Adds suport for token refreshing mechanism on token expiry

Harsh4902 · Harsh4902 · commit 0343a6ed609a · 2025-05-15T16:53:59.000+05:30
Signed-off-by: Harsh4902 &lt;harshparmar4902@gmail.com&gt;
diff --git a/pkg/config/localconfig.go b/pkg/config/localconfig.go
@@ -14,6 +14,7 @@ type LocalConfig struct {
 	Servers        []Server     `yaml:"servers"`
 	Users          []User       `yaml:"users"`
 	Instances      []Instance   `yaml:"instances"`
+	Auths          []Auth       `yaml:"auths"`
 }
 
 type ContextRef struct {
@@ -53,6 +54,12 @@ type Instance struct {
 	Driver      string `yaml:"driver"`
 }
 
+type Auth struct {
+	Server       string
+	ClientId     string
+	ClientSecret string
+}
+
 // ReadLocalConfig loads up the local configuration file. Returns nil if config does not exist
 func ReadLocalConfig(path string) (*LocalConfig, error) {
 	var err error
@@ -293,3 +300,34 @@ func (l *LocalConfig) RemoveInstance(instanceName string) bool {
 func (l *LocalConfig) IsEmpty() bool {
 	return len(l.Servers) == 0
 }
+
+func (l *LocalConfig) GetAuth(server string) (*Auth, error) {
+	for _, a := range l.Auths {
+		if a.Server == server {
+			return &a, nil
+		}
+	}
+
+	return nil, fmt.Errorf("Auth for '%s' is undifined\n", server)
+}
+
+func (l *LocalConfig) UpserAuth(auth Auth) {
+	for i, a := range l.Auths {
+		if a.Server == auth.Server {
+			l.Auths[i] = auth
+			return
+		}
+	}
+
+	l.Auths = append(l.Auths, auth)
+}
+
+func (l *LocalConfig) RemoveAuth(server string) bool {
+	for i, a := range l.Auths {
+		if a.Server == server {
+			l.Auths = append(l.Auths[:i], l.Auths[i+1:]...)
+			return true
+		}
+	}
+	return false
+}
diff --git a/pkg/connectors/microcks_client.go b/pkg/connectors/microcks_client.go
@@ -17,11 +17,14 @@ package connectors
 
 import (
 	"bytes"
+	"context"
+	"crypto/tls"
 	"encoding/json"
-	"errors"
+	errs "errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"mime/multipart"
 	"net/http"
 	"net/url"
@@ -30,7 +33,11 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/microcks/microcks-cli/pkg/config"
+	"github.com/microcks/microcks-cli/pkg/errors"
+	"golang.org/x/oauth2"
 )
 
 var (
@@ -79,41 +86,79 @@ type OAuth2ClientContext struct {
 	Scopes       string `json:"scopes"`
 }
 
+type ClientOptions struct {
+	ServerAddr  string
+	Context     string
+	ConfigPath  string
+	AuthToken   string
+	InsecureTLS bool
+	Verbose     bool
+	CaCertPaths string
+}
+
 type microcksClient struct {
-	APIURL     *url.URL
-	OAuthToken string
+	ServerAddr   string
+	APIURL       *url.URL
+	AuthToken    string
+	CertFile     *tls.Certificate
+	InsecureTLS  bool
+	RefreshToken string
+	Insecure     bool
+	Verbose      bool
 
 	httpClient *http.Client
 }
 
-// NewMicrocksClient build a new MicrocksClient implementation
-func NewMicrocksClient(apiURL string) MicrocksClient {
-	mc := microcksClient{}
+func NewClient(opts ClientOptions) (MicrocksClient, error) {
+	var c microcksClient
+	localCfg, err := config.ReadLocalConfig(opts.ConfigPath)
+	if err != nil {
+		return nil, err
+	}
+	var ctxName string
 
