replace wif assertion options with a func

JorTurFer · JorTurFer · commit 5e41dc32d226 · 2026-01-07T18:29:57.000+01:00
Signed-off-by: Jorge Turrado &lt;jorge_turrado@hotmail.es&gt;
diff --git a/core/auth/auth.go b/core/auth/auth.go
@@ -238,9 +238,8 @@ func WorkloadIdentityFederationAuth(cfg *config.Configuration) (http.RoundTrippe
 		TokenUrl:                      cfg.TokenCustomUrl,
 		BackgroundTokenRefreshContext: cfg.BackgroundTokenRefreshContext,
 		ClientID:                      cfg.ServiceAccountEmail,
-		FederatedTokenFilePath:        cfg.ServiceAccountFederatedTokenPath,
 		TokenExpiration:               cfg.ServiceAccountFederatedTokenExpiration,
-		FederatedToken:                cfg.ServiceAccountFederatedToken,
+		FederatedTokenFunction:        cfg.ServiceAccountFederatedTokenFunc,
 	}
 
 	if cfg.HTTPClient != nil && cfg.HTTPClient.Transport != nil {
diff --git a/core/clients/workload_identity_flow.go b/core/clients/workload_identity_flow.go
@@ -10,7 +10,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang-jwt/jwt/v5"
+	"github.com/stackitcloud/stackit-sdk-go/core/utils"
 )
 
 const (
@@ -48,8 +48,6 @@ type WorkloadIdentityFederationFlow struct {
 	tokenMutex sync.RWMutex
 	token      *TokenResponseBody
 
-	parser *jwt.Parser
-
 	// If the current access token would expire in less than TokenExpirationLeeway,
 	// the client will refresh it early to prevent clock skew or other timing issues.
 	tokenExpirationLeeway time.Duration
@@ -59,12 +57,11 @@ type WorkloadIdentityFederationFlow struct {
 type WorkloadIdentityFederationFlowConfig struct {
 	TokenUrl                      string
 	ClientID                      string
-	FederatedToken                string // Static token string. This is optional, if not set the token will be read from file.
-	FederatedTokenFilePath        string
 	TokenExpiration               string          // Not supported yet
 	BackgroundTokenRefreshContext context.Context // Functionality is enabled if this isn't nil
 	HTTPTransport                 http.RoundTripper
 	AuthHTTPClient                *http.Client
+	FederatedTokenFunction        func() (string, error) // Function to get the federated token
 }
 
 // GetConfig returns the flow configuration
@@ -130,7 +127,6 @@ func (c *WorkloadIdentityFederationFlow) Init(cfg *WorkloadIdentityFederationFlo
 	// No concurrency at this point, so no mutex check needed
 	c.token = &TokenResponseBody{}
 	c.config = cfg
-	c.parser = jwt.NewParser()
 
 	if c.config.TokenUrl == "" {
 		c.config.TokenUrl = getEnvOrDefault(wifTokenEndpointEnv, defaultWifTokenEndpoint)
@@ -140,8 +136,10 @@ func (c *WorkloadIdentityFederationFlow) Init(cfg *WorkloadIdentityFederationFlo
 		c.config.ClientID = getEnvOrDefault(clientIDEnv, "")
 	}
 
-	if c.config.FederatedToken == "" && c.config.FederatedTokenFilePath == "" {
-		c.config.FederatedTokenFilePath = getEnvOrDefault(FederatedTokenFileEnv, defaultFederatedTokenPath)
+	if c.config.FederatedTokenFunction == nil {
+		c.config.FederatedTokenFunction = func() (string, error) {
+			return utils.ReadJWTFromFileSystem(getEnvOrDefault(FederatedTokenFileEnv, defaultFederatedTokenPath))
+		}
 	}
 
 	c.tokenExpirationLeeway = defaultTokenExpirationLeeway
@@ -176,10 +174,8 @@ func (c *WorkloadIdentityFederationFlow) validate() error {
 	if c.config.TokenUrl == "" {
 		return fmt.Errorf("token URL cannot be empty")
 	}
-	if c.config.FederatedToken == "" {
-		if _, err := c.readJWTFromFileSystem(c.config.FederatedTokenFilePath); err != nil {
-			return fmt.Errorf("error reading federated token file - %w", err)
-		}
+	if _, err := c.config.FederatedTokenFunction(); err != nil {
+		return fmt.Errorf("error reading federated token file - %w", err)
 	}
 	if c.tokenExpirationLeeway < 0 {
 		return fmt.Errorf("token expiration leeway cannot be negative")
@@ -190,15 +186,10 @@ func (c *WorkloadIdentityFederationFlow) validate() error {
 
