Moved commit "OAuth2 token exchange in ydb cli" from ydb repo

Author: UgnineSirdis

include/ydb-cpp-sdk/client/helpers/helpers.h

@@ -9,6 +9,7 @@ namespace NYdb {
 //! YDB_ANONYMOUS_CREDENTIALS="1" — uses anonymous access (used for test installation),
 //! YDB_METADATA_CREDENTIALS="1" — uses metadata service,
 //! YDB_ACCESS_TOKEN_CREDENTIALS=<access-token> — access token (for example, IAM-token).
+//! YDB_OAUTH2_KEY_FILE=<path-to-file> - OAuth 2.0 RFC8693 token exchange credentials parameters json file
 //! If grpcs protocol is given in endpoint (or protocol is empty), enables SSL and uses
 //! certificate from resourses and user cert from env variable "YDB_SERVICE_ACCOUNT_KEY_FILE_CREDENTIALS"
 TDriverConfig CreateFromEnvironment(const std::string& connectionString = "");

include/ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/from_file.h

@@ -0,0 +1,46 @@
+#pragma once
+
+#include <ydb-cpp-sdk/client/types/credentials/credentials.h>
+
+#include <string>
+#include <vector>
+
+namespace NYdb {
+
+// Lists supported algorithms for creation of OAuth 2.0 token exchange provider via config file
+std::vector<std::string> GetSupportedOauth2TokenExchangeJwtAlgorithms();
+
+// Creates OAuth 2.0 token exchange credentials provider factory that exchanges token using standard protocol
+// https://www.rfc-editor.org/rfc/rfc8693
+//
+// Config file must be a valid json file
+//
+// Fields of json file
+//     grant-type:           [string] Grant type option (default: see TOauth2TokenExchangeParams)
+//     res:                  [string] Resource option (optional)
+//     aud:                  [string | list of strings] Audience option for token exchange request (optional)
+//     scope:                [string | list of strings] Scope option (optional)
+//     requested-token-type: [string] Requested token type option (default: see TOauth2TokenExchangeParams)
+//     subject-credentials:  [creds_json] Subject credentials options (optional)
+//     actor-credentials:    [creds_json] Actor credentials options (optional)
+//     token-endpoint:       [string] Token endpoint. Can be overritten with tokenEndpoint param (if it is not empty)
+//
+// Fields of creds_json (JWT):
+//     type:                 [string] Token source type. Set JWT
+//     alg:                  [string] Algorithm for JWT signature. Supported algorithms can be listed with GetSupportedOauth2TokenExchangeJwtAlgorithms()
+//     private-key:          [string] (Private) key in PEM format for JWT signature
+//     kid:                  [string] Key id JWT standard claim (optional)
+//     iss:                  [string] Issuer JWT standard claim (optional)
+//     sub:                  [string] Subject JWT standard claim (optional)
+//     aud:                  [string | list of strings] Audience JWT standard claim (optional)
+//     jti:                  [string] JWT ID JWT standard claim (optional)
+//     ttl:                  [string] Token TTL (default: see TJwtTokenSourceParams)
+//
+// Fields of creds_json (FIXED):
+//     type:                 [string] Token source type. Set FIXED
+//     token:                [string] Token value
+//     token-type:           [string] Token type value. It will become subject_token_type/actor_token_type parameter in token exchange request (https://www.rfc-editor.org/rfc/rfc8693)
+//
+std::shared_ptr<ICredentialsProviderFactory> CreateOauth2TokenExchangeFileCredentialsProviderFactory(const std::string& configFilePath, const std::string& tokenEndpoint = {});
+
+} // namespace NYdb

src/client/helpers/CMakeLists.txt

@@ -1,14 +1,17 @@
 _ydb_sdk_add_library(client-helpers)
 
-target_link_libraries(client-helpers PUBLIC
-  yutil
-  client-iam-common
-  client-ydb_types-credentials
-  yql-public-issue-protos
+target_link_libraries(client-helpers
+  PUBLIC
+    yutil
+    client-ydb_types-credentials-oauth2
+    client-iam-common
+    client-ydb_types-credentials
+    yql-public-issue-protos
 )
 
-target_sources(client-helpers PRIVATE
-  helpers.cpp
+target_sources(client-helpers
+  PRIVATE
+    helpers.cpp
 )
 
