feat(auth): read API key from CLI access token. fixes #562 (#563)

Eases use of CLI from GitHub actions and avoids some legacy hard-coding of API Keys

Author: justinedelson

package.json

@@ -10,7 +10,6 @@
     "@adobe/aio-lib-core-errors": "^3.0.1",
     "@adobe/aio-lib-core-logging": "^1.2.0",
     "@adobe/aio-lib-core-networking": "^2.0.0",
-    "@adobe/aio-lib-env": "^1.1.0",
     "@adobe/aio-lib-ims": "^5.0.0",
     "@oclif/command": "^1.6.1",
     "@oclif/config": "^1.15.1",
@@ -20,6 +19,7 @@
     "figures": "^3.2.0",
     "halfred": "^2.0.0",
     "inquirer": "^8.1.0",
+    "jsonwebtoken": "^8.5.1",
     "lodash": "^4.17.15",
     "moment": "^2.29.0"
   },
@@ -36,10 +36,10 @@
     "eslint-config-standard": "14.1.1",
     "eslint-plugin-import": "2.25.2",
     "eslint-plugin-jest": "23.20.0",
+    "eslint-plugin-jsdoc": "25.4.3",
     "eslint-plugin-node": "10.0.0",
     "eslint-plugin-promise": "4.3.1",
     "eslint-plugin-standard": "4.1.0",
-    "eslint-plugin-jsdoc": "25.4.3",
     "execa": "5.1.1",
     "fetch-mock": "9.11.0",
     "husky": "5.2.0",

src/ConfigurationErrors.js

@@ -57,3 +57,5 @@ E('IMS_CONTEXT_MISSING_FIELDS', 'One or more of the required fields in %s were n
 E('IMS_CONTEXT_MISSING_METASCOPE', 'The configuration %s is missing the required metascope %s.')
 E('CLI_AUTH_EXPLICIT_NO_AUTH', 'cli context explicitly enabled, but not authenticated. You must run "aio auth:login" first.')
 E('CLI_AUTH_EXPLICIT_NO_ORG', 'cli context explicitly enabled but no org id specified. Configure using either "cloudmanager_orgid" or by running "aio cloudmanager:org:select"')
+E('CLI_AUTH_CONTEXT_CANNOT_DECODE', 'The access token configured for cli authentication cannot be decoded.')
+E('CLI_AUTH_CONTEXT_NO_CLIENT_ID', 'The decoded access token configured for cli authentication does not have a client_id.')

src/cloudmanager-helpers.js

@@ -14,22 +14,17 @@ const Config = require('@adobe/aio-lib-core-config')
 const { init } = require('@adobe/aio-lib-cloudmanager')
 const { cli } = require('cli-ux')
 const { context, getToken, Ims } = require('@adobe/aio-lib-ims')
-const { getCliEnv, DEFAULT_ENV } = require('@adobe/aio-lib-env')
 const moment = require('moment')
 const _ = require('lodash')
 const { CLI } = require('@adobe/aio-lib-ims/src/context')
+const jwt = require('jsonwebtoken')
 const { defaultImsContextName: defaultContextName, exitCodes } = require('./constants')
 const { codes: validationCodes } = require('./ValidationErrors')
 const { codes: configurationCodes } = require('./ConfigurationErrors')
 
 const SERVICE_ACCOUNT = 'service_account'
 const CLI_AUTH = 'cli_auth'
 
-const CLI_API_KEYS = {
-  prod: 'aio-cli-console-auth',
-  stage: 'aio-cli-console-auth-stage',
-}
-
 const SERVICE_CODES = [
   'dma_aem_cloud',
   'dma_aem_ams',
@@ -154,11 +149,21 @@ function setCliOrgId (orgId, local) {
 async function initSdk (contextName) {
   let apiKey
   let orgId
+  let accessToken
 
