Authenticate via Auth0-CLI

Author: duedares-rvj

docs/index.md

@@ -37,6 +37,7 @@ better alternative.
 
 - `api_token` (String) Your Auth0 [management api access token](https://auth0.com/docs/security/tokens/access-tokens/management-api-access-tokens). It can also be sourced from the `AUTH0_API_TOKEN` environment variable. It can be used instead of `client_id` + `client_secret`. If both are specified, `api_token` will be used over `client_id` + `client_secret` fields.
 - `audience` (String) Your Auth0 audience when using a custom domain. It can also be sourced from the `AUTH0_AUDIENCE` environment variable.
+- `cli_login` (Boolean) While toggled on, the API token gets fetched from the keyring for the given domain
 - `client_id` (String) Your Auth0 client ID. It can also be sourced from the `AUTH0_CLIENT_ID` environment variable.
 - `client_secret` (String) Your Auth0 client secret. It can also be sourced from the `AUTH0_CLIENT_SECRET` environment variable.
 - `debug` (Boolean) Enables HTTP request and response logging when TF_LOG=DEBUG is set. It can also be sourced from the `AUTH0_DEBUG` environment variable.

go.mod

@@ -14,10 +14,12 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.36.1
 	github.com/hashicorp/terraform-plugin-testing v1.12.0
 	github.com/stretchr/testify v1.10.0
+	github.com/zalando/go-keyring v0.2.6
 	gopkg.in/dnaeon/go-vcr.v3 v3.2.0
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Kunde21/markdownfmt/v3 v3.1.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -30,10 +32,12 @@ require (
 	github.com/bgentry/speakeasy v0.1.0 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect
 	github.com/cloudflare/circl v1.3.8 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/fatih/color v1.17.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/cli v1.1.7 // indirect

go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
@@ -40,6 +42,8 @@ github.com/cloudflare/circl v1.3.8 h1:j+V8jJt09PoeMFIu2uh5JUyEaIHTXVOHslFoLNAKqw
 github.com/cloudflare/circl v1.3.8/go.mod h1:PDRU+oXvdD7KCtgKxW95M5Z8BpSCJXQORiZFnBQS5QU=
 github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
 github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -67,6 +71,8 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -78,6 +84,8 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -214,6 +222,8 @@ github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -237,6 +247,8 @@ github.com/yuin/goldmark v1.7.7 h1:5m9rrB1sW3JUMToKFQfb+FGt1U7r57IHu5GrYrG2nqU=
 github.com/yuin/goldmark v1.7.7/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
 github.com/yuin/goldmark-meta v1.1.0 h1:pWw+JLHGZe8Rk0EGsMVssiNb/AaPMHfSRszZeUeiOUc=
 github.com/yuin/goldmark-meta v1.1.0/go.mod h1:U4spWENafuA7Zyg+Lj5RqK/MF+ovMYtBvXi1lBb2VP0=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
 github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=

internal/config/config.go

@@ -4,24 +4,33 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"regexp"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/PuerkitoBio/rehttp"
 	"github.com/auth0/go-auth0"
 	"github.com/auth0/go-auth0/management"
+	"github.com/auth0/terraform-provider-auth0/internal/mutex"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/meta"
-
-	"github.com/auth0/terraform-provider-auth0/internal/mutex"
+	"github.com/zalando/go-keyring"
 )
 
-const providerName = "Terraform-Provider-Auth0" // #nosec G101
+const providerName = "Terraform-Provider-Auth0"    // #nosec G101
+const secretAccessToken = "Auth0 CLI Access Token" // #nosec G101
+
+// Access tokens have no size limit, but should be smaller than (50*2048) bytes.
+// The max number of loops safeguards against infinite loops, however unlikely.
+const secretAccessTokenMaxChunks = 50
 
 var version = "dev"
 
