feat: Implement JWT login

implement JWT login gated behind the keystone_ng feature.

Author: gtema

openstack_cli/src/output.rs

@@ -20,7 +20,7 @@ use comfy_table::{
 use itertools::Itertools;
 use openstack_sdk::types::EntryStatus;
 use owo_colors::{OwoColorize, Stream::Stderr};
-use rand::prelude::*; //seq::IndexedRandom;
+use rand::prelude::*;
 use serde::de::DeserializeOwned;
 use std::collections::BTreeSet;
 use std::io::{self, Write};

openstack_sdk/src/auth.rs

@@ -38,15 +38,15 @@ pub mod v3totp;
 pub mod v3websso;
 #[cfg(feature = "keystone_ng")]
 pub mod v4federation;
+#[cfg(feature = "keystone_ng")]
+pub mod v4jwt;
 #[cfg(feature = "passkey")]
 pub mod v4passkey;
 
 use authtoken::{AuthToken, AuthTokenError};
 use authtoken_scope::AuthTokenScopeError;
 use v3oidcaccesstoken::OidcAccessTokenError;
 use v3websso::WebSsoError;
-#[cfg(feature = "keystone_ng")]
-use v4federation::FederationError;
 
 /// Authentication error
 #[derive(Debug, Error)]
@@ -97,14 +97,23 @@ impl From<WebSsoError> for AuthError {
 }
 
 #[cfg(feature = "keystone_ng")]
-impl From<FederationError> for AuthError {
+impl From<v4federation::FederationError> for AuthError {
     fn from(source: v4federation::FederationError) -> Self {
         Self::AuthToken {
             source: source.into(),
         }
     }
 }
 
+#[cfg(feature = "keystone_ng")]
+impl From<v4jwt::JwtError> for AuthError {
+    fn from(source: v4jwt::JwtError) -> Self {
+        Self::AuthToken {
+            source: source.into(),
+        }
+    }
+}
+
 #[cfg(feature = "passkey")]
 impl From<v4passkey::PasskeyError> for AuthError {
     fn from(source: v4passkey::PasskeyError) -> Self {

openstack_sdk/src/auth/authtoken.rs

@@ -26,14 +26,14 @@ use tracing::{debug, error, trace};
 use crate::api::identity::v3::auth::token::get as token_v3_info;
 use crate::api::RestEndpoint;
 use crate::auth::auth_token_endpoint as token_v3;
-#[cfg(feature = "keystone_ng")]
-use crate::auth::v4federation;
 #[cfg(feature = "passkey")]
 use crate::auth::v4passkey;
 use crate::auth::{
     auth_helper::AuthHelper, authtoken_scope, v3applicationcredential, v3oidcaccesstoken,
     v3password, v3token, v3totp, v3websso, AuthState,
 };
+#[cfg(feature = "keystone_ng")]
+use crate::auth::{v4federation, v4jwt};
 use crate::config;
 use crate::types::identity::v3::{AuthReceiptResponse, AuthResponse};
 
@@ -152,15 +152,15 @@ pub enum AuthTokenError {
         source: v3totp::TotpError,
     },
 
-    /// WebSSO Identity error
+    /// WebSSO Identity error.
     #[error("SSO based authentication error: {}", source)]
     WebSso {
         /// The error source
         #[from]
         source: v3websso::WebSsoError,
     },
 
-    /// Federation Identity error
+    /// Federation Identity error.
     #[cfg(feature = "keystone_ng")]
     #[error("Federation based authentication error: {}", source)]
     Federation {
@@ -169,7 +169,16 @@ pub enum AuthTokenError {
         source: v4federation::FederationError,
     },
 
-    /// Passkey error
+    /// JWT error.
+    #[cfg(feature = "keystone_ng")]
+    #[error("Jwt based authentication error: {}", source)]
+    Jwt {
+        /// The error source
+        #[from]
+        source: v4jwt::JwtError,
+    },
+
+    /// Passkey error.
     #[cfg(feature = "passkey")]
     #[error("Passkey based authentication error: {}", source)]
     Passkey {
@@ -275,6 +284,9 @@ pub enum AuthType {
     #[cfg(feature = "keystone_ng")]
     /// Federation.
     V4Federation,
+    #[cfg(feature = "keystone_ng")]
+    /// JWT.
+    V4Jwt,
     #[cfg(feature = "passkey")]
     /// Passkey.
     V4Passkey,
@@ -296,6 +308,8 @@ impl FromStr for AuthType {
             "v3websso" => Ok(Self::V3WebSso),
             #[cfg(feature = "keystone_ng")]
             "v4federation" | "federation" => Ok(Self::V4Federation),
+            #[cfg(feature = "keystone_ng")]
+            "v4jwt" | "jwt" => Ok(Self::V4Jwt),
             #[cfg(feature = "passkey")]
             "v4passkey" | "passkey" => Ok(Self::V4Passkey),
             other => Err(Self::Err::IdentityMethod {
@@ -327,6 +341,8 @@ impl AuthType {
             Self::V3WebSso => "v3websso",
             #[cfg(feature = "keystone_ng")]
             Self::V4Federation => "v4federation",
+            #[cfg(feature = "keystone_ng")]
+            Self::V4Jwt => "v4jwt",
             #[cfg(feature = "passkey")]
             Self::V4Passkey => "v4passkey",
         }

