support external JWKS commands (#993)

Author: sivukhin

internal/cmd/db_generatetoken.go

@@ -19,6 +19,7 @@ func init() {
 	flags.AddExpiration(dbGenerateTokenCmd)
 	flags.AddReadOnly(dbGenerateTokenCmd)
 	flags.AddAttachClaims(dbGenerateTokenCmd)
+	flags.AddFineGrainedPermissions(dbGenerateTokenCmd)
 	dbGenerateTokenCmd.Flags().BoolVar(&groupTokenFlag, "group", false, "create a token that is valid for all databases in the group")
 }
 
@@ -55,7 +56,11 @@ var dbGenerateTokenCmd = &cobra.Command{
 				ReadAttach: turso.Entities{DBNames: flags.AttachClaims()},
 			}
 		}
-		token, err := getToken(client, database, expiration, flags.ReadOnly(), groupTokenFlag, claim)
+		permissions, err := flags.FineGrainedPermissionsFlags()
+		if err != nil {
+			return err
+		}
+		token, err := getToken(client, database, expiration, flags.ReadOnly(), groupTokenFlag, claim, permissions)
 		if err != nil {
 			return errors.New("your database does not support token generation")
 		}
@@ -64,12 +69,19 @@ var dbGenerateTokenCmd = &cobra.Command{
 	},
 }
 
-func getToken(client *turso.Client, database turso.Database, expiration string, readOnly, group bool, claim *turso.PermissionsClaim) (string, error) {
+func getToken(
+	client *turso.Client,
+	database turso.Database,
+	expiration string,
+	readOnly, group bool,
+	claim *turso.PermissionsClaim,
+	fineGrainedPermissions []flags.FineGrainedPermissions,
+) (string, error) {
 	if !group {
-		return client.Databases.Token(database.Name, expiration, readOnly, claim)
+		return client.Databases.Token(database.Name, expiration, readOnly, claim, fineGrainedPermissions)
 	}
 	if group && database.Group == "" {
 		return "", errors.New("--group flag can only be set with group databases")
 	}
-	return client.Groups.Token(database.Group, expiration, readOnly, claim)
+	return client.Groups.Token(database.Group, expiration, readOnly, claim, fineGrainedPermissions)
 }

internal/cmd/db_shell.go

@@ -337,14 +337,14 @@ func tokenFromDb(db *turso.Database, client *turso.Client, claim *turso.Permissi
 	}
 	// skip cache and always use token from server when claims are attached
 	if claim != nil {
-		return client.Databases.Token(db.Name, "2d", false, claim)
+		return client.Databases.Token(db.Name, "2d", false, claim, nil)
 	}
 
 	if token := dbTokenCache(db.ID); token != "" {
 		return token, nil
 	}
 
-	token, err := client.Databases.Token(db.Name, "2d", false, nil)
+	token, err := client.Databases.Token(db.Name, "2d", false, nil, nil)
 	if err != nil {
 		return "", err
 	}

internal/cmd/group_tokens.go

@@ -88,6 +88,7 @@ func init() {
 	flags.AddExpiration(groupCreateTokenCmd)
 	flags.AddReadOnly(groupCreateTokenCmd)
 	flags.AddAttachClaims(groupCreateTokenCmd)
+	flags.AddFineGrainedPermissions(groupCreateTokenCmd)
 }
 
 var groupCreateTokenCmd = &cobra.Command{
@@ -122,7 +123,11 @@ var groupCreateTokenCmd = &cobra.Command{
 				ReadAttach: turso.Entities{DBNames: flags.AttachClaims()},
 			}
 		}
-		token, err := client.Groups.Token(group.Name, expiration, flags.ReadOnly(), claim)
+		permission, err := flags.FineGrainedPermissionsFlags()
+		if err != nil {
+			return err
+		}
+		token, err := client.Groups.Token(group.Name, expiration, flags.ReadOnly(), claim, permission)
 		if err != nil {
 			return fmt.Errorf("error creating token: %w", err)
 		}

internal/cmd/org.go

@@ -8,12 +8,17 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/tursodatabase/turso-cli/internal"
+	"github.com/tursodatabase/turso-cli/internal/flags"
 	"github.com/tursodatabase/turso-cli/internal/prompt"
 	"github.com/tursodatabase/turso-cli/internal/settings"
 	"github.com/tursodatabase/turso-cli/internal/turso"
 )
 
 var adminFlag bool
+var jwksRegion string
+var jwksDatabase string
+var jwksGroup string
+var jwksScope string
 
