feat(api): adds auth support using GHA tokens (#182)

Author: jmgilman

.github/workflows/test_oidc.yml

@@ -0,0 +1,73 @@
+name: Validate GHA OIDC
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  API_URL: "http://localhost:5000"
+  OIDC_AUDIENCE: "forge"
+
+jobs:
+  test-auth-endpoint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Local Forge
+        id: install-local
+        uses: input-output-hk/catalyst-forge/actions/install-local@master
+      - name: Check forge version
+        id: local
+        run: |
+          forge version
+
+      - name: Setup CI
+        uses: input-output-hk/catalyst-forge/actions/setup@master
+        with:
+          skip_docker: 'true'
+          skip_github: 'true'
+
+      - name: Build image
+        run: |
+            forge run ./foundry/api+docker
+
+      - name: Start API
+        run: |
+          docker compose -f ./foundry/api/docker-compose.yml up -d auth auth-jwt api postgres
+
+      - name: Wait for API to be ready
+        run: |
+          sleep 1
+
+      - name: Create GHA auth
+        run: |
+            forge -vvv --api-url "http://localhost:5050" api login "$(cat ./foundry/api/.secret/jwt.txt)"
+            forge -vvv --api-url "http://localhost:5050" api auth gha create -a input-output-hk/catalyst-forge
+            rm -rf $HOME/.config/forge/config.toml
+
+      - name: Get OIDC token
+        id: oidc
+        uses: actions/github-script@v7
+        with:
+            result-encoding: string
+            script: |
+                const token = await core.getIDToken('forge');
+                core.setOutput('token', token);
+
+      - name: Login with OIDC ID token
+        id: call-api
+        shell: bash
+        run: |
+          forge -vvv --api-url "http://localhost:5050" api login -t "gha" "${{ steps.oidc.outputs.token }}"
+
+      - name: Verify returned JWT token
+        shell: bash
+        run: |
+          forge -vvv --api-url "http://localhost:5050" api auth gha list -j

.gitignore

@@ -12,3 +12,4 @@ node_modules
 !/.vscode/tasks.recommended.json
 
 .env
+.secret

cli/Earthfile

@@ -12,6 +12,7 @@ deps:
     ENV GOMODCACHE=/go/modcache
     CACHE --persist --sharing shared /go
 
+    COPY ../foundry/api+src/src /foundry/api
     COPY ../lib/project+src/src /lib/project
     COPY ../lib/providers+src/src /lib/providers
     COPY ../lib/schema+src/src /lib/schema

cli/cmd/cmds/api/auth/cmd.go

@@ -0,0 +1,7 @@
+package auth
+
+import "github.com/input-output-hk/catalyst-forge/cli/cmd/cmds/api/auth/gha"
+
+type AuthCmd struct {
+	GHA gha.GhaCmd `cmd:"" help:"Manage GitHub Actions authentication."`
+}

cli/cmd/cmds/api/auth/gha/cmd.go

@@ -0,0 +1,9 @@
+package gha
+
+type GhaCmd struct {
+	Create CreateCmd `cmd:"" help:"Create a new GHA authentication entry."`
+	Get    GetCmd    `cmd:"" help:"Get a GHA authentication entry."`
+	Update UpdateCmd `cmd:"" help:"Update a GHA authentication entry."`
+	Delete DeleteCmd `cmd:"" help:"Delete a GHA authentication entry."`
+	List   ListCmd   `cmd:"" help:"List all GHA authentication entries."`
+}

cli/cmd/cmds/api/auth/gha/common.go

@@ -0,0 +1,49 @@
+package gha
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/charmbracelet/lipgloss"
+	"github.com/charmbracelet/lipgloss/table"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/client"
+)
+
+func outputJSON(auth *client.GHARepositoryAuth) error {
+	jsonData, err := json.MarshalIndent(auth, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal JSON: %w", err)
+	}
+	fmt.Println(string(jsonData))
+	return nil
+}
+
+func outputTable(auth *client.GHARepositoryAuth) error {
+	t := table.New().
+		Border(lipgloss.RoundedBorder()).
+		BorderStyle(lipgloss.NewStyle().Foreground(lipgloss.Color("62"))).
+		StyleFunc(func(row, col int) lipgloss.Style {
+			switch {
+			case row == 0:
+				return lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("99"))
+			case row%2 == 0:
+				return lipgloss.NewStyle().Foreground(lipgloss.Color("240"))
+			default:
+				return lipgloss.NewStyle().Foreground(lipgloss.Color("252"))
+			}
+		}).
+		Headers("ID", "Repository", "Enabled", "Description", "Permissions").
+		Rows(
+			[]string{
+				fmt.Sprintf("%d", auth.ID),
+				auth.Repository,
+				fmt.Sprintf("%t", auth.Enabled),
+				auth.Description,
+				strings.Join(auth.Permissions, "\n"),
+			},
+		)
+
+	fmt.Println(t)
+	return nil
+}

