feat: adds cognito token source to offchain/jd (#336)

This adds functionality to the `offchain/jd` package to create an oauth2
token source for Cognito. This token is used to authenticate against the
Job Distributor API.

Author: jkongie

.changeset/long-chefs-sleep.md

@@ -0,0 +1,5 @@
+---
+"chainlink-deployments-framework": minor
+---
+
+Adds a struct to generate Cognito oauth tokens for Job Distributor

.mockery.yml

@@ -24,6 +24,14 @@ packages:
       filename: "mock_{{.InterfaceName | snakecase}}.go"
     interfaces:
       Client:
+  github.com/smartcontractkit/chainlink-deployments-framework/offchain/jd:
+    config:
+      all: false
+      pkgname: "mocks"
+      dir: "offchain/jd/internal/mocks"
+      filename: "mock_{{.InterfaceName | snakecase}}.go"
+    interfaces:
+      CognitoClient:
   github.com/smartcontractkit/chainlink-protos/job-distributor/v1/job:
     config:
       all: false
@@ -48,4 +56,3 @@ packages:
       filename: "mock_{{.InterfaceName | snakecase}}.go"
     interfaces:
       NodeServiceClient:
-

go.mod

@@ -9,6 +9,9 @@ require (
 	github.com/aptos-labs/aptos-go-sdk v1.6.3-0.20250331001805-0680b714db6d
 	github.com/avast/retry-go/v4 v4.6.1
 	github.com/aws/aws-sdk-go v1.55.7
+	github.com/aws/aws-sdk-go-v2 v1.38.1
+	github.com/aws/aws-sdk-go-v2/config v1.28.0
+	github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.1
 	github.com/block-vision/sui-go-sdk v1.0.6
 	github.com/cosmos/go-bip39 v1.0.0
 	github.com/ethereum/go-ethereum v1.15.7
@@ -54,20 +57,18 @@ require (
 	github.com/XSAM/otelsql v0.37.0 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
 	github.com/awalterschulze/gographviz v2.0.3+incompatible // indirect
-	github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.28.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.41 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 // indirect
-	github.com/aws/smithy-go v1.22.0 // indirect
+	github.com/aws/smithy-go v1.22.5 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect

