cache refresh-token for future usage

  This avoid going thru the browser workflow again and again.

  Note: the refresh token is stored in 'git-credential-store', which
  is not encrypted but it is available with all git standard install.
  We might want to change that in the future.

Author: stang

internal/git/git.go

@@ -2,9 +2,11 @@ package git
 
 import (
 	"bytes"
+	"fmt"
 	_url "net/url"
 	"os"
 	"os/exec"
+	"regexp"
 	"strings"
 	"syscall"
 
@@ -50,3 +52,42 @@ func PassThruRemoteHTTPSHelper(remote, url string) {
 		log.Fatal().Msgf("passThruRemoteHTTPSHelper - %s", err.Error())
 	}
 }
+
+func StoreCredentials(protocol, host, username, password string) error {
+	var stdin bytes.Buffer
+
+	cmd := exec.Command(GitBinary, "credential-store", "store")
+	// see: https://git-scm.com/docs/git-credential
+	params := fmt.Sprintf("protocol=%s\nhost=%s\nusername=%s\npassword=%s\n", protocol, host, username, password)
+	if _, err := stdin.Write([]byte(params)); err != nil {
+		return err
+	}
+	cmd.Stdin = &stdin
+	res := cmd.Run()
+	if res == nil {
+		log.Debug().Msgf("StoreCredentials - credentials saved for protocol=%s,host=%s,username=%s", protocol, host, username)
+	}
+	return res
+}
+
+func GetCredentials(protocol, host, username string) (string, error) {
+	var stdin, stdout bytes.Buffer
+
+	cmd := exec.Command(GitBinary, "credential-store", "get")
+	// see: https://git-scm.com/docs/git-credential
+	params := fmt.Sprintf("protocol=%s\nhost=%s\nusername=%s\n", protocol, host, username)
+	stdin.Write([]byte(params))
+	cmd.Stdin = &stdin
+	cmd.Stdout = &stdout
+	if err := cmd.Run(); err != nil {
+		return "", err
+	}
+
+	match := regexp.MustCompile("password=(.*)").FindStringSubmatch(string(stdout.Bytes()))
+	if match != nil {
+		log.Debug().Msgf("GetCredentials - found credentials for protocol=%s,host=%s,username=%s", protocol, host, username)
+		return match[1], nil
+	}
+
+	return "", fmt.Errorf("GetCredentials - not found for protocol=%s,host=%s,username=%s", protocol, host, username)
+}

internal/iap/token.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/adohkan/git-remote-https-iap/internal/git"
 	"github.com/int128/oauth2cli"
 	"github.com/pkg/browser"
 	"github.com/rs/zerolog/log"
@@ -15,6 +16,11 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
+const (
+	CacheProtocol = "iap"
+	CacheUsername = "refresh-token"
+)
+
 type Token struct {
 	AccessToken string `json:"access_token"`
 	ExpiresIn   int    `json:"expires_in"`
@@ -81,13 +87,29 @@ func getRefreshTokenFromBrowserFlow(domain, helperID, helperSecret string) (stri
 	return token.RefreshToken, nil
 }
 
+func cacheRefreshToken(key, token string) error {
+	return git.StoreCredentials(CacheProtocol, key, CacheUsername, token)
+}
+
+func getRefreshTokenFromCache(key string) (string, error) {
+	return git.GetCredentials(CacheProtocol, key, CacheUsername)
+}
+
 // GetIAPAuthToken returns a raw IAP auth token for the given args
 func GetIAPAuthToken(domain, helperID, helperSecret, IAPclientID string) (string, error) {
 	var result Token
 
-	refreshToken, err := getRefreshTokenFromBrowserFlow(domain, helperID, helperSecret)
+	refreshToken, err := getRefreshTokenFromCache(domain)
 	if err != nil {
-		return "", err
+		log.Debug().Msgf("no cached refresh token for %s: %s", domain, err.Error())
+
+		refreshToken, err = getRefreshTokenFromBrowserFlow(domain, helperID, helperSecret)
+		if err != nil {
+			return "", err
+		}
+		if err := cacheRefreshToken(domain, refreshToken); err != nil {
+			log.Warn().Msgf("could not cache refresh token for %s: %s", domain, err.Error())
+		}
 	}
 
 	// exchange our refreshToken for an id_token that we can use as GCP_IAAP_AUTH_TOKEN