refactor token exchange into auth package

Author: MichaelEischer

internal/cmd/ske/kubeconfig/login/login.go

@@ -8,12 +8,9 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
-	"net/url"
 	"os"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -326,24 +323,21 @@ func getAccessToken(params *types.CmdParams) (string, error) {
 }
 
 func retrieveTokenFromIDP(ctx context.Context, idpClient *http.Client, accessToken string, clusterConfig *clusterConfig) (string, error) {
-	tokenEndpoint, err := auth.GetAuthField(auth.IDP_TOKEN_ENDPOINT)
-	if err != nil {
-		return "", fmt.Errorf("get idp token endpoint: %w", err)
-	}
+	resource := resourceForCluster(clusterConfig)
 
 	cachedToken := getCachedToken(clusterConfig.cacheKey)
 	if cachedToken == "" {
-		return exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+		return exchangeAndCacheToken(ctx, idpClient, accessToken, resource, clusterConfig.cacheKey)
 	}
 
 	expiry, err := auth.TokenExpirationTime(cachedToken)
 	if err != nil {
 		// token is expired or invalid, request new
 		_ = cache.DeleteObject(clusterConfig.cacheKey)
-		return exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+		return exchangeAndCacheToken(ctx, idpClient, accessToken, resource, clusterConfig.cacheKey)
 	} else if time.Now().Add(refreshTokenBeforeDuration).After(expiry) {
 		// token expires soon -> refresh
-		token, err := exchangeToken(ctx, idpClient, tokenEndpoint, accessToken, clusterConfig)
+		token, err := exchangeAndCacheToken(ctx, idpClient, accessToken, resource, clusterConfig.cacheKey)
 		// try to get a new one but use cache on failure
 		if err != nil {
 			return cachedToken, nil
@@ -354,69 +348,6 @@ func retrieveTokenFromIDP(ctx context.Context, idpClient *http.Client, accessTok
 	return cachedToken, nil
 }
 
-func getCachedToken(key string) string {
-	token, err := cache.GetObject(key)
-	if err != nil {
-		return ""
-	}
-	return string(token)
-}
-
-func exchangeToken(ctx context.Context, idpClient *http.Client, tokenEndpoint, accessToken string, config *clusterConfig) (string, error) {
-	req, err := buildRequestToExchangeTokens(ctx, tokenEndpoint, accessToken, config)
-	if err != nil {
-		return "", fmt.Errorf("build request: %w", err)
-	}
-	resp, err := idpClient.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("call API: %w", err)
-	}
-	defer func() {
-		tempErr := resp.Body.Close()
-		if tempErr != nil {
-			err = fmt.Errorf("close response body: %w", tempErr)
-		}
-	}()
-
-	clusterToken, err := parseTokenExchangeResponse(resp)
-	if err != nil {
-		return "", fmt.Errorf("parse API response: %w", err)
-	}
-	if err = cache.PutObject(config.cacheKey, []byte(clusterToken)); err != nil {
-		return "", fmt.Errorf("cache token: %w", err)
-	}
-	return clusterToken, err
-}
-
-func buildRequestToExchangeTokens(ctx context.Context, tokenEndpoint, accessToken string, config *clusterConfig) (*http.Request, error) {
-	idpClientID, err := auth.GetIDPClientID()
-	if err != nil {
-		return nil, err
-	}
-
-	form := url.Values{}
-	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
-	form.Set("client_id", idpClientID)
-	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
-	form.Set("requested_token_type", "urn:ietf:params:oauth:token-type:id_token")
-	form.Set("scope", "openid profile email groups")
-	form.Set("subject_token", accessToken)
-	form.Set("resource", resourceForCluster(config))
-
-	req, err := http.NewRequestWithContext(
-		ctx,
-		http.MethodPost,
-		tokenEndpoint,
-		strings.NewReader(form.Encode()),
-	)
-	if err != nil {
-		return nil, fmt.Errorf("build exchange request: %w", err)
-	}
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-
-	return req, nil
-}
-
 func resourceForCluster(config *clusterConfig) string {
 	return fmt.Sprintf(
 		"resource://organizations/%s/projects/%s/regions/%s/ske/%s",
@@ -427,26 +358,23 @@ func resourceForCluster(config *clusterConfig) string {
 	)
 }
 