openstack_sdk/src/auth/v4jwt.rs

@@ -0,0 +1,191 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+//! JWT login handling
+//!
+//! This module implements login using the JWT token by exchanging it for a regular Keystone token.
+
+use derive_builder::Builder;
+use http::{header, HeaderMap, HeaderName, HeaderValue};
+use secrecy::{ExposeSecret, SecretString};
+use std::borrow::Cow;
+use thiserror::Error;
+use tracing::error;
+
+use crate::api::rest_endpoint_prelude::*;
+use crate::api::RestEndpoint;
+use crate::auth::auth_helper::AuthHelper;
+use crate::config;
+use crate::types::{ApiVersion, ServiceType};
+
+/// JWT related errors
+#[derive(Debug, Error)]
+#[non_exhaustive]
+pub enum JwtError {
+    /// Auth data is missing.
+    #[error("auth data is missing")]
+    MissingAuthData,
+
+    /// Identity provider id is missing.
+    #[error("identity provider id is missing")]
+    MissingIdentityProvider,
+
+    /// Attribute mapping name is missing.
+    #[error("attribute mapping name is missing")]
+    MissingAttributeMapping,
+
+    /// JWT is missing.
+    #[error("JWT is missing")]
+    MissingJwt,
+
+    /// Jwt Auth builder.
+    #[error("error preparing auth request: {}", source)]
+    JwtBuilder {
+        /// The error source.
+        #[from]
+        source: JwtRequestBuilderError,
+    },
+
+    /// HeaderValue error.
+    #[error("invalid value for the header: {}", source)]
+    HeaderValue {
+        /// The error source.
+        #[from]
+        source: http::header::InvalidHeaderValue,
+    },
+}
+
+/// Endpoint for the JWT authorization
+#[derive(Builder, Debug, Clone)]
+#[builder(setter(into, strip_option))]
+pub struct JwtRequest<'a> {
+    /// idp_id that issued the JWT.
+    #[builder(setter(into))]
+    idp_id: Cow<'a, str>,
+    /// Attribute mapping name.
+
+    #[builder(default, private)]
+    _headers: Option<HeaderMap>,
+}
+
+impl<'a> JwtRequest<'a> {
+    /// Create a builder for the endpoint.
+    pub fn builder() -> JwtRequestBuilder<'a> {
+        JwtRequestBuilder::default()
+    }
+}
+
+impl<'a> JwtRequestBuilder<'a> {
+    /// Set attribute mapping name.
+    pub fn mapping_name<S: AsRef<str>>(&mut self, mapping_name: S) -> Result<(), JwtError> {
+        let val = HeaderValue::from_str(mapping_name.as_ref())?;
+        self._headers
+            .get_or_insert(None)
+            .get_or_insert_with(HeaderMap::new)
+            .insert(HeaderName::from_static("openstack-mapping"), val);
+        Ok(())
+    }
+
+    /// Set the JWT token.
+    pub fn token(&mut self, token: &SecretString) -> Result<(), JwtError> {
+        let mut val = HeaderValue::from_str(format!("bearer {}", token.expose_secret()).as_str())?;
+        val.set_sensitive(true);
+        self._headers
+            .get_or_insert(None)
+            .get_or_insert_with(HeaderMap::new)
+            .insert(header::AUTHORIZATION, val);
+        Ok(())
+    }
+}
+
+impl RestEndpoint for JwtRequest<'_> {
+    fn method(&self) -> http::Method {
+        http::Method::POST
+    }
+
+    fn endpoint(&self) -> Cow<'static, str> {
+        format!(
+            "federation/identity_providers/{idp_id}/jwt",
+            idp_id = self.idp_id.as_ref(),
+        )
+        .into()
+    }
+
+    fn body(&self) -> Result<Option<(&'static str, Vec<u8>)>, BodyError> {
+        JsonBodyParams::default().into_body()
+    }
+
+    fn service_type(&self) -> ServiceType {
+        ServiceType::Identity
+    }
+
+    /// Returns headers to be set into the request
+    fn request_headers(&self) -> Option<&HeaderMap> {
+        self._headers.as_ref()
+    }
+
+    /// Returns required API version
+    fn api_version(&self) -> Option<ApiVersion> {
+        Some(ApiVersion::new(4, 0))
+    }
+}
+
+/// Get [`RestEndpoint`] for initializing the JWT authentication.
+pub async fn get_auth_ep<A>(
+    config: &config::CloudConfig,
+    auth_helper: &mut A,
+) -> Result<impl RestEndpoint, JwtError>
+where
+    A: AuthHelper,
+{
+    if let Some(auth_data) = &config.auth {
+        let connection_name = config.name.as_ref();
+        let mut ep = JwtRequest::builder();
+        if let Some(val) = &auth_data.identity_provider {
+            ep.idp_id(val.clone());
+        } else {
+            // Or ask user for idp_id in interactive mode
+            let idp = auth_helper
+                .get("identity_provider".into(), connection_name.cloned())
+                .await
+                .map_err(|_| JwtError::MissingIdentityProvider)?
+                .to_owned();
+            ep.idp_id(idp);
+        }
+        if let Some(val) = &auth_data.attribute_mapping_name {
+            ep.mapping_name(val)?;
+        } else {
+            // Or ask user for mapping name in interactive mode
+            ep.mapping_name(
+                auth_helper
+                    .get("mapping name".into(), connection_name.cloned())
+                    .await
+                    .map_err(|_| JwtError::MissingAttributeMapping)?,
+            )?;
+        }
+        if let Some(val) = &auth_data.jwt {
+            ep.token(val)?;
+        } else {
+            // Or ask user for token in interactive mode
+            ep.token(
+                &auth_helper
+                    .get_secret("JWT".into(), connection_name.cloned())
+                    .await
+                    .map_err(|_| JwtError::MissingJwt)?,
+            )?;
+        }
+        return Ok(ep.build()?);
+    }
+    Err(JwtError::MissingAuthData)
+}

