client-credentials-generic

Summary:

- Support for configurable `oauth2` client credentials pattern.

Author: general-kroll-4-life

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stackql/any-sdk v0.0.3-beta17
+	github.com/stackql/any-sdk v0.0.3-beta20
 	github.com/stackql/go-suffix-map v0.0.1-alpha01
 	github.com/stackql/psql-wire v0.1.1-alpha07
 	github.com/stackql/stackql-parser v0.0.14-alpha04

go.sum

@@ -471,8 +471,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
 github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
-github.com/stackql/any-sdk v0.0.3-beta17 h1:eajJfNOZBvWwaUD9WdsS81PAKHFxyHndmpdOo3P867A=
-github.com/stackql/any-sdk v0.0.3-beta17/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
+github.com/stackql/any-sdk v0.0.3-beta20 h1:7zHdJp0gM9G8vr5IDN/e8H74gqWI2MkWXGrfkQp6irA=
+github.com/stackql/any-sdk v0.0.3-beta20/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
 github.com/stackql/go-suffix-map v0.0.1-alpha01 h1:TDUDS8bySu41Oo9p0eniUeCm43mnRM6zFEd6j6VUaz8=
 github.com/stackql/go-suffix-map v0.0.1-alpha01/go.mod h1:QAi+SKukOyf4dBtWy8UMy+hsXXV+yyEE4vmBkji2V7g=
 github.com/stackql/psql-wire v0.1.1-alpha07 h1:LQWVUlx4Bougk6dztDNG5tmXxpIVeeTSsInTj801xCs=

internal/stackql/dto/auth_ctx.go

@@ -3,6 +3,7 @@ package dto
 import (
 	"encoding/base64"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 )
@@ -42,6 +43,14 @@ type AuthCtx struct {
 	Active                  bool           `json:"-" yaml:"-"`
 	Location                string         `json:"location" yaml:"location"`
 	Name                    string         `json:"name" yaml:"name"`
+	TokenURL                string         `json:"token_url" yaml:"token_url"`
+	GrantType               string         `json:"grant_type" yaml:"grant_type"`
+	ClientID                string         `json:"client_id" yaml:"client_id"`
+	ClientSecret            string         `json:"client_secret" yaml:"client_secret"`
+	ClientIDEnvVar          string         `json:"client_id_env_var" yaml:"client_id_env_var"`
+	ClientSecretEnvVar      string         `json:"client_secret_env_var" yaml:"client_secret_env_var"`
+	Values                  url.Values     `json:"values" yaml:"values"`
+	AuthStyle               int            `json:"auth_style" yaml:"auth_style"`
 }
 
 func (ac *AuthCtx) GetSQLCfg() (SQLBackendCfg, bool) {
@@ -78,10 +87,26 @@ func (ac *AuthCtx) Clone() *AuthCtx {
 		EncodedBasicCredentials: ac.EncodedBasicCredentials,
 		Location:                ac.Location,
 		Name:                    ac.Name,
+		Subject:                 ac.Subject,
+		TokenURL:                ac.TokenURL,
+		GrantType:               ac.GrantType,
+		ClientID:                ac.ClientID,
+		ClientSecret:            ac.ClientSecret,
+		ClientIDEnvVar:          ac.ClientIDEnvVar,
+		ClientSecretEnvVar:      ac.ClientSecretEnvVar,
+		Values:                  ac.Values,
+		AuthStyle:               ac.AuthStyle,
 	}
 	return rv
 }
 
+func (ac *AuthCtx) GetValues() url.Values {
+	if ac.Values == nil {
+		return url.Values{}
+	}
+	return ac.Values
+}
+
 func (ac *AuthCtx) GetSuccessor() (*AuthCtx, bool) {
 	if ac.Successor != nil {
 		return ac.Successor, true
@@ -188,6 +213,46 @@ func (ac *AuthCtx) GetCredentialsBytes() ([]byte, error) {
 	return nil, fmt.Errorf("no credentials found")
 }
 