 // createAccessToken creates an access token using self signed JWT
 func (c *WorkloadIdentityFederationFlow) createAccessToken() error {
-	clientAssertion := c.config.FederatedToken
-	if clientAssertion == "" {
-		var err error
-		clientAssertion, err = c.readJWTFromFileSystem(c.config.FederatedTokenFilePath)
-		if err != nil {
-			return fmt.Errorf("error reading service account assertion - %w", err)
-		}
+	clientAssertion, err := c.config.FederatedTokenFunction()
+	if err != nil {
+		return err
 	}
-
 	res, err := c.requestToken(c.config.ClientID, clientAssertion)
 	if err != nil {
 		return err
@@ -235,16 +226,3 @@ func (c *WorkloadIdentityFederationFlow) requestToken(clientID, assertion string
 
 	return c.authClient.Do(req)
 }
-
-func (c *WorkloadIdentityFederationFlow) readJWTFromFileSystem(tokenFilePath string) (string, error) {
-	token, err := os.ReadFile(tokenFilePath)
-	if err != nil {
-		return "", err
-	}
-	tokenStr := string(token)
-	_, _, err = c.parser.ParseUnverified(tokenStr, jwt.MapClaims{})
-	if err != nil {
-		return "", err
-	}
-	return tokenStr, nil
-}
diff --git a/core/clients/workload_identity_flow_test.go b/core/clients/workload_identity_flow_test.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"github.com/stackitcloud/stackit-sdk-go/core/utils"
 )
 
 func TestWorkloadIdentityFlowInit(t *testing.T) {
@@ -55,12 +56,6 @@ func TestWorkloadIdentityFlowInit(t *testing.T) {
 			validAssertion: true,
 			wantErr:        true,
 		},
-		{
-			name:                 "missing assertion",
-			clientID:             "test@stackit.cloud",
-			missingTokenFilePath: true,
-			wantErr:              true,
-		},
 		{
 			name:     "invalid assertion",
 			clientID: "test@stackit.cloud",
@@ -114,7 +109,9 @@ func TestWorkloadIdentityFlowInit(t *testing.T) {
 				if tt.tokenFilePathAsEnv {
 					t.Setenv("STACKIT_FEDERATED_TOKEN_FILE", file.Name())
 				} else {
-					flowConfig.FederatedTokenFilePath = file.Name()
+					flowConfig.FederatedTokenFunction = func() (string, error) {
+						return utils.ReadJWTFromFileSystem(file.Name())
+					}
 				}
 			}
 
@@ -137,14 +134,6 @@ func TestWorkloadIdentityFlowInit(t *testing.T) {
 				t.Errorf("tokenUrl mismatch, want %s, got %s", "https://accounts.stackit.cloud/oauth/v2/token", flow.config.TokenUrl)
 			}
 
-			if tt.missingTokenFilePath && flow.config.FederatedTokenFilePath != "/var/run/secrets/stackit.cloud/serviceaccount/token" {
-				t.Errorf("clientID mismatch, want %s, got %s", "/var/run/secrets/stackit.cloud/serviceaccount/token", flow.config.FederatedTokenFilePath)
-			}
-
-			if !tt.missingTokenFilePath && flow.config.FederatedTokenFilePath == "/var/run/secrets/stackit.cloud/serviceaccount/token" {
-				t.Errorf("clientID mismatch, want different from %s", flow.config.FederatedTokenFilePath)
-			}
-
 			if tt.tokenExpiration != "" && flow.config.TokenExpiration != tt.tokenExpiration {
 				t.Errorf("tokenExpiration mismatch, want %s, got %s", tt.tokenExpiration, flow.config.TokenExpiration)
 			}
@@ -276,7 +265,9 @@ func TestWorkloadIdentityFlowRoundTrip(t *testing.T) {
 			}
 
