Support OIDC Token Exchange During Server Configuration (#1369)

Author: EyalDelarea

common/cliutils/utils.go

@@ -3,8 +3,10 @@ package cliutils
 import (
 	"errors"
 	"fmt"
+	"github.com/jfrog/jfrog-cli-core/v2/common/project"
 	"io"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -18,6 +20,13 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
+const (
+	JfConfigDirName    = ".jfrog"
+	JfConfigFileName   = "config.yml"
+	ApplicationRootYML = "application"
+	Key                = "key"
+)
+
 func FixWinPathBySource(path string, fromSpec bool) string {
 	if strings.Count(path, "/") > 0 {
 		// Assuming forward slashes - not doubling backslash to allow regexp escaping
@@ -251,3 +260,39 @@ func FixWinPathsForFileSystemSourcedCmds(uploadSpec *spec.SpecFiles, specFlag, e
 		}
 	}
 }
+
+// Retrieves the application key from the .jfrog/config file or the environment variable.
+// If the application key is not found in either, returns an empty string.
+func ReadJFrogApplicationKeyFromConfigOrEnv() (applicationKeyValue string) {
+	applicationKeyValue = getApplicationKeyFromConfig()
+	if applicationKeyValue != "" {
+		log.Debug("Found application key in config file:", applicationKeyValue)
+		return
+	}
+	applicationKeyValue = os.Getenv(coreutils.ApplicationKey)
+	if applicationKeyValue != "" {
+		log.Debug("Found application key in environment variable:", applicationKeyValue)
+		return
+	}
+	log.Debug("Application key is not found in the config file or environment variable.")
+	return ""
+}
+
+func getApplicationKeyFromConfig() string {
+	configFilePath := filepath.Join(JfConfigDirName, JfConfigFileName)
+	vConfig, err := project.ReadConfigFile(configFilePath, project.YAML)
+	if err != nil {
+		log.Debug("error reading config file: %v", err)
+		return ""
+	}
+
+	application := vConfig.GetStringMapString(ApplicationRootYML)
+	applicationKey, ok := application[Key]
+	if !ok {
+		log.Debug("Application key is not found in the config file.")
+		return ""
+	}
+
+	log.Debug("Found application key:", applicationKey)
+	return applicationKey
+}

common/cliutils/utils_test.go

@@ -0,0 +1,78 @@
+package cliutils
+
+import (
+	testUtils "github.com/jfrog/jfrog-cli-core/v2/utils/tests"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestReadJFrogApplicationKeyFromConfigOrEnv(t *testing.T) {
+	configFilePath := filepath.Join(JfConfigDirName, JfConfigFileName)
+
+	// Test cases
+	tests := []struct {
+		name           string
+		configContent  string
+		envValue       string
+		expectedResult string
+	}{
+		{
+			name:           "Application key in config file",
+			configContent:  "application:\n  key: configKey",
+			envValue:       "",
+			expectedResult: "configKey",
+		},
+		{
+			name:           "Application key in environment variable",
+			configContent:  "",
+			envValue:       "envKey",
+			expectedResult: "envKey",
+		},
+		{
+			name:           "Application key in both config file and environment variable",
+			configContent:  "application:\n  key: configKey",
+			envValue:       "envKey",
+			expectedResult: "configKey",
+		},
+		{
+			name:           "No application key in config file or environment variable",
+			configContent:  "",
+			envValue:       "",
+			expectedResult: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Setup temp dir for each test
+			testDirPath, err := filepath.Abs(filepath.Join("../", "tests", "applicationConfigTestDir"))
+			assert.NoError(t, err)
+			_, cleanUp := testUtils.CreateTestWorkspace(t, testDirPath)
+
+			// Write config content to file
+			if tt.configContent != "" {
+				err = os.WriteFile(configFilePath, []byte(tt.configContent), 0644)
+				assert.NoError(t, err)
+			}
+
+			// Set environment variable
+			if tt.envValue != "" {
+				assert.NoError(t, os.Setenv(coreutils.ApplicationKey, tt.envValue))
+			} else {
+				assert.NoError(t, os.Unsetenv(coreutils.ApplicationKey))
+			}
+
+			// Call the function
+			result := ReadJFrogApplicationKeyFromConfigOrEnv()
+
+			// Assert the result
+			assert.Equal(t, tt.expectedResult, result)
+			// delete temp folder
+			cleanUp()
+		})
+	}
+}