 func init() {
 	rootCmd.AddCommand(orgCmd)
@@ -38,6 +43,21 @@ func init() {
 	orgCmd.AddCommand(orgBillingCmd)
 	membersAddCmd.Flags().BoolVarP(&adminFlag, "admin", "a", false, "Add the user as an admin")
 	membersInviteCmd.Flags().BoolVarP(&adminFlag, "admin", "a", false, "Invite the user as an admin")
+
+	orgCmd.AddCommand(jwksCmd)
+	jwksCmd.AddCommand(jwksList)
+	jwksCmd.AddCommand(jwksRemove)
+	jwksCmd.AddCommand(jwksSave)
+	jwksCmd.AddCommand(jwksTemplate)
+
+	jwksSave.Flags().StringVarP(&jwksRegion, "region", "r", "", "region")
+	jwksSave.Flags().MarkHidden("region")
+	jwksRemove.Flags().StringVarP(&jwksRegion, "region", "r", "", "region")
+	jwksRemove.Flags().MarkHidden("region")
+	jwksTemplate.Flags().StringVarP(&jwksDatabase, "database", "d", "", "database")
+	jwksTemplate.Flags().StringVarP(&jwksGroup, "group", "g", "", "group")
+	jwksTemplate.Flags().StringVarP(&jwksScope, "scope", "s", "full-access", "claims scope (full-access or read-only)")
+	flags.AddFineGrainedPermissions(jwksTemplate)
 }
 
 func switchToOrg(client *turso.Client, slug string, showHowToGoBack bool) error {
@@ -622,6 +642,165 @@ func BillingPortal() error {
 	return billingPortal(org)
 }
 
+func currentOrg(client *turso.Client) (turso.Organization, error) {
+	orgs, err := client.Organizations.List()
+	if err != nil {
+		return turso.Organization{}, err
+	}
+
+	settingsObj, err := settings.ReadSettings()
+	if err != nil {
+		return turso.Organization{}, err
+	}
+
+	current := settingsObj.Organization()
+
+	for _, org := range orgs {
+		if isCurrentOrg(org, current) {
+			return org, nil
+		}
+	}
+	return turso.Organization{}, fmt.Errorf("current organization is not set")
+}
+
+var jwksCmd = &cobra.Command{
+	Use:   "jwks",
+	Short: "[BETA] Manage your organization external JWKS sources",
+}
+
+var jwksList = &cobra.Command{
+	Use:               "list",
+	Short:             "List saved external JWKS sources",
+	ValidArgsFunction: noFilesArg,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		client, err := authedTursoClient()
+		if err != nil {
+			return err
+		}
+
+		org, err := currentOrg(client)
+		if err != nil {
+			return err
+		}
+
+		jwksList, err := client.Organizations.ListJwks(org.Slug)
+		if err != nil {
+			return err
+		}
+		table := make([][]string, 0)
+		for _, jwks := range jwksList {
+			table = append(table, []string{jwks.JwksName, jwks.JwksUrl})
+		}
+		printTable([]string{"name", "url"}, table)
+		return nil
+	},
+}
+
+var jwksTemplate = &cobra.Command{
+	Use:               "template",
+	Short:             "Generate JWT claims template for external auth provider",
+	ValidArgsFunction: noFilesArg,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		client, err := authedTursoClient()
+		if err != nil {
+			return err
+		}
+
+		org, err := currentOrg(client)
+		if err != nil {
+			return err
+		}
+
+		var database *string
+		var group *string
+
+		if jwksDatabase != "" {
+			database = &jwksDatabase
+		}
+		if jwksGroup != "" {
+			group = &jwksGroup
+		}
+		permissions, err := flags.FineGrainedPermissionsFlags()
+		if err != nil {
+			return err
+		}
+		params := turso.OrgJwksTemplateParams{
+			Database:    database,
+			Group:       group,
+			Scope:       jwksScope,
+			Permissions: permissions,
+		}
+		template, err := client.Organizations.JwksTemplate(org.Slug, params)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("%v\n", internal.Emph(template))
+		return nil
+	},
+}
+
+var jwksSave = &cobra.Command{
+	Use:               "save <name> <url>",
+	Short:             "Save external JWKS source with given name and URL (e.g. save clerk https://.../.well-known/jwks.json)",
+	Args:              cobra.ExactArgs(2),
+	ValidArgsFunction: noFilesArg,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		name, url := args[0], args[1]
+
+		client, err := authedTursoClient()
+		if err != nil {
+			return err
+		}
+
+		org, err := currentOrg(client)
+		if err != nil {
+			return err
+		}
+
+		err = client.Organizations.SaveJwks(org.Slug, name, url, jwksRegion)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("JWKS %v saved for organization %s.\n", internal.Emph(name), internal.Emph(org.Slug))
+		return nil
+	},
+}
+
+var jwksRemove = &cobra.Command{
+	Use:               "remove <name>",
+	Short:             "Remove external JWKS source with given name",
+	Args:              cobra.ExactArgs(1),
+	ValidArgsFunction: noFilesArg,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		name := args[0]
+
+		client, err := authedTursoClient()
+		if err != nil {
+			return err
+		}
+
+		org, err := currentOrg(client)
+		if err != nil {
+			return err
+		}
+
+		err = client.Organizations.RemoveJwks(org.Slug, name, jwksRegion)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("JWKS %v removed from organization %s.\n", internal.Emph(name), internal.Emph(org.Slug))
+		return nil
+	},
+}
+
 func listOrganizations(client *turso.Client, fresh ...bool) ([]turso.Organization, error) {
 	skipCache := len(fresh) > 0 && fresh[0]
 	if cache := getOrgsCache(); !skipCache && cache != nil {

