Add support for EMBootkit and native golang IO mode (#655)

Author: ppanigra

device-discovery-agent/go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/open-edge-platform/infra-onboarding/onboarding-manager v1.39.10
 	github.com/sirupsen/logrus v1.9.4
 	golang.org/x/oauth2 v0.36.0
+	golang.org/x/term v0.40.0
 	google.golang.org/grpc v1.81.0-dev
 )
 

device-discovery-agent/go.sum

@@ -42,6 +42,8 @@ golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=

device-discovery-agent/internal/auth/auth.go

@@ -4,180 +4,31 @@
 package auth
 
 import (
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/json"
+	"context"
 	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
 	"strings"
 )
 
-// loadCACertPool loads the CA certificate from a file and returns a certificate pool.
-func loadCACertPool(caCertPath string) (*x509.CertPool, error) {
-	caCert, err := os.ReadFile(caCertPath)
-	if err != nil {
-		return nil, fmt.Errorf("failed to read CA certificate: %w", err)
-	}
-	caCertPool := x509.NewCertPool()
-	if !caCertPool.AppendCertsFromPEM(caCert) {
-		return nil, fmt.Errorf("failed to append CA certificate")
-	}
-	return caCertPool, nil
-}
-
-func fetchAccessToken(keycloakURL string, clientID string, clientSecret string, caCertPath string) (string, error) {
-	// Prepare the request data
-	data := url.Values{}
-	data.Set("grant_type", "client_credentials")
-	data.Set("client_id", clientID)
-	data.Set("client_secret", clientSecret)
-	reqBody := bytes.NewBufferString(data.Encode())
-
-	// Create the HTTP request
-	req, err := http.NewRequest("POST", "https://"+keycloakURL, reqBody)
-	if err != nil {
-		return "", err
-	}
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-
-	// Configure TLS
-	var tlsConfig *tls.Config
-	if caCertPath != "" {
-		// Load the CA certificate from provided path
-		caCertPool, err := loadCACertPool(caCertPath)
-		if err != nil {
-			return "", fmt.Errorf("error loading CA certificate: %v", err)
-		}
-		tlsConfig = &tls.Config{
-			RootCAs:    caCertPool,
-			MinVersion: tls.VersionTLS12,
-		}
-	} else {
-		// Use system default CA certificates
-		tlsConfig = &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		}
-	}
-
-	// Create an HTTP client with TLS configuration
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: tlsConfig,
-		},
-	}
-
-	// Perform the request
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-
-	// Check for a successful response
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("failed to get access token, status: %s", resp.Status)
-	}
-
-	// Parse the JSON response
-	var result map[string]interface{}
-	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
-		return "", err
-	}
-
-	// Extract the access token
-	token, ok := result["access_token"].(string)
-	if !ok || token == "" {
-		return "", fmt.Errorf("access token not found in response")
-	}
-
-	return token, nil
-}
-
-func fetchReleaseToken(releaseServerURL string, accessToken string, caCertPath string) (string, error) {
-	// Ensure the access token is not empty
-	if accessToken == "" {
-		return "", fmt.Errorf("access token is required")
-	}
-
-	// Configure TLS
-	var tlsConfig *tls.Config
-	if caCertPath != "" {
-		// Load CA certificate from provided path
-		caCertPool, err := loadCACertPool(caCertPath)
-		if err != nil {
-			return "", fmt.Errorf("error loading CA certificate: %v", err)
-		}
-		tlsConfig = &tls.Config{
-			RootCAs:    caCertPool,
-			MinVersion: tls.VersionTLS12,
-		}
-	} else {
-		// Use system default CA certificates
-		tlsConfig = &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		}
-	}
-
-	// Construct the HTTP request
-	req, err := http.NewRequest("GET", "https://"+releaseServerURL, nil)
-	if err != nil {
-		return "", fmt.Errorf("error creating request: %v", err)
-	}
-
-	// Add the authorization header with the bearer token
-	req.Header.Set("Authorization", "Bearer "+accessToken)
-
-	// Create an HTTP client with TLS configuration
-	client := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: tlsConfig,
-		},
-	}
-
-	// Send the request
-	resp, err := client.Do(req)
-	if err != nil {
-		return "", fmt.Errorf("error sending request: %v", err)
-	}
-	defer resp.Body.Close()
-
-	// Check if the response status is 200 OK
-	if resp.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("failed to get release token, status: %s", resp.Status)
-	}
-
-	// Read the response body
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", fmt.Errorf("error reading response body: %v", err)
-	}
-
-	// Convert the response body to a string (the token)
-	token := string(body)
-
-	// Validate the received token
-	if token == "null" || token == "" {
-		return "", fmt.Errorf("invalid token received")
-	}
-
-	return token, nil
-}
-
-// ClientAuth handles authentication and retrieves tokens.
+// ClientAuth handles authentication and retrieves tokens using client credentials.
+// This function is used in non-interactive mode after the device has been onboarded.
 func ClientAuth(clientID string, clientSecret string, keycloakURL string, accessTokenURL string, releaseTokenURL string, caCertPath string) (idpAccessToken string, releaseToken string, err error) {
-	// Fetch JWT access token from Keycloak
-	idpAccessToken, err = fetchAccessToken(keycloakURL+accessTokenURL, clientID, clientSecret, caCertPath)
+	ctx := context.Background()
+
+	// Fetch JWT access token from Keycloak using client_credentials flow
+	idpAccessToken, err = FetchClientCredentialsToken(ctx, ClientCredentialsParams{
+		KeycloakURL:  keycloakURL,
+		TokenPath:    accessTokenURL,
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		CACertPath:   caCertPath,
+	})
 	if err != nil {
 		return "", "", fmt.Errorf("failed to get JWT access token from Keycloak: %v", err)
 	}
 
