Merge a927fe7 into 6d655d3

Author: spbsoluble

CHANGELOG.md

@@ -1,3 +1,15 @@
+# v1.3.0
+
+## Features
+- Add support for fetching an oauth2 token using the `client_credentials` grant type without connecting to Keyfactor Command.
+- Add placeholders for omitted `Authorization` header in the `curl` command string output in trace logging.
+
+## Bug Fixes
+- Log `curl` command string at `trace` level after request is sent to include any transport mutations.
+
+## Chores
+- Bump Go version to `1.24`.
+
 # v1.2.0
 
 ## Features

auth_providers/auth_core.go

@@ -501,19 +501,21 @@ func (c *CommandAuthConfig) Authenticate() error {
 	}
 
 	c.HttpClient.Timeout = time.Duration(c.HttpClientTimeout) * time.Second
-	curlStr, cErr := RequestToCurl(req)
-	if cErr == nil {
+
+	cResp, cErr := c.HttpClient.Do(req)
+	curlStr, curlErr := RequestToCurl(req)
+	if curlErr == nil {
 		log.Printf("[TRACE] curl command: %s", curlStr)
 	}
 
-	cResp, cErr := c.HttpClient.Do(req)
 	if cErr != nil {
 		return cErr
 	} else if cResp == nil {
 		return fmt.Errorf("failed to authenticate, no response received from Keyfactor Command")
 	}
 
 	defer cResp.Body.Close()
+	log.Printf("[DEBUG] request to Keyfactor Command API returned status code %d", cResp.StatusCode)
 
 	// check if body is empty
 	if cResp.Body == nil {
@@ -798,19 +800,56 @@ func RequestToCurl(req *http.Request) (string, error) {
 	// Add headers
 	for name, values := range req.Header {
 		for _, value := range values {
+			// check if is Authorization header and skip it
+			if strings.EqualFold(name, "Authorization") {
+				// check if basic auth and skip it
+				if strings.HasPrefix(value, "Basic ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf(
+						"[DEBUG] Found Basic auth in Authorization header, " +
+							"replacing with env variable references",
+					)
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Basic $(echo -n $\"%s,$%s\" | base64)", name,
+								EnvKeyfactorUsername, EnvKeyfactorPassword,
+							),
+						),
+					)
+					continue
+				} else if strings.HasPrefix(value, "Bearer ") {
+					// Remove credentials and put in env variables as placeholder
+					log.Printf("[DEBUG] Found Bearer token in Authorization header, replacing with kfutil command to fetch token")
+					curlCommand.WriteString(
+						fmt.Sprintf(
+							"-H %q ", fmt.Sprintf(
+								"%s: Bearer $(kfutil auth fetch-oauth-token)", name,
+							),
+						),
+					)
+					continue
+				} else {
+					// Skip other Authorization headers
+					log.Printf("[ERROR] Skipping unhandled Authorization header: %s", name)
+					continue
+				}
+			}
 			curlCommand.WriteString(fmt.Sprintf("-H %q ", fmt.Sprintf("%s: %s", name, value)))
 		}
 	}
 
 	// Add the body if it exists
 	if req.Method == http.MethodPost || req.Method == http.MethodPut {
-		body, err := io.ReadAll(req.Body)
-		if err != nil {
-			return "", err
-		}
-		req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
+		if req.Body != nil {
+			body, err := io.ReadAll(req.Body)
+			if err != nil {
+				return "", err
+			}
+			req.Body = io.NopCloser(bytes.NewBuffer(body)) // Restore the request body
 
-		curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+			curlCommand.WriteString(fmt.Sprintf("--data %q ", string(body)))
+		}
 	}
 