common/commands/command.go

@@ -39,6 +39,17 @@ func Exec(command Command) error {
 	return err
 }
 
+// ExecAndThenReportUsage runs the command and then triggers a usage report
+// Is used for commands which don't have the full server details before execution
+// For example: oidc exchange command, which will get access token only after execution.
+func ExecAndThenReportUsage(cc Command) (err error) {
+	if err = cc.Run(); err != nil {
+		return
+	}
+	reportUsage(cc, nil)
+	return
+}
+
 func reportUsage(command Command, channel chan<- bool) {
 	// When the usage reporting is done, signal to the channel.
 	defer signalReportUsageFinished(channel)

common/commands/config.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"errors"
 	"fmt"
+	generic "github.com/jfrog/jfrog-cli-core/v2/general/token"
 	"net/url"
 	"os"
 	"reflect"
@@ -39,11 +40,11 @@ const (
 	BasicAuth   AuthenticationMethod = "Username and Password / Reference token"
 	MTLS        AuthenticationMethod = "Mutual TLS"
 	WebLogin    AuthenticationMethod = "Web Login"
+	// Currently supported only non-interactively.
+	OIDC AuthenticationMethod = "OIDC"
 )
 
 const (
-	// Indicates that the config command uses OIDC authentication.
-	configOidcCommandName = "config_oidc"
 	// Default config command name.
 	configCommandName = "config"
 )
@@ -63,8 +64,9 @@ type ConfigCommand struct {
 	// Forcibly make the configured server default.
 	makeDefault bool
 	// For unit tests
-	disablePrompts bool
-	cmdType        ConfigAction
+	disablePrompts  bool
+	cmdType         ConfigAction
+	oidcSetupParams *generic.OidcParams
 }
 
 func NewConfigCommand(cmdType ConfigAction, serverId string) *ConfigCommand {
@@ -150,27 +152,9 @@ func (cc *ConfigCommand) ServerDetails() (*config.ServerDetails, error) {
 }
 
 func (cc *ConfigCommand) CommandName() string {
-	oidcConfigured, err := clientUtils.GetBoolEnvValue(coreutils.UsageOidcConfigured, false)
-	if err != nil {
-		log.Warn("Failed to get the value of the environment variable: " + coreutils.UsageAutoPublishedBuild + ". " + err.Error())
-	}
-	if oidcConfigured {
-		return configOidcCommandName
-	}
 	return configCommandName
 }
 
-// ExecAndReportUsage runs the ConfigCommand and then triggers a usage report if needed,
-// Report usage only if OIDC integration was used
-// Usage must be sent after command execution as we need the server details to be set.
-func (cc *ConfigCommand) ExecAndReportUsage() (err error) {
-	if err = cc.Run(); err != nil {
-		return
-	}
-	reportUsage(cc, nil)
-	return
-}
-
 func (cc *ConfigCommand) config() error {
 	configurations, err := cc.prepareConfigurationData()
 	if err != nil {
@@ -215,6 +199,12 @@ func (cc *ConfigCommand) getConfigurationNonInteractively() error {
 		}
 	}
 
+	if cc.OidcAuthMethodUsed() {
+		if err := exchangeOidcTokenAndSetAccessToken(cc); err != nil {
+			return err
+		}
+	}
+
 	if cc.details.AccessToken != "" && cc.details.User == "" {
 		if err := cc.validateTokenIsNotApiKey(); err != nil {
 			return err
@@ -224,6 +214,35 @@ func (cc *ConfigCommand) getConfigurationNonInteractively() error {
 	return nil
 }
 
