[pat]Exchange pat for access token (#1947)

mikeland73 · web-flow · commit 9aac11a1cd15 · 2024-04-02T16:48:12.000-07:00
## Summary

If user specifies a `DEVBOX_ACCESS_TOKEN` we use it to fetch a short
lived JWT access token.

## How was it tested?

generated a pat and used it `DEVBOX_ACCESS_TOKEN=xxx devbox add hello`
diff --git a/go.mod b/go.mod
@@ -40,7 +40,7 @@ require (
 	github.com/wk8/go-ordered-map/v2 v2.1.8
 	github.com/zealic/go2node v0.1.0
 	go.jetpack.io/envsec v0.0.16-0.20240329013200-4174c0acdb00
-	go.jetpack.io/pkg v0.0.0-20240329001056-e451f5c5e234
+	go.jetpack.io/pkg v0.0.0-20240329230128-09e8a66df983
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
 	golang.org/x/mod v0.16.0
 	golang.org/x/sync v0.6.0
diff --git a/go.sum b/go.sum
@@ -371,6 +371,12 @@ go.jetpack.io/pkg v0.0.0-20240327051701-89e2d24bc65e h1:JuyexYMVBsXwMrnmcCYVEOP9
 go.jetpack.io/pkg v0.0.0-20240327051701-89e2d24bc65e/go.mod h1:vpIQT+m8iHO11v6bgMMG6iWfbGE2vxvLr9k7hLb4OeU=
 go.jetpack.io/pkg v0.0.0-20240329001056-e451f5c5e234 h1:MHZNJeQQwxqwVJhaCKtHAkCXrv3sWQkJoVf0i8Pf1Ro=
 go.jetpack.io/pkg v0.0.0-20240329001056-e451f5c5e234/go.mod h1:vpIQT+m8iHO11v6bgMMG6iWfbGE2vxvLr9k7hLb4OeU=
+go.jetpack.io/pkg v0.0.0-20240329204722-f4f14c8a894b h1:yAhOOZjimsf/hxY9d49xmVB+L5H5wkgoKXYqNLx8PFQ=
+go.jetpack.io/pkg v0.0.0-20240329204722-f4f14c8a894b/go.mod h1:vpIQT+m8iHO11v6bgMMG6iWfbGE2vxvLr9k7hLb4OeU=
+go.jetpack.io/pkg v0.0.0-20240329213144-bd03f1a1e491 h1:rD7aVnnpLHUnWKjiiMzWB1wKoJXQ/bsE/bZiei4KZ5Q=
+go.jetpack.io/pkg v0.0.0-20240329213144-bd03f1a1e491/go.mod h1:vpIQT+m8iHO11v6bgMMG6iWfbGE2vxvLr9k7hLb4OeU=
+go.jetpack.io/pkg v0.0.0-20240329230128-09e8a66df983 h1:tUWQOC0f12n8phuq7WGGtRVQ68F/DHPv+hWyR3bQUDA=
+go.jetpack.io/pkg v0.0.0-20240329230128-09e8a66df983/go.mod h1:gtmpVShXMEcZPBFZHswB3oCPYXobeR41b9CMybAjQYw=
 go.jetpack.io/typeid v1.0.0 h1:8gQ+iYGdyiQ0Pr40ydSB/PzMOIwlXX5DTojp1CBeSPQ=
 go.jetpack.io/typeid v1.0.0/go.mod h1:+UPEaECUgFxgAjFPn5Yf9eO/3ft/3xZ98Eahv9JW/GQ=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
diff --git a/internal/devbox/cache.go b/internal/devbox/cache.go
@@ -25,7 +25,9 @@ func (d *Devbox) UploadProjectToCache(
 		return err
 	}
 