+func (ac *AuthCtx) GetClientID() (string, error) {
+	if ac.ClientIDEnvVar != "" {
+		rv := os.Getenv(ac.ClientIDEnvVar)
+		if rv == "" {
+			return "", fmt.Errorf("client_id_env_var references empty string")
+		}
+		return rv, nil
+	}
+	if ac.ClientID == "" {
+		return "", fmt.Errorf("client_id is empty")
+	}
+	return ac.ClientID, nil
+}
+
+func (ac *AuthCtx) GetClientSecret() (string, error) {
+	if ac.ClientSecretEnvVar != "" {
+		rv := os.Getenv(ac.ClientSecretEnvVar)
+		if rv == "" {
+			return "", fmt.Errorf("client_secret_env_var references empty string")
+		}
+		return rv, nil
+	}
+	if ac.ClientSecret == "" {
+		return "", fmt.Errorf("client_secret is empty")
+	}
+	return ac.ClientSecret, nil
+}
+
+func (ac *AuthCtx) GetGrantType() string {
+	return ac.GrantType
+}
+
+func (ac *AuthCtx) GetTokenURL() string {
+	return ac.TokenURL
+}
+
+func (ac *AuthCtx) GetAuthStyle() int {
+	return ac.AuthStyle
+}
+
 func (ac *AuthCtx) GetCredentialsSourceDescriptorString() string {
 	if ac.KeyEnvVar != "" {
 		return fmt.Sprintf("credentialsenvvar:%s", ac.KeyEnvVar)

internal/stackql/dto/dto.go

@@ -16,6 +16,7 @@ const (
 	APIRequestTimeoutKey            string = "apirequesttimeout"
 	CacheKeyCountKey                string = "cachekeycount"
 	CacheTTLKey                     string = "metadatattl"
+	ClientCredentialsStr            string = "client_credentials"
 	ColorSchemeKey                  string = "colorscheme" // deprecated
 	ConfigFilePathKey               string = "configfile"
 	CPUProfileKey                   string = "cpuprofile"
@@ -37,6 +38,7 @@ const (
 	AllowInsecureKey                string = "tls.allowInsecure"
 	InfilePathKey                   string = "infile"
 	LogLevelStrKey                  string = "loglevel"
+	OAuth2Str                       string = "oauth2"
 	OutfilePathKey                  string = "outfile"
 	OutputFormatKey                 string = "output"
 	ApplicationFilesRootPathKey     string = "approot"

internal/stackql/handler/handler.go

@@ -575,6 +575,14 @@ func transformOpenapiStackqlAuthToLocal(authDTO anysdk.AuthDTO) *dto.AuthCtx {
 		EncodedBasicCredentials: authDTO.GetInlineBasicCredentials(),
 		Location:                authDTO.GetLocation(),
 		Name:                    authDTO.GetName(),
+		TokenURL:                authDTO.GetTokenURL(),
+		GrantType:               authDTO.GetGrantType(),
+		ClientID:                authDTO.GetClientID(),
+		ClientSecret:            authDTO.GetClientSecret(),
+		ClientIDEnvVar:          authDTO.GetClientIDEnvVar(),
+		ClientSecretEnvVar:      authDTO.GetClientSecretEnvVar(),
+		Values:                  authDTO.GetValues(),
+		AuthStyle:               authDTO.GetAuthStyle(),
 	}
 	successor, successorExists := authDTO.GetSuccessor()
 	currentParent := rv

internal/stackql/provider/auth_util.go

@@ -15,6 +15,7 @@ import (
 	"regexp"
 
 	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
 	"golang.org/x/oauth2/google"
 	"golang.org/x/oauth2/jwt"
 )
@@ -161,11 +162,16 @@ func parseServiceAccountFile(ac *dto.AuthCtx) (serviceAccount, error) {
 	return c, json.Unmarshal(b, &c)
 }
 
-func getJWTConfig(provider string, credentialsBytes []byte, scopes []string, subject string) (*jwt.Config, error) {
+func getGoogleJWTConfig(provider string, credentialsBytes []byte, scopes []string, subject string) (*jwt.Config, error) {
 	switch provider {
 	case "google", "googleads", "googleanalytics",
 		"googledevelopers", "googlemybusiness", "googleworkspace",
 		"youtube", "googleadmin":
+		if scopes == nil {
+			scopes = []string{
+				"https://www.googleapis.com/auth/cloud-platform",
+			}
+		}
 		rv, err := google.JWTConfigFromJSON(credentialsBytes, scopes...)
 		if err != nil {
 			return nil, err
@@ -179,7 +185,31 @@ func getJWTConfig(provider string, credentialsBytes []byte, scopes []string, sub
 	}
 }
 
