Merge pull request #137 from datum-cloud/feat/machine-account-login

feat: add machine account login via credentials file

Author: scotwells

flake.nix

@@ -41,7 +41,7 @@
             # Hash of Go module dependencies.
             # Update this after changing go.mod/go.sum:
             #   task nix-update-hash
-            vendorHash = "sha256-e8StaOrjkhc3VGyoCndfenrM4onTk2/QvmylKvR2+bs=";
+            vendorHash = "sha256-JMIKdKmT9g4isKgg4/CFmTil7T4FUlpC0p5Wqiunc9Q=";
 
             ldflags = [
               "-s"

go.mod

@@ -6,6 +6,8 @@ toolchain go1.26.2
 
 require (
 	github.com/coreos/go-oidc/v3 v3.18.0
+	github.com/go-jose/go-jose/v4 v4.1.4
+	github.com/google/uuid v1.6.0
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
 	github.com/rodaine/table v1.3.1
 	github.com/spf13/cobra v1.10.2
@@ -25,7 +27,6 @@ require (
 )
 
 require (
-	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -42,7 +43,6 @@ require (
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
 	github.com/go-openapi/jsonreference v0.21.4 // indirect
@@ -62,7 +62,6 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.7.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

go.sum

@@ -1,5 +1,3 @@
-al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
-al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
@@ -18,16 +16,12 @@ github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnT
 github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
 github.com/clipperhouse/uax29/v2 v2.2.0 h1:ChwIKnQN3kcZteTXMgb1wztSgaU+ZemkgWdohwgs8tY=
 github.com/clipperhouse/uax29/v2 v2.2.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
-github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
-github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
 github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
 github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
-github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/danieljoos/wincred v1.2.3 h1:v7dZC2x32Ut3nEfRH+vhoZGvN72+dQ/snVXo/vMFLdQ=
 github.com/danieljoos/wincred v1.2.3/go.mod h1:6qqX0WNrS4RzPZ1tnroDzq9kY3fu1KwE7MRLQK4X0bs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -90,8 +84,6 @@ github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6
 github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
-github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
@@ -103,8 +95,6 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
 github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
-github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
-github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -195,8 +185,6 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
-github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
-github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 github.com/zalando/go-keyring v0.2.8 h1:6sD/Ucpl7jNq10rM2pgqTs0sZ9V3qMrqfIIy5YPccHs=
 github.com/zalando/go-keyring v0.2.8/go.mod h1:tsMo+VpRq5NGyKfxoBVjCuMrG47yj8cmakZDO5QGii0=
 go.miloapis.com/activity v0.3.1 h1:Yq8pdfphiAqr3DqZNQ0a50SadHrbdZyqng/HEwHe4WI=

internal/authutil/credentials.go

@@ -30,6 +30,17 @@ var ErrNoActiveUser = customerrors.NewUserErrorWithHint(
 	"Please login first using: `datumctl auth login`",
 )
 
+// MachineAccountState holds fields needed to re-mint a JWT when the access token expires.
+// Only populated when CredentialType == "machine_account".
+type MachineAccountState struct {
+	ClientEmail  string `json:"client_email"`
+	ClientID     string `json:"client_id"`
+	PrivateKeyID string `json:"private_key_id"`
+	PrivateKey   string `json:"private_key"`
+	TokenURI     string `json:"token_uri"`
+	Scope        string `json:"scope,omitempty"`
+}
+
 // StoredCredentials holds all necessary information for a single authenticated session.
 type StoredCredentials struct {
 	Hostname         string        `json:"hostname"`           // The auth server hostname used (e.g., auth.datum.net)
@@ -42,6 +53,11 @@ type StoredCredentials struct {
 	UserName         string        `json:"user_name"`          // User's Name (e.g., from 'name' claim)
 	UserEmail        string        `json:"user_email"`         // User's Email (e.g., from 'email' claim)
 	Subject          string        `json:"subject"`            // User's Subject ID (sub claim from JWT)
+	// CredentialType distinguishes how stored credentials should be refreshed.
+	// "" or "interactive" → standard oauth2 refresh token path.
+	// "machine_account"  → re-mint JWT and re-exchange on expiry.
+	CredentialType string               `json:"credential_type,omitempty"`
+	MachineAccount *MachineAccountState `json:"machine_account,omitempty"`
 }
 
