Add OAuth support for CLI extensions

Author: stephanos

cliext/config.go

@@ -0,0 +1,289 @@
+package cliext
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"time"
+
+	"github.com/BurntSushi/toml"
+	"go.temporal.io/sdk/contrib/envconfig"
+)
+
+type ClientConfig struct {
+	Profiles map[string]*Profile
+}
+
+type LoadConfigOptions struct {
+	// Override the file path to use to load the TOML file for config. Defaults to TEMPORAL_CONFIG_FILE environment
+	// variable or if that is unset/empty, defaults to [os.UserConfigDir]/temporal/temporal.toml. If ConfigFileData is
+	// set, this cannot be set and no file loading from disk occurs. Ignored if DisableFile is true.
+	ConfigFilePath string
+
+	// Override the environment variable lookup. If nil, defaults to [EnvLookupOS].
+	EnvLookup envconfig.EnvLookup
+}
+
+type LoadConfigResult struct {
+	// Config is the loaded configuration with its profiles.
+	Config ClientConfig
+
+	// ConfigFilePath is the resolved path to the configuration file that was loaded.
+	// This may differ from the input if TEMPORAL_CONFIG_FILE env var was used.
+	ConfigFilePath string
+}
+
+// oauthConfigTOML is the TOML representation of OAuthConfig.
+// We use a separate struct to control TOML field names and handle time.Time.
+type oauthConfigTOML struct {
+	ClientID      string            `toml:"client_id,omitempty"`
+	ClientSecret  string            `toml:"client_secret,omitempty"`
+	TokenURL      string            `toml:"token_url,omitempty"`
+	AuthURL       string            `toml:"auth_url,omitempty"`
+	RedirectURL   string            `toml:"redirect_url,omitempty"`
+	AccessToken   string            `toml:"access_token,omitempty"`
+	RefreshToken  string            `toml:"refresh_token,omitempty"`
+	TokenType     string            `toml:"token_type,omitempty"`
+	ExpiresAt     string            `toml:"expires_at,omitempty"`
+	Scopes        []string          `toml:"scopes,omitempty"`
+	RequestParams map[string]string `toml:"request_params,omitempty"`
+}
+
+type rawProfileWithOAuth struct {
+	OAuth *oauthConfigTOML `toml:"oauth"`
+}
+
+type rawConfigWithOAuth struct {
+	Profile map[string]*rawProfileWithOAuth `toml:"profile"`
+}
+
+// LoadConfig loads the client configuration from the specified file or default location.
+// If ConfigFilePath is empty, the TEMPORAL_CONFIG_FILE environment variable is checked.
+func LoadConfig(options LoadConfigOptions) (LoadConfigResult, error) {
+	envLookup := options.EnvLookup
+	if envLookup == nil {
+		envLookup = envconfig.EnvLookupOS
+	}
+
+	configFilePath := options.ConfigFilePath
+	if configFilePath == "" {
+		configFilePath, _ = envLookup.LookupEnv("TEMPORAL_CONFIG_FILE")
+	}
+
+	clientConfig, err := envconfig.LoadClientConfig(envconfig.LoadClientConfigOptions{
+		ConfigFilePath: configFilePath,
+		EnvLookup:      envLookup,
+	})
+	if err != nil {
+		return LoadConfigResult{}, err
+	}
+
+	// Load OAuth for all profiles by parsing the config file directly
+	var oauthByProfile map[string]*OAuthConfig
+	configFilePathForOAuth := configFilePath
+	if configFilePathForOAuth == "" {
+		configFilePathForOAuth, _ = envconfig.DefaultConfigFilePath()
+	}
+	if configFilePathForOAuth != "" {
+		data, err := os.ReadFile(configFilePathForOAuth)
+		if err == nil {
+			var raw rawConfigWithOAuth
+			if _, err := toml.Decode(string(data), &raw); err == nil {
+				oauthByProfile = make(map[string]*OAuthConfig)
+				for profileName, profile := range raw.Profile {
+					if profile == nil || profile.OAuth == nil {
+						continue
+					}
+					cfg := profile.OAuth
+					oauth := &OAuthConfig{
+						OAuthClientConfig: OAuthClientConfig{
+							ClientID:      cfg.ClientID,
+							ClientSecret:  cfg.ClientSecret,
+							TokenURL:      cfg.TokenURL,
+							AuthURL:       cfg.AuthURL,
+							RedirectURL:   cfg.RedirectURL,
+							RequestParams: cfg.RequestParams,
+							Scopes:        cfg.Scopes,
+						},
+						OAuthToken: OAuthToken{
+							AccessToken:  cfg.AccessToken,
+							RefreshToken: cfg.RefreshToken,
+							TokenType:    cfg.TokenType,
+						},
+					}
+					if cfg.ExpiresAt != "" {
+						if t, err := time.Parse(time.RFC3339, cfg.ExpiresAt); err == nil {
+							oauth.ExpiresAt = t
+						}
+					}
+					oauthByProfile[profileName] = oauth
+				}
+			}
+		}
+	}
+
+	// Build profiles map combining base config and OAuth
+	profiles := make(map[string]*Profile)
+	for name, baseProfile := range clientConfig.Profiles {
+		profiles[name] = &Profile{
+			ClientConfigProfile: *baseProfile,
+			OAuth:               oauthByProfile[name],
+		}
+	}
+
+	// Add any profiles that only have OAuth config
+	for name, oauth := range oauthByProfile {