-	if !strings.HasSuffix(apiURL, "/api/") {
-		apiURL += "/api/"
+	if localCfg != nil {
+		configCtx, err := localCfg.ResolveContext(opts.Context)
+		if err != nil {
+			return nil, err
+		}
+		c.ServerAddr = configCtx.Server.Server
+		c.Insecure = configCtx.Server.KeycloackEnable
+		c.InsecureTLS = configCtx.Server.InsecureTLS
+		c.AuthToken = configCtx.User.AuthToken
+		c.RefreshToken = configCtx.User.RefreshToken
+
+		apiurl := configCtx.Server.Server
+
+		if !strings.HasSuffix(apiurl, "/api/") {
+			apiurl += "/api/"
+		}
+
+		u, err := url.Parse(apiurl)
+		if err != nil {
+			panic(err)
+		}
+		c.APIURL = u
+
+		ctxName = configCtx.Name
 	}
 
-	u, err := url.Parse(apiURL)
-	if err != nil {
-		panic(err)
+	if opts.Verbose {
+		c.Verbose = opts.Verbose
 	}
-	mc.APIURL = u
 
-	if config.InsecureTLS || len(config.CaCertPaths) > 0 {
-		tlsConfig := config.CreateTLSConfig()
-		tr := &http.Transport{
-			TLSClientConfig: tlsConfig,
+	c.httpClient = &http.Client{}
+	if localCfg != nil {
+		err = c.refreshAuthToken(localCfg, ctxName, opts.ConfigPath)
+		if err != nil {
+			return nil, err
 		}
-		mc.httpClient = &http.Client{Transport: tr}
-	} else {
-		mc.httpClient = http.DefaultClient
 	}
-	return &mc
+	return &c, nil
 }
 
-func (mc *microcksClient) HttpClient() *http.Client {
-	return mc.httpClient
+func (c *microcksClient) HttpClient() *http.Client {
+	return c.httpClient
 }
 
 func (c *microcksClient) GetKeycloakURL() (string, error) {
@@ -162,8 +207,100 @@ func (c *microcksClient) GetKeycloakURL() (string, error) {
 	return "null", nil
 }
 
+func (c *microcksClient) refreshAuthToken(localCfg *config.LocalConfig, ctxName, configPath string) error {
+	if c.RefreshToken == "" {
+		// If we have no refresh token, there's no point in doing anything
+		return nil
+	}
+	configCtx, err := localCfg.ResolveContext(ctxName)
+	if err != nil {
+		return err
+	}
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	var claims jwt.RegisteredClaims
+	_, _, err = parser.ParseUnverified(configCtx.User.AuthToken, &claims)
+	if err != nil {
+		return err
+	}
+	if claims.Valid() == nil {
+		// token is still valid
+		return nil
+	}
+
+	log.Printf("Auth token no longer valid. Refreshing")
+	auth, err := localCfg.GetAuth(configCtx.Server.Server)
+	if err != nil {
+		return err
+	}
+	authToken, refreshToken, err := c.redeemRefreshToken(*auth)
+	if err != nil {
+		return err
+	}
+	c.AuthToken = authToken
+	c.RefreshToken = refreshToken
+	localCfg.UpsertUser(config.User{
+		Name:         ctxName,
+		AuthToken:    authToken,
+		RefreshToken: refreshToken,
+	})
+	err = config.WriteLocalConfig(*localCfg, configPath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *microcksClient) redeemRefreshToken(auth config.Auth) (string, string, error) {
+	keyCloakUrl, err := c.GetKeycloakURL()
+	errors.CheckError(err)
+	kc := NewKeycloakClient(keyCloakUrl, "", "")
+	oauth2Conf, err := kc.GetOIDCConfig()
+	errors.CheckError(err)
+	oauth2Conf.ClientID = auth.ClientId
+	oauth2Conf.ClientSecret = auth.ClientSecret
+
+	httpClient := c.httpClient
+	ctx := oidc.ClientContext(context.Background(), httpClient)
+
+	t := &oauth2.Token{
+		RefreshToken: c.RefreshToken,
+	}
+	token, err := oauth2Conf.TokenSource(ctx, t).Token()
+	if err != nil {
+		return "", "", err
+	}
+
+	return token.AccessToken, token.RefreshToken, nil
+}
+
+// NewMicrocksClient builds a new headless MicrocksClient without any authtoken and all for general purposes
+func NewMicrocksClient(apiURL string) MicrocksClient {
+	mc := microcksClient{}
+
+	if !strings.HasSuffix(apiURL, "/api/") {
+		apiURL += "/api/"
+	}
+
+	u, err := url.Parse(apiURL)
+	if err != nil {
+		panic(err)
+	}
+	mc.APIURL = u
+
+	if config.InsecureTLS || len(config.CaCertPaths) > 0 {
+		tlsConfig := config.CreateTLSConfig()
+		tr := &http.Transport{
+			TLSClientConfig: tlsConfig,
+		}
+		mc.httpClient = &http.Client{Transport: tr}
+	} else {
+		mc.httpClient = http.DefaultClient
+	}
+	return &mc
+}
+
 func (c *microcksClient) SetOAuthToken(oauthToken string) {
-	c.OAuthToken = oauthToken
+	c.AuthToken = oauthToken
 }
 
