feat: Moving configuration and auth logic (#37)

This is being moved from cloudquery/cli to allow it to be shared by both the `plugin-sdk` and `cloudquery/cli` components.

This may not be the best place for this code in the long run, but for now we want to share the code between `cloudquery/cli` and `plugin-sdk` without having `cloudquery/cli` introduce a dependency on the `plugin-sdk`.

This PR also modifies the token issuing logic, to only refresh the ID token if the existing token is close to expiry. This is to minimise the API calls needed during the sync upsert process.

Author: mnorbury

.github/workflows/lint_golang.yml

@@ -0,0 +1,23 @@
+name: Lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  golangci:
+    name: Lint with GolangCI
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.54.2

.github/workflows/unittest.yml

@@ -0,0 +1,28 @@
+name: "Unit tests"
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  unitests:
+    timeout-minutes: 30
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+      - run: go mod download
+      - run: go build ./...
+      - name: Run tests
+        run: make test

.gitignore

@@ -19,3 +19,6 @@
 
 # Go workspace file
 go.work
+
+# Intellij IDE file
+.idea

Makefile

@@ -0,0 +1,8 @@
+.PHONY: test
+test:
+	go test -tags=assert -race ./...
+
+.PHONY: lint
+lint:
+	golangci-lint run
+

auth/token.go

@@ -0,0 +1,176 @@
+package auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/adrg/xdg"
+)
+
+const (
+	FirebaseAPIKey         = "AIzaSyCxsrwjABEF-dWLzUqmwiL-ct02cnG9GCs"
+	TokenBaseURL           = "https://securetoken.googleapis.com"
+	EnvVarCloudQueryAPIKey = "CLOUDQUERY_API_KEY"
+	ExpiryBuffer           = 60 * time.Second
+)
+
+type tokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	ExpiresIn    string `json:"expires_in"`
+	TokenType    string `json:"token_type"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	UserID       string `json:"user_id"`
+	ProjectID    string `json:"project_id"`
+}
+
+type TokenClient struct {
+	url       string
+	apiKey    string
+	idToken   string
+	expiresAt time.Time
+}
+
+func NewTokenClient() *TokenClient {
+	return &TokenClient{
+		url:    TokenBaseURL,
+		apiKey: FirebaseAPIKey,
+	}
+}
+
+// GetToken returns the ID token
+// If CLOUDQUERY_API_KEY is set, it returns that value, otherwise it returns an ID token generated from the refresh token.
+func (tc *TokenClient) GetToken() (string, error) {
+	if token := os.Getenv(EnvVarCloudQueryAPIKey); token != "" {
+		return token, nil
+	}
+
+	// If the token is not expired, return it
+	if !tc.expiresAt.IsZero() && tc.expiresAt.Sub(time.Now().UTC()) > ExpiryBuffer {
+		return tc.idToken, nil
+	}
+
+	refreshToken, err := ReadRefreshToken()
+	if err != nil {
+		return "", fmt.Errorf("failed to read refresh token: %w. Hint: You may need to run `cloudquery login` or set %s", err, EnvVarCloudQueryAPIKey)
+	}
+	if refreshToken == "" {
+		return "", fmt.Errorf("authentication token not found. Hint: You may need to run `cloudquery login` or set %s", EnvVarCloudQueryAPIKey)
+	}
+	tokenResponse, err := tc.generateToken(refreshToken)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign in with custom token: %w", err)
+	}
+
+	if err := SaveRefreshToken(tokenResponse.RefreshToken); err != nil {
+		return "", fmt.Errorf("failed to save refresh token: %w", err)
+	}
+
+	if err := tc.updateIDToken(tokenResponse); err != nil {
+		return "", fmt.Errorf("failed to update ID token: %w", err)
+	}
+
+	return tc.idToken, nil
+}
+
+func (tc *TokenClient) generateToken(refreshToken string) (*tokenResponse, error) {
+	data := url.Values{}
+	data.Set("grant_type", "refresh_token")
+	data.Set("refresh_token", refreshToken)
+
+	resp, err := http.PostForm(fmt.Sprintf("%s/v1/token?key=%s", tc.url, tc.apiKey), data)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		body, readErr := io.ReadAll(resp.Body)
+		if readErr != nil {
+			return nil, fmt.Errorf("failed to read response body: %w", readErr)
+		}
+		return nil, fmt.Errorf("failed to refresh token: %s: %s", resp.Status, body)
+	}
+
+	var tr tokenResponse
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if err := parseToken(body, &tr); err != nil {
+		return nil, err
+	}
+
+	return &tr, nil
+}
+
+func (tc *TokenClient) updateIDToken(tr *tokenResponse) error {
+	// Convert string duration in seconds to time.Duration
+	duration, err := time.ParseDuration(tr.ExpiresIn + "s")
+	if err != nil {
+		return err
+	}
+
+	tc.expiresAt = time.Now().UTC().Add(duration)
+	tc.idToken = tr.IDToken
+	return nil
+}
+
+func parseToken(response []byte, tr *tokenResponse) error {
+	err := json.Unmarshal(response, tr)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// SaveRefreshToken saves the refresh token to the token file
+func SaveRefreshToken(refreshToken string) error {
+	tokenFilePath, err := xdg.DataFile("cloudquery/token")
+	if err != nil {
+		return fmt.Errorf("failed to get token file path: %w", err)
+	}
+	tokenFile, err := os.OpenFile(tokenFilePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		return fmt.Errorf("failed to open token file %q for writing: %w", tokenFilePath, err)
+	}
+	defer func() {
+		if closeErr := tokenFile.Close(); closeErr != nil {
+			fmt.Printf("error closing token file: %v", closeErr)
+		}
+	}()
+	if _, err = tokenFile.WriteString(refreshToken); err != nil {
+		return fmt.Errorf("failed to write token to %q: %w", tokenFilePath, err)
+	}
+	return nil
+}
+
+// ReadRefreshToken reads the refresh token from the token file
+func ReadRefreshToken() (string, error) {
+	tokenFilePath, err := xdg.DataFile("cloudquery/token")
+	if err != nil {
+		return "", fmt.Errorf("failed to get token file path: %w", err)
+	}
+	b, err := os.ReadFile(tokenFilePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read token file: %w", err)
+	}
+	return strings.TrimSpace(string(b)), nil
+}
+
+// RemoveRefreshToken removes the token file
+func RemoveRefreshToken() error {
+	tokenFilePath, err := xdg.DataFile("cloudquery/token")
+	if err != nil {
+		return fmt.Errorf("failed to get token file path: %w", err)
+	}
+	if err := os.RemoveAll(tokenFilePath); err != nil {
+		return fmt.Errorf("failed to remove token file %q: %w", tokenFilePath, err)
+	}
+	return nil
+}

