feat: add GitHub Social login. (#1609)

## What this PR does / why we need it:

Add support for `github` login with `terramate cloud login --github`.

## Which issue(s) this PR fixes:
none

## Special notes for your reviewer:

- [x] still requires TMC backend support.

## Does this PR introduce a user-facing change?
```
yes
```

Author: i4ki

CHANGELOG.md

@@ -24,6 +24,7 @@ Given a version number `MAJOR.MINOR.PATCH`, we increment the:
 
 ### Added
 
+- Add `terramate cloud login --github` for authenticating with the Github account.
 - Add experimental support for `tmgen` file extension for easy code generation/templating
   of existing infrastructure. You can enable it with `terramate.config.experimental = ["tmgen"]`.
 - Make cloud-related options more concise by dropping the `cloud` prefix.

cmd/terramate/cli/cli.go

@@ -216,7 +216,10 @@ type cliSpec struct {
 	} `cmd:"" help:"Debug Terramate configuration."`
 
 	Cloud struct {
-		Login struct{} `cmd:"" help:"Sign in to Terramate Cloud."`
+		Login struct {
+			Google bool `optional:"true" help:"authenticate with google credentials"`
+			Github bool `optional:"true" help:"authenticate with github credentials"`
+		} `cmd:"" help:"Sign in to Terramate Cloud."`
 		Info  struct{} `cmd:"" help:"Show your current Terramate Cloud login status."`
 		Drift struct {
 			Show struct {
@@ -513,8 +516,54 @@ func newCLI(version string, args []string, stdin io.Reader, stdout, stderr io.Wr
 	case "experimental cloud login": // Deprecated: use cloud login
 		fallthrough
 	case "cloud login":
-		err := googleLogin(output, idpkey(), clicfg)
+		var err error
+		var email string
+		var alreadyUsedProviders []string
+		var provider string
+		if parsedArgs.Cloud.Login.Github {
+			provider = "GitHub"
+			email, alreadyUsedProviders, err = githubLogin(output, cloudBaseURL(), idpkey(), clicfg)
+		} else {
+			provider = "Google"
+			email, alreadyUsedProviders, err = googleLogin(output, idpkey(), clicfg)
+		}
 		if err != nil {
+			if errors.IsKind(err, ErrEmailNotVerified) {
+				printer.Stderr.Error(stdfmt.Sprintf("email %s is not verified", email))
+				printer.Stderr.Println(
+					"Please login to https://cloud.terramate.io first to verify your email and continue the sign up process.",
+				)
+				os.Exit(1)
+			}
+			if errors.IsKind(err, ErrIDPNeedConfirmation) {
+				printer.Stderr.Error(err.Error())
+
+				bufs := []strings.Builder{}
+				for _, providerDomain := range alreadyUsedProviders {
+					switch providerDomain {
+					case "google.com":
+						b := strings.Builder{}
+						b.WriteString("- terramate cloud login --google (For login with your Google account)")
+						bufs = append(bufs, b)
+					case "github.com":
+						b := strings.Builder{}
+						b.WriteString("- terramate cloud login --github (For login with your GitHub account)")
+						bufs = append(bufs, b)
+					}
+				}
+
+				var buf strings.Builder
+				if len(bufs) > 0 {
+					buf.WriteString("Please login using one of the methods below:\n")
+					for _, b := range bufs {
+						buf.WriteString(b.String() + "\n")
+					}
+					buf.WriteString("or alternatively:\n")
+				}
+				buf.WriteString(stdfmt.Sprintf("- Go to https://cloud.terramate.io and authenticate with the %s Social login to link the accounts.", provider))
+				printer.Stderr.Println(buf.String())
+				os.Exit(1)
+			}
 			fatal("authentication failed", err)
 		}
 		output.MsgStdOut("authenticated successfully")

cmd/terramate/cli/cloud_credential.go

@@ -0,0 +1,17 @@
+// Copyright 2024 Terramate GmbH
+// SPDX-License-Identifier: MPL-2.0
+
+package cli
+
+type providerID string
+
+func (p providerID) String() string {
+	switch p {
+	case "google.com":
+		return "Google"
+	case "github.com":
+		return "GitHub"
+	default:
+		return string(p)
+	}
+}

cmd/terramate/cli/cloud_credential_github.go

@@ -1,222 +1,93 @@
-// Copyright 2023 Terramate GmbH
+// Copyright 2024 Terramate GmbH
 // SPDX-License-Identifier: MPL-2.0
 
 package cli
 
 import (
-	"context"
 	"fmt"
-	"math"
 	"net/url"
 	"os"
-	"sync"
+	"strconv"
 	"time"
 