openstack_sdk/src/config.rs

@@ -261,10 +261,14 @@ pub struct Auth {
     pub protocol: Option<String>,
     /// `Federation` identity provider.
     pub identity_provider: Option<String>,
+    /// `Federation` attribute mapping name to be applied.
+    pub attribute_mapping_name: Option<String>,
     /// OIDC access token.
     pub access_token: Option<SecretString>,
     /// OIDC access token type (when not access_token).
     pub access_token_type: Option<String>,
+    /// JWT token.
+    pub jwt: Option<SecretString>,
 
     /// `Application Credential` ID.
     pub application_credential_id: Option<String>,
@@ -292,6 +296,7 @@ impl fmt::Debug for Auth {
             .field("user_domain_name", &self.user_domain_name)
             .field("protocol", &self.protocol)
             .field("identity_provider", &self.identity_provider)
+            .field("mapping_name", &self.attribute_mapping_name)
             .field("access_token_type", &self.access_token_type)
             .field("application_credential_id", &self.application_credential_id)
             .field(
@@ -371,6 +376,9 @@ pub fn get_config_identity_hash(config: &CloudConfig) -> u64 {
         if let Some(data) = &auth.protocol {
             data.hash(&mut s);
         }
+        if let Some(data) = &auth.attribute_mapping_name {
+            data.hash(&mut s);
+        }
         if let Some(data) = &auth.access_token_type {
             data.hash(&mut s);
         }
@@ -479,13 +487,21 @@ impl CloudConfig {
                 auth.identity_provider
                     .clone_from(&update_auth.identity_provider);
             }
+            if auth.attribute_mapping_name.is_none() && update_auth.attribute_mapping_name.is_some()
+            {
+                auth.attribute_mapping_name
+                    .clone_from(&update_auth.attribute_mapping_name);
+            }
             if auth.access_token_type.is_none() && update_auth.access_token_type.is_some() {
                 auth.access_token_type
                     .clone_from(&update_auth.access_token_type);
             }
             if auth.access_token.is_none() && update_auth.access_token.is_some() {
                 auth.access_token.clone_from(&update_auth.access_token);
             }
+            if auth.jwt.is_none() && update_auth.jwt.is_some() {
+                auth.jwt.clone_from(&update_auth.jwt);
+            }
             if auth.application_credential_id.is_none()
                 && update_auth.application_credential_id.is_some()
             {