Initial commit to support JWT authentication

Author: ramya18101

go.mod

@@ -20,6 +20,7 @@ require (
 	github.com/hashicorp/hc-install v0.9.2
 	github.com/hashicorp/terraform-exec v0.23.0
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+	github.com/lestrrat-go/jwx/v2 v2.1.6
 	github.com/lestrrat-go/jwx/v3 v3.0.1
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/manifoldco/promptui v0.9.0
@@ -76,7 +77,6 @@ require (
 	github.com/lestrrat-go/httprc v1.0.6 // indirect
 	github.com/lestrrat-go/httprc/v3 v3.0.0-beta2 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
-	github.com/lestrrat-go/jwx/v2 v2.1.6 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect

internal/auth/auth.go

@@ -13,6 +13,11 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/clientcredentials"
 )
 
@@ -257,3 +262,151 @@ func GetAccessTokenFromClientCreds(ctx context.Context, args ClientCredentials)
 		ExpiresAt:   resp.Expiry,
 	}, nil
 }
+
+// GetAccessTokenFromClientPrivateJWT generates an access token from client prviateJWT.
+func GetAccessTokenFromClientPrivateJWT(args PrivateKeyJwtTokenSource) (Result, error) {
+	resp, err := args.Token()
+	if err != nil {
+		return Result{}, err
+	}
+
+	fmt.Println(resp.AccessToken)
+
+	return Result{
+		AccessToken: resp.AccessToken,
+		ExpiresAt:   resp.Expiry,
+	}, nil
+}
+
+// PrivateKeyJwtTokenSource implements oauth2.TokenSource for Private Key JWT client authentication.
+type PrivateKeyJwtTokenSource struct {
+	Ctx                       context.Context
+	Uri                       string
+	ClientID                  string
+	ClientAssertionSigningAlg string
+	ClientAssertionSigningKey string
+	Audience                  string
+}
+
+// Token generates a new token using Private Key JWT client authentication.
+func (p PrivateKeyJwtTokenSource) Token() (*oauth2.Token, error) {
+	alg, err := DetermineSigningAlgorithm(p.ClientAssertionSigningAlg)
+	if err != nil {
+		return nil, fmt.Errorf("invalid algorithm: %w", err)
+	}
+
+	baseURL, err := url.Parse(p.Uri)
+	if err != nil {
+		return nil, fmt.Errorf("invalid URI: %w", err)
+	}
+
+	assertion, err := CreateClientAssertion(
+		alg,
+		p.ClientAssertionSigningKey,
+		p.ClientID,
+		baseURL.JoinPath("/").String(),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create client assertion: %w", err)
+	}
+
+	cfg := &clientcredentials.Config{
+		TokenURL:  p.Uri + "/oauth/token",
+		AuthStyle: oauth2.AuthStyleInParams,
+		EndpointParams: url.Values{
+			"audience":              []string{p.Audience},
+			"client_assertion_type": []string{"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
+			"client_assertion":      []string{assertion},
+			"grant_type":            []string{"client_credentials"},
+		},
+	}
+
+	token, err := cfg.Token(p.Ctx)
+	if err != nil {
+		return nil, fmt.Errorf("token request failed: %w", err)
+	}
+
+	return token, nil
+}
+
+// DetermineSigningAlgorithm returns the appropriate JWA signature algorithm based on the string representation.
+func DetermineSigningAlgorithm(alg string) (jwa.SignatureAlgorithm, error) {
+	switch alg {
+	case "RS256":
+		return jwa.RS256, nil
+	case "RS384":
+		return jwa.RS384, nil
+	case "RS512":
+		return jwa.RS512, nil
+	case "PS256":
+		return jwa.PS256, nil
+	case "PS384":
+		return jwa.PS384, nil
+	case "PS512":
+		return jwa.PS512, nil
+	case "ES256":
+		return jwa.ES256, nil
+	case "ES384":
+		return jwa.ES384, nil
+	case "ES512":
+		return jwa.ES512, nil
+	default:
+		return "", fmt.Errorf("unsupported client assertion algorithm %q", alg)
+	}
+}
+
+// CreateClientAssertion creates a JWT token for client authentication with the specified lifetime.
+func CreateClientAssertion(alg jwa.SignatureAlgorithm, signingKey, clientID, audience string) (string, error) {
+	key, err := jwk.ParseKey([]byte(signingKey), jwk.WithPEM(true))
+	if err != nil {
+		return "", fmt.Errorf("failed to parse signing key: %w", err)
+	}
+
+	// Verify that the key type is compatible with the algorithm
+	if err := verifyKeyCompatibility(alg, key); err != nil {
+		return "", err
+	}
+
+	now := time.Now()
+
+	token, err := jwt.NewBuilder().
+		IssuedAt(now).
+		NotBefore(now).
+		Subject(clientID).
+		JwtID(uuid.NewString()).
+		Issuer(clientID).
+		Audience([]string{audience}).
+		Expiration(now.Add(2 * time.Minute)).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build JWT: %w", err)
+	}
+
+	signedToken, err := jwt.Sign(token, jwt.WithKey(alg, key))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign JWT: %w", err)
+	}
+
+	return string(signedToken), nil
+}
+
+// verifyKeyCompatibility checks if the provided key is compatible with the specified algorithm.
+func verifyKeyCompatibility(alg jwa.SignatureAlgorithm, key jwk.Key) error {
+	keyType := key.KeyType()
+
+	// Check key compatibility with algorithm
+	switch alg {
+	case jwa.RS256, jwa.RS384, jwa.RS512, jwa.PS256, jwa.PS384, jwa.PS512:
+		if keyType != "RSA" {
+			return fmt.Errorf("%s algorithm requires an RSA key, but got %s", alg, keyType)
+		}
+	case jwa.ES256, jwa.ES384, jwa.ES512:
+		if keyType != "EC" {
+			return fmt.Errorf("%s algorithm requires an EC key, but got %s", alg, keyType)
+		}
+	default:
+		return fmt.Errorf("unsupported algorithm: %s", alg)
+	}
+
+	return nil
+}

