feat: Started implementing OIDC in vickyctl

Author: johannwagner

Cargo.lock

@@ -15,3 +15,7 @@ which = "6.0.1"
 ratatui = { version = "0.26.3", features = ["serde"] }
 ratatui-widgets = "0.1.6"
 crossterm = "0.27.0"
+openidconnect = "3.5.0"
+anyhow = "1.0.86"
+dirs = "5.0.1"
+figment = { version = "0.10.19", features = ["json", "env"] }

vickyctl/Cargo.toml

@@ -0,0 +1,89 @@
+use openidconnect::{ErrorResponse, ClientId, IssuerUrl, core::{CoreProviderMetadata, CoreClient, CoreDeviceAuthorizationResponse, CoreAuthDisplay, CoreClientAuthMethod, CoreClaimName, CoreClaimType, CoreGrantType, CoreJweContentEncryptionAlgorithm, CoreJweKeyManagementAlgorithm, CoreJsonWebKey, CoreResponseMode, CoreResponseType, CoreSubjectIdentifierType, CoreJwsSigningAlgorithm, CoreJsonWebKeyType, CoreJsonWebKeyUse}, Scope, reqwest::{http_client}, AdditionalProviderMetadata, ProviderMetadata, DeviceAuthorizationUrl, AuthType, OAuth2TokenResponse};
+use serde::{Deserialize, Serialize};
+
+use crate::{cli::AppContext, error::Error, FileConfig, AuthState};
+
+
+// Taken from https://github.com/ramosbugs/openidconnect-rs/blob/support/3.x/examples/okta_device_grant.rs
+#[derive(Clone, Debug, Deserialize, Serialize)]
+struct DeviceEndpointProviderMetadata {
+    device_authorization_endpoint: DeviceAuthorizationUrl,
+}
+impl AdditionalProviderMetadata for DeviceEndpointProviderMetadata {}
+type DeviceProviderMetadata = ProviderMetadata<
+    DeviceEndpointProviderMetadata,
+    CoreAuthDisplay,
+    CoreClientAuthMethod,
+    CoreClaimName,
+    CoreClaimType,
+    CoreGrantType,
+    CoreJweContentEncryptionAlgorithm,
+    CoreJweKeyManagementAlgorithm,
+    CoreJwsSigningAlgorithm,
+    CoreJsonWebKeyType,
+    CoreJsonWebKeyUse,
+    CoreJsonWebKey,
+    CoreResponseMode,
+    CoreResponseType,
+    CoreSubjectIdentifierType,
+>;
+
+
+pub fn show(auth_state: &AuthState) -> Result<(), anyhow::Error> {
+    print!("{:?}", auth_state.clone());
+    Ok(())
+}
+
+pub fn login(ctx: &AppContext, vicky_url_str: String, issuer_url_str: String, client_id_str: String) -> Result<(), anyhow::Error> {
+
+    let client_id = ClientId::new(client_id_str.clone().to_string());
+    let issuer_url = IssuerUrl::new(issuer_url_str.clone().to_string())?;
+
+
+    let provider_metadata = DeviceProviderMetadata::discover(&issuer_url, http_client)?;
+
+    let device_authorization_endpoint = provider_metadata
+        .additional_metadata()
+        .device_authorization_endpoint
+        .clone();
+
+    let client = CoreClient::from_provider_metadata(
+        provider_metadata,
+        client_id,
+        None,
+    )
+        .set_device_authorization_uri(device_authorization_endpoint)
+        .set_auth_type(AuthType::RequestBody);
+
+    let details: CoreDeviceAuthorizationResponse = client
+        .exchange_device_code()?
+        .add_scope(Scope::new("profile".to_string()))
+        .request(http_client)?;
+
+
+    println!("Fetching device code...");
+    dbg!(&details);
+
+    // Display the URL and user-code.
+    println!(
+        "Open this URL in your browser:\n{}\nand enter the code: {}",
+        details.verification_uri_complete().unwrap().secret(),
+        details.user_code().secret()
+    );
+
+    // Now poll for the token
+    let token = client
+        .exchange_device_access_token(&details)
+        .request(http_client, std::thread::sleep, None)?;
+
+    let account_cfg = FileConfig {
+        vicky_url: vicky_url_str,
+        client_id: client_id_str,
+        issuer_url: issuer_url_str,
+        refresh_token: token.refresh_token().unwrap().secret().to_string(),
+    };
+    account_cfg.save()?;
+
+    Ok(())
+}
+

vickyctl/src/account.rs

@@ -4,12 +4,6 @@ use uuid::Uuid;
 // TODO: Add abouts to arguments
 #[derive(Parser, Debug, Clone)]
 pub struct AppContext {
-    #[clap(env)]
-    pub vicky_url: String,
-
-    #[clap(env)]
-    pub vicky_token: String,
-
     #[clap(long)]
     pub humanize: bool,
 }
@@ -38,6 +32,13 @@ pub enum TaskCommands {
     Finish { id: Uuid, status: String },
 }
 
+
+#[derive(Subcommand, Debug)]
+pub enum AccountCommands {
+    Show,
+    Login {vicky_url: String, issuer_url: String, client_id: String},
+}
+
 #[derive(Args, Debug)]
 #[command(version, about = "Manage tasks on the vicky delegation server", long_about = None)]
 pub struct TaskArgs {
@@ -55,6 +56,16 @@ pub struct TasksArgs {
     pub ctx: AppContext,
 }
 
