core: Add STACKIT CLI Auth flow

Signed-off-by: Jan-Otto Kröpke <[email protected]>

Author: jkroepke

.github/workflows/ci.yaml

@@ -17,6 +17,8 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go-version }}
+      - name: Install STACKIT CLI
+        uses: jkroepke/setup-stackit-cli@v1
       - name: Test
         run: make test
 

CHANGELOG.md

@@ -1,3 +1,7 @@
+## Release (2025-XX-YY)
+- `core`: [v0.16.2](core/CHANGELOG.md#v0162-2025-XX-YY)
+  - **New:** If a custom http.Client is provided, the http.Transport is respected. This allows customizing the http.Client with custom timeouts or instrumentation.
+
 ## Release (2025-03-14)
 - `certificates`: [v1.0.0](services/certificates/CHANGELOG.md#v100-2025-03-14)
   - **Breaking Change:** The region is no longer specified within the client configuration. Instead, the region must be passed as a parameter to any region-specific request.

core/CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.16.2 (2025-XX-YY)
+
+- **New:** Add STACKIT CLI auth flow.
+
 ## v0.16.1 (2025-02-25)
 
 - **Bugfix:** STACKIT_PRIVATE_KEY and STACKIT_SERVICE_ACCOUNT_KEY can be set via environment variable or via credentials file.

core/auth/auth.go

@@ -2,6 +2,7 @@ package auth
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -62,7 +63,14 @@ func SetupAuth(cfg *config.Configuration) (rt http.RoundTripper, err error) {
 			return nil, fmt.Errorf("configuring token authentication: %w", err)
 		}
 		return tokenRoundTripper, nil
+	} else if !cfg.DisableCLIAuthFlow {
+		cliRoundTripper, err := StackitCliAuth(cfg)
+		if err != nil {
+			return nil, fmt.Errorf("configuring CLI authentication: %w", err)
+		}
+		return cliRoundTripper, nil
 	}
+
 	authRoundTripper, err := DefaultAuth(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("configuring default authentication: %w", err)
@@ -90,7 +98,17 @@ func DefaultAuth(cfg *config.Configuration) (rt http.RoundTripper, err error) {
 		// Token flow
 		rt, err = TokenAuth(cfg)
 		if err != nil {
-			return nil, fmt.Errorf("no valid credentials were found: trying key flow: %s, trying token flow: %w", keyFlowErr.Error(), err)
+			tokenFlowErr := err
+			if cfg.DisableCLIAuthFlow {
+				err = errors.New("CLI flow disabled")
+			} else {
+				// Stackit CLI flow
+				rt, err = StackitCliAuth(cfg)
+			}
+
+			if err != nil {
+				return nil, fmt.Errorf("no valid credentials were found: trying key flow: %s, trying token flow: %s, trying stackit cli flow: %w", keyFlowErr.Error(), tokenFlowErr.Error(), err)
+			}
 		}
 	}
 	return rt, nil
@@ -195,6 +213,16 @@ func KeyAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 	return client, nil
 }
 
+// StackitCliAuth configures the [clients.STACKITCLIFlow] and returns an http.RoundTripper
+func StackitCliAuth(_ *config.Configuration) (http.RoundTripper, error) {
+	client := &clients.STACKITCLIFlow{}
+	if err := client.Init(&clients.STACKITCLIFlowConfig{}); err != nil {
+		return nil, fmt.Errorf("error initializing client: %w", err)
+	}
+
+	return client, nil
+}
+
 // readCredentialsFile reads the credentials file from the specified path and returns Credentials
 func readCredentialsFile(path string) (*Credentials, error) {
 	if path == "" {

core/clients/stackit_cli_flow.go

@@ -0,0 +1,77 @@
+package clients
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+)
+
+// STACKITCLIFlow invoke the STACKIT CLI from PATH to get the access token.
+// If successful, then token is passed to clients.TokenFlow.
+type STACKITCLIFlow struct {
+	TokenFlow
+}
+
+// STACKITCLIFlowConfig is the flow config
+type STACKITCLIFlowConfig struct{}
+
+// GetConfig returns the flow configuration
+func (c *STACKITCLIFlow) GetConfig() STACKITCLIFlowConfig {
+	return STACKITCLIFlowConfig{}
+}
+
+func (c *STACKITCLIFlow) Init(_ *STACKITCLIFlowConfig) error {
+	token, err := c.getTokenFromCLI()
+	if err != nil {
+		return err
+	}
+
+	c.config = &TokenFlowConfig{
+		ServiceAccountToken: strings.TrimSpace(token),
+	}
+
+	c.configureHTTPClient()
+	return c.validate()
+}
+
+func (c *STACKITCLIFlow) getTokenFromCLI() (string, error) {
+	return runSTACKITCLICommand(context.TODO(), "stackit auth get-access-token")
+}
+
+// runSTACKITCLICommand executes the command line and returns the output.
+func runSTACKITCLICommand(ctx context.Context, commandLine string) (string, error) {
+	var cliCmd *exec.Cmd
+	if runtime.GOOS == "windows" {
+		dir := os.Getenv("SYSTEMROOT")
+		if dir == "" {
+			return "", errors.New("environment variable 'SYSTEMROOT' has no value")
+		}
+		cliCmd = exec.CommandContext(ctx, "cmd.exe", "/c", commandLine)
+		cliCmd.Dir = dir
+	} else {
+		cliCmd = exec.CommandContext(ctx, "/bin/sh", "-c", commandLine)
+		cliCmd.Dir = "/bin"
+	}
+	cliCmd.Env = os.Environ()
+	var stderr bytes.Buffer
+	cliCmd.Stderr = &stderr
+
+	output, err := cliCmd.Output()
+	if err != nil {
+		msg := stderr.String()
+		var exErr *exec.ExitError
+		if errors.As(err, &exErr) && exErr.ExitCode() == 127 || strings.HasPrefix(msg, "'stackit' is not recognized") {
+			msg = "STACKIT CLI not found on path"
+		}
+		if msg == "" {
+			msg = err.Error()
+		}
+		return "", errors.New(msg)
+	}
+
+	return string(output), nil
+}

