role.WithPubkeyProvider(pkPro),
+			role.WithJWKProvider(jwkPro),
 		); err != nil {
-			return nil, errors.Wrap(err, "error create role processor")
+			return nil, err
 		}
-
 	}
 
 	if prov.accessTokenParam.enable {
 		if prov.accessProcessor, err = access.New(
-			access.WithJWKProvider(jwkProvider),
+			access.WithJWKProvider(jwkPro),
 			access.WithEnableMTLSCertificateBoundAccessToken(prov.accessTokenParam.verifyCertThumbprint),
 			access.WithEnableVerifyClientID(prov.accessTokenParam.verifyClientID),
 			access.WithAuthorizedClientIDs(prov.accessTokenParam.authorizedClientIDs),
 			access.WithClientCertificateGoBackSeconds(prov.accessTokenParam.certBackdateDur),
 			access.WithClientCertificateOffsetSeconds(prov.accessTokenParam.certOffsetDur),
 		); err != nil {
-			return nil, errors.Wrap(err, "error create access processor")
+			return nil, err
 		}
 	}
 
@@ -206,7 +203,7 @@ func New(opts ...Option) (Authorizerd, error) {
 
 func (a *authorizer) initVerifiers() error {
 	// TODO: check empty credentials to speed up the checking
-	verifiers := make([]verifier, 0, 3) // rolecert, acess token, roletoken
+	verifiers := make([]verifier, 0, 3) // rolecert, access token, roletoken
 
 	if a.enableRoleCert {
 		rcVerifier := func(r *http.Request, act, res string) error {
@@ -400,8 +397,7 @@ func (a *authorizer) verify(ctx context.Context, m mode, tok, act, res string, c
 	return nil
 }
 
-// Verify returns error of verification.
-// Verifes each verifier and if one of them succeeds, the error will be nil(OR logic).
+// Verify returns error of verification. Returns nil if ANY verifier succeeds (OR logic).
 func (a *authorizer) Verify(r *http.Request, act, res string) error {
 	for _, verifier := range a.verifiers {
 		// OR logic on multiple credentials
@@ -414,6 +410,7 @@ func (a *authorizer) Verify(r *http.Request, act, res string) error {
 	return ErrInvalidCredentials
 }
 
+// VerifyRoleCert verifies the role certificate for specific resource and return and verification error.
 func (a *authorizer) VerifyRoleCert(ctx context.Context, peerCerts []*x509.Certificate, act, res string) error {
 	var dr []string
 	drcheck := make(map[string]struct{})
@@ -450,7 +447,7 @@ func (a *authorizer) VerifyRoleCert(ctx context.Context, peerCerts []*x509.Certi
 	return errors.Wrap(err, "role certificates unauthorized")
 }
 
+// GetPolicyCache returns the cached policy data
 func (a *authorizer) GetPolicyCache(ctx context.Context) map[string]interface{} {
 	return a.policyd.GetPolicyCache(ctx)
-
 }