-	return nix.CopyInstallableToCache(ctx, d.stderr, cacheConfig.URI, profilePath)
+	return nix.CopyInstallableToCache(
+		ctx,
+		d.stderr, cacheConfig.URI, profilePath, cacheConfig.CredentialsEnvVars())
 }
 
 func UploadInstallableToCache(
@@ -41,5 +43,7 @@ func UploadInstallableToCache(
 			return err
 		}
 	}
-	return nix.CopyInstallableToCache(ctx, stderr, cacheConfig.URI, installable)
+	return nix.CopyInstallableToCache(
+		ctx,
+		stderr, cacheConfig.URI, installable, cacheConfig.CredentialsEnvVars())
 }
diff --git a/internal/devbox/providers/identity/identity.go b/internal/devbox/providers/identity/identity.go
@@ -2,10 +2,15 @@ package identity
 
 import (
 	"context"
+	"os"
 
 	"go.jetpack.io/devbox/internal/build"
+	"go.jetpack.io/pkg/api"
 	"go.jetpack.io/pkg/auth"
 	"go.jetpack.io/pkg/auth/session"
+	"go.jetpack.io/pkg/ids"
+	"go.jetpack.io/typeid"
+	"golang.org/x/oauth2"
 )
 
 var scopes = []string{"openid", "offline_access", "email", "profile"}
@@ -19,6 +24,10 @@ func Get() *Provider {
 }
 
 func (p *Provider) GenSession(ctx context.Context) (*session.Token, error) {
+	if t, err := p.getTokenFromPAT(ctx); err != nil || t != nil {
+		return t, err
+	}
+
 	c, err := p.AuthClient()
 	if err != nil {
 		return nil, err
@@ -35,3 +44,29 @@ func (p *Provider) AuthClient() (*auth.Client, error) {
 		build.Audience(),
 	)
 }
+
+func (p *Provider) getTokenFromPAT(ctx context.Context) (*session.Token, error) {
+	pat := os.Getenv("DEVBOX_ACCESS_TOKEN")
+	if pat == "" {
+		return nil, nil
+	}
+
+	patID, err := typeid.Parse[ids.PersonalAccessToken](pat)
+	if err != nil {
+		return nil, err
+	}
+
+	apiClient := api.NewClient(ctx, build.JetpackAPIHost(), &session.Token{})
+	response, err := apiClient.GetAccessToken(ctx, patID)
+	if err != nil {
+		return nil, err
+	}
+
+	// This is not the greatest. This token is missing id, refresh, etc.
+	// It may be better to change api.NewClient() to take a token string instead.
+	return &session.Token{
+		Token: oauth2.Token{
+			AccessToken: response.AccessToken,
+		},
+	}, nil
+}
diff --git a/internal/nix/cache.go b/internal/nix/cache.go
@@ -15,6 +15,7 @@ func CopyInstallableToCache(
 	// paths into "path" flakes which is not what we want for /nix/store paths.
 	// TODO: Add support for store paths in flake.Installable
 	to, installable string,
+	env []string,
 ) error {
 	fmt.Fprintf(out, "Copying %s to %s\n", installable, to)
 	cmd := commandContext(
@@ -30,6 +31,7 @@ func CopyInstallableToCache(
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = out
 	cmd.Stderr = out
+	cmd.Env = append(os.Environ(), env...)
 
 	return cmd.Run()
 }

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,9 @@ func (d *Devbox) UploadProjectToCache(`
`25`	`25`	`return err`
`26`	`26`	`}`
`27`	`27`
`28`		`- return nix.CopyInstallableToCache(ctx, d.stderr, cacheConfig.URI, profilePath)`
	`28`	`+ return nix.CopyInstallableToCache(`
	`29`	`+ ctx,`
	`30`	`+ d.stderr, cacheConfig.URI, profilePath, cacheConfig.CredentialsEnvVars())`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`func UploadInstallableToCache(`
`@@ -41,5 +43,7 @@ func UploadInstallableToCache(`
`41`	`43`	`return err`
`42`	`44`	`}`
`43`	`45`	`}`
`44`		`- return nix.CopyInstallableToCache(ctx, stderr, cacheConfig.URI, installable)`
	`46`	`+ return nix.CopyInstallableToCache(`
	`47`	`+ ctx,`
	`48`	`+ stderr, cacheConfig.URI, installable, cacheConfig.CredentialsEnvVars())`
`45`	`49`	`}`