 	// Fetch release service token
-	releaseTokenURL = strings.Replace(keycloakURL, "keycloak", "release", 1) + releaseTokenURL
-	releaseToken, err = fetchReleaseToken(releaseTokenURL, idpAccessToken, caCertPath)
+	releaseURL := strings.Replace(keycloakURL, "keycloak", "release", 1) + releaseTokenURL
+	releaseToken, err = FetchReleaseToken(ctx, releaseURL, idpAccessToken, caCertPath)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to get release service token: %v", err)
 	}

device-discovery-agent/internal/auth/auth_fuzz_test.go

@@ -46,18 +46,18 @@ BQADQQBvZmZzZXQgdGVzdCBkYXRhIGZvciBmdXp6aW5nIHB1cnBvc2VzIG9ubHk=
 			t.Skip("Failed to write test file")
 		}
 
-		// Test loadCACertPool - should not panic
-		pool, err := loadCACertPool(certPath)
+		// Test LoadCACertPool - should not panic
+		pool, err := LoadCACertPool(certPath)
 
 		// Validate results
 		if err == nil {
 			// If no error, pool should be valid and non-nil
 			if pool == nil {
-				t.Error("loadCACertPool returned nil pool without error")
+				t.Error("LoadCACertPool returned nil pool without error")
 			}
 			// Verify it's a valid x509.CertPool
 			if _, ok := interface{}(pool).(*x509.CertPool); !ok {
-				t.Error("loadCACertPool returned invalid type")
+				t.Error("LoadCACertPool returned invalid type")
 			}
 		}
 		// If error occurred, that's fine - we just don't want panics
@@ -84,7 +84,7 @@ func FuzzJSONTokenResponse(f *testing.F) {
 	f.Add([]byte(`{"access_token":"` + strings.Repeat("x", 10000) + `"}`)) // Very long token
 
 	f.Fuzz(func(t *testing.T, jsonData []byte) {
-		// Simulate the JSON parsing logic from fetchAccessToken
+		// Simulate the JSON parsing logic from FetchClientCredentialsToken
 		var result map[string]interface{}
 		err := json.Unmarshal(jsonData, &result)
 
@@ -125,7 +125,7 @@ func FuzzReleaseTokenResponse(f *testing.F) {
 	f.Add([]byte("{\"token\":\"value\"}"))    // JSON when expecting plain text
 
 	f.Fuzz(func(t *testing.T, tokenData []byte) {
-		// Simulate the token validation logic from fetchReleaseToken
+		// Simulate the token validation logic from FetchReleaseToken
 		token := string(tokenData)
 
 		// Test the validation logic
@@ -170,7 +170,7 @@ func FuzzURLConstruction(f *testing.F) {
 		fullURL := "https://" + urlStr
 
 		// Validate URL parsing doesn't panic
-		// This simulates the URL construction in fetchAccessToken and fetchReleaseToken
+		// This simulates the URL construction in FetchClientCredentialsToken and FetchReleaseToken
 		_ = fullURL
 
 		// Test strings.Replace operation from ClientAuth
@@ -199,7 +199,7 @@ func FuzzAuthorizationHeader(f *testing.F) {
 	f.Add(strings.Repeat("a", 10000)) // Very long token
 
 	f.Fuzz(func(t *testing.T, token string) {
-		// Simulate Authorization header construction from fetchReleaseToken
+		// Simulate Authorization header construction from FetchReleaseToken
 		authHeader := "Bearer " + token
 
 		// Check for potential header injection vulnerabilities