Support XP7.15 Service Accounts auth #580

Author: anatol-sialitski

go.mod

@@ -28,6 +28,7 @@ require (
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect

go.sum

@@ -35,6 +35,8 @@ github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174 h1:WlZsjVhE8Af9IcZDGgJGQpNflI3+MJSBhsgT5PCtzBQ=

internal/app/commands/app/install.go

@@ -31,7 +31,7 @@ var Install = cli.Command{
 			Name:  "file",
 			Usage: "Application file",
 		},
-	}, common.AUTH_FLAG, common.FORCE_FLAG),
+	}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	Action: func(c *cli.Context) error {
 
 		file, url := ensureURLOrFileFlag(c)

internal/app/commands/app/start.go

@@ -13,7 +13,7 @@ import (
 var Start = cli.Command{
 	Name:      "start",
 	Usage:     "Start an application",
-	Flags:     append([]cli.Flag{}, common.AUTH_FLAG, common.FORCE_FLAG),
+	Flags:     append([]cli.Flag{}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	ArgsUsage: "<app key>",
 	Action: func(c *cli.Context) error {
 

internal/app/commands/app/stop.go

@@ -14,7 +14,7 @@ var Stop = cli.Command{
 	Name:      "stop",
 	Usage:     "Stop an application",
 	ArgsUsage: "<app key>",
-	Flags:     append([]cli.Flag{}, common.AUTH_FLAG, common.FORCE_FLAG),
+	Flags:     append([]cli.Flag{}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	Action: func(c *cli.Context) error {
 
 		key := ensureAppKeyArg(c)

internal/app/commands/auditlog/cleanup.go

@@ -22,7 +22,7 @@ var Cleanup = cli.Command{
 			Name:  "age",
 			Usage: "Age of records to be removed. The format based on the ISO-8601 duration format PnDTnHnMn.nS with days considered to be exactly 24 hours.",
 		},
-	}, common.AUTH_FLAG, common.FORCE_FLAG),
+	}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	Action: func(c *cli.Context) error {
 
 		age := ensureAgeParam(c)

internal/app/commands/cms/reprocess.go

@@ -26,7 +26,7 @@ var Reprocess = cli.Command{
 			Name:  "skip-children",
 			Usage: "Flag to skip processing of content children.",
 		},
-	}, common.AUTH_FLAG, common.FORCE_FLAG),
+	}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	Action: func(c *cli.Context) error {
 
 		var result ReprocessResponse

internal/app/commands/common/common.go

@@ -57,6 +57,11 @@ var AUTH_FLAG = cli.StringFlag{
 	Usage: "Authentication token for basic authentication (user:password)",
 }
 
+var CRED_FILE_FLAG = cli.StringFlag{
+	Name:  "cred-file",
+	Usage: "The path to the service account key file (in JSON format). This is only available for XP version 7.15 and later. Key file can be generated by Users application for System ID Provider users (aka Service Accounts). If specified, the flag \"--auth\" or \"-a\" will be ignored",
+}
+
 var FORCE_FLAG = cli.BoolFlag{
 	Name:  "force, f",
 	Usage: "Accept default answers to all prompts and run non-interactively",
@@ -212,13 +217,29 @@ func EnsureAuth(authString string, force bool) (string, string) {
 	return splitAuth[0], splitAuth[1]
 }
 
+func resolveCredFilePath(path string) string {
+	if path != "" {
+		return path
+	} else if pathFromEnv := os.Getenv("ENONIC_CLI_CRED_FILE"); pathFromEnv != "" {
+		return pathFromEnv
+	} else {
+		return ""
+	}
+}
+
 func CreateRequest(c *cli.Context, method, url string, body io.Reader) *http.Request {
-	var auth, user, pass string
+	var auth, user, pass, credFilePath string
 	if c != nil {
 		auth = c.String("auth")
+		credFilePath = resolveCredFilePath(c.String("cred-file"))
 	}
 
-	if url != MARKET_URL && url != SCOOP_MANIFEST_URL && (ReadRuntimeData().SessionID == "" || auth != "") {
+	if url != MARKET_URL && url != SCOOP_MANIFEST_URL && (ReadRuntimeData().SessionID == "" || auth != "" || credFilePath != "") {
+		if credFilePath != "" {
+			jwtToken := generateServiceAccountJwtToken(credFilePath)
+			return doCreateRequestWithBearerToken(method, url, jwtToken, body)
+		}
+
 		if auth == "" {
 			activeRemote := remote.GetActiveRemote()
 			if activeRemote.User != "" || activeRemote.Pass != "" {
@@ -231,19 +252,19 @@ func CreateRequest(c *cli.Context, method, url string, body io.Reader) *http.Req
 	return doCreateRequest(method, url, user, pass, body, IsForceMode(c))
 }
 