 	return curlCommand.String(), nil

auth_providers/auth_core_test.go

@@ -16,6 +16,7 @@ package auth_providers_test
 
 import (
 	"net/http"
+	"strings"
 	"testing"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
@@ -102,3 +103,75 @@ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Q2+1+2+1+2+1+2+1+2+
 		t.Fatalf("expected non-zero blocks")
 	}
 }
+
+func TestRequestToCurl(t *testing.T) {
+	tests := []struct {
+		name          string
+		method        string
+		url           string
+		headers       map[string]string
+		wantInCurl    []string
+		notWantInCurl []string
+	}{
+		{
+			name:   "Basic Auth",
+			method: "GET",
+			url:    "https://example.com/api",
+			headers: map[string]string{
+				"Authorization": "Basic dXNlcjpwYXNz",
+			},
+			wantInCurl: []string{
+				"curl", "-X", "GET", "https://example.com/api",
+				"-H", "Authorization: Basic",
+			},
+			notWantInCurl: []string{
+				"Authorization: Basic dXNlcjpwYXNz",
+			},
+		},
+		{
+			name:   "Bearer Auth",
+			method: "POST",
+			url:    "https://example.com/token",
+			headers: map[string]string{
+				"Authorization": "Bearer testtoken",
+				"Content-Type":  "application/json",
+			},
+			wantInCurl: []string{
+				"curl", "-X", "POST", "https://example.com/token",
+				"-H", "Authorization: Bearer",
+				"-H", "Content-Type: application/json",
+			},
+			notWantInCurl: []string{
+				"Authorization: Bearer testtoken",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		req, err := http.NewRequest(tt.method, tt.url, nil)
+		if err != nil {
+			t.Fatalf("failed to create request: %v", err)
+		}
+		for k, v := range tt.headers {
+			req.Header.Set(k, v)
+		}
+
+		curlStr, err := auth_providers.RequestToCurl(req)
+		if err != nil {
+			t.Errorf("%s: RequestToCurl returned error: %v", tt.name, err)
+			continue
+		}
+		for _, want := range tt.wantInCurl {
+			if !strings.Contains(curlStr, want) {
+				t.Errorf("%s: curl string missing %q\nGot: %s", tt.name, want, curlStr)
+			}
+		}
+
+		for _, notWant := range tt.notWantInCurl {
+			if strings.Contains(curlStr, notWant) {
+				t.Errorf("%s: curl string contains unwanted %q\nGot: %s", tt.name, notWant, curlStr)
+			}
+		}
+		t.Logf("%s: curl command: %s", tt.name, curlStr)
+	}
+}

auth_providers/auth_oauth.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
+	"log"
 	"net/http"
 	"os"
 	"strings"
@@ -439,16 +440,80 @@ func (b *CommandConfigOauth) GetServerConfig() *Server {
 	return &server
 }
 
+// GetAccessToken returns the OAuth2 token source for the given configuration.
+func (b *CommandConfigOauth) GetAccessToken() (oauth2.TokenSource, error) {
+	if b == nil {
+		return nil, fmt.Errorf("CommandConfigOauth is nil")
+	}
+
+	b.ValidateAuthConfig()
+
+	if b.AccessToken != "" && (b.ClientID == "" || b.ClientSecret == "" || b.TokenURL == "") {
+		log.Printf("[DEBUG] Access token is explicitly set, and no client credentials are provided. Using static token source.")
+		return oauth2.StaticTokenSource(
+			&oauth2.Token{
+				AccessToken: b.AccessToken,
+				TokenType:   DefaultTokenPrefix,
+				Expiry:      b.Expiry,
+			},
+		), nil
+	}
+
+	log.Printf("[DEBUG] Getting OAuth2 token source for client ID: %s", b.ClientID)
+	if b.ClientID == "" || b.ClientSecret == "" || b.TokenURL == "" {
+		return nil, fmt.Errorf("client ID, client secret, and token URL must be provided")
+	}
+
+	config := &clientcredentials.Config{
+		ClientID:     b.ClientID,
+		ClientSecret: b.ClientSecret,
+		TokenURL:     b.TokenURL,
+		Scopes:       b.Scopes,
+	}
+
+	if b.Audience != "" {
+		log.Printf("[DEBUG] Setting audience for OAuth2 token source: %s", b.Audience)
+		config.EndpointParams = map[string][]string{
+			"audience": {b.Audience},
+		}
+	}
+
+	ctx := context.Background()
+	log.Printf("[DEBUG] Returning call config.TokenSource() for client ID: %s", b.ClientID)
+	tokenSource := config.TokenSource(ctx)
+	if tokenSource == nil {
+		return nil, fmt.Errorf("failed to create token source for client ID: %s", b.ClientID)
+	}
+	token, tErr := tokenSource.Token()
+	if tErr != nil {
+		return nil, fmt.Errorf("failed to retrieve token for client ID %s: %w", b.ClientID, tErr)
+	}
+	if token == nil || token.AccessToken == "" {
+		return nil, fmt.Errorf("received empty OAuth token for client ID: %s", b.ClientID)
+	}
+
+	return tokenSource, nil
+}
+
 // RoundTrip executes a single HTTP transaction, adding the OAuth2 token to the request
 func (t *oauth2Transport) RoundTrip(req *http.Request) (*http.Response, error) {
+	log.Printf("[DEBUG] Attempting to get oAuth token from: %s %s", req.Method, req.URL)
 	token, err := t.src.Token()
 	if err != nil {
+
 		return nil, fmt.Errorf("failed to retrieve OAuth token: %w", err)
 	}
 