-func parseTokenExchangeResponse(resp *http.Response) (accessToken string, err error) {
-	respBody, err := io.ReadAll(resp.Body)
+func getCachedToken(key string) string {
+	token, err := cache.GetObject(key)
 	if err != nil {
-		return "", fmt.Errorf("read body: %w", err)
-	}
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("non-OK %d status: %s", resp.StatusCode, string(respBody))
+		return ""
 	}
+	return string(token)
+}
 
-	respContent := struct {
-		AccessToken string `json:"access_token"`
-	}{}
-	err = json.Unmarshal(respBody, &respContent)
+func exchangeAndCacheToken(ctx context.Context, idpClient *http.Client, accessToken, resource, cacheKey string) (string, error) {
+	clusterToken, err := auth.ExchangeToken(ctx, idpClient, accessToken, resource)
 	if err != nil {
-		return "", fmt.Errorf("unmarshal body: %w", err)
+		return "", err
 	}
-	if respContent.AccessToken == "" {
-		return "", fmt.Errorf("no access token found")
+	if err = cache.PutObject(cacheKey, []byte(clusterToken)); err != nil {
+		return "", fmt.Errorf("cache token: %w", err)
 	}
-	return respContent.AccessToken, nil
+	return clusterToken, err
 }
 
 func outputTokenKubeconfig(p *print.Printer, cacheKey, token string) error {

internal/cmd/ske/kubeconfig/login/login_test.go

@@ -3,20 +3,13 @@ package login
 import (
 	"context"
 	"encoding/json"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"net/http/httputil"
-	"net/url"
-	"strings"
 	"testing"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/google/uuid"
-	"github.com/stackitcloud/stackit-cli/internal/pkg/cache"
 	"github.com/stackitcloud/stackit-cli/internal/pkg/utils"
 	"github.com/stackitcloud/stackit-sdk-go/services/ske"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -31,9 +24,6 @@ var testClient = &ske.APIClient{}
 var testProjectId = uuid.NewString()
 var testClusterName = "cluster"
 var testOrganization = uuid.NewString()
-var testAccessToken = "access-token-test-" + uuid.NewString()
-var testExchangedToken = "access-token-exchanged-" + uuid.NewString()
-var testTokenEndpoint = "https://accounts.stackit.cloud/test/endpoint" //nolint:gosec // Actually just a URL
 
 const testRegion = "eu01"
 
@@ -60,40 +50,6 @@ func fixtureLoginRequest(mods ...func(request *ske.ApiCreateKubeconfigRequest))
 	return request
 }
 
-func fixtureTokenExchangeRequest(tokenEndpoint string) *http.Request {
-	form := url.Values{}
-	form.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
-	form.Set("client_id", "stackit-cli-0000-0000-000000000001")
-	form.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
-	form.Set("requested_token_type", "urn:ietf:params:oauth:token-type:id_token")
-	form.Set("scope", "openid profile email groups")
-	form.Set("subject_token", testAccessToken)
-	form.Set("resource", "resource://organizations/"+testOrganization+"/projects/"+testProjectId+"/regions/"+testRegion+"/ske/"+testClusterName)
-
-	req, _ := http.NewRequestWithContext(
-		testCtx,
-		http.MethodPost,
-		tokenEndpoint,
-		strings.NewReader(form.Encode()),
-	)
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-	return req
-}
-
-func fixtureTokenExchangeResponse() string {
-	type exchangeReponse struct {
-		AccessToken    string `json:"access_token"`
-		IssuedTokeType string `json:"issued_token_type"`
-		TokenType      string `json:"token_type"`
-	}
-	response, _ := json.Marshal(exchangeReponse{
-		AccessToken:    testExchangedToken,
-		IssuedTokeType: "urn:ietf:params:oauth:token-type:id_token",
-		TokenType:      "Bearer",
-	})
-	return string(response)
-}
-
 func TestBuildRequest(t *testing.T) {
 	tests := []struct {
 		description     string
@@ -191,135 +147,6 @@ zbRjZmli7cnenEnfnNoFIGbgkbjGXRUCIC5zFtWXFK7kA+B2vDxD0DlLcQodNwi4
 	}
 }
 