@@ -55,23 +64,92 @@ func (c *Config) GetMutex() *mutex.KeyValue {
 // and passed into the subsequent resources as the meta parameter.
 func ConfigureProvider(terraformVersion *string) schema.ConfigureContextFunc {
 	return func(_ context.Context, data *schema.ResourceData) (interface{}, diag.Diagnostics) {
+		var apiToken string
 		domain := data.Get("domain").(string)
 		clientID := data.Get("client_id").(string)
 		clientSecret := data.Get("client_secret").(string)
-		apiToken := data.Get("api_token").(string)
+		apiToken = data.Get("api_token").(string)
 		audience := data.Get("audience").(string)
 		debug := data.Get("debug").(bool)
 		dynamicCredentials := data.Get("dynamic_credentials").(bool)
+		cliLogin := data.Get("cli_login").(bool)
+
+		switch {
+		case dynamicCredentials:
+			if domain == "" {
+				return nil, diag.Diagnostics{{
+					Severity: diag.Error,
+					Summary:  "Missing required configuration",
+					Detail:   "The 'AUTH0_DOMAIN' must be specified along with the 'AUTH0_DYNAMIC_CREDENTIALS'.",
+				}}
+			}
+		case cliLogin:
+			// Ensure domain is present.
+			if domain == "" {
+				return nil, diag.Diagnostics{{
+					Severity: diag.Error,
+					Summary:  "Missing required configuration",
+					Detail:   "The 'AUTH0_DOMAIN' must be specified along with the 'AUTH0_CLI_LOGIN'.",
+				}}
+			}
 
-		if !dynamicCredentials && apiToken == "" && (clientID == "" || clientSecret == "" || domain == "") {
-			return nil, diag.Diagnostics{
-				{
+			// Check for tempToken when cliLogin is enabled.
+			var tempToken string
+			for i := 0; i < secretAccessTokenMaxChunks; i++ {
+				a, err := keyring.Get(fmt.Sprintf("%s %d", secretAccessToken, i), domain)
+				if errors.Is(err, keyring.ErrNotFound) || err != nil {
+					break
+				}
+				tempToken += a
+			}
+
+			if tempToken == "" {
+				return nil, diag.Diagnostics{{
 					Severity: diag.Error,
-					Summary:  "Missing environment variables",
-					Detail: fmt.Sprintf("Either AUTH0_API_TOKEN or AUTH0_DOMAIN:AUTH0_CLIENT_ID:AUTH0_CLIENT_SECRET must be configured. " +
-						"Ref: https://registry.terraform.io/providers/auth0/auth0/latest/docs"),
-				},
+					Summary:  "Authentication required",
+					Detail:   "No CLI token found. Please log in using 'auth0 login' via auth0-cli or disable 'AUTH0_CLI_LOGIN'.",
+				}}
 			}
+
+			// Check if the token is expired.
+			if err := validateTokenExpiry(tempToken); err != nil {
+				return nil, diag.Diagnostics{{
+					Severity: diag.Error,
+					Summary:  "Token validation failed",
+					Detail:   err.Error(),
+				}}
+			}
+
+			// Set the apiToken to the tempToken.
+			apiToken = tempToken
+
+		case apiToken != "":
+			// Ensure domain is present.
+			if domain == "" {
+				return nil, diag.Diagnostics{{
+					Severity: diag.Error,
+					Summary:  "Missing required configuration",
+					Detail:   "The 'AUTH0_DOMAIN' must be specified along with the 'AUTH0_API_TOKEN'.",
+				}}
+			}
+
+		case clientID != "" && clientSecret != "":
+			// Ensure domain is present.
+			if domain == "" {
+				return nil, diag.Diagnostics{{
+					Severity: diag.Error,
+					Summary:  "Missing required configuration",
+					Detail:   "The 'AUTH0_DOMAIN' must be specified.",
+				}}
+			}
+
+		default:
+			return nil, diag.Diagnostics{{
+				Severity: diag.Error,
+				Summary:  "Missing environment variables",
+				Detail: "AUTH0_DOMAIN is required. Then, configure either AUTH0_API_TOKEN, " +
+					"or both AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET. Or enable CLI login with AUTH0_CLI_LOGIN=true",
+			}}
 		}
 
 		apiClient, err := management.New(domain,
@@ -90,6 +168,58 @@ func ConfigureProvider(terraformVersion *string) schema.ConfigureContextFunc {
 	}
 }
 