internal/cli/login.go

@@ -41,6 +41,22 @@ var (
 		AlwaysPrompt: false,
 	}
 
+	loginClientAssertionSigningKey = Flag{
+		Name:         "Client Assertion Signing Key",
+		LongForm:     "client-assertion-signing-key",
+		Help:         "Client Assertion .",
+		IsRequired:   false,
+		AlwaysPrompt: false,
+	}
+
+	loginClientAssertionSigningAlg = Flag{
+		Name:         "Client Assertion Signing Algorithm",
+		LongForm:     "client-assertion-signing-alg",
+		Help:         "Client Assertion Signing Algorithm.",
+		IsRequired:   false,
+		AlwaysPrompt: false,
+	}
+
 	loginAdditionalScopes = Flag{
 		Name:         "Additional Scopes",
 		LongForm:     "scopes",
@@ -51,10 +67,12 @@ var (
 )
 
 type LoginInputs struct {
-	Domain           string
-	ClientID         string
-	ClientSecret     string
-	AdditionalScopes []string
+	Domain                    string
+	ClientID                  string
+	ClientSecret              string
+	ClientAssertionSigningKey string
+	ClientAssertionSigningAlg string
+	AdditionalScopes          []string
 }
 
 func (i *LoginInputs) isLoggingInWithAdditionalScopes() bool {
@@ -78,7 +96,7 @@ func loginCmd(cli *cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			var selectedLoginType string
 			const loginAsUser, loginAsMachine = "As a user", "As a machine"
-			shouldLoginAsUser, shouldLoginAsMachine := false, false
+			shouldLoginAsUser, shouldLoginAsMachine, shouldLoginAsMachineWithJWT := false, false, false
 
 			/*
 				Based on the initial inputs we'd like to determine if
@@ -95,35 +113,59 @@ func loginCmd(cli *cli) *cobra.Command {
 				case inputs.Domain != "" && inputs.ClientSecret != "" && inputs.ClientID != "":
 					// If all three fields are passed, machine login flag is set to true.
 					shouldLoginAsMachine = true
-				case inputs.Domain != "" && inputs.ClientSecret == "" && inputs.ClientID == "":
+				case inputs.Domain != "" && inputs.ClientID != "" && inputs.ClientAssertionSigningAlg != "" && inputs.ClientAssertionSigningKey != "":
+					// If all four fields are passed related to client Assertion, machine login with jwt flag is set to true.
+					shouldLoginAsMachineWithJWT = true
+				case inputs.Domain != "" && inputs.ClientSecret == "" && inputs.ClientID == "" && inputs.ClientAssertionSigningAlg == "" && inputs.ClientAssertionSigningKey == "":
 					/*
 						The domain flag is common between Machine and User Login.
 						If domain is passed without client-id and client-secret,
 						it can be evaluated that it is a user login flow.
 					*/
 					shouldLoginAsUser = true
-				case inputs.Domain != "" || inputs.ClientSecret != "" || inputs.ClientID != "":
+				case inputs.Domain != "" || inputs.ClientSecret != "" || inputs.ClientID != "" || inputs.ClientAssertionSigningAlg != "" || inputs.ClientAssertionSigningKey != "":
 					/*
 						At this point, if AT LEAST one of the three flags are passed but not ALL three,
 						we return an error since it's a no-input flow and it will need all three params
 						for successful machine flow.
 						Note that we already determined it's not a user login flow in the condition above.
 					*/
-					return fmt.Errorf("flags client-id, client-secret and domain are required together")
+					return fmt.Errorf("flags client-id, client-secret and domain are required together or client-id, client-assertion-signing-alg, client-assertion-signing-key and domain are required together")
 				default:
 					/*
 						If no flags are passed along with --no-input, it is defaulted to user login flow.
 					*/
 					shouldLoginAsUser = true
 				}
 			default:
-				if inputs.ClientSecret != "" || inputs.ClientID != "" {
+				if inputs.ClientID != "" {
+					const clientSecret, clientAssertion = "Client Secret", "Client Assertion"
+					input := prompt.SelectInput("", "How would you like to authenticate?", "", []string{clientSecret, clientAssertion}, clientSecret, true)
+					if err := prompt.AskOne(input, &selectedLoginType); err != nil {
+						return handleInputError(err)
+					}
+					if selectedLoginType == clientAssertion {
+						shouldLoginAsMachineWithJWT = true
+					} else {
+						shouldLoginAsMachine = true
+					}
+				}
+
+				if inputs.ClientSecret != "" {
 					/*
 						If all three params are passed, we evaluate it as a Machine Login Flow.
 						Else required params are prompted for.
 					*/
 					shouldLoginAsMachine = true
 				}
+
+				if inputs.ClientAssertionSigningAlg != "" || inputs.ClientAssertionSigningKey != "" {
+					/*
+						If all four params are passed, we evaluate it as a Machine Login Flow.
+						Else required params are prompted for.
+					*/
+					shouldLoginAsMachineWithJWT = true
+				}
 			}
 
