feat: [STO-9557]: add auth support for STO using ng-manager secret (#124)

* feat: add global exemption management APIs and CLI commands

* refactor: simplify STO authentication by using NG manager secret instead of STO token

Author: tkAcharya007

README.md

@@ -191,7 +191,9 @@ Toolset Name: `scs`
 Toolset Name: `sto`
 
 - `frontend_all_issues_list`: List and filter security issues in Harness STO by target, pipeline, tool, severity, exemption status, and type.
-
+- `global_exemptions`: List all global exemptions in Harness STO.
+- `promote_exemption`: Promote a specific exemption to a global exemption.
+- `approve_exemption`: Approve a specific exemption.
 
 #### Logs Toolset
 

pkg/modules/sto.go

@@ -2,9 +2,6 @@ package modules
 
 import (
 	"context"
-	"encoding/json"
-	"fmt"
-	"io"
 	"log/slog"
 	"net/http"
 	"time"
@@ -74,13 +71,14 @@ func (m *STOModule) IsDefault() bool {
 // RegisterSTO registers the Security Test Orchestration toolset
 func RegisterSTO(config *config.Config, tsg *toolsets.ToolsetGroup) error {
 	baseURL := utils.BuildServiceURL(config, config.STOSvcBaseURL, config.BaseURL, "sto")
-	secret := config.STOSvcSecret
-	c := &http.Client{
-		Timeout: 30 * time.Second,
+	// Do not use STO API key, use NG Manager secret as STO calls ACL & ng-manager APIs with the token
+	principalSecret := config.NgManagerSecret
+	c, err := utils.CreateClient(baseURL, config, principalSecret, 30*time.Second)
+	if err != nil {
+		return err
 	}
 
 	baseURLPrincipal := utils.BuildServiceURL(config, config.NgManagerBaseURL, config.BaseURL, "ng/api")
-	principalSecret := config.NgManagerSecret
 
 	cPrincipal, err := utils.CreateClient(baseURLPrincipal, config, principalSecret)
 	if err != nil {
@@ -89,17 +87,14 @@ func RegisterSTO(config *config.Config, tsg *toolsets.ToolsetGroup) error {
 	}
 	principalClient := &client.PrincipalService{Client: cPrincipal}
 
-	stoAPIKey := ""
-	tokenURL := fmt.Sprintf("%s/api/v2/token?accountId=%s&audience=sto-plugin", baseURL, config.AccountID)
-	if config.Internal {
-		stoAPIKey, err = retrieveSTOToken(tokenURL, secret)
+	requestEditorFn := func(ctx context.Context, req *http.Request) error {
+		k, v, err := c.AuthProvider.GetHeader(ctx)
 		if err != nil {
-			slog.Warn("Failed to retrieve STO token. STO toolset will be partially operational", "error", err)
-			// Continue without the token
+			return err
 		}
+		req.Header.Set(k, v)
+		return nil
 	}
-
-	requestEditorFn := createSTORequestEditor(config, stoAPIKey)
 	stoClient, err := sto.NewClientWithResponses(baseURL, sto.WithHTTPClient(c),
 		sto.WithRequestEditorFn(requestEditorFn))
 	if err != nil {
@@ -116,58 +111,3 @@ func RegisterSTO(config *config.Config, tsg *toolsets.ToolsetGroup) error {
 	tsg.AddToolset(sto)
 	return nil
 }
-
-// createSTORequestEditor creates a request editor function for STO API requests
-func createSTORequestEditor(config *config.Config, stoAPIKey string) func(context.Context, *http.Request) error {
-	return func(ctx context.Context, req *http.Request) error {
-		//Add STO plugin token as Authorization header if internal mode
-		if config.Internal && stoAPIKey != "" {
-			req.Header.Set("Authorization", "ApiKey "+stoAPIKey)
-		} else {
-			req.Header.Set("x-api-key", config.APIKey)
-		}
-		return nil
-	}
-}
-
-// retrieveSTOToken retrieves the STO plugin token from the token endpoint
-func retrieveSTOToken(tokenURL, secret string) (string, error) {
-	stoTokenReq, err := http.NewRequestWithContext(context.Background(), http.MethodGet, tokenURL, nil)
-	if err != nil {
-		return "", fmt.Errorf("failed to create STO token request: %w", err)
-	}
-
-	stoTokenReq.Header.Set("X-Harness-Token", secret)
-
-	// Try with a fresh HTTP client to avoid any client configuration issues
-	httpClient := &http.Client{
-		Timeout: 30 * time.Second,
-	}
-
-	stoTokenResp, err := httpClient.Do(stoTokenReq)
-	if err != nil {
-		return "", fmt.Errorf("failed to call STO token endpoint: %w", err)
-	}
-
-	defer stoTokenResp.Body.Close()
-
-	if stoTokenResp.StatusCode >= 300 {
-		return "", fmt.Errorf("failed to retrieve STO token, status: %s", stoTokenResp.Status)
-	}
-
-	bodyBytes, err := io.ReadAll(stoTokenResp.Body)
-	if err != nil {
-		return "", fmt.Errorf("failed to read STO token response: %w", err)
-	}
-
-	var tokenJSON map[string]interface{}
-	if err := json.Unmarshal(bodyBytes, &tokenJSON); err == nil {
-		if v, ok := tokenJSON["token"].(string); ok && v != "" {
-			return v, nil
-		} else if v, ok := tokenJSON["apiKey"].(string); ok && v != "" {
-			return v, nil
-		}
-	}
-
-	return "", nil
-}