go.sum

@@ -39,20 +39,22 @@ github.com/awalterschulze/gographviz v2.0.3+incompatible h1:9sVEXJBJLwGX7EQVhLm2
 github.com/awalterschulze/gographviz v2.0.3+incompatible/go.mod h1:GEV5wmg4YquNw7v1kkyoX9etIk8yVmXj+AkDHuuETHs=
 github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
 github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.32.2 h1:AkNLZEyYMLnx/Q/mSKkcMqwNFXMAvFto9bNsHqcTduI=
-github.com/aws/aws-sdk-go-v2 v1.32.2/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
+github.com/aws/aws-sdk-go-v2 v1.38.1 h1:j7sc33amE74Rz0M/PoCpsZQ6OunLqys/m5antM0J+Z8=
+github.com/aws/aws-sdk-go-v2 v1.38.1/go.mod h1:9Q0OoGQoboYIAJyslFyF1f5K1Ryddop8gqMhWx/n4Wg=
 github.com/aws/aws-sdk-go-v2/config v1.28.0 h1:FosVYWcqEtWNxHn8gB/Vs6jOlNwSoyOCA/g/sxyySOQ=
 github.com/aws/aws-sdk-go-v2/config v1.28.0/go.mod h1:pYhbtvg1siOOg8h5an77rXle9tVG8T+BWLWAo7cOukc=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.41 h1:7gXo+Axmp+R4Z+AK8YFQO0ZV3L0gizGINCOWxSLY9W8=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.41/go.mod h1:u4Eb8d3394YLubphT4jLEwN1rLNq2wFOlT6OuxFwPzU=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 h1:TMH3f/SCAWdNtXXVPPu5D6wrr4G5hI1rAxbcocKfC7Q=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17/go.mod h1:1ZRXLdTpzdJb9fwTMXiLipENRxkGMTn1sfKexGllQCw=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 h1:UAsR3xA31QGf79WzpG/ixT9FZvQlh5HY1NRqSHBNOCk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21/go.mod h1:JNr43NFf5L9YaG3eKTm7HQzls9J+A9YYcGI5Quh1r2Y=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 h1:6jZVETqmYCadGFvrYEQfC5fAQmlo80CeL5psbno6r0s=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21/go.mod h1:1SR0GbLlnN3QUmYaflZNiH1ql+1qrSiB2vwcJ+4UM60=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4 h1:IdCLsiiIj5YJ3AFevsewURCPV+YWUlOW8JiPhoAy8vg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.4/go.mod h1:l4bdfCD7XyyZA9BolKBo1eLqgaJxl0/x91PL4Yqe0ao=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4 h1:j7vjtr1YIssWQOMeOWRbh3z8g2oY/xPjnZH2gLY4sGw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.4/go.mod h1:yDmJgqOiH4EA8Hndnv4KwAo8jCGTSnM5ASG1nBI+toA=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.1 h1:gKFnV8HEJomx4XFOVBXRUA5hphkhpnUjqJsYPCc9K8Q=
+github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider v1.57.1/go.mod h1:+UxryRSMGMtqsvxdnws+VpNyFYWRkw4ZlM+5AC160XA=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 h1:s7NA1SOw8q/5c0wr8477yOPp0z+uBaXBnLE0XYb0POA=
@@ -65,8 +67,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 h1:AhmO1fHINP9vFYUE0LHzCWg/
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2/go.mod h1:o8aQygT2+MVP0NaV6kbdE1YnnIM8RRVQzoeUH45GOdI=
 github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 h1:CiS7i0+FUe+/YY1GvIBLLrR/XNGZ4CtM1Ll0XavNuVo=
 github.com/aws/aws-sdk-go-v2/service/sts v1.32.2/go.mod h1:HtaiBI8CjYoNVde8arShXb94UbQQi9L4EMr6D+xGBwo=
-github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
-github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/smithy-go v1.22.5 h1:P9ATCXPMb2mPjYBgueqJNCA5S9UfktsW0tTxi+a7eqw=
+github.com/aws/smithy-go v1.22.5/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/barkimedes/go-deepcopy v0.0.0-20220514131651-17c30cfc62df h1:GSoSVRLoBaFpOOds6QyY1L8AX7uoY+Ln3BHc22W40X0=