 			if tt.injectToken {
-				flowConfig.FederatedToken = token
+				flowConfig.FederatedTokenFunction = func() (string, error) {
+					return token, nil
+				}
 			} else {
 				file, err := os.CreateTemp("", "*.token")
 				if err != nil {
@@ -288,7 +279,9 @@ func TestWorkloadIdentityFlowRoundTrip(t *testing.T) {
 						t.Fatalf("Removing temporary file: %s", err)
 					}
 				}()
-				flowConfig.FederatedTokenFilePath = file.Name()
+				flowConfig.FederatedTokenFunction = func() (string, error) {
+					return utils.ReadJWTFromFileSystem(file.Name())
+				}
 				err = os.WriteFile(file.Name(), []byte(token), os.ModeAppend)
 				if err != nil {
 					t.Fatalf("writing temporary file: %s", err)
diff --git a/core/config/config.go b/core/config/config.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/stackitcloud/stackit-sdk-go/core/clients"
+	"github.com/stackitcloud/stackit-sdk-go/core/utils"
 )
 
 const (
@@ -75,25 +76,24 @@ type Middleware func(http.RoundTripper) http.RoundTripper
 
 // Configuration stores the configuration of the API client
 type Configuration struct {
-	Host                                   string            `json:"host,omitempty"`
-	Scheme                                 string            `json:"scheme,omitempty"`
-	DefaultHeader                          map[string]string `json:"defaultHeader,omitempty"`
-	UserAgent                              string            `json:"userAgent,omitempty"`
-	Debug                                  bool              `json:"debug,omitempty"`
-	NoAuth                                 bool              `json:"noAuth,omitempty"`
-	WorkloadIdentityFederation             bool              `json:"workloadIdentityFederation,omitempty"`
-	ServiceAccountFederatedTokenExpiration string            `json:"serviceAccountFederatedTokenExpiration,omitempty"`
-	ServiceAccountFederatedToken           string            `json:"serviceAccountFederatedToken,omitempty"`
-	ServiceAccountFederatedTokenPath       string            `json:"serviceAccountFederatedTokenPath,omitempty"`
-	ServiceAccountEmail                    string            `json:"serviceAccountEmail,omitempty"`
-	Token                                  string            `json:"token,omitempty"`
-	ServiceAccountKey                      string            `json:"serviceAccountKey,omitempty"`
-	PrivateKey                             string            `json:"privateKey,omitempty"`
-	ServiceAccountKeyPath                  string            `json:"serviceAccountKeyPath,omitempty"`
-	PrivateKeyPath                         string            `json:"privateKeyPath,omitempty"`
-	CredentialsFilePath                    string            `json:"credentialsFilePath,omitempty"`
-	TokenCustomUrl                         string            `json:"tokenCustomUrl,omitempty"`
-	Region                                 string            `json:"region,omitempty"`
+	Host                                   string                 `json:"host,omitempty"`
+	Scheme                                 string                 `json:"scheme,omitempty"`
+	DefaultHeader                          map[string]string      `json:"defaultHeader,omitempty"`
+	UserAgent                              string                 `json:"userAgent,omitempty"`
+	Debug                                  bool                   `json:"debug,omitempty"`
+	NoAuth                                 bool                   `json:"noAuth,omitempty"`
+	WorkloadIdentityFederation             bool                   `json:"workloadIdentityFederation,omitempty"`
+	ServiceAccountFederatedTokenExpiration string                 `json:"serviceAccountFederatedTokenExpiration,omitempty"`
+	ServiceAccountFederatedTokenFunc       func() (string, error) `json:"serviceAccountFederatedTokenFunc,omitempty"`
+	ServiceAccountEmail                    string                 `json:"serviceAccountEmail,omitempty"`
+	Token                                  string                 `json:"token,omitempty"`
+	ServiceAccountKey                      string                 `json:"serviceAccountKey,omitempty"`
+	PrivateKey                             string                 `json:"privateKey,omitempty"`
+	ServiceAccountKeyPath                  string                 `json:"serviceAccountKeyPath,omitempty"`
+	PrivateKeyPath                         string                 `json:"privateKeyPath,omitempty"`
+	CredentialsFilePath                    string                 `json:"credentialsFilePath,omitempty"`
+	TokenCustomUrl                         string                 `json:"tokenCustomUrl,omitempty"`
+	Region                                 string                 `json:"region,omitempty"`
 	CustomAuth                             http.RoundTripper
 	Servers                                ServerConfigurations
 	OperationServers                       map[string]ServerConfigurations
@@ -247,10 +247,30 @@ func WithWorkloadIdentityFederationAuth() ConfigurationOption {
 	}
 }
 