core/clients/stackit_cli_flow_test.go

@@ -0,0 +1,143 @@
+package clients
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+)
+
+const testServiceAccountToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImR1bW15QGV4YW1wbGUuY29tIiwiZXhwIjo5MDA3MTkyNTQ3NDA5OTF9.sM2yd5GL9kK4h8IKHbr_fA2XmrzEsLOeLTIPrU0VfMg"
+
+func TestSTACKITCLIFlow_Init(t *testing.T) {
+	type args struct {
+		cfg *STACKITCLIFlowConfig
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{"ok", args{&STACKITCLIFlowConfig{}}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &STACKITCLIFlow{}
+
+			_, _ = runSTACKITCLICommand(t.Context(), "stackit config profile delete test-stackit-cli-flow-init -y")
+			_, err := runSTACKITCLICommand(t.Context(), "stackit config profile create test-stackit-cli-flow-init")
+			if err != nil {
+				t.Errorf("runSTACKITCLICommand() error = %v", err)
+				return
+			}
+
+			_, err = runSTACKITCLICommand(t.Context(), "stackit auth activate-service-account --service-account-token="+testServiceAccountToken)
+			if err != nil {
+				t.Errorf("runSTACKITCLICommand() error = %v", err)
+				return
+			}
+
+			defer func() {
+				_, _ = runSTACKITCLICommand(t.Context(), "stackit config profile delete test-stackit-cli-flow-init -y")
+			}()
+
+			if err := c.Init(tt.args.cfg); (err != nil) != tt.wantErr {
+				t.Errorf("TokenFlow.Init() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if c.config == nil {
+				t.Error("config is nil")
+			}
+		})
+	}
+}
+
+func TestSTACKITCLIFlow_Do(t *testing.T) {
+	type fields struct {
+		client *http.Client
+		config *STACKITCLIFlowConfig
+	}
+	type args struct{}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    int
+		wantErr bool
+	}{
+		{"success", fields{&http.Client{}, &STACKITCLIFlowConfig{}}, args{}, http.StatusOK, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, _ = runSTACKITCLICommand(t.Context(), "stackit config profile delete test-stackit-cli-flow-do -y")
+			_, err := runSTACKITCLICommand(t.Context(), "stackit config profile create test-stackit-cli-flow-do")
+			if err != nil {
+				t.Errorf("runSTACKITCLICommand() error = %v", err)
+				return
+			}
+
+			_, err = runSTACKITCLICommand(t.Context(), "stackit auth activate-service-account --service-account-token="+testServiceAccountToken)
+			if err != nil {
+				t.Errorf("runSTACKITCLICommand() error = %v", err)
+				return
+			}
+
+			defer func() {
+				_, _ = runSTACKITCLICommand(t.Context(), "stackit config profile delete test-stackit-cli-flow-do -y")
+			}()
+
+			c := &STACKITCLIFlow{}
+			err = c.Init(tt.fields.config)
+			if err != nil {
+				t.Errorf("Init() error = %v", err)
+				return
+			}
+
+			handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				authorization := r.Header.Get("Authorization")
+				if authorization != "Bearer "+testServiceAccountToken {
+					w.WriteHeader(http.StatusUnauthorized)
+					_, _ = fmt.Fprintln(w, `{"error":"missing authorization header"}`)
+					return
+				}
+
+				w.Header().Set("Content-Type", "application/json")
+				w.WriteHeader(http.StatusOK)
+				_, _ = fmt.Fprintln(w, `{"status":"ok"}`)
+			})
+			server := httptest.NewServer(handler)
+			defer server.Close()
+
+			u, err := url.Parse(server.URL)
+			if err != nil {
+				t.Error(err)
+				return
+			}
+			req, err := http.NewRequest(http.MethodGet, u.String(), http.NoBody)
+			if err != nil {
+				t.Error(err)
+				return
+			}
+			got, err := c.RoundTrip(req)
+			if err == nil {
+				// Defer discard and close the body
+				defer func() {
+					if _, discardErr := io.Copy(io.Discard, got.Body); discardErr != nil && err == nil {
+						err = discardErr
+					}
+					if closeErr := got.Body.Close(); closeErr != nil && err == nil {
+						err = closeErr
+					}
+				}()
+			}
+			if (err != nil) != tt.wantErr {
+				t.Errorf("STACKITCLIFlow.Do() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != nil && got.StatusCode != tt.want {
+				t.Errorf("STACKITCLIFlow.Do() = %v, want %v", got.StatusCode, tt.want)
+			}
+		})
+	}
+}

core/config/config.go

@@ -90,6 +90,7 @@ type Configuration struct {
 	CredentialsFilePath   string            `json:"credentialsFilePath,omitempty"`
 	TokenCustomUrl        string            `json:"tokenCustomUrl,omitempty"`
 	Region                string            `json:"region,omitempty"`
+	DisableCLIAuthFlow    bool              `json:"disableCLIAuthFlow,omitempty"` // Should be set to true, if called by STACKIT CLI to avoid infinite loops.
 	CustomAuth            http.RoundTripper
 	Servers               ServerConfigurations
 	OperationServers      map[string]ServerConfigurations