internal/flags/fine_grained_permissions.go

@@ -0,0 +1,38 @@
+package flags
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+)
+
+type FineGrainedPermissions struct {
+	TableNames        []string `json:"t"`
+	AllowedOperations []string `json:"a"`
+}
+
+var fineGrainedPermissions []string
+
+func AddFineGrainedPermissions(cmd *cobra.Command) {
+	cmd.Flags().StringArrayVarP(&fineGrainedPermissions, "permissions", "p", nil, "fine-grained permissions in format <table-name|all>:<action1>,...\n(e.g: -p all:data_read -p comments:data_insert)")
+}
+
+func FineGrainedPermissionsFlags() ([]FineGrainedPermissions, error) {
+	permissions := make([]FineGrainedPermissions, 0)
+	for _, permission := range fineGrainedPermissions {
+		tokens := strings.SplitN(permission, ":", 2)
+		if len(tokens) != 2 {
+			return nil, fmt.Errorf("invalid permission format: '%v'", permission)
+		}
+		var tableNames []string
+		if tokens[0] != "all" {
+			tableNames = append(tableNames, tokens[0])
+		}
+		permissions = append(permissions, FineGrainedPermissions{
+			TableNames:        tableNames,
+			AllowedOperations: strings.Split(tokens[1], ","),
+		})
+	}
+	return permissions, nil
+}

internal/turso/databases.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/tursodatabase/turso-cli/internal"
+	"github.com/tursodatabase/turso-cli/internal/flags"
 	"github.com/tursodatabase/turso-cli/internal/prompt"
 )
 
@@ -218,7 +219,7 @@ func (d *DatabasesClient) Create(name, location, image, extensions, group string
 //     turso-server will perform validations on the file and 'activate' the db if everything is ok.
 func (d *DatabasesClient) UploadDatabaseAWS(resp *CreateDatabaseResponse, group string, uploadFilepath string, spinner *prompt.SpinnerT) (*CreateDatabaseResponse, error) {
 	// Create a short-lived DB token for the newly created database to facilitate the upload
-	token, err := d.Token(resp.Database.Name, "1h", false, nil)
+	token, err := d.Token(resp.Database.Name, "1h", false, nil, nil)
 	if err != nil {
 		return nil, fmt.Errorf("could not create database token: %w", err)
 	}
@@ -272,7 +273,7 @@ func (d *DatabasesClient) Export(dbName, dbUrl, outputFile string, withMetadata
 			return fmt.Errorf("file %s already exists, use `--overwrite` flag to overwrite it", outputFile)
 		}
 	}
-	token, err := d.Token(dbName, "1h", false, nil)
+	token, err := d.Token(dbName, "1h", false, nil, nil)
 	if err != nil {
 		return fmt.Errorf("could not create database token: %w", err)
 	}
@@ -336,17 +337,24 @@ func (d *DatabasesClient) UploadDump(dbFile *os.File) (string, error) {
 }
 
 type DatabaseTokenRequest struct {
-	Permissions *PermissionsClaim `json:"permissions,omitempty"`
+	Permissions            *PermissionsClaim              `json:"permissions,omitempty"`
+	FineGrainedPermissions []flags.FineGrainedPermissions `json:"fine_grained_permissions,omitempty"`
 }
 
-func (d *DatabasesClient) Token(database string, expiration string, readOnly bool, permissions *PermissionsClaim) (string, error) {
+func (d *DatabasesClient) Token(
+	database string,
+	expiration string,
+	readOnly bool,
+	permissions *PermissionsClaim,
+	fineGrainedPermissions []flags.FineGrainedPermissions,
+) (string, error) {
 	authorization := ""
 	if readOnly {
 		authorization = "&authorization=read-only"
 	}
 	url := d.URL(fmt.Sprintf("/%s/auth/tokens?expiration=%s%s", database, expiration, authorization))
 
-	req := DatabaseTokenRequest{permissions}
+	req := DatabaseTokenRequest{Permissions: permissions, FineGrainedPermissions: fineGrainedPermissions}
 	body, err := marshal(req)
 	if err != nil {
 		return "", fmt.Errorf("could not serialize request body: %w", err)