+	if token == nil || token.AccessToken == "" {
+		return nil, fmt.Errorf("received empty OAuth token")
+	}
+
 	// Clone the request to avoid mutating the original
+	log.Printf("[DEBUG] Adding oAuth token to request: %s %s", req.Method, req.URL)
 	reqCopy := req.Clone(req.Context())
 	token.SetAuthHeader(reqCopy)
+	requestCurlStr, _ := RequestToCurl(reqCopy)
+	log.Printf("[TRACE] curl command: %s", requestCurlStr)
 
 	return t.base.RoundTrip(reqCopy)
 }

auth_providers/auth_oauth_test.go

@@ -26,6 +26,7 @@ import (
 	"testing"
 
 	"github.com/Keyfactor/keyfactor-auth-client-go/auth_providers"
+	"golang.org/x/oauth2"
 )
 
 func TestOAuthAuthenticator_GetHttpClient(t *testing.T) {
@@ -256,7 +257,7 @@ func TestCommandConfigOauth_Authenticate(t *testing.T) {
 	}
 	fullParamsInvalidPassConfig.WithSkipVerify(true)
 	invalidCredsExpectedError := []string{
-		"oauth2", "unauthorized_client", "Invalid client or Invalid client credentials",
+		"oauth2", "fail", "invalid", "client",
 	}
 	authOauthTest(t, "w/ full params & invalid pass", true, fullParamsInvalidPassConfig, invalidCredsExpectedError...)
 
@@ -346,6 +347,18 @@ func TestCommandConfigOauth_Authenticate(t *testing.T) {
 	authOauthTest(t, "with invalid creds implicit config file", true, invCmdHost, invHostExpectedError...)
 }
 
+func TestCommandConfigOauth_GetAccessToken(t *testing.T) {
+	clientID, clientSecret, tokenURL := exportOAuthEnvVariables()
+	t.Log("Testing auth with w/ full params variables")
+	fullParamsConfig := &auth_providers.CommandConfigOauth{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		TokenURL:     tokenURL,
+	}
+	fullParamsConfig.WithSkipVerify(true)
+	authOauthTest(t, "w/ GetAccessToken w/ full params variables", false, fullParamsConfig)
+}
+
 func TestCommandConfigOauth_Build(t *testing.T) {
 	// Skip test if TEST_KEYFACTOR_AD_AUTH is set to 1 or true
 	if os.Getenv("TEST_KEYFACTOR_AD_AUTH") == "1" || os.Getenv("TEST_KEYFACTOR_AD_AUTH") == "true" {
@@ -376,6 +389,34 @@ func authOauthTest(
 	t.Run(
 		fmt.Sprintf("oAuth Auth Test %s", testName), func(t *testing.T) {
 
+			// oauth credentials should always generate an access token
+			oauthToken, tErr := config.GetAccessToken()
+			if !allowFail {
+				if tErr != nil {
+					t.Errorf("oAuth auth test '%s' failed to get token source with %v", testName, tErr)
+					t.FailNow()
+					return
+				}
+				if oauthToken == nil {
+					t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+					t.FailNow()
+					return
+				}
+				var at *oauth2.Token
+				var tkErr error
+				at, tkErr = oauthToken.Token()
+				if tkErr != nil {
+					t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+					t.FailNow()
+				}
+				if at == nil || at.AccessToken == "" {
+					t.Errorf("oAuth auth test '%s' failed to get token source", testName)
+					t.FailNow()
+					return
+				}
+				//t.Logf("token %s", at.AccessToken)
+				t.Logf("oAuth auth test '%s' succeeded", testName)
+			}
 			err := config.Authenticate()
 			if allowFail {
 				if err == nil {

go.mod

@@ -14,30 +14,32 @@
 
 module github.com/Keyfactor/keyfactor-auth-client-go
 
-go 1.23
+go 1.24.0
+
+toolchain go1.24.3
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
-	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/oauth2 v0.25.0
+	golang.org/x/oauth2 v0.30.0
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/net v0.34.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )