feat(foundry): adds initial auth commands for generating API keys (#180)

Author: jmgilman

foundry/api/Earthfile

@@ -12,6 +12,9 @@ deps:
     ENV GOMODCACHE=/go/modcache
     CACHE --persist --sharing shared /go
 
+    # Copy local deps
+    COPY ../../lib/tools+src/src /lib/tools
+
     COPY go.mod go.sum .
     RUN go mod download
 
@@ -76,12 +79,12 @@ docker:
 
     ARG TARGETOS
     ARG TARGETARCH
-    ARG USERPLATFORM
+    ARG TARGETPLATFORM
 
     RUN apt-get update && apt-get install -y curl postgresql-client
 
     COPY \
-        --platform=$USERPLATFORM \
+        --platform=$TARGETPLATFORM \
         (+build/foundry-api \
         --GOOS=$TARGETOS \
         --GOARCH=$TARGETARCH \

foundry/api/cmd/api/auth/auth.go

@@ -0,0 +1,8 @@
+package auth
+
+// AuthCmd represents the auth subcommand category
+type AuthCmd struct {
+	Generate GenerateCmd `kong:"cmd,help='Generate authentication tokens'"`
+	Init     InitCmd     `kong:"cmd,help='Initialize authentication configuration'"`
+	Validate ValidateCmd `kong:"cmd,help='Validate authentication tokens'"`
+}

foundry/api/cmd/api/auth/generate.go

@@ -0,0 +1,39 @@
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
+)
+
+type GenerateCmd struct {
+	Admin       bool              `kong:"short='a',help='Generate admin token'"`
+	Expiration  time.Duration     `kong:"short='e',help='Expiration time for the token',default='1h'"`
+	Permissions []auth.Permission `kong:"short='p',help='Permissions to generate'"`
+	PrivateKey  string            `kong:"short='k',help='Path to the private key to use for signing',type='existingfile'"`
+}
+
+func (g *GenerateCmd) Run() error {
+	am, err := auth.NewAuthManager(g.PrivateKey, "")
+	if err != nil {
+		return err
+	}
+
+	if g.Admin {
+		token, err := am.GenerateToken("admin", auth.AllPermissions, g.Expiration)
+		if err != nil {
+			return err
+		}
+		fmt.Println(token)
+		return nil
+	}
+
+	token, err := am.GenerateToken("user", g.Permissions, g.Expiration)
+	if err != nil {
+		return err
+	}
+	fmt.Println(token)
+
+	return nil
+}

foundry/api/cmd/api/auth/init.go

@@ -0,0 +1,43 @@
+package auth
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
+)
+
+type InitCmd struct {
+	OutputDir string `kong:"help='Output directory for generated keys',default='./auth-keys'"`
+}
+
+// Run executes the auth init subcommand
+func (i *InitCmd) Run() error {
+	if err := os.MkdirAll(i.OutputDir, 0755); err != nil {
+		return fmt.Errorf("failed to create output directory: %w", err)
+	}
+
+	keyPair, err := auth.GenerateES256Keys()
+	if err != nil {
+		return fmt.Errorf("failed to generate ES256 keys: %w", err)
+	}
+
+	privateKeyPath := filepath.Join(i.OutputDir, "private.pem")
+	if err := os.WriteFile(privateKeyPath, keyPair.PrivateKeyPEM, 0600); err != nil {
+		return fmt.Errorf("failed to write private key: %w", err)
+	}
+
+	publicKeyPath := filepath.Join(i.OutputDir, "public.pem")
+	if err := os.WriteFile(publicKeyPath, keyPair.PublicKeyPEM, 0644); err != nil {
+		return fmt.Errorf("failed to write public key: %w", err)
+	}
+
+	fmt.Printf("✅ Successfully generated ES256 key pair\n")
+	fmt.Printf("📁 Private key: %s\n", privateKeyPath)
+	fmt.Printf("📁 Public key: %s\n", publicKeyPath)
+	fmt.Printf("🔐 Key type: ES256 (ECDSA with P-256 curve and SHA-256)\n")
+	fmt.Printf("⚠️ Keep your private key secure and never share it!\n")
+
+	return nil
+}

foundry/api/cmd/api/auth/validate.go

@@ -0,0 +1,27 @@
+package auth
+
+import (
+	"fmt"
+
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
+)
+
+type ValidateCmd struct {
+	Token     string `kong:"arg='',help='Token to validate'"`
+	PublicKey string `kong:"short='k',help='Path to the public key to use for validation',type='existingfile'"`
+}
+
+func (g *ValidateCmd) Run() error {
+	am, err := auth.NewAuthManager("", g.PublicKey)
+	if err != nil {
+		return err
+	}
+
+	claims, err := am.ValidateToken(g.Token)
+	if err != nil {
+		return err
+	}
+	fmt.Println(claims)
+
+	return nil
+}

foundry/api/cmd/api/main.go

@@ -2,12 +2,16 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"os"
 	"os/signal"
+	"runtime"
 	"syscall"
 	"time"
 
+	"github.com/alecthomas/kong"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/cmd/api/auth"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/api"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/config"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/models"
@@ -19,30 +23,53 @@ import (
 	"gorm.io/gorm"
 )
 
+var version = "dev"
+
 var mockK8sClient = mocks.ClientMock{
 	CreateDeploymentFunc: func(ctx context.Context, deployment *models.ReleaseDeployment) error {
 		return nil
 	},
 }
 
-func main() {
-	// Load configuration
-	cfg, err := config.Load()
-	if err != nil {
-		log.Fatalf("Failed to load configuration: %v", err)
+// CLI represents the command-line interface structure
+type CLI struct {
+	Run     RunCmd       `kong:"cmd,help='Start the API server'"`
+	Version VersionCmd   `kong:"cmd,help='Show version information'"`
+	Auth    auth.AuthCmd `kong:"cmd,help='Authentication management commands'"`
+}
+
+// RunCmd represents the run subcommand
+type RunCmd struct {
+	config.Config `kong:"embed"`
+}
+
+// VersionCmd represents the version subcommand
+type VersionCmd struct{}
+
+// Run executes the version subcommand
+func (v *VersionCmd) Run() error {
+	fmt.Printf("foundry api version %s %s/%s\n", version, runtime.GOOS, runtime.GOARCH)
+	return nil
+}
+
+// Run executes the run subcommand
+func (r *RunCmd) Run() error {
+	// Validate configuration
+	if err := r.Validate(); err != nil {
+		return err
 	}
 
 	// Initialize logger
-	logger, err := cfg.GetLogger()
+	logger, err := r.GetLogger()
 	if err != nil {
-		log.Fatalf("Failed to initialize logger: %v", err)
+		return err
 	}
 
 	// Connect to the database
-	db, err := gorm.Open(postgres.Open(cfg.GetDSN()), &gorm.Config{})
+	db, err := gorm.Open(postgres.Open(r.GetDSN()), &gorm.Config{})
 	if err != nil {
 		logger.Error("Failed to connect to database", "error", err)
-		os.Exit(1)
+		return err
 	}
 
 	// Run migrations
@@ -56,17 +83,17 @@ func main() {
 	)
 	if err != nil {
 		logger.Error("Failed to run migrations", "error", err)
-		os.Exit(1)
+		return err
 	}
 
 	// Initialize Kubernetes client if enabled
 	var k8sClient k8s.Client
-	if cfg.Kubernetes.Enabled {
-		logger.Info("Initializing Kubernetes client", "namespace", cfg.Kubernetes.Namespace)
-		k8sClient, err = k8s.New(cfg.Kubernetes.Namespace, logger)
+	if r.Kubernetes.Enabled {
+		logger.Info("Initializing Kubernetes client", "namespace", r.Kubernetes.Namespace)
+		k8sClient, err = k8s.New(r.Kubernetes.Namespace, logger)
 		if err != nil {
 			logger.Error("Failed to initialize Kubernetes client", "error", err)
-			os.Exit(1)
+			return err
 		}
 	} else {
 		k8sClient = &mockK8sClient
@@ -88,7 +115,7 @@ func main() {
 	router := api.SetupRouter(releaseService, deploymentService, db, logger)
 
 	// Initialize server
-	server := api.NewServer(cfg.GetServerAddr(), router, logger)
+	server := api.NewServer(r.GetServerAddr(), router, logger)
 
 	// Handle graceful shutdown
 	quit := make(chan os.Signal, 1)
@@ -102,7 +129,7 @@ func main() {
 		}
 	}()
 
-	logger.Info("API server started", "addr", cfg.GetServerAddr())
+	logger.Info("API server started", "addr", r.GetServerAddr())
 
 	// Wait for shutdown signal
 	<-quit
@@ -118,4 +145,23 @@ func main() {
 	}
 
 	logger.Info("Server exiting")
+	return nil
+}
+
+func main() {
+	var cli CLI
+	ctx := kong.Parse(&cli,
+		kong.Name("foundry-api"),
+		kong.Description("Catalyst Foundry API Server"),
+		kong.UsageOnError(),
+		kong.ConfigureHelp(kong.HelpOptions{
+			Compact: true,
+		}),
+	)
+
+	// Execute the selected subcommand
+	err := ctx.Run()
+	if err != nil {
+		log.Fatalf("Command failed: %v", err)
+	}
 }

foundry/api/entrypoint.sh

@@ -42,4 +42,4 @@ if [[ -n "${DB_INIT:-}" ]]; then
 fi
 
 echo "Starting Foundry API server..."
-exec "/app/foundry-api"
+exec /app/foundry-api run

foundry/api/go.mod

@@ -1,11 +1,13 @@
 module github.com/input-output-hk/catalyst-forge/foundry/api
 
-go 1.23.0
+go 1.24.2
 
 require (
 	github.com/alecthomas/kong v1.2.1
 	github.com/gin-gonic/gin v1.10.0
-	github.com/stretchr/testify v1.9.0
+	github.com/golang-jwt/jwt/v5 v5.2.3
+	github.com/input-output-hk/catalyst-forge/lib/tools v0.0.0-00010101000000-000000000000
+	github.com/stretchr/testify v1.10.0
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.25.12
 	k8s.io/apimachinery v0.32.3
@@ -17,10 +19,12 @@ require (
 	github.com/bytedance/sonic/loader v0.1.1 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
@@ -37,27 +41,26 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/arch v0.8.0 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/term v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -68,3 +71,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/input-output-hk/catalyst-forge/lib/tools => ../../lib/tools