-	"github.com/golang-jwt/jwt"
-	"github.com/terramate-io/terramate/cloud"
+	"github.com/terramate-io/terramate/cmd/terramate/cli/cliconfig"
 	"github.com/terramate-io/terramate/cmd/terramate/cli/github"
 	"github.com/terramate-io/terramate/cmd/terramate/cli/out"
 	"github.com/terramate-io/terramate/errors"
 	"github.com/terramate-io/terramate/printer"
 )
 
-const githubOIDCProviderName = "GitHub Actions OIDC"
+const defaultGitHubClientID = "08e1f8d6f599c7ec48c5"
 
-type githubOIDC struct {
-	mu        sync.RWMutex
-	token     string
-	jwtClaims jwt.MapClaims
-
-	expireAt  time.Time
-	repoOwner string
-	repoName  string
-
-	reqURL   string
-	reqToken string
-	orgs     cloud.MemberOrganizations
-
-	output out.O
-	client *cloud.Client
-}
-
-func newGithubOIDC(output out.O, client *cloud.Client) *githubOIDC {
-	return &githubOIDC{
-		output: output,
-		client: client,
+func githubLogin(output out.O, tmcBaseURL string, idpKey string, clicfg cliconfig.Config) (string, []string, error) {
+	token, err := githubAuth()
+	if err != nil {
+		return "", nil, err
 	}
-}
 
-func (g *githubOIDC) Load() (bool, error) {
-	const envReqURL = "ACTIONS_ID_TOKEN_REQUEST_URL"
-	const envReqTok = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
-
-	g.reqURL = os.Getenv(envReqURL)
-	if g.reqURL == "" {
-		return false, nil
+	postBody := url.Values{
+		"access_token": []string{token},
+		"providerId":   []string{"github.com"},
 	}
 
-	g.reqToken = os.Getenv(envReqTok)
-
-	audience := oidcAudience()
-	if audience != "" {
-		u, err := url.Parse(g.reqURL)
-		if err != nil {
-			return false, errors.E(err, "invalid ACTIONS_ID_TOKEN_REQUEST_URL env var")
-		}
-
-		qr := u.Query()
-		qr.Set("audience", audience)
-		u.RawQuery = qr.Encode()
-		g.reqURL = u.String()
+	reqPayload := googleSignInPayload{
+		PostBody:            postBody.Encode(),
+		RequestURI:          tmcBaseURL + "/__/auth/handler",
+		ReturnIdpCredential: true,
+		ReturnSecureToken:   true,
 	}
 
-	err := g.Refresh()
+	cred, email, alreadyUsedProviders, err := signInWithIDP(reqPayload, idpKey)
 	if err != nil {
-		return false, err
+		return email, alreadyUsedProviders, err
 	}
-	g.client.Credential = g
-	return true, g.fetchDetails()
-}
 
-func (g *githubOIDC) Name() string {
-	return githubOIDCProviderName
+	output.MsgStdOut("Logged in as %s", cred.UserDisplayName())
+	output.MsgStdOutV("Token: %s", cred.IDToken)
+	expire, _ := strconv.Atoi(cred.ExpiresIn)
+	output.MsgStdOutV("Expire at: %s", time.Now().Add(time.Second*time.Duration(expire)).Format(time.RFC822Z))
+	return email, nil, saveCredential(output, cred, clicfg)
 }
 
-func (g *githubOIDC) IsExpired() bool {
-	g.mu.RLock()
-	defer g.mu.RUnlock()
-	return time.Now().After(g.expireAt)
-}
-
-func (g *githubOIDC) ExpireAt() time.Time {
-	g.mu.RLock()
-	defer g.mu.RUnlock()
-	return g.expireAt
-}
-
-func (g *githubOIDC) Refresh() (err error) {
-	if g.token != "" {
-		g.output.MsgStdOutV("refreshing token...")
-
-		defer func() {
-			if err == nil {
-				g.output.MsgStdOutV("token successfully refreshed.")
-				g.output.MsgStdOutV("next token refresh in: %s", time.Until(g.ExpireAt()))
-			}
-		}()
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), defaultGithubTimeout)
-	defer cancel()
-
-	token, err := github.OIDCToken(ctx, github.OIDCVars{
-		ReqURL:   g.reqURL,
-		ReqToken: g.reqToken,
-	})
-
+func githubAuth() (string, error) {
+	oauthCtx, err := github.OAuthDeviceFlowAuthStart(ghClientID())
 	if err != nil {
-		return errors.E(err, "requesting new Github OIDC token")
+		return "", err
 	}
 