   if (isCliAuthEnabled()) {
-    const imsEnv = getCliEnv() || DEFAULT_ENV
-    apiKey = CLI_API_KEYS[imsEnv]
     contextName = CLI
+    accessToken = await getToken(contextName)
+
+    // no need here to validate the token
+    const decodedToken = jwt.decode(accessToken)
+    if (!decodedToken) {
+      throw new configurationCodes.CLI_AUTH_CONTEXT_CANNOT_DECODE()
+    }
+    apiKey = decodedToken.client_id
+    if (!apiKey) {
+      throw new configurationCodes.CLI_AUTH_CONTEXT_NO_CLIENT_ID()
+    }
     orgId = getCliOrgId()
   } else {
     contextName = contextName || defaultContextName
@@ -168,10 +173,9 @@ async function initSdk (contextName) {
     }
     apiKey = contextData.data.client_id
     orgId = contextData.data.ims_org_id
+    accessToken = await getToken(contextName)
   }
 
-  const accessToken = await getToken(contextName)
-
   const baseUrl = getBaseUrl()
 
   return await init(orgId, apiKey, accessToken, baseUrl)

test/__mocks__/jsonwebtoken.js

@@ -0,0 +1,26 @@
+/*
+Copyright 2021 Adobe. All rights reserved.
+This file is licensed to you under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License. You may obtain a copy
+of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed under
+the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+OF ANY KIND, either express or implied. See the License for the specific language
+governing permissions and limitations under the License.
+*/
+
+const DEFAULT_DECODED_TOKEN = {
+  client_id: 'fake-client-id',
+}
+let decodedToken = DEFAULT_DECODED_TOKEN
+
+module.exports = {
+  decode: () => decodedToken,
+  setDecodedToken: newToken => {
+    decodedToken = newToken
+  },
+  resetDecodedToken: () => {
+    decodedToken = DEFAULT_DECODED_TOKEN
+  },
+}

test/cloudmanager-helpers.test.js

@@ -14,10 +14,12 @@ const { setCurrentOrgId, context } = require('@adobe/aio-lib-ims')
 const { setStore } = require('@adobe/aio-lib-core-config')
 const { initSdk, getOutputFormat, columnWithArray, disableCliAuth, enableCliAuth, formatDuration } = require('../src/cloudmanager-helpers')
 const { init } = require('@adobe/aio-lib-cloudmanager')
+const { setDecodedToken, resetDecodedToken } = require('jsonwebtoken')
 
 beforeEach(() => {
   disableCliAuth()
   setStore({})
+  resetDecodedToken()
 })
 
 test('initSdk - base url config -- no config', async () => {
@@ -93,18 +95,27 @@ test('initSdk - cli context', async () => {
     cloudmanager_orgid: 'something',
   })
   await initSdk()
-  await expect(init).toHaveBeenCalledWith('something', 'aio-cli-console-auth', 'fake-token', 'https://cloudmanager.adobe.io')
+  await expect(init).toHaveBeenCalledWith('something', 'fake-client-id', 'fake-token', 'https://cloudmanager.adobe.io')
 })
 
-test('initSdk - cli context stage env', async () => {
+test('initSdk - cli cannot decode token', async () => {
   enableCliAuth()
+  setDecodedToken(null)
 
   setStore({
     cloudmanager_orgid: 'something',
-    'cli.env': 'stage',
   })
-  await initSdk()
-  await expect(init).toHaveBeenCalledWith('something', 'aio-cli-console-auth-stage', 'fake-token', 'https://cloudmanager.adobe.io')
+  await expect(initSdk).rejects.toThrow('[CloudManagerCLI:CLI_AUTH_CONTEXT_CANNOT_DECODE] The access token configured for cli authentication cannot be decoded.')
+})
+
+test('initSdk - decoded token does not have client_id', async () => {
+  enableCliAuth()
+  setDecodedToken({})
+
+  setStore({
+    cloudmanager_orgid: 'something',
+  })
+  await expect(initSdk).rejects.toThrow('[CloudManagerCLI:CLI_AUTH_CONTEXT_NO_CLIENT_ID] The decoded access token configured for cli authentication does not have a client_id.')
 })
 
 test('formatDuration -- empty', async () => {