 _ydb_sdk_make_client_component(Helpers client-helpers)

src/client/helpers/helpers.cpp

@@ -2,8 +2,11 @@
 
 #include <ydb-cpp-sdk/client/iam/common/iam.h>
 #include <ydb-cpp-sdk/client/resources/ydb_ca.h>
+#include <ydb-cpp-sdk/client/types/credentials/oauth2_token_exchange/from_file.h>
+
 #include <src/client/impl/ydb_internal/common/parser.h>
 #include <src/client/impl/ydb_internal/common/getenv.h>
+
 #include <util/stream/file.h>
 
 namespace NYdb {
@@ -37,7 +40,7 @@ TDriverConfig CreateFromEnvironment(const std::string& connectionString) {
     }
 
     bool useMetadataCredentials = GetStrFromEnv("YDB_METADATA_CREDENTIALS", "0") == "1";
-    if (useMetadataCredentials){
+    if (useMetadataCredentials) {
         auto factory = CreateIamCredentialsProviderFactory();
         try {
             factory->CreateProvider();
@@ -49,11 +52,18 @@ TDriverConfig CreateFromEnvironment(const std::string& connectionString) {
     }
 
     std::string accessToken = GetStrFromEnv("YDB_ACCESS_TOKEN_CREDENTIALS", "");
-    if (accessToken != ""){
+    if (accessToken != "") {
         driverConfig.SetAuthToken(accessToken);
         return driverConfig;
     }
 
+    std::string oauth2KeyFile = GetStrFromEnv("YDB_OAUTH2_KEY_FILE", "");
+    if (!saKeyFile.empty()) {
+        driverConfig.SetCredentialsProviderFactory(
+            CreateOauth2TokenExchangeFileCredentialsProviderFactory(oauth2KeyFile));
+        return driverConfig;
+    }
+
     ythrow yexception() << "Unable to create driver config from environment";
 }
 
@@ -65,4 +75,3 @@ TDriverConfig CreateFromSaKeyFile(const std::string& saKeyFile, const std::strin
 }
 
 } // namespace NYdb
-

src/client/types/credentials/oauth2_token_exchange/CMakeLists.txt

@@ -1,25 +1,29 @@
 _ydb_sdk_add_library(client-ydb_types-credentials-oauth2)
 
-target_link_libraries(client-ydb_types-credentials-oauth2 PUBLIC
-  yutil
-  jwt-cpp::jwt-cpp
-  cgiparam
-  http-misc
-  http-simple
-  json
-  retry
-  uri
-  client-ydb_types-credentials
-  client-ydb_types
+target_link_libraries(client-ydb_types-credentials-oauth2
+  PUBLIC
+    yutil
+    jwt-cpp::jwt-cpp
+    cgiparam
+    http-misc
+    http-simple
+    json
+    retry
+    uri
+    client-ydb_types-credentials
+    client-ydb_types
 )
 
-target_compile_definitions(client-ydb_types-credentials-oauth2 PUBLIC
-  YDB_SDK_USE_NEW_JWT
+target_compile_definitions(client-ydb_types-credentials-oauth2
+  PUBLIC
+    YDB_SDK_USE_NEW_JWT
 )
 
-target_sources(client-ydb_types-credentials-oauth2 PRIVATE
-  credentials.cpp
-  jwt_token_source.cpp
+target_sources(client-ydb_types-credentials-oauth2
+  PRIVATE
+    credentials.cpp
+    from_file.cpp
+    jwt_token_source.cpp
 )
 
 _ydb_sdk_install_targets(TARGETS client-ydb_types-credentials-oauth2)

src/client/types/credentials/oauth2_token_exchange/credentials.cpp

@@ -141,13 +141,16 @@ struct TPrivateOauth2TokenExchangeParams: public TOauth2TokenExchangeParams {
 
 private:
     void ParseTokenEndpoint() {
+        if (TokenEndpoint_.empty()) {
+            throw std::invalid_argument(INV_ARG "token endpoint not set");
+        }
         NUri::TUri url;
         NUri::TUri::TState::EParsed parseStatus = url.Parse(TokenEndpoint_, NUri::TFeature::FeaturesAll);
         if (parseStatus != NUri::TUri::TState::EParsed::ParsedOK) {
             throw std::invalid_argument(INV_ARG "failed to parse url");
         }
         if (url.IsNull(NUri::TUri::FieldScheme)) {
-            throw std::invalid_argument(INV_ARG "token url without scheme");
+            throw std::invalid_argument(TStringBuilder() << INV_ARG "token url without scheme: " << TokenEndpoint_);
         }
         TokenHost_ = TStringBuilder() << url.GetField(NUri::TUri::FieldScheme) << "://" << url.GetHost();