+		if _, exists := profiles[name]; !exists {
+			profiles[name] = &Profile{
+				OAuth: oauth,
+			}
+		}
+	}
+
+	return LoadConfigResult{
+		Config:         ClientConfig{Profiles: profiles},
+		ConfigFilePath: configFilePath,
+	}, nil
+}
+
+// WriteConfigOptions contains options for writing configuration.
+type WriteConfigOptions struct {
+	// Config is the configuration to write.
+	Config ClientConfig
+
+	// ConfigFilePath is the path to write the configuration file to.
+	// If empty, TEMPORAL_CONFIG_FILE env var is checked, then the default path is used.
+	ConfigFilePath string
+
+	// EnvLookup is used for environment variable lookups.
+	// If nil, envconfig.EnvLookupOS is used.
+	EnvLookup envconfig.EnvLookup
+}
+
+// WriteConfigToBytes serializes the configuration to TOML bytes.
+func WriteConfigToBytes(config *ClientConfig) ([]byte, error) {
+	profiles := config.Profiles
+	if profiles == nil {
+		profiles = make(map[string]*Profile)
+	}
+
+	// Build envconfig.ClientConfig from profiles
+	envConfig := &envconfig.ClientConfig{
+		Profiles: make(map[string]*envconfig.ClientConfigProfile),
+	}
+	for name, p := range profiles {
+		if p != nil {
+			envConfig.Profiles[name] = &p.ClientConfigProfile
+		}
+	}
+
+	// Convert base config to TOML
+	b, err := envConfig.ToTOML(envconfig.ClientConfigToTOMLOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("failed building TOML: %w", err)
+	}
+
+	// Append OAuth sections per profile
+	var buf bytes.Buffer
+	buf.Write(b)
+
+	// Sort keys for deterministic output
+	profileNames := make([]string, 0, len(profiles))
+	for name := range profiles {
+		profileNames = append(profileNames, name)
+	}
+	sort.Strings(profileNames)
+
+	for _, profileName := range profileNames {
+		profile := profiles[profileName]
+		if profile == nil || profile.OAuth == nil {
+			continue
+		}
+
+		// Convert OAuthConfig to oauthConfigTOML (without RequestParams - handled separately)
+		oauthTOML := &oauthConfigTOML{
+			ClientID:     profile.OAuth.ClientID,
+			ClientSecret: profile.OAuth.ClientSecret,
+			TokenURL:     profile.OAuth.TokenURL,
+			AuthURL:      profile.OAuth.AuthURL,
+			RedirectURL:  profile.OAuth.RedirectURL,
+			AccessToken:  profile.OAuth.AccessToken,
+			RefreshToken: profile.OAuth.RefreshToken,
+			TokenType:    profile.OAuth.TokenType,
+			Scopes:       profile.OAuth.Scopes,
+			// RequestParams omitted - toml.Marshal creates a separate table section which breaks nesting
+		}
+		if !profile.OAuth.ExpiresAt.IsZero() {
+			oauthTOML.ExpiresAt = profile.OAuth.ExpiresAt.Format(time.RFC3339)
+		}
+
+		// Marshal to TOML
+		oauthBytes, err := toml.Marshal(oauthTOML)
+		if err != nil {
+			return nil, fmt.Errorf("failed marshaling OAuth config: %w", err)
+		}
+
+		// Write the section header and content
+		fmt.Fprintf(&buf, "\n[profile.%s.oauth]\n", profileName)
+		buf.Write(oauthBytes)
+
+		// Manually write request_params as inline table (toml.Marshal would create a separate [request_params] section)
+		if len(profile.OAuth.RequestParams) > 0 {
+			keys := make([]string, 0, len(profile.OAuth.RequestParams))
+			for k := range profile.OAuth.RequestParams {
+				keys = append(keys, k)
+			}
+			sort.Strings(keys)
+			buf.WriteString("request_params = { ")
+			for i, k := range keys {
+				if i > 0 {
+					buf.WriteString(", ")
+				}
+				fmt.Fprintf(&buf, "%s = %q", k, profile.OAuth.RequestParams[k])
+			}
+			buf.WriteString(" }\n")
+		}
+	}
+	return buf.Bytes(), nil
+}
+
+// WriteConfig writes the configuration to the specified file or default location.
+//
+// Example:
+//
+//	result, _ := cliext.LoadProfile(cliext.LoadProfileOptions{CreateIfMissing: true})
+//	result.Profile.OAuth = oauthConfig
+//	err := cliext.WriteConfig(cliext.WriteConfigOptions{Config: result.Config})
+func WriteConfig(opts WriteConfigOptions) error {
+	envLookup := opts.EnvLookup
+	if envLookup == nil {
+		envLookup = envconfig.EnvLookupOS
+	}
+
+	configFilePath := opts.ConfigFilePath
+	if configFilePath == "" {
+		configFilePath, _ = envLookup.LookupEnv("TEMPORAL_CONFIG_FILE")
+		if configFilePath == "" {
+			var err error
+			if configFilePath, err = envconfig.DefaultConfigFilePath(); err != nil {
+				return err
+			}
+		}
+	}
+
+	b, err := WriteConfigToBytes(&opts.Config)
+	if err != nil {
+		return err
+	}
+
+	// Write to file, making dirs as needed
+	if err := os.MkdirAll(filepath.Dir(configFilePath), 0700); err != nil {
+		return fmt.Errorf("failed making config file parent dirs: %w", err)
+	}
+	if err := os.WriteFile(configFilePath, b, 0600); err != nil {
+		return fmt.Errorf("failed writing config file: %w", err)
+	}
+	return nil
+}