-func doCreateRequest(method, reqUrl, user, pass string, body io.Reader, force bool) *http.Request {
+func doCreateSimpleRequest(method, reqUrl string, body io.Reader) *http.Request {
 	var (
-		host, scheme, port, path string
+		host, scheme, port, restPath string
 	)
 
 	parsedUrl, err := url.Parse(reqUrl)
-	util.Fatal(err, "Not a valid url: "+reqUrl)
+	util.Fatal(err, fmt.Sprintf("Not a valid url: %s", reqUrl))
 
 	if parsedUrl.IsAbs() {
 		host = parsedUrl.Hostname()
 		port = parsedUrl.Port()
 		scheme = parsedUrl.Scheme
-		path = parsedUrl.Path
+		restPath = parsedUrl.Path
 	} else {
 		activeRemote := remote.GetActiveRemote()
 		host = activeRemote.Url.Hostname()
@@ -253,18 +274,31 @@ func doCreateRequest(method, reqUrl, user, pass string, body io.Reader, force bo
 		runeUrl := []rune(reqUrl)
 		if runeUrl[0] == '/' {
 			// absolute path
-			path = reqUrl
+			restPath = reqUrl
 		} else {
 			// relative path
-			path = activeRemote.Url.Path + "/" + reqUrl
+			restPath = activeRemote.Url.Path + "/" + reqUrl
 		}
 	}
 
-	req, err := http.NewRequest(method, fmt.Sprintf("%s://%s:%s%s", scheme, host, port, path), body)
-	if err != nil {
-		fmt.Fprintln(os.Stderr, "Params error: ", err)
-		os.Exit(1)
-	}
+	req, err := http.NewRequest(method, fmt.Sprintf("%s://%s:%s%s", scheme, host, port, restPath), body)
+	util.Fatal(err, "Params error: ")
+
+	return req
+}
+
+func doCreateRequestWithBearerToken(method, reqUrl, jwtToken string, body io.Reader) *http.Request {
+	req := doCreateSimpleRequest(method, reqUrl, body)
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwtToken))
+
+	return req
+}
+
+func doCreateRequest(method, reqUrl, user, pass string, body io.Reader, force bool) *http.Request {
+	req := doCreateSimpleRequest(method, reqUrl, body)
+
 	req.Header.Set("Content-Type", "application/json")
 	req.AddCookie(&http.Cookie{Name: FORCE_COOKIE, Value: strconv.FormatBool(force)})
 

internal/app/commands/common/service-account.go

@@ -0,0 +1,63 @@
+package common
+
+import (
+	"cli-enonic/internal/app/util"
+	"encoding/json"
+	"fmt"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pkg/errors"
+	"os"
+	"strings"
+	"time"
+)
+
+type ServiceAccountData struct {
+	Algorithm    string `json:"algorithm"`
+	Kid          string `json:"kid"`
+	Label        string `json:"label"`
+	PrincipalKey string `json:"principalKey"`
+	PrivateKey   string `json:"privateKey"`
+}
+
+func hasJsonExtension(filepath string) bool {
+	return strings.ToLower(filepath[len(filepath)-5:]) == ".json"
+}
+
+func parseServiceAccountData(credFilePath string) ServiceAccountData {
+	if !hasJsonExtension(credFilePath) {
+		util.Fatal(errors.New(fmt.Sprintf("Error: %s is not a JSON file", credFilePath)), "")
+	}
+
+	fileData, err := os.ReadFile(credFilePath)
+	util.Fatal(err, fmt.Sprintf("Error reading JSON file: %v", err))
+
+	var serviceAccountData ServiceAccountData
+	if err := json.Unmarshal(fileData, &serviceAccountData); err != nil {
+		util.Fatal(err, fmt.Sprintf("Error parsing JSON: %v", err))
+	}
+	return serviceAccountData
+}
+
+func generateServiceAccountJwtToken(credFilePath string) string {
+	serviceAccountData := parseServiceAccountData(credFilePath)
+
+	privateKey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(serviceAccountData.PrivateKey))
+	util.Fatal(err, fmt.Sprintf("Error parsing private key: %v", err))
+
+	now := time.Now()
+
+	claims := jwt.MapClaims{
+		"sub": serviceAccountData.PrincipalKey,
+		"iat": now.Unix(),
+		"exp": now.Add(30 * time.Second).Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+
+	token.Header["kid"] = serviceAccountData.Kid
+
+	signedToken, err := token.SignedString(privateKey)
+	util.Fatal(err, fmt.Sprintf("Error signing token: %v", err))
+
+	return signedToken
+}

internal/app/commands/dump/list.go

@@ -14,7 +14,7 @@ var List = cli.Command{
 	Name:    "list",
 	Aliases: []string{"ls"},
 	Usage:   "List available dumps",
-	Flags:   append([]cli.Flag{}, common.AUTH_FLAG, common.FORCE_FLAG),
+	Flags:   append([]cli.Flag{}, common.AUTH_FLAG, common.CRED_FILE_FLAG, common.FORCE_FLAG),
 	Action: func(c *cli.Context) error {
 
 		dumps := listExistingDumpNames()