-// WithWorkloadIdentityFederation returns a ConfigurationOption that sets workload identity flow to be used for authentication in API calls
-func WithWorkloadIdentityFederationTokenPath(path string) ConfigurationOption {
+// WithWorkloadIdentityFederationFunc returns a ConfigurationOption that sets the function to get the federated token for workload identity federation flow
+func WithWorkloadIdentityFederationFunc(function func() (string, error)) ConfigurationOption {
 	return func(config *Configuration) error {
-		config.ServiceAccountFederatedTokenPath = path
+		config.ServiceAccountFederatedTokenFunc = function
+		return nil
+	}
+}
+
+// WithWorkloadIdentityFederationPath returns a ConfigurationOption that sets the custom path to the federated token file for workload identity federation flow
+func WithWorkloadIdentityFederationPath(path string) ConfigurationOption {
+	return func(config *Configuration) error {
+		config.ServiceAccountFederatedTokenFunc = func() (string, error) {
+			return utils.ReadJWTFromFileSystem(path)
+		}
+		return nil
+	}
+}
+
+// WithWorkloadIdentityFederationFunc returns a ConfigurationOption that sets the id token for workload identity federation flow
+func WithWorkloadIdentityFederationToken(token string) ConfigurationOption {
+	return func(config *Configuration) error {
+		config.ServiceAccountFederatedTokenFunc = func() (string, error) {
+			return token, nil
+		}
 		return nil
 	}
 }
diff --git a/core/utils/filesystem.go b/core/utils/filesystem.go
@@ -0,0 +1,24 @@
+package utils
+
+import (
+	"os"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var (
+	parser *jwt.Parser = jwt.NewParser()
+)
+
+func ReadJWTFromFileSystem(tokenFilePath string) (string, error) {
+	token, err := os.ReadFile(tokenFilePath)
+	if err != nil {
+		return "", err
+	}
+	tokenStr := string(token)
+	_, _, err = parser.ParseUnverified(tokenStr, jwt.MapClaims{})
+	if err != nil {
+		return "", err
+	}
+	return tokenStr, nil
+}
diff --git a/core/utils/filesystem_test.go b/core/utils/filesystem_test.go
@@ -0,0 +1,62 @@
+package utils
+
+import (
+	"log"
+	"os"
+	"testing"
+)
+
+func TestReadJWTFromFileSystem(t *testing.T) {
+	file, err := os.CreateTemp("", "*.token")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		err := os.Remove(file.Name())
+		if err != nil {
+			t.Fatalf("Removing temporary file: %s", err)
+		}
+	}()
+
+	token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30" // nolint:gosec // This is a fake token for testing purposes only
+	err = os.WriteFile(file.Name(), []byte(token), os.ModeAppend)
+	if err != nil {
+		t.Fatalf("Writing temporary file: %s", err)
+	}
+
+	_, err = ReadJWTFromFileSystem(file.Name())
+	if err != nil {
+		t.Fatalf("Reading JWT from file system: %s", err)
+	}
+}
+
+func TestReadRandomContentFromFileSystem(t *testing.T) {
+	file, err := os.CreateTemp("", "*.token")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer func() {
+		err := os.Remove(file.Name())
+		if err != nil {
+			t.Fatalf("Removing temporary file: %s", err)
+		}
+	}()
+
+	token := "invalid random content"
+	err = os.WriteFile(file.Name(), []byte(token), os.ModeAppend)
+	if err != nil {
+		t.Fatalf("Writing temporary file: %s", err)
+	}
+
+	_, err = ReadJWTFromFileSystem(file.Name())
+	if err == nil {
+		t.Fatalf("Reading JWT from file system must fail")
+	}
+}
+
+func TestReadMissingFileFromFileSystem(t *testing.T) {
+	_, err := ReadJWTFromFileSystem("/path/to/nonexistent/file.token")
+	if err == nil {
+		t.Fatalf("Reading JWT from file system must fail")
+	}
+}