+#[derive(Args, Debug)]
+#[command(version, about = "Show all accounts", long_about = None)]
+pub struct AccountArgs {
+    #[command(subcommand)]
+    pub commands: AccountCommands,
+
+    #[command(flatten)]
+    pub ctx: AppContext,
+}
+
 #[derive(Args, Debug)]
 #[command(version, about = "Show all poisoned locks vicky is managing", long_about = None)]
 pub struct LocksArgs {
@@ -80,6 +91,7 @@ pub struct ResolveArgs {
 #[derive(Parser, Debug)]
 #[command(version, about, long_about = None)]
 pub enum Cli {
+    Account(AccountArgs),
     Task(TaskArgs),
     Tasks(TasksArgs),
     Locks(LocksArgs),

vickyctl/src/cli.rs

@@ -9,8 +9,10 @@ pub enum Error {
     ReqwestDetailed(reqwest::Error, String),
     Io(std::io::Error),
     Json(serde_json::Error),
+    Unauthenticated(),
     #[allow(dead_code)]
     Custom(&'static str),
+    Anyhow(anyhow::Error),
 }
 
 impl From<reqwest::Error> for Error {
@@ -37,6 +39,12 @@ impl From<serde_json::Error> for Error {
     }
 }
 
+impl From<anyhow::Error> for Error {
+    fn from(e: anyhow::Error) -> Self {
+        Error::Anyhow(e)
+    }
+}
+
 impl Display for Error {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         match self {
@@ -55,6 +63,8 @@ impl Display for Error {
             Error::Io(e) => write!(f, "Filesystem Error: {}", e),
             Error::Json(e) => write!(f, "Parser Error: {}", e),
             Error::Custom(ref str) => write!(f, "Custom Error: {}", str),
+            Error::Anyhow(ref str) => write!(f, "Unknown Error: {}", str),
+            Error::Unauthenticated() => write!(f, "Unauthenticated"),
             Error::ReqwestDetailed(e, ref detail) => {
                 write!(f, "{}", format_http_msg(e.status(), detail))
             }

vickyctl/src/error.rs

@@ -1,18 +1,34 @@
+use crate::AuthState;
 use crate::error::Error;
 use reqwest::blocking::Client;
 use reqwest::header::{HeaderMap, AUTHORIZATION};
 use reqwest::StatusCode;
 use yansi::Paint;
-use crate::cli::AppContext;
 
-pub fn prepare_client(ctx: &AppContext) -> Result<Client, Error> {
+pub fn prepare_client(auth_state: &AuthState) -> Result<(Client, String), Error> {
+
+    let base_url: String;
+    let auth_token: String = "".to_owned();
+
+    match auth_state {
+        AuthState::EnvironmentAuthenticated(envConfig) => {
+            base_url = envConfig.url.clone();
+        },
+        AuthState::FileAuthenticated(fileCfg) => {
+            base_url = fileCfg.vicky_url.clone();
+        },
+        AuthState::Unauthenticated => {
+            return Err(Error::Unauthenticated())
+        },
+    }
+
     let mut default_headers = HeaderMap::new();
-    default_headers.insert(AUTHORIZATION, ctx.vicky_token.parse().unwrap());
+    default_headers.insert(AUTHORIZATION, auth_token.parse().unwrap());
     let client = Client::builder()
         .default_headers(default_headers)
         .user_agent(format!("vickyctl/{}", env!("CARGO_PKG_VERSION")))
         .build()?;
-    Ok(client)
+    Ok((client, base_url))
 }
 
 pub fn print_http(status: Option<StatusCode>, msg: &str) {

vickyctl/src/http_client.rs

@@ -1,4 +1,6 @@
-use crate::cli::AppContext;
+use reqwest::blocking::Client;
+
+use crate::AuthState;
 use crate::error::Error;
 use crate::http_client::prepare_client;
 use crate::locks::types::{LockType, PoisonedLock};
@@ -14,15 +16,15 @@ pub fn get_locks_endpoint(lock_type: LockType, detailed: bool) -> &'static str {
 }
 
 pub fn fetch_locks_raw(
-    ctx: &AppContext,
+    client: &Client, 
+    vicky_url: String,
     lock_type: LockType,
     detailed: bool,
 ) -> Result<String, Error> {
-    let client = prepare_client(ctx)?;
     let request = client
         .get(format!(
             "{}/{}",
-            ctx.vicky_url,
+            vicky_url,
             get_locks_endpoint(lock_type, detailed)
         ))
         .build()?;
@@ -32,18 +34,17 @@ pub fn fetch_locks_raw(
     Ok(locks)
 }
 
-pub fn fetch_detailed_poisoned_locks(ctx: &AppContext) -> Result<Vec<PoisonedLock>, Error> {
-    let raw_locks = fetch_locks_raw(ctx, LockType::Poisoned, true)?;
+pub fn fetch_detailed_poisoned_locks(client: &Client, vicky_url: String) -> Result<Vec<PoisonedLock>, Error> {
+    let raw_locks = fetch_locks_raw(client, vicky_url, LockType::Poisoned, true)?;
     let locks: Vec<PoisonedLock> = serde_json::from_str(&raw_locks)?;
     Ok(locks)
 }
 
-pub fn unlock_lock(ctx: &AppContext, lock_to_clear: &PoisonedLock) -> Result<(), Error> {
-    let client = prepare_client(ctx)?;
+pub fn unlock_lock(client: &Client, vicky_url: String, lock_to_clear: &PoisonedLock) -> Result<(), Error> {
     let request = client
         .patch(format!(
             "{}/api/v1/locks/unlock/{}",
-            ctx.vicky_url,
+            vicky_url,
             lock_to_clear.id()
         ))
         .build()?;