internal/devserver/freeport.go cliext/freeport.gointernal/devserver/freeport.go renamed to cliext/freeport.go

@@ -1,4 +1,4 @@
-package devserver
+package cliext
 
 import (
 	"fmt"

internal/devserver/freeport_test.go cliext/freeport_test.gointernal/devserver/freeport_test.go renamed to cliext/freeport_test.go

@@ -1,18 +1,16 @@
-package devserver_test
+package cliext
 
 import (
 	"fmt"
 	"net"
 	"testing"
-
-	"github.com/temporalio/cli/internal/devserver"
 )
 
 func TestFreePort_NoDouble(t *testing.T) {
 	host := "127.0.0.1"
 	portSet := make(map[int]bool)
 	for i := 0; i < 2000; i++ {
-		p, err := devserver.GetFreePort(host)
+		p, err := GetFreePort(host)
 		if err != nil {
 			t.Fatalf("Error: %s", err)
 			break
@@ -30,7 +28,7 @@ func TestFreePort_NoDouble(t *testing.T) {
 func TestFreePort_CanBindImmediatelySameProcess(t *testing.T) {
 	host := "127.0.0.1"
 	for i := 0; i < 500; i++ {
-		p, err := devserver.GetFreePort(host)
+		p, err := GetFreePort(host)
 		if err != nil {
 			t.Fatalf("Error: %s", err)
 			break
@@ -45,7 +43,7 @@ func TestFreePort_CanBindImmediatelySameProcess(t *testing.T) {
 
 func TestFreePort_IPv4Unspecified(t *testing.T) {
 	host := "0.0.0.0"
-	p, err := devserver.GetFreePort(host)
+	p, err := GetFreePort(host)
 	if err != nil {
 		t.Fatalf("Error: %s", err)
 		return
@@ -59,7 +57,7 @@ func TestFreePort_IPv4Unspecified(t *testing.T) {
 
 func TestFreePort_IPv6Unspecified(t *testing.T) {
 	host := "::"
-	p, err := devserver.GetFreePort(host)
+	p, err := GetFreePort(host)
 	if err != nil {
 		t.Fatalf("Error: %s", err)
 		return
@@ -73,7 +71,7 @@ func TestFreePort_IPv6Unspecified(t *testing.T) {
 
 // This function is used as part of unit tests, to ensure that the port
 func tryListenAndDialOn(host string, port int) error {
-	host = devserver.MaybeEscapeIPv6(host)
+	host = MaybeEscapeIPv6(host)
 	l, err := net.Listen("tcp", fmt.Sprintf("%s:%d", host, port))
 	if err != nil {
 		return err

cliext/go.mod

@@ -0,0 +1,43 @@
+module github.com/temporalio/cli/cliext
+
+go 1.24.0
+
+require (
+	github.com/spf13/pflag v1.0.9
+	github.com/stretchr/testify v1.10.0
+	go.temporal.io/api v1.44.1
+	go.temporal.io/sdk v1.32.1
+	go.temporal.io/sdk/contrib/envconfig v0.1.0
+	google.golang.org/grpc v1.66.0
+)
+
+require (
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/facebookgo/clock v0.0.0-20150410010913-600d898af40a // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/nexus-rpc/sdk-go v0.3.0 // indirect
+	github.com/pborman/uuid v1.2.1 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sys v0.24.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)