-func oauthServiceAccount(
+func getGenericClientCredentialsConfig(authCtx *dto.AuthCtx, scopes []string) (*clientcredentials.Config, error) {
+	clientID, clientIDErr := authCtx.GetClientID()
+	if clientIDErr != nil {
+		return nil, clientIDErr
+	}
+	clientSecret, secretErr := authCtx.GetClientSecret()
+	if secretErr != nil {
+		return nil, secretErr
+	}
+	rv := &clientcredentials.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       scopes,
+		TokenURL:     authCtx.GetTokenURL(),
+	}
+	if len(authCtx.GetValues()) > 0 {
+		rv.EndpointParams = authCtx.GetValues()
+	}
+	if authCtx.GetAuthStyle() > 0 {
+		rv.AuthStyle = oauth2.AuthStyle(authCtx.GetAuthStyle())
+	}
+	return rv, nil
+}
+
+func googleOauthServiceAccount(
 	provider string,
 	authCtx *dto.AuthCtx,
 	scopes []string,
@@ -189,14 +219,27 @@ func oauthServiceAccount(
 	if err != nil {
 		return nil, fmt.Errorf("service account credentials error: %w", err)
 	}
-	config, errToken := getJWTConfig(provider, b, scopes, authCtx.Subject)
+	config, errToken := getGoogleJWTConfig(provider, b, scopes, authCtx.Subject)
 	if errToken != nil {
 		return nil, errToken
 	}
 	activateAuth(authCtx, "", dto.AuthServiceAccountStr)
 	httpClient := netutils.GetHTTPClient(runtimeCtx, http.DefaultClient)
-	//nolint:staticcheck // TODO: fix this
-	return config.Client(context.WithValue(oauth2.NoContext, oauth2.HTTPClient, httpClient)), nil
+	return config.Client(context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)), nil
+}
+
+func genericOauthClientCredentials(
+	authCtx *dto.AuthCtx,
+	scopes []string,
+	runtimeCtx dto.RuntimeCtx,
+) (*http.Client, error) {
+	config, errToken := getGenericClientCredentialsConfig(authCtx, scopes)
+	if errToken != nil {
+		return nil, errToken
+	}
+	activateAuth(authCtx, "", dto.ClientCredentialsStr)
+	httpClient := netutils.GetHTTPClient(runtimeCtx, http.DefaultClient)
+	return config.Client(context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)), nil
 }
 
 func apiTokenAuth(authCtx *dto.AuthCtx, runtimeCtx dto.RuntimeCtx, enforceBearer bool) (*http.Client, error) {

internal/stackql/provider/generic.go

@@ -89,6 +89,8 @@ func (gp *GenericProvider) inferAuthType(authCtx dto.AuthCtx, authTypeRequested
 		return dto.AuthAWSSigningv4Str
 	case dto.AuthCustomStr:
 		return dto.AuthCustomStr
+	case dto.OAuth2Str:
+		return dto.OAuth2Str
 	}
 	if authCtx.KeyFilePath != "" || authCtx.KeyEnvVar != "" {
 		return dto.AuthServiceAccountStr
@@ -109,7 +111,11 @@ func (gp *GenericProvider) Auth(
 	case dto.AuthBearerStr:
 		return gp.apiTokenFileAuth(authCtx, true)
 	case dto.AuthServiceAccountStr:
-		return gp.keyFileAuth(authCtx)
+		return gp.googleKeyFileAuth(authCtx)
+	case dto.OAuth2Str:
+		if authCtx.GrantType == dto.ClientCredentialsStr {
+			return gp.clientCredentialsAuth(authCtx)
+		}
 	case dto.AuthBasicStr:
 		return gp.basicAuth(authCtx)
 	case dto.AuthCustomStr:
@@ -269,14 +275,14 @@ func (gp *GenericProvider) oAuth(authCtx *dto.AuthCtx, enforceRevokeFirst bool)
 	return client, nil
 }
 
-func (gp *GenericProvider) keyFileAuth(authCtx *dto.AuthCtx) (*http.Client, error) {
+func (gp *GenericProvider) googleKeyFileAuth(authCtx *dto.AuthCtx) (*http.Client, error) {
 	scopes := authCtx.Scopes
-	if scopes == nil {
-		scopes = []string{
-			"https://www.googleapis.com/auth/cloud-platform",
-		}
-	}
-	return oauthServiceAccount(gp.GetProviderString(), authCtx, scopes, gp.runtimeCtx)
+	return googleOauthServiceAccount(gp.GetProviderString(), authCtx, scopes, gp.runtimeCtx)
+}
+
+func (gp *GenericProvider) clientCredentialsAuth(authCtx *dto.AuthCtx) (*http.Client, error) {
+	scopes := authCtx.Scopes
+	return genericOauthClientCredentials(authCtx, scopes, gp.runtimeCtx)
 }
 
 func (gp *GenericProvider) apiTokenFileAuth(authCtx *dto.AuthCtx, enforceBearer bool) (*http.Client, error) {