+// When a user is configuration a new server with OIDC, we will exchange the token and set the access token.
+func exchangeOidcTokenAndSetAccessToken(cc *ConfigCommand) error {
+	if err := validateOidcParams(cc.details.Url, cc.oidcSetupParams); err != nil {
+		return err
+	}
+	log.Debug("Exchanging OIDC token...")
+	exchangeOidcTokenCmd := generic.NewOidcTokenExchangeCommand()
+	exchangeOidcTokenCmd.
+		SetServerDetails(cc.details).
+		SetProviderName(cc.oidcSetupParams.ProviderName).
+		SetOidcTokenID(cc.oidcSetupParams.TokenId).
+		SetProviderType(cc.oidcSetupParams.ProviderType).
+		SetAudience(cc.oidcSetupParams.Audience).
+		SetApplicationKey(cc.oidcSetupParams.ApplicationKey).
+		SetProjectKey(cc.oidcSetupParams.ProjectKey).
+		SetRepository(cc.oidcSetupParams.Repository).
+		SetJobId(cc.oidcSetupParams.JobId).
+		SetRunId(cc.oidcSetupParams.RunId)
+
+	// Usage report will be sent only after execution in order to have valid token
+	err := ExecAndThenReportUsage(exchangeOidcTokenCmd)
+	if err != nil {
+		return err
+	}
+	// Update the config server details with the exchanged token
+	cc.details.AccessToken = exchangeOidcTokenCmd.GetExchangedToken()
+	return nil
+}
+
 func (cc *ConfigCommand) addTrailingSlashes() {
 	cc.details.ArtifactoryUrl = clientUtils.AddTrailingSlashIfNeeded(cc.details.ArtifactoryUrl)
 	cc.details.DistributionUrl = clientUtils.AddTrailingSlashIfNeeded(cc.details.DistributionUrl)
@@ -281,6 +300,7 @@ func (cc *ConfigCommand) prepareConfigurationData() ([]*config.ServerDetails, er
 		if cc.defaultDetails != nil {
 			cc.details.InsecureTls = cc.defaultDetails.InsecureTls
 		}
+		cc.oidcSetupParams = new(generic.OidcParams)
 	}
 
 	// Get configurations list
@@ -404,6 +424,7 @@ func (cc *ConfigCommand) promptAuthMethods() (selectedMethod AuthenticationMetho
 		WebLogin,
 		BasicAuth,
 		MTLS,
+		OIDC,
 	}
 	var selectableItems []ioutils.PromptItem
 	for _, curMethod := range authMethods {
@@ -483,6 +504,15 @@ func (cc *ConfigCommand) readClientCertInfoFromConsole() {
 	}
 }
 
+func (cc *ConfigCommand) SetOidcExchangeTokenId(id string) {
+	cc.oidcSetupParams.TokenId = id
+}
+
+// If OIDC params were provided it indicates that we should use OIDC authentication method.
+func (cc *ConfigCommand) OidcAuthMethodUsed() bool {
+	return cc.oidcSetupParams != nil && cc.oidcSetupParams.ProviderName != ""
+}
+
 func readAccessTokenFromConsole(details *config.ServerDetails) error {
 	token, err := ioutils.ScanPasswordFromConsole("JFrog access token:")
 	if err == nil {
@@ -817,6 +847,11 @@ func (cc *ConfigCommand) handleWebLogin() error {
 	return nil
 }
 
+func (cc *ConfigCommand) SetOIDCParams(oidcDetails *generic.OidcParams) *ConfigCommand {
+	cc.oidcSetupParams = oidcDetails
+	return cc
+}
+
 // Return true if a URL is safe. URL is considered not safe if the following conditions are met:
 // 1. The URL uses an http:// scheme
 // 2. The URL leads to a URL outside the local machine
@@ -852,6 +887,7 @@ func assertSingleAuthMethod(details *config.ServerDetails) error {
 
 type ConfigCommandConfiguration struct {
 	ServerDetails *config.ServerDetails
+	OidcParams    *generic.OidcParams
 	Interactive   bool
 	EncPassword   bool
 	BasicAuthOnly bool
@@ -868,3 +904,16 @@ func GetAllServerIds() []string {
 	}
 	return serverIds
 }
+
+func validateOidcParams(platformUrl string, oidcParams *generic.OidcParams) error {
+	if platformUrl == "" {
+		return errorutils.CheckErrorf("the --url flag must be provided when --oidc-provider is used")
+	}
+	if oidcParams.TokenId == "" {
+		return errorutils.CheckErrorf("the --oidc-token-id flag must be provided when --oidc-provider is used. Ensure the flag is set or the environment variable is exported. If running on a CI server, verify the token is correctly injected.")
+	}
+	if oidcParams.ProviderName == "" {
+		return errorutils.CheckErrorf("the --oidc-provider flag must be provided when using OIDC authentication")
+	}
+	return nil
+}