 			// If additional scopes are passed we mark shouldLoginAsUser flag to be true.
@@ -136,7 +178,7 @@ func loginCmd(cli *cli) *cobra.Command {
 				based on all the evaluation above, we go on to prompt the user and
 				determine if it's LoginAsUser or LoginAsMachine
 			*/
-			if !shouldLoginAsUser && !shouldLoginAsMachine {
+			if !shouldLoginAsUser && !shouldLoginAsMachine && !shouldLoginAsMachineWithJWT {
 				cli.renderer.Output(
 					fmt.Sprintf(
 						"%s\n\n%s\n%s\n\n%s\n%s\n%s\n%s\n\n",
@@ -317,6 +359,7 @@ func RunLoginAsUser(ctx context.Context, cli *cli, additionalScopes []string, do
 
 // RunLoginAsMachine facilitates the authentication process using client credentials (client ID, client secret).
 func RunLoginAsMachine(ctx context.Context, inputs LoginInputs, cli *cli, cmd *cobra.Command) error {
+	// Yet to handle the case with clientJWT Assertions
 	if err := loginTenantDomain.Ask(cmd, &inputs.Domain, nil); err != nil {
 		return err
 	}
@@ -371,3 +414,70 @@ func RunLoginAsMachine(ctx context.Context, inputs LoginInputs, cli *cli, cmd *c
 
 	return nil
 }
+
+// RunLoginAsMachineJWT facilitates the authentication process using  the client credentials
+// with Private Key JWT authentication flow. (client ID, client Assertion Signing key).
+func RunLoginAsMachineJWT(ctx context.Context, inputs LoginInputs, cli *cli, cmd *cobra.Command) error {
+	if err := loginTenantDomain.Ask(cmd, &inputs.Domain, nil); err != nil {
+		return err
+	}
+
+	if err := loginClientID.Ask(cmd, &inputs.ClientID, nil); err != nil {
+		return err
+	}
+
+	if err := loginClientAssertionSigningAlg.Ask(cmd, &inputs.ClientAssertionSigningAlg, nil); err != nil {
+		return err
+	}
+
+	if err := loginClientAssertionSigningKey.AskPassword(cmd, &inputs.ClientAssertionSigningKey); err != nil {
+		return err
+	}
+
+	domain := "https://" + inputs.Domain
+
+	token, err := auth.GetAccessTokenFromClientPrivateJWT(
+		auth.PrivateKeyJwtTokenSource{
+			Ctx:                       ctx,
+			ClientID:                  inputs.ClientID,
+			ClientAssertionSigningAlg: inputs.ClientAssertionSigningAlg,
+			Uri:                       domain,
+			Audience:                  domain + "/api/v2/",
+			ClientAssertionSigningKey: inputs.ClientAssertionSigningKey,
+		},
+	)
+
+	if err != nil {
+		return fmt.Errorf("failed to fetch access token using client credentials with Private Key. \n\nEnsure that the provided client-id, client-assertion-signing-key, client-assertion-signing-alg and domain are correct. \n\nerror: %w", err)
+	}
+
+	tenant := config.Tenant{
+		Name:      strings.Split(inputs.Domain, ".")[0],
+		Domain:    inputs.Domain,
+		ExpiresAt: token.ExpiresAt,
+		ClientID:  inputs.ClientID,
+	}
+
+	if err = keyring.StoreClientSecret(inputs.Domain, inputs.ClientSecret); err != nil {
+		cli.renderer.Warnf("Could not store the client secret and the access token to the keyring: %s", err)
+		cli.renderer.Warnf("Expect to login again when your access token expires.")
+	}
+
+	if err := keyring.StoreAccessToken(inputs.Domain, token.AccessToken); err != nil {
+		// In case we don't have a keyring, we want the
+		// access token to be saved in the config file.
+		tenant.AccessToken = token.AccessToken
+	}
+
+	if err = cli.Config.AddTenant(tenant); err != nil {
+		return fmt.Errorf("failed to save tenant data: %w", err)
+	}
+
+	cli.renderer.Newline()
+	cli.renderer.Infof("Successfully logged in.")
+	cli.renderer.Infof("Tenant: %s", inputs.Domain)
+
+	cli.tracker.TrackFirstLogin(cli.Config.InstallID)
+
+	return nil
+}