-	g.mu.Lock()
-	defer g.mu.Unlock()
-
-	g.token = token
-	g.jwtClaims, err = tokenClaims(g.token)
-	if err != nil {
-		return err
-	}
-	exp, ok := g.jwtClaims["exp"].(float64)
-	if !ok {
-		return errors.E(`cached JWT token has no "exp" field`)
-	}
-	sec, dec := math.Modf(exp)
-	g.expireAt = time.Unix(int64(sec), int64(dec*(1e9)))
+	printer.Stdout.Println(fmt.Sprintf("Please visit: %s", oauthCtx.VerificationURI))
+	printer.Stdout.Println(fmt.Sprintf("and enter code: %s", oauthCtx.UserCode))
 
-	repoOwner, ok := g.jwtClaims["repository_owner"].(string)
-	if !ok {
-		return errors.E(`GitHub OIDC JWT with no "repository_owner" payload field.`)
-	}
-	repoName, ok := g.jwtClaims["repository"].(string)
-	if !ok {
-		return errors.E(`GitHub OIDC JWT with no "repository" payload field.`)
-	}
-	g.repoOwner = repoOwner
-	g.repoName = repoName
-	return nil
-}
+	for {
+		var token string
+		token, err = oauthCtx.ProbeAuthState()
+		if err == nil {
+			return token, nil
+		}
 
-func (g *githubOIDC) Claims() jwt.MapClaims {
-	g.mu.RLock()
-	defer g.mu.RUnlock()
-	return g.jwtClaims
-}
+		var errInfo *errors.Error
+		if !errors.As(err, &errInfo) {
+			return "", err // unexpected err
+		}
 
-func (g *githubOIDC) DisplayClaims() []keyValue {
-	return []keyValue{
-		{
-			key:   "owner",
-			value: g.repoOwner,
-		},
-		{
-			key:   "repository",
-			value: g.repoName,
-		},
-	}
-}
+		interval := time.Duration(oauthCtx.Interval) * time.Second
 
-func (g *githubOIDC) Token() (string, error) {
-	if g.IsExpired() {
-		err := g.Refresh()
-		if err != nil {
+		switch errInfo.Kind {
+		case github.ErrDeviceFlowSlowDown:
+			interval += 5 * time.Second
+			fallthrough
+		case github.ErrDeviceFlowAuthPending:
+			time.Sleep(interval)
+		default:
 			return "", err
 		}
 	}
-	g.mu.RLock()
-	defer g.mu.RUnlock()
-	return g.token, nil
-}
-
-// Validate if the credential is ready to be used.
-func (g *githubOIDC) fetchDetails() error {
-	const apiTimeout = 5 * time.Second
-
-	ctx, cancel := context.WithTimeout(context.Background(), apiTimeout)
-	defer cancel()
-	orgs, err := g.client.MemberOrganizations(ctx)
-	if err != nil {
-		return err
-	}
-	g.orgs = orgs
-	return nil
 }
 
-func (g *githubOIDC) info(selectedOrgName string) {
-	if len(g.orgs) > 0 && g.orgs[0].Status == "trusted" {
-		printer.Stdout.Println("status: signed in")
-	} else {
-		printer.Stdout.Println("status: untrusted")
-	}
-
-	printer.Stdout.Println(fmt.Sprintf("provider: %s", g.Name()))
-
-	for _, kv := range g.DisplayClaims() {
-		printer.Stdout.Println(fmt.Sprintf("%s: %s", kv.key, kv.value))
-	}
-
-	if len(g.orgs) > 0 {
-		printer.Stdout.Println(fmt.Sprintf("organizations: %s", g.orgs))
+func ghClientID() string {
+	idpKey := os.Getenv("TMC_API_GITHUB_CLIENT_ID")
+	if idpKey == "" {
+		idpKey = defaultGitHubClientID
 	}
-
-	if selectedOrgName == "" && len(g.orgs) > 1 {
-		printer.Stderr.Warn("User is member of multiple organizations but none was selected")
-	}
-
-	if len(g.orgs) == 0 {
-		printer.Stderr.Warn("You are not part of an organization. Please visit cloud.terramate.io to create an organization.")
-	}
-}
-
-func (g *githubOIDC) organizations() cloud.MemberOrganizations {
-	return g.orgs
+	return idpKey
 }