-func TestBuildTokenExchangeRequest(t *testing.T) {
-	cfg := fixtureClusterConfig()
-	expectedRequest := fixtureTokenExchangeRequest(testTokenEndpoint)
-	req, err := buildRequestToExchangeTokens(testCtx, testTokenEndpoint, testAccessToken, cfg)
-	if err != nil {
-		t.Fatalf("func returned error: %s", err)
-	}
-	// directly using cmp.Diff is not possible, so dump the requests first
-	expected, err := httputil.DumpRequest(expectedRequest, true)
-	if err != nil {
-		t.Fatalf("fail to dump expected: %s", err)
-	}
-	actual, err := httputil.DumpRequest(req, true)
-	if err != nil {
-		t.Fatalf("fail to dump actual: %s", err)
-	}
-	diff := cmp.Diff(actual, expected)
-	if diff != "" {
-		t.Fatalf("Data does not match: %s", diff)
-	}
-}
-
-func TestParseTokenExchangeResponse(t *testing.T) {
-	response := fixtureTokenExchangeResponse()
-
-	tests := []struct {
-		description string
-		response    string
-		status      int
-		expectError bool
-	}{
-		{
-			description: "valid response",
-			response:    response,
-			status:      http.StatusOK,
-		},
-		{
-			description: "error status",
-			response:    response, // valid response to make sure the status code is checked
-			status:      http.StatusForbidden,
-			expectError: true,
-		},
-		{
-			description: "error content",
-			response:    "{}",
-			status:      http.StatusOK,
-			expectError: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.description, func(t *testing.T) {
-			w := httptest.NewRecorder()
-			w.WriteHeader(tt.status)
-			_, _ = w.WriteString(tt.response)
-			resp := w.Result()
-
-			defer func() {
-				tempErr := resp.Body.Close()
-				if tempErr != nil {
-					t.Fatalf("failed to close response body: %v", tempErr)
-				}
-			}()
-			accessToken, err := parseTokenExchangeResponse(resp)
-			if tt.expectError {
-				if err == nil {
-					t.Fatal("expected error got nil")
-				}
-			} else {
-				if err != nil {
-					t.Fatalf("func returned error: %s", err)
-				}
-				diff := cmp.Diff(accessToken, testExchangedToken)
-				if diff != "" {
-					t.Fatalf("Token does not match: %s", diff)
-				}
-			}
-		})
-	}
-}
-
-func TestExchangeToken(t *testing.T) {
-	config := fixtureClusterConfig(func(clusterConfig *clusterConfig) {
-		clusterConfig.cacheKey = "test-exchange-token-" + uuid.NewString()
-	})
-	var request *http.Request
-	response := fixtureTokenExchangeResponse()
-	defer cache.OverwriteCacheDir(t)()
-	if err := cache.Init(); err != nil {
-		t.Fatalf("cache init failed: %s", err)
-	}
-
-	handler := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		// only compare body as the headers will differ
-		expected, err := io.ReadAll(request.Body)
-		if err != nil {
-			t.Errorf("fail to dump expected: %s", err)
-		}
-		actual, err := io.ReadAll(req.Body)
-		if err != nil {
-			t.Errorf("fail to dump actual: %s", err)
-		}
-		diff := cmp.Diff(actual, expected)
-		if diff != "" {
-			w.WriteHeader(http.StatusBadRequest)
-			t.Errorf("request mismatch: %v", diff)
-			return
-		}
-
-		w.Header().Set("Content-Type", "application/json")
-		_, err = w.Write([]byte(response))
-		if err != nil {
-			t.Errorf("Failed to write response: %v", err)
-		}
-	})
-	server := httptest.NewServer(handler)
-	defer server.Close()
-
-	request = fixtureTokenExchangeRequest(server.URL)
-	idToken, err := exchangeToken(testCtx, server.Client(), server.URL, testAccessToken, config)
-	if err != nil {
-		t.Fatalf("func returned error: %s", err)
-	}
-	diff := cmp.Diff(idToken, testExchangedToken)
-	if diff != "" {
-		t.Fatalf("Exchanged token does not match: %s", diff)
-	}
-}
-
 func TestParseTokenToExecCredential(t *testing.T) {
 	expirationTime := time.Now().Add(30 * time.Minute)
 	expectedTime := expirationTime.Add(-5 * time.Minute)
@@ -369,3 +196,13 @@ func TestParseTokenToExecCredential(t *testing.T) {
 		})
 	}
 }
+
+func TestResourceForCluster(t *testing.T) {
+	cc := fixtureClusterConfig()
+	resource := resourceForCluster(cc)
+	// somewhat redundant, but the resource string must not change unexpectedly
+	expectedResource := "resource://organizations/" + testOrganization + "/projects/" + testProjectId + "/regions/" + testRegion + "/ske/" + testClusterName
+	if resource != expectedResource {
+		t.Fatalf("unexpected resource, got %v expected %v", resource, expectedResource)
+	}
+}