cli/cmd/cmds/api/auth/gha/create.go

@@ -0,0 +1,44 @@
+package gha
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/input-output-hk/catalyst-forge/cli/pkg/run"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/client"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/pkg/auth"
+)
+
+type CreateCmd struct {
+	Admin       bool              `short:"a" help:"Whether the authentication entry is an admin entry." default:"false"`
+	Enabled     bool              `short:"e" help:"Whether the authentication entry is enabled." default:"true"`
+	Description string            `short:"d" help:"The description of the authentication entry." default:""`
+	Repository  string            `arg:"" help:"The repository to create the authentication entry for."`
+	Permissions []auth.Permission `short:"p" help:"The permissions to grant to the authentication entry."`
+	JSON        bool              `short:"j" help:"Output as prettified JSON instead of table."`
+}
+
+func (c *CreateCmd) Run(ctx run.RunContext, cl client.Client) error {
+	var permissions []auth.Permission
+	if c.Admin {
+		permissions = auth.AllPermissions
+	} else {
+		permissions = c.Permissions
+	}
+
+	auth, err := cl.CreateAuth(context.Background(), &client.CreateAuthRequest{
+		Repository:  c.Repository,
+		Permissions: permissions,
+		Description: c.Description,
+		Enabled:     c.Enabled,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create authentication entry: %w", err)
+	}
+
+	if c.JSON {
+		return outputJSON(auth)
+	}
+
+	return outputTable(auth)
+}

cli/cmd/cmds/api/auth/gha/delete.go

@@ -0,0 +1,23 @@
+package gha
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/input-output-hk/catalyst-forge/cli/pkg/run"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/client"
+)
+
+type DeleteCmd struct {
+	ID uint `arg:"" help:"The ID of the authentication entry to delete."`
+}
+
+func (c *DeleteCmd) Run(ctx run.RunContext, cl client.Client) error {
+	err := cl.DeleteAuth(context.Background(), c.ID)
+	if err != nil {
+		return fmt.Errorf("failed to delete authentication entry: %w", err)
+	}
+
+	ctx.Logger.Info("Authentication entry deleted", "id", c.ID)
+	return nil
+}

cli/cmd/cmds/api/auth/gha/get.go

@@ -0,0 +1,52 @@
+package gha
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/input-output-hk/catalyst-forge/cli/pkg/run"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/client"
+)
+
+type GetCmd struct {
+	ID         *uint   `short:"i" help:"The ID of the authentication entry to retrieve."`
+	Repository *string `short:"r" help:"The repository to retrieve the authentication entry for."`
+	JSON       bool    `short:"j" help:"Output as prettified JSON instead of table."`
+}
+
+func (c *GetCmd) Run(ctx run.RunContext, cl client.Client) error {
+	if c.ID == nil && c.Repository == nil {
+		return fmt.Errorf("either --id or --repository must be specified")
+	}
+
+	if c.ID != nil && c.Repository != nil {
+		return fmt.Errorf("only one of --id or --repository can be specified")
+	}
+
+	auth, err := c.retrieveAuth(cl)
+	if err != nil {
+		return err
+	}
+
+	if c.JSON {
+		return outputJSON(auth)
+	}
+
+	return outputTable(auth)
+}
+
+func (c *GetCmd) retrieveAuth(cl client.Client) (*client.GHARepositoryAuth, error) {
+	if c.ID != nil {
+		auth, err := cl.GetAuth(context.Background(), *c.ID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get authentication entry by ID: %w", err)
+		}
+		return auth, nil
+	}
+
+	auth, err := cl.GetAuthByRepository(context.Background(), *c.Repository)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get authentication entry by repository: %w", err)
+	}
+	return auth, nil
+}

cli/cmd/cmds/api/auth/gha/list.go

@@ -0,0 +1,87 @@
+package gha
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/charmbracelet/lipgloss"
+	"github.com/charmbracelet/lipgloss/table"
+	"github.com/input-output-hk/catalyst-forge/cli/pkg/run"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/client"
+)
+
+type ListCmd struct {
+	JSON bool `short:"j" help:"Output as prettified JSON instead of table."`
+}
+
+func (c *ListCmd) Run(ctx run.RunContext, cl client.Client) error {
+	auths, err := cl.ListAuths(context.Background())
+	if err != nil {
+		return fmt.Errorf("failed to list authentication entries: %w", err)
+	}
+
+	if c.JSON {
+		return outputJSONList(auths)
+	}
+
+	return outputTableList(auths)
+}
+
+func outputJSONList(auths []client.GHARepositoryAuth) error {
+	jsonData, err := json.MarshalIndent(auths, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal JSON: %w", err)
+	}
+	fmt.Println(string(jsonData))
+	return nil
+}
+
+func outputTableList(auths []client.GHARepositoryAuth) error {
+	if len(auths) == 0 {
+		fmt.Println("No authentication entries found.")
+		return nil
+	}
+
+	var rows [][]string
+	for _, auth := range auths {
+		// Truncate permissions if too long, show count if many
+		permissions := auth.Permissions
+		if len(permissions) > 3 {
+			permissions = permissions[:3]
+		}
+		permissionsStr := strings.Join(permissions, ", ")
+		if len(auth.Permissions) > 3 {
+			permissionsStr += fmt.Sprintf(" (+%d more)", len(auth.Permissions)-3)
+		}
+
+		rows = append(rows, []string{
+			fmt.Sprintf("%d", auth.ID),
+			auth.Repository,
+			fmt.Sprintf("%t", auth.Enabled),
+			auth.Description,
+			permissionsStr,
+		})
+	}
+
+	t := table.New().
+		Border(lipgloss.RoundedBorder()).
+		BorderStyle(lipgloss.NewStyle().Foreground(lipgloss.Color("62"))).
+		StyleFunc(func(row, col int) lipgloss.Style {
+			switch {
+			case row == 0:
+				return lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color("99"))
+			case row%2 == 0:
+				return lipgloss.NewStyle().Foreground(lipgloss.Color("240"))
+			default:
+				return lipgloss.NewStyle().Foreground(lipgloss.Color("252"))
+			}
+		}).
+		Headers("ID", "Repository", "Enabled", "Description", "Permissions").
+		Rows(rows...).
+		Width(120)
+
+	fmt.Println(t)
+	return nil
+}