 // GetActiveCredentials retrieves the StoredCredentials for the currently active user.
@@ -152,6 +168,17 @@ func GetTokenSource(ctx context.Context) (oauth2.TokenSource, error) {
 		return nil, err
 	}
 
+	if creds.CredentialType == "machine_account" {
+		if creds.MachineAccount == nil {
+			return nil, fmt.Errorf("machine account credentials are missing from stored session")
+		}
+		return &machineAccountTokenSource{
+			ctx:     ctx,
+			creds:   creds,
+			userKey: userKey,
+		}, nil
+	}
+
 	// Rebuild the oauth2.Config needed for refreshing
 	conf := &oauth2.Config{
 		ClientID: creds.ClientID,

internal/authutil/machineaccount.go

@@ -0,0 +1,228 @@
+// Package authutil provides shared constants and functions for handling authentication
+// credentials, including storage in the system keyring and OAuth2 token management.
+package authutil
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	jose "github.com/go-jose/go-jose/v4"
+	josejwt "github.com/go-jose/go-jose/v4/jwt"
+	"github.com/google/uuid"
+	customerrors "go.datum.net/datumctl/internal/errors"
+	"go.datum.net/datumctl/internal/keyring"
+	"golang.org/x/oauth2"
+)
+
+// MachineAccountCredentials is the on-disk JSON format downloaded from the Datum Cloud portal.
+type MachineAccountCredentials struct {
+	Type         string `json:"type"`           // "datum_machine_account"
+	APIEndpoint  string `json:"api_endpoint"`   // "https://api.datum.net"
+	TokenURI     string `json:"token_uri"`      // "https://auth.datum.net/oauth/v2/token"
+	Scope        string `json:"scope"`          // OAuth2 scope string, e.g. "openid profile email urn:zitadel:..."
+	ProjectID    string `json:"project_id"`
+	ClientEmail  string `json:"client_email"`   // identity e-mail, used as display name
+	ClientID     string `json:"client_id"`      // numeric Zitadel user ID (iss / sub)
+	PrivateKeyID string `json:"private_key_id"` // kid header
+	PrivateKey   string `json:"private_key"`    // PEM-encoded RSA private key
+}
+
+// tokenResponse is a minimal struct for parsing token endpoint responses in the
+// JWT bearer exchange. It mirrors the fields we care about from deviceTokenResponse
+// without creating a circular import with the auth command package.
+type tokenResponse struct {
+	AccessToken string `json:"access_token"`
+	TokenType   string `json:"token_type"`
+	ExpiresIn   int64  `json:"expires_in"`
+	Error       string `json:"error"`
+	ErrorDesc   string `json:"error_description"`
+}
+
+// MintJWT mints a signed RS256 JWT suitable for the jwt-bearer grant.
+// Claims: iss=clientID, sub=clientID, aud=issuer (scheme+host of tokenURI),
+// kid=privateKeyID, jti=random UUID, iat=now, exp=now+60s.
+func MintJWT(clientID, privateKeyID, privateKeyPEM, tokenURI string) (string, error) {
+	block, _ := pem.Decode([]byte(privateKeyPEM))
+	if block == nil {
+		return "", fmt.Errorf("failed to decode PEM block from private key")
+	}
+
+	var rsaKey *rsa.PrivateKey
+	// Try PKCS#1 first, fall back to PKCS#8.
+	if key, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
+		rsaKey = key
+	} else {
+		key8, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return "", fmt.Errorf("failed to parse private key (tried PKCS#1 and PKCS#8): %w", err)
+		}
+		var ok bool
+		rsaKey, ok = key8.(*rsa.PrivateKey)
+		if !ok {
+			return "", fmt.Errorf("private key is not an RSA key")
+		}
+	}
+
+	// aud must be the issuer (scheme+host), not the full token endpoint URL.
+	u, err := url.Parse(tokenURI)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse token URI: %w", err)
+	}
+	issuer := u.Scheme + "://" + u.Host
+
+	jwk := jose.JSONWebKey{Key: rsaKey, KeyID: privateKeyID}
+
+	sig, err := jose.NewSigner(
+		jose.SigningKey{Algorithm: jose.RS256, Key: jwk},
+		(&jose.SignerOptions{}).WithType("JWT"),
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to create JWT signer: %w", err)
+	}
+
+	now := time.Now()
+	signed, err := josejwt.Signed(sig).
+		Claims(josejwt.Claims{
+			Issuer:   clientID,
+			Subject:  clientID,
+			Audience: josejwt.Audience{issuer},
+			IssuedAt: josejwt.NewNumericDate(now),
+			Expiry:   josejwt.NewNumericDate(now.Add(60 * time.Second)),