+func decodeSegment(seg string) ([]byte, error) {
+	// Add padding if necessary.
+	if l := len(seg) % 4; l > 0 {
+		seg += strings.Repeat("=", 4-l)
+	}
+	return base64.URLEncoding.DecodeString(seg)
+}
+
+func decodeJWT(token string) (map[string]interface{}, map[string]interface{}, error) {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return nil, nil, fmt.Errorf("invalid JWT format")
+	}
+
+	headerBytes, err := decodeSegment(parts[0])
+	if err != nil {
+		return nil, nil, fmt.Errorf("error decoding header: %w", err)
+	}
+	payloadBytes, err := decodeSegment(parts[1])
+	if err != nil {
+		return nil, nil, fmt.Errorf("error decoding payload: %w", err)
+	}
+
+	var header, payload map[string]interface{}
+	if err := json.Unmarshal(headerBytes, &header); err != nil {
+		return nil, nil, fmt.Errorf("error unmarshalling header: %w", err)
+	}
+	if err := json.Unmarshal(payloadBytes, &payload); err != nil {
+		return nil, nil, fmt.Errorf("error unmarshalling payload: %w", err)
+	}
+
+	return header, payload, nil
+}
+
+func validateTokenExpiry(tokenString string) error {
+	_, payload, err := decodeJWT(tokenString)
+	if err != nil {
+		return err
+	}
+
+	exp, ok := payload["exp"]
+	if !ok {
+		return fmt.Errorf("missing expiration: the token does not contain an expiration claim")
+	}
+
+	if time.Now().Unix() > exp.(int64) {
+		return fmt.Errorf("expired token: the stored auth0-cli token has expired. Please log in again")
+	}
+
+	return nil
+}
+
 // userAgent computes the desired User-Agent header for the *management.Management client.
 func userAgent(terraformVersion *string) string {
 	sdkVersion := auth0.Version

internal/config/config_test.go

@@ -49,15 +49,14 @@ func TestConfigureProvider(t *testing.T) {
 			expectedDiagnostics: nil,
 		},
 		{
-			name: "it returns an error when it can't initialize the api client",
-			givenTerraformConfig: map[string]interface{}{
-				"domain": "example.com:path",
-			},
+			name:                 "it returns an error when it can't initialize the api client",
+			givenTerraformConfig: map[string]interface{}{},
 			expectedDiagnostics: diag.Diagnostics{
 				diag.Diagnostic{
 					Severity: diag.Error,
 					Summary:  "Missing environment variables",
-					Detail:   "Either AUTH0_API_TOKEN or AUTH0_DOMAIN:AUTH0_CLIENT_ID:AUTH0_CLIENT_SECRET must be configured. Ref: https://registry.terraform.io/providers/auth0/auth0/latest/docs",
+					Detail: "AUTH0_DOMAIN is required. Then, configure either AUTH0_API_TOKEN, " +
+						"or both AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET. Or enable CLI login with AUTH0_CLI_LOGIN=true",
 				},
 			},
 		},

internal/provider/provider.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/auth0/terraform-provider-auth0/internal/auth0/form"
 
-	selfserviceprofile "github.com/auth0/terraform-provider-auth0/internal/auth0/selfserviceprofile"
+	"github.com/auth0/terraform-provider-auth0/internal/auth0/selfserviceprofile"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
@@ -110,6 +110,18 @@ func New() *schema.Provider {
 				Description: "Indicates whether credentials will be dynamically passed to the provider from" +
 					"other terraform resources.",
 			},
+			"cli_login": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				DefaultFunc: func() (interface{}, error) {
+					v := os.Getenv("AUTH0_CLI_LOGIN")
+					if v == "" {
+						return false, nil
+					}
+					return v == "1" || v == "true" || v == "on", nil
+				},
+				Description: "While toggled on, the API token gets fetched from the keyring for the given domain",
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"auth0_action":                           action.NewResource(),