Implementation of auth status and auth login with-api-key (#181)

* Implementation of auth status and auth login with-api-key

* Point go-sdk to main version

Author: daniel-de-vera

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/nsf/jsondiff v0.0.0-20210926074059-1e845ec5d249
 	github.com/oklog/run v1.1.0
 	github.com/panta/machineid v1.0.2
-	github.com/signadot/go-sdk v0.3.8-0.20250430123824-06bc5f2b307c
+	github.com/signadot/go-sdk v0.3.8-0.20250502141929-71adbfb62bd0
 	github.com/signadot/libconnect v0.1.1-0.20250502144057-7eab70077f7f
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.11.0

go.sum

@@ -331,8 +331,8 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
-github.com/signadot/go-sdk v0.3.8-0.20250430123824-06bc5f2b307c h1:sD42geQA/uDnx4Fuv271cXIyx1HHTrEPGg0r2HpIdBI=
-github.com/signadot/go-sdk v0.3.8-0.20250430123824-06bc5f2b307c/go.mod h1:pnXR9BhGedBWjtAZGwGGY94sMgh6VuAbP/4vq4Qw1Fg=
+github.com/signadot/go-sdk v0.3.8-0.20250502141929-71adbfb62bd0 h1:ujylkC2g7u05OYm91oa+ovPK8nmjQq7PO39PNexNP3o=
+github.com/signadot/go-sdk v0.3.8-0.20250502141929-71adbfb62bd0/go.mod h1:pnXR9BhGedBWjtAZGwGGY94sMgh6VuAbP/4vq4Qw1Fg=
 github.com/signadot/libconnect v0.1.1-0.20250502144057-7eab70077f7f h1:V4kQgQsEJhDfh1LYa2LW2SoJLMaoCP2IYnCpIcMuQXc=
 github.com/signadot/libconnect v0.1.1-0.20250502144057-7eab70077f7f/go.mod h1:MWfhryOARFnhDnmYGcTmmu+kHJbE6z0dDgKQpxOKVLQ=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=

internal/auth/auth.go

@@ -0,0 +1,67 @@
+package auth
+
+import (
+	"time"
+
+	"github.com/spf13/viper"
+)
+
+type AuthSource string
+
+const (
+	ConfigAuthSource  AuthSource = "config"
+	KeyringAuthSource AuthSource = "keyring"
+)
+
+type Auth struct {
+	APIKey      string     `json:"apiKey,omitempty"`
+	BearerToken string     `json:"bearerToken,omitempty"`
+	OrgName     string     `json:"orgName"`
+	ExpiresAt   *time.Time `json:"expiresAt,omitempty"`
+}
+
+type ResolvedAuth struct {
+	Auth
+	Source AuthSource `json:"source"`
+}
+
+func ResolveAuth() (*ResolvedAuth, error) {
+	auth, err := loadAuth()
+	if err != nil {
+		return nil, err
+	}
+	if auth == nil {
+		return nil, nil
+	}
+
+	// fall back to config file for org if not defined
+	if auth.OrgName == "" {
+		auth.OrgName = viper.GetString("org")
+	}
+	return auth, nil
+}
+
+func loadAuth() (*ResolvedAuth, error) {
+	// give precedence to config
+	apiKey := viper.GetString("api_key")
+	if apiKey != "" {
+		return &ResolvedAuth{
+			Source: ConfigAuthSource,
+			Auth: Auth{
+				APIKey: apiKey,
+			},
+		}, nil
+	}
+
+	auth, err := GetAuthFromKeyring()
+	if err != nil {
+		return nil, err
+	}
+	if auth == nil {
+		return nil, nil
+	}
+	return &ResolvedAuth{
+		Source: KeyringAuthSource,
+		Auth:   *auth,
+	}, nil
+}

internal/auth/keyring.go

@@ -1,36 +1,46 @@
 package auth
 
-import "github.com/zalando/go-keyring"
+import (
+	"encoding/json"
+	"errors"
+
+	"github.com/zalando/go-keyring"
+)
 
 const (
 	keyringService = "signadot-cli"
-	tokenKey       = "token"
-	orgKey         = "org"
+	authKey        = "auth"
 )
 
-// StoreToken stores the auth token securely in the system keyring
-func StoreToken(token string) error {
-	return keyring.Set(keyringService, tokenKey, token)
-}
-
-// GetToken retrieves the auth token from the system keyring
-func GetToken() (string, error) {
-	return keyring.Get(keyringService, tokenKey)
-}
-
-// DeleteToken removes the auth token from the system keyring
-func DeleteToken() error {
-	return keyring.Delete(keyringService, tokenKey)
-}
-
-func StoreOrg(org string) error {
-	return keyring.Set(keyringService, orgKey, org)
+func StoreAuthInKeyring(auth *Auth) error {
+	authJson, err := json.Marshal(auth)
+	if err != nil {
+		return err
+	}
+	return keyring.Set(keyringService, authKey, string(authJson))
 }
 
-func GetOrg() (string, error) {
-	return keyring.Get(keyringService, orgKey)
+func GetAuthFromKeyring() (*Auth, error) {
+	// read the auth from keyring
+	authJson, err := keyring.Get(keyringService, authKey)
+	if err != nil {
+		if errors.Is(err, keyring.ErrNotFound) {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	// decode the auth
+	var auth Auth
+	err = json.Unmarshal([]byte(authJson), &auth)
+	if err != nil {
+		// this is an unlikely state. Remove the entry from the keyring and
+		// allow the user to log in again.
+		return nil, DeleteAuthFromKeyring()
+	}
+	return &auth, nil
 }
 