+			ID:       uuid.NewString(),
+		}).
+		Serialize()
+	if err != nil {
+		return "", fmt.Errorf("failed to serialize JWT: %w", err)
+	}
+
+	return signed, nil
+}
+
+// tokenHTTPClient is used for all JWT bearer token exchanges.
+// A dedicated client with a timeout prevents indefinite hangs on slow endpoints.
+var tokenHTTPClient = &http.Client{Timeout: 30 * time.Second}
+
+// ExchangeJWT POSTs a signed JWT to tokenURI using the jwt-bearer grant and
+// returns the resulting oauth2.Token. The token will have no RefreshToken.
+// If scope is empty, "openid profile email" is used as the default.
+func ExchangeJWT(ctx context.Context, tokenURI, signedJWT, scope string) (*oauth2.Token, error) {
+	u, err := url.Parse(tokenURI)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token URI: %w", err)
+	}
+	if u.Scheme != "https" {
+		return nil, fmt.Errorf("token_uri must use HTTPS, got %q", u.Scheme)
+	}
+
+	if scope == "" {
+		scope = "openid profile email"
+	}
+	form := url.Values{}
+	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
+	form.Set("assertion", signedJWT)
+	form.Set("scope", scope)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURI, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create JWT bearer request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := tokenHTTPClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("JWT bearer token request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1 MB cap
+	if err != nil {
+		return nil, fmt.Errorf("failed to read JWT bearer response: %w", err)
+	}
+
+	var tr tokenResponse
+	if err := json.Unmarshal(body, &tr); err != nil {
+		return nil, fmt.Errorf("failed to parse JWT bearer response: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		if tr.Error != "" {
+			return nil, fmt.Errorf("JWT bearer exchange failed: %s (%s)", tr.Error, tr.ErrorDesc)
+		}
+		return nil, fmt.Errorf("JWT bearer exchange failed with status %s", resp.Status)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: tr.AccessToken,
+		TokenType:   tr.TokenType,
+	}
+	if tr.ExpiresIn > 0 {
+		token.Expiry = time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second)
+	}
+
+	return token, nil
+}
+
+// machineAccountTokenSource implements oauth2.TokenSource for machine account sessions.
+// It re-mints a JWT and re-exchanges it whenever the stored access token has expired,
+// since machine account sessions have no refresh token.
+type machineAccountTokenSource struct {
+	ctx     context.Context
+	creds   *StoredCredentials
+	userKey string
+	mu      sync.Mutex
+}
+
+// Token implements oauth2.TokenSource. If the cached token is still valid it is
+// returned immediately. Otherwise a new JWT is minted, exchanged for an access
+// token, and the updated credentials are persisted to the keyring.
+func (m *machineAccountTokenSource) Token() (*oauth2.Token, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	if m.creds.Token != nil && m.creds.Token.Valid() {
+		return m.creds.Token, nil
+	}
+
+	ma := m.creds.MachineAccount
+	signedJWT, err := MintJWT(ma.ClientID, ma.PrivateKeyID, ma.PrivateKey, ma.TokenURI)
+	if err != nil {
+		return nil, customerrors.WrapUserErrorWithHint(
+			"Failed to mint JWT for machine account authentication.",
+			"Please re-authenticate using: `datumctl auth login --credentials <file>`",
+			err,
+		)
+	}
+
+	token, err := ExchangeJWT(m.ctx, ma.TokenURI, signedJWT, ma.Scope)
+	if err != nil {
+		return nil, customerrors.WrapUserErrorWithHint(
+			"Failed to exchange JWT for access token.",
+			"Please re-authenticate using: `datumctl auth login --credentials <file>`",
+			err,
+		)
+	}
+
+	m.creds.Token = token
+
+	credsJSON, err := json.Marshal(m.creds)
+	if err != nil {
+		// Return token even if persistence fails — the caller can still proceed.
+		return token, fmt.Errorf("failed to marshal updated machine account credentials: %w", err)
+	}
+
+	if err := keyring.Set(ServiceName, m.userKey, string(credsJSON)); err != nil {
+		return token, fmt.Errorf("failed to persist refreshed machine account token to keyring: %w", err)
+	}
+
+	return token, nil
+}