feat: Support OAuth Client Credentials Grant [HEAD-873] (#4970)

PeterSchafer · web-flow · commit 63b7378e6c51 · 2024-01-02T11:39:07.000+01:00
* feat: Support OAuth Client Credentials Grant

* chore: improve help and remove obsolete test

* fix: adapt test expectation to new behaviour

* chore: added some basic oauth client cred tests

* chore: run formatter

* chore: remove test token to not interfer with other tests

* chore: cleanup after auth test

* fix: add missing return

* chore: use final GAF commit
diff --git a/cliv2/cmd/cliv2/main.go b/cliv2/cmd/cliv2/main.go
@@ -21,9 +21,6 @@ import (
 	"github.com/snyk/cli-extension-dep-graph/pkg/depgraph"
 	"github.com/snyk/cli-extension-iac-rules/iacrules"
 	"github.com/snyk/cli-extension-sbom/pkg/sbom"
-	"github.com/snyk/cli/cliv2/internal/cliv2"
-	"github.com/snyk/cli/cliv2/internal/constants"
-	"github.com/snyk/cli/cliv2/pkg/basic_workflows"
 	"github.com/snyk/container-cli/pkg/container"
 	"github.com/snyk/go-application-framework/pkg/analytics"
 	"github.com/snyk/go-application-framework/pkg/app"
@@ -37,6 +34,10 @@ import (
 	"github.com/snyk/go-httpauth/pkg/httpauth"
 	"github.com/snyk/snyk-iac-capture/pkg/capture"
 	snykls "github.com/snyk/snyk-ls/ls_extension"
+
+	"github.com/snyk/cli/cliv2/internal/cliv2"
+	"github.com/snyk/cli/cliv2/internal/constants"
+	"github.com/snyk/cli/cliv2/pkg/basic_workflows"
 )
 
 var internalOS string
@@ -227,7 +228,8 @@ func sendAnalytics(analytics analytics.Analytics, debugLogger *zerolog.Logger) {
 
 func help(_ *cobra.Command, args []string) error {
 	helpProvided = true
-	args = append(os.Args[1:], "--help")
+	args = utils.RemoveSimilar(os.Args[1:], "--") // remove all double dash arguments to avoid issues with the help command
+	args = append(args, "--help")
 	return defaultCmd(args)
 }
 
diff --git a/cliv2/go.mod b/cliv2/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/snyk/cli-extension-iac-rules v0.0.0-20230601153200-c572cfce46ce
 	github.com/snyk/cli-extension-sbom v0.0.0-20231123083311-52b1cecc1a7a
 	github.com/snyk/container-cli v0.0.0-20230920093251-fe865879a91f
-	github.com/snyk/go-application-framework v0.0.0-20231122083330-bbb0d2002b01
+	github.com/snyk/go-application-framework v0.0.0-20231222162659-c767e4a7440b
 	github.com/snyk/go-httpauth v0.0.0-20231117135515-eb445fea7530
 	github.com/snyk/snyk-iac-capture v0.6.5
 	github.com/snyk/snyk-ls v0.0.0-20231124091213-5a223c21e0aa
diff --git a/cliv2/go.sum b/cliv2/go.sum
@@ -255,8 +255,6 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cmars/go-application-framework v0.0.0-20231121235901-2a517c3dca80 h1:/ih3AkS+EPO51JoSgJCbS5D+5ErEEYQ5Kv3UDtBOhKU=
-github.com/cmars/go-application-framework v0.0.0-20231121235901-2a517c3dca80/go.mod h1:Yz/qxFyfhf0xbA+z8Vzr5IM9IDG+BS+2PiGaP1yAsEw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -667,10 +665,8 @@ github.com/snyk/cli-extension-sbom v0.0.0-20231123083311-52b1cecc1a7a h1:oRrk9bv
 github.com/snyk/cli-extension-sbom v0.0.0-20231123083311-52b1cecc1a7a/go.mod h1:IwRGWjRuNkY08O7NJb7u3JuQkroEB8Qi1MlASpZVu1Q=
 github.com/snyk/container-cli v0.0.0-20230920093251-fe865879a91f h1:ghajT5PEiLP8XNFIdc7Yn4Th74RH/9Q++dDOp6Cb9eo=
 github.com/snyk/container-cli v0.0.0-20230920093251-fe865879a91f/go.mod h1:38w+dcAQp9eG3P5t2eNS9eG0reut10AeJjLv5lJ5lpM=
-github.com/snyk/go-application-framework v0.0.0-20231121110922-9719383f0706 h1:z/g5P0kS7bedN07rNChlPEifKvAe9+hufGEEifPNcJg=
-github.com/snyk/go-application-framework v0.0.0-20231121110922-9719383f0706/go.mod h1:Yz/qxFyfhf0xbA+z8Vzr5IM9IDG+BS+2PiGaP1yAsEw=
-github.com/snyk/go-application-framework v0.0.0-20231122083330-bbb0d2002b01 h1:2WL20Lgh2YSifXNJ4zw3tZqX2Qa4CqM2C2m0+oWtKGw=
-github.com/snyk/go-application-framework v0.0.0-20231122083330-bbb0d2002b01/go.mod h1:Yz/qxFyfhf0xbA+z8Vzr5IM9IDG+BS+2PiGaP1yAsEw=
+github.com/snyk/go-application-framework v0.0.0-20231222162659-c767e4a7440b h1:NNiXGaKELaFmejlw5BOWf8dVThl8iisU9Yhx+FSUrL4=
+github.com/snyk/go-application-framework v0.0.0-20231222162659-c767e4a7440b/go.mod h1:Yz/qxFyfhf0xbA+z8Vzr5IM9IDG+BS+2PiGaP1yAsEw=
 github.com/snyk/go-httpauth v0.0.0-20231117135515-eb445fea7530 h1:s9PHNkL6ueYRiAKNfd8OVxlUOqU3qY0VDbgCD1f6WQY=
 github.com/snyk/go-httpauth v0.0.0-20231117135515-eb445fea7530/go.mod h1:88KbbvGYlmLgee4OcQ19yr0bNpXpOr2kciOthaSzCAg=
 github.com/snyk/policy-engine v0.22.0 h1:od9pduGrXyfWO791X+8M1qmnvWUxaIXh0gBzGKqeseA=
diff --git a/test/acceptance/fake-server.ts b/test/acceptance/fake-server.ts
@@ -577,6 +577,19 @@ export const fakeServer = (basePath: string, snykToken: string): FakeServer => {
     },
   );
 