offchain/jd/cognito.go

@@ -0,0 +1,144 @@
+package jd
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
+	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
+	"golang.org/x/oauth2"
+)
+
+// CognitoClient defines the interface for Cognito Identity Provider operations.
+// This interface allows for mocking the AWS Cognito client in unit tests.
+type CognitoClient interface {
+	InitiateAuth(
+		ctx context.Context,
+		params *cognitoidentityprovider.InitiateAuthInput,
+		optFns ...func(*cognitoidentityprovider.Options),
+	) (*cognitoidentityprovider.InitiateAuthOutput, error)
+}
+
+// CognitoTokenSource provides a oath2 token that is used to authenticate with the Job Distributor.
+type CognitoTokenSource struct {
+	// The Cognito authentication information
+	auth CognitoAuth
+
+	// The cached authentication result from Cognito
+	authResult *types.AuthenticationResultType
+
+	// The Cognito client interface for making API calls
+	client CognitoClient
+}
+
+// CognitoAuth contains the Cognito authentication information required to generate a token from
+// Cognito.
+type CognitoAuth struct {
+	AWSRegion              string
+	CognitoAppClientID     string
+	CognitoAppClientSecret string
+	Username               string
+	Password               string
+}
+
+// NewCognitoTokenSource creates a new CognitoTokenSource with the given CognitoAuth configuration.
+// If client is nil, a real AWS Cognito client will be created when Authenticate is called.
+func NewCognitoTokenSource(auth CognitoAuth) *CognitoTokenSource {
+	return &CognitoTokenSource{
+		auth: auth,
+	}
+}
+
+// Authenticate performs user authentication against AWS Cognito using the USER_PASSWORD_AUTH flow.
+//
+// Authentication results are cached in the authResult field and used by the Token() method
+// to provide OAuth2 access tokens without re-authenticating.
+func (c *CognitoTokenSource) Authenticate(ctx context.Context) error {
+	// Create client if not already set (for production use)
+	if c.client == nil {
+		sdkConfig, err := config.LoadDefaultConfig(ctx,
+			config.WithRegion(c.auth.AWSRegion),
+		)
+		if err != nil {
+			return err
+		}
+		c.client = cognitoidentityprovider.NewFromConfig(sdkConfig)
+	}
+
+	// Authenticate the user
+	input := &cognitoidentityprovider.InitiateAuthInput{
+		AuthFlow: types.AuthFlowTypeUserPasswordAuth,
+		ClientId: aws.String(c.auth.CognitoAppClientID),
+		AuthParameters: map[string]string{
+			"USERNAME":    c.auth.Username,
+			"PASSWORD":    c.auth.Password,
+			"SECRET_HASH": c.secretHash(),
+		},
+	}
+
+	output, err := c.client.InitiateAuth(ctx, input)
+	if err != nil {
+		return err
+	}
+
+	c.authResult = output.AuthenticationResult
+
+	return nil
+}
+
+// Token retrieves an OAuth2 access token for authenticating with the Job Distributor service.
+//
+// This method implements a lazy loading pattern:
+//  1. If an authentication result is already cached, it returns the cached access token
+//  2. If no cached result exists, it automatically authenticates with AWS Cognito first
+//  3. Returns the access token wrapped in an oauth2.Token struct
+//
+// The method implements the oauth2.TokenSource interface, making it compatible with
+// standard OAuth2 client libraries and HTTP clients that support token sources.
+//
+// Note: This method uses context.Background() for authentication if no cached token exists.
+// For more control over authentication context and timeout behavior, consider calling
+// Authenticate() explicitly before calling Token().
+//
+// Returns an OAuth2 token containing the Cognito access token
+func (c *CognitoTokenSource) Token() (*oauth2.Token, error) {
+	if c.authResult == nil {
+		if err := c.Authenticate(context.Background()); err != nil {
+			return nil, err
+		}
+	}
+
+	return &oauth2.Token{
+		AccessToken: aws.ToString(c.authResult.AccessToken),
+	}, nil
+}
+
+// secretHash computes the AWS Cognito secret hash required for authentication with app clients that have a client secret.
+//
+// The secret hash is calculated using HMAC-SHA256 with the following formula:
+//
+//	HMAC-SHA256(ClientSecret, Username + ClientId)
+//
+// This method:
+//  1. Creates an HMAC-SHA256 hash using the Cognito app client secret as the key
+//  2. Constructs the message by concatenating the username and client ID
+//  3. Computes the HMAC hash of the message
+//  4. Returns the hash encoded as a base64 string
+//
+// The secret hash is required by AWS Cognito when the app client is configured with a client secret.
+// It provides an additional layer of security by ensuring that only clients with the correct secret
+// can authenticate users.
+//
+// Returns the computed secret hash as a base64-encoded string.
+func (c *CognitoTokenSource) secretHash() string {
+	hmac := hmac.New(sha256.New, []byte(c.auth.CognitoAppClientSecret))
+	message := []byte(c.auth.Username + c.auth.CognitoAppClientID)
+	hmac.Write(message)
+	dataHmac := hmac.Sum(nil)
+
+	return base64.StdEncoding.EncodeToString(dataHmac)
+}