auth/token_test.go

@@ -0,0 +1,144 @@
+package auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/stretchr/testify/require"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+	"time"
+)
+
+func TestRefreshToken_RoundTrip(t *testing.T) {
+	token := "my_token"
+
+	err := SaveRefreshToken(token)
+	require.NoError(t, err)
+
+	readToken, err := ReadRefreshToken()
+	require.NoError(t, err)
+
+	require.Equal(t, token, readToken)
+}
+
+func TestRefreshToken_Removal(t *testing.T) {
+	token := "my_token"
+
+	err := SaveRefreshToken(token)
+	require.NoError(t, err)
+
+	_, err = ReadRefreshToken()
+	require.NoError(t, err)
+
+	err = RemoveRefreshToken()
+	require.NoError(t, err)
+
+	_, err = ReadRefreshToken()
+	require.Error(t, err)
+}
+
+func TestTokenClient_EnvironmentVariable(t *testing.T) {
+	reset := overrideEnvironmentVariable(t, EnvVarCloudQueryAPIKey, "my_token")
+	defer reset()
+
+	token, err := NewTokenClient().GetToken()
+	require.NoError(t, err)
+
+	require.Equal(t, "my_token", token)
+}
+
+func TestTokenClient_GetToken_ShortExpiry(t *testing.T) {
+	server, closer := fakeAuthServer(t, "0")
+	defer closer()
+
+	err := SaveRefreshToken("my_refresh_token")
+	require.NoError(t, err)
+
+	t0 := time.Now().UTC()
+
+	tc := TokenClient{
+		url:       server.URL,
+		apiKey:    "my-api-key",
+		expiresAt: t0,
+	}
+
+	token, err := tc.GetToken()
+	require.NoError(t, err)
+	require.Equal(t, "my_id_token_0", token, "first token")
+
+	tc.expiresAt = t0
+
+	token, err = tc.GetToken()
+	require.NoError(t, err)
+	require.Equal(t, "my_id_token_1", token, "expected to issue new token")
+}
+
+func TestTokenClient_GetToken_LongExpiry(t *testing.T) {
+	server, closer := fakeAuthServer(t, "3600")
+	defer closer()
+
+	err := SaveRefreshToken("my_refresh_token")
+	require.NoError(t, err)
+
+	tc := TokenClient{
+		url:    server.URL,
+		apiKey: "my-api-key",
+	}
+
+	token, err := tc.GetToken()
+	require.NoError(t, err)
+	require.Equal(t, "my_id_token_0", token, "first token")
+
+	token, err = tc.GetToken()
+	require.NoError(t, err)
+	require.Equal(t, "my_id_token_0", token, "expected to reuse token")
+}
+
+func overrideEnvironmentVariable(t *testing.T, key, value string) func() {
+	originalValue := os.Getenv(key)
+	resetFn := func() {
+		err := os.Setenv(key, originalValue)
+		require.NoError(t, err)
+	}
+
+	err := os.Setenv(key, value)
+	require.NoError(t, err)
+
+	return resetFn
+}
+
+func fakeAuthServer(t *testing.T, expiresIn string) (*httptest.Server, func()) {
+	tokenCount := 0
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, http.MethodPost, r.Method)
+		require.Equal(t, "/v1/token?key=my-api-key", r.URL.String())
+
+		err := r.ParseForm()
+		require.NoError(t, err)
+
+		require.Equal(t, "my_refresh_token", r.Form.Get("refresh_token"))
+		require.Equal(t, "refresh_token", r.Form.Get("grant_type"))
+
+		w.Header().Set("Content-Type", "application/json")
+		response := tokenResponse{
+			AccessToken:  "my_access_token",
+			ExpiresIn:    expiresIn,
+			TokenType:    "Bearer",
+			RefreshToken: "my_refresh_token",
+			IDToken:      fmt.Sprintf("my_id_token_%d", tokenCount),
+			UserID:       "abcd-1234",
+			ProjectID:    "project-1",
+		}
+		err = json.NewEncoder(w).Encode(response)
+		require.NoError(t, err)
+
+		tokenCount++
+	}))
+
+	return server, func() {
+		server.Close()
+	}
+}