+  app.post(basePath.replace('/v1', '') + '/oauth2/token', (req, res) => {
+    const fake_oauth_token =
+      '{"access_token":"access_token_value","token_type":"b","expiry":"3023-12-20T08:49:15.504539Z"}';
+
+    // client credentials grant: expecting client id = a and client secret = b
+    if (req.headers.authorization?.includes('Basic YTpi')) {
+      res.status(200).send(fake_oauth_token);
+      return;
+    }
+
+    res.status(401).send({});
+  });
+
   const listenPromise = (port: string | number) => {
     return new Promise<void>((resolve) => {
       server = http.createServer(app).listen(Number(port), resolve);
diff --git a/test/jest/acceptance/auth.spec.ts b/test/jest/acceptance/auth.spec.ts
@@ -0,0 +1,55 @@
+import { fakeServer } from '../../acceptance/fake-server';
+import { runSnykCLI } from '../util/runSnykCLI';
+
+jest.setTimeout(1000 * 60);
+
+describe('Auth', () => {
+  let server: ReturnType<typeof fakeServer>;
+  let env: Record<string, string>;
+
+  beforeAll((done) => {
+    const apiPath = '/api/v1';
+    const apiPort = process.env.PORT || process.env.SNYK_PORT || '12345';
+    env = {
+      ...process.env,
+      SNYK_API: 'http://localhost:' + apiPort + apiPath,
+      SNYK_DISABLE_ANALYTICS: '1',
+    };
+
+    server = fakeServer(apiPath, env.SNYK_TOKEN);
+    server.listen(apiPort, () => done());
+  });
+
+  afterEach(() => {
+    server.restore();
+  });
+
+  afterAll((done) => {
+    server.close(() => done());
+  });
+
+  it('successfully uses oauth client credentials grant to authenticate', async () => {
+    const { code } = await runSnykCLI(
+      `auth --auth-type=oauth --client-id a --client-secret b`,
+      {
+        env,
+      },
+    );
+    expect(code).toEqual(0);
+
+    // delete test token
+    await runSnykCLI(`config unset INTERNAL_OAUTH_TOKEN_STORAGE`, {
+      env,
+    });
+  });
+
+  it('fails to us oauth client credentials grant to authenticate', async () => {
+    const { code } = await runSnykCLI(
+      `auth --auth-type=oauth --client-id wrong --client-secret b`,
+      {
+        env,
+      },
+    );
+    expect(code).toEqual(2);
+  });
+});
diff --git a/test/jest/acceptance/cli-args.spec.ts b/test/jest/acceptance/cli-args.spec.ts
@@ -245,9 +245,7 @@ describe('cli args', () => {
   });
 
   [
-    'auth',
     'config',
-    'help',
     'ignore',
     'modules',
     'monitor',

Original file line number	Diff line number	Diff line change
`@@ -245,9 +245,7 @@ describe('cli args', () => {`
`245`	`245`	`});`
`246`	`246`
`247`	`247`	`[`
`248`		`- 'auth',`
`249`	`248`	`'config',`
`250`		`- 'help',`
`251`	`249`	`'ignore',`
`252`	`250`	`'modules',`
`253`	`251`	`'monitor',`