-func DeleteOrg() error {
-	return keyring.Delete(keyringService, orgKey)
+func DeleteAuthFromKeyring() error {
+	return keyring.Delete(keyringService, authKey)
 }

internal/command/auth/auth.go

@@ -16,6 +16,7 @@ func New(api *config.API) *cobra.Command {
 	// Subcommands
 	cmd.AddCommand(
 		newLogin(cfg),
+		newStatus(cfg),
 		newLogout(cfg),
 	)
 

internal/command/auth/login.go

@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"time"
@@ -10,6 +11,7 @@ import (
 	"github.com/signadot/cli/internal/config"
 	"github.com/signadot/cli/internal/spinner"
 	sdkauth "github.com/signadot/go-sdk/client/auth"
+	"github.com/signadot/go-sdk/client/orgs"
 	"github.com/signadot/go-sdk/models"
 	"github.com/spf13/cobra"
 )
@@ -24,12 +26,64 @@ func newLogin(cfg *config.Auth) *cobra.Command {
 			return runLogin(loginCfg, cmd.OutOrStdout())
 		},
 	}
+	loginCfg.AddFlags(cmd)
 
 	return cmd
 }
 
 func runLogin(cfg *config.AuthLogin, out io.Writer) error {
-	if err := cfg.UnauthInitAPIConfig(); err != nil {
+	var err error
+	if cfg.WithAPIKey != "" {
+		err = apiKeyLogin(cfg, out)
+	} else {
+		err = bearerTokenLogin(cfg, out)
+	}
+	if err != nil {
+		return err
+	}
+
+	green := color.New(color.FgGreen).SprintFunc()
+	fmt.Fprintf(out, "%s Successfully logged in\n", green("✓"))
+	return nil
+}
+
+func apiKeyLogin(cfg *config.AuthLogin, out io.Writer) error {
+	// init the API client with the provided api key
+	if err := cfg.InitAPIConfigWithApiKey(cfg.WithAPIKey); err != nil {
+		return err
+	}
+
+	spin := spinner.Start(out, "Checking provided API key")
+	defer spin.Stop()
+
+	// resolve the org from the api key
+	res, err := cfg.Client.Orgs.GetOrgName(&orgs.GetOrgNameParams{}, nil)
+	if err != nil {
+		spin.StopFail()
+		return err
+	}
+	orgInfo := res.Payload
+	if len(orgInfo.Orgs) == 0 {
+		spin.StopFail()
+		return errors.New("could not resolve org from API key")
+	}
+	org := orgInfo.Orgs[0]
+
+	// store the auth info
+	err = auth.StoreAuthInKeyring(&auth.Auth{
+		APIKey:  cfg.WithAPIKey,
+		OrgName: org.Name,
+	})
+	if err != nil {
+		spin.StopFail()
+		return fmt.Errorf("failed to store auth info: %w", err)
+	}
+	return nil
+}
+
+func bearerTokenLogin(cfg *config.AuthLogin, out io.Writer) error {
+	// init an unauthirezed API client
+	if err := cfg.InitUnauthAPIConfig(); err != nil {
 		return err
 	}
 
@@ -45,16 +99,16 @@ func runLogin(cfg *config.AuthLogin, out io.Writer) error {
 		return err
 	}
 
-	// store the access token and org name
-	if err := auth.StoreToken(token.AccessToken); err != nil {
-		return fmt.Errorf("failed to store access token: %w", err)
-	}
-	if err := auth.StoreOrg(token.OrgName); err != nil {
-		return fmt.Errorf("failed to store org name: %w", err)
+	// store the auth info
+	expiresAt := time.Now().Add(time.Duration(token.ExpiresIn) * time.Second)
+	err = auth.StoreAuthInKeyring(&auth.Auth{
+		BearerToken: token.AccessToken,
+		OrgName:     token.OrgName,
+		ExpiresAt:   &expiresAt,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to store auth info: %w", err)
 	}
-
-	green := color.New(color.FgGreen).SprintFunc()
-	fmt.Fprintf(out, "%s Successfully logged in\n", green("✓"))
 	return nil
 }
 
@@ -85,6 +139,7 @@ func waitForUserAuth(cfg *config.AuthLogin, out io.Writer,
 
 		res, err := cfg.Client.Auth.AuthDeviceGetToken(param)
 		if err != nil {
+			spin.StopFail()
 			return nil, fmt.Errorf("couldn't get device token: %w", err)
 		}
 		token := res.Payload

internal/command/auth/logout.go

@@ -9,7 +9,6 @@ import (
 	"github.com/signadot/cli/internal/auth"
 	"github.com/signadot/cli/internal/config"
 	"github.com/spf13/cobra"
-	"github.com/zalando/go-keyring"
 )
 
 func newLogout(cfg *config.Auth) *cobra.Command {
@@ -27,11 +26,21 @@ func newLogout(cfg *config.Auth) *cobra.Command {
 }
 
 func runLogout(cfg *config.AuthLogout, out io.Writer) error {
-	if err := auth.DeleteToken(); err != nil {
-		if errors.Is(err, keyring.ErrNotFound) {
-			return errors.New("you are already logged out")
-		}
-		return fmt.Errorf("failed to delete token: %w", err)
+	authInfo, err := auth.ResolveAuth()
+	if err != nil {
+		return fmt.Errorf("could not resolve auth: %w", err)
+	}
+	if authInfo == nil {
+		return errors.New("You are already logged out.")
+	}
+	if authInfo.Source == auth.ConfigAuthSource {
+		return errors.New(`You are currently logged in using an API key specified via a configuration file
+or environment variable. To log out, you must manually unset the environment variable
+or remove the API key from the configuration file.`)
+	}
+
+	if err := auth.DeleteAuthFromKeyring(); err != nil {
+		return fmt.Errorf("failed to delete auth info: %w", err)
 	}
 
 	green := color.New(color.FgGreen).SprintFunc()