 func (c *microcksClient) CreateTestResult(serviceID string, testEndpoint string, runnerType string, secretName string, timeout int64, filteredOperations string, operationsHeaders string, oAuth2Context string) (string, error) {
@@ -199,7 +336,7 @@ func (c *microcksClient) CreateTestResult(serviceID string, testEndpoint string,
 
 	req.Header.Set("Content-Type", "application/json; charset=utf-8")
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Authorization", "Bearer "+c.OAuthToken)
+	req.Header.Set("Authorization", "Bearer "+c.AuthToken)
 
 	// Dump request if verbose required.
 	config.DumpRequestIfRequired("Microcks for creating test", req, true)
@@ -238,7 +375,7 @@ func (c *microcksClient) GetTestResult(testResultID string) (*TestResultSummary,
 	}
 
 	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Authorization", "Bearer "+c.OAuthToken)
+	req.Header.Set("Authorization", "Bearer "+c.AuthToken)
 
 	// Dump request if verbose required.
 	config.DumpRequestIfRequired("Microcks for getting status", req, false)
@@ -300,7 +437,7 @@ func (c *microcksClient) UploadArtifact(specificationFilePath string, mainArtifa
 		return "", err
 	}
 	req.Header.Set("Content-Type", writer.FormDataContentType())
-	req.Header.Set("Authorization", "Bearer "+c.OAuthToken)
+	req.Header.Set("Authorization", "Bearer "+c.AuthToken)
 
 	// Dump request if verbose required.
 	config.DumpRequestIfRequired("Microcks for uploading artifact", req, true)
@@ -321,7 +458,7 @@ func (c *microcksClient) UploadArtifact(specificationFilePath string, mainArtifa
 
 	// Raise exception if not created.
 	if resp.StatusCode != 201 {
-		return "", errors.New(string(respBody))
+		return "", errs.New(string(respBody))
 	}
 
 	return string(respBody), err
@@ -354,7 +491,7 @@ func (c *microcksClient) DownloadArtifact(artifactURL string, mainArtifact bool,
 		return "", err
 	}
 	req.Header.Set("Content-Type", writer.FormDataContentType())
-	req.Header.Set("Authorization", "Bearer "+c.OAuthToken)
+	req.Header.Set("Authorization", "Bearer "+c.AuthToken)
 
 	// Dump request if verbose required.
 	config.DumpRequestIfRequired("Microcks for uploading artifact", req, true)
@@ -375,7 +512,7 @@ func (c *microcksClient) DownloadArtifact(artifactURL string, mainArtifact bool,
 
 	// Raise exception if not created.
 	if resp.StatusCode != 201 {
-		return "", errors.New(string(respBody))
+		return "", errs.New(string(respBody))
 	}
 
 	return string(respBody), err
