feat: add management api for client credentials (#329)

Author: ltucker

diode-server/auth/errors.go

@@ -0,0 +1,19 @@
+package auth
+
+// Error auth service error
+type Error struct {
+	Message    string `json:"message"`
+	StatusCode int    `json:"status_code"`
+}
+
+func (e *Error) Error() string {
+	return e.Message
+}
+
+// NewAuthError creates a new auth service error
+func NewAuthError(message string, statusCode int) *Error {
+	return &Error{
+		Message:    message,
+		StatusCode: statusCode,
+	}
+}

diode-server/auth/manager.go

@@ -4,18 +4,28 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"strings"
+
+	"github.com/gosimple/slug"
 )
 
 // ClientInfo is a struct that contains information about a client.
 type ClientInfo struct {
 	ClientID     string `json:"client_id"`
 	Scope        string `json:"scope"`
 	ClientSecret string `json:"client_secret,omitempty"`
+	Owner        string `json:"owner,omitempty"`
+	ClientName   string `json:"client_name,omitempty"`
+	CreatedAt    string `json:"created_at,omitempty"`
 }
 
 // RetrieveClientsRequest is a struct that contains information about a request to retrieve clients.
 type RetrieveClientsRequest struct {
+	Owner     string
 	PageToken string
+	PageSize  int
 }
 
 // RetrieveClientsResponse reponse struct for listing clients
@@ -44,3 +54,21 @@ func GenerateClientSecret() (string, error) {
 	}
 	return base64.StdEncoding.EncodeToString(secret), nil
 }
+
+// GenerateClientID generates a ClientID for a client.
+func GenerateClientID(clientInfo ClientInfo) (string, error) {
+	clientSlug := slug.Make(clientInfo.ClientName)
+	if len(clientSlug) > 15 {
+		clientSlug = clientSlug[:15]
+	}
+	clientSlug = strings.Trim(clientSlug, "-")
+
+	// generate a random 64 bit identifier
+	randomID := make([]byte, 8)
+	if _, err := rand.Read(randomID); err != nil {
+		return "", err
+	}
+	randomIDStr := hex.EncodeToString(randomID)
+
+	return fmt.Sprintf("%s-%s", clientSlug, randomIDStr), nil
+}

diode-server/auth/manager_hydra.go

@@ -7,10 +7,18 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	hydra "github.com/ory/hydra-client-go/v2"
 )
 
+const (
+	hydraAuthMethodClientSecretPost = "client_secret_post"
+	hydraGrantTypeClientCredentials = "client_credentials"
+	hydraResponseTypeToken          = "token"
+	hydraClientFormatJSON           = "json"
+)
+
 // HydraClientManager is a ClientManager for a hydra server
 type HydraClientManager struct {
 	hydraAdmin *hydra.APIClient
@@ -34,14 +42,23 @@ func NewHydraClientManager(adminURL string, logger *slog.Logger) *HydraClientMan
 
 // CreateClient creates a new client
 func (h *HydraClientManager) CreateClient(ctx context.Context, clientInfo ClientInfo) (ClientInfo, error) {
+	authMethod := hydraAuthMethodClientSecretPost
 	newClient := hydra.OAuth2Client{
-		ClientId:   &clientInfo.ClientID,
-		Scope:      &clientInfo.Scope,
-		GrantTypes: []string{"client_credentials"},
+		ClientId:                &clientInfo.ClientID,
+		Scope:                   &clientInfo.Scope,
+		GrantTypes:              []string{hydraGrantTypeClientCredentials},
+		TokenEndpointAuthMethod: &authMethod,
+		ResponseTypes:           []string{hydraResponseTypeToken},
 	}
 	if clientInfo.ClientSecret != "" {
 		newClient.ClientSecret = &clientInfo.ClientSecret
 	}
+	if clientInfo.Owner != "" {
+		newClient.Owner = &clientInfo.Owner
+	}
+	if clientInfo.ClientName != "" {
+		newClient.ClientName = &clientInfo.ClientName
+	}
 
 	createdClient, response, err := h.hydraAdmin.OAuth2API.CreateOAuth2Client(ctx).OAuth2Client(newClient).Execute()
 	if response != nil {
@@ -51,13 +68,13 @@ func (h *HydraClientManager) CreateClient(ctx context.Context, clientInfo Client
 			}
 		}()
 		if response.StatusCode == 409 {
-			return ClientInfo{}, fmt.Errorf("failed to create client: client with id %s already exists", *newClient.ClientId)
+			return ClientInfo{}, NewAuthError(fmt.Sprintf("failed to create client: client with id %s already exists", *newClient.ClientId), http.StatusConflict)
 		}
 		if response.StatusCode == 400 {
-			return ClientInfo{}, fmt.Errorf("failed to create client: invalid request")
+			return ClientInfo{}, NewAuthError("failed to create client: invalid request", http.StatusBadRequest)
 		}
 		if response.StatusCode != 201 {
-			return ClientInfo{}, fmt.Errorf("failed to create client: status=%s", response.Status)
+			return ClientInfo{}, NewAuthError("failed to create client", response.StatusCode)
 		}
 	}
 	// these can be confusing and related to internal client failures, so handled after http status codes
@@ -78,10 +95,10 @@ func (h *HydraClientManager) DeleteClientByID(ctx context.Context, clientID stri
 			}
 		}()
 		if response.StatusCode == 404 {
-			return fmt.Errorf("client %s not found", clientID)
+			return NewAuthError(fmt.Sprintf("client %s not found", clientID), http.StatusNotFound)
 		}
 		if response.StatusCode != 204 {
-			return fmt.Errorf("failed to delete client from hydra: status=%s", response.Status)
+			return NewAuthError("failed to delete client from hydra", response.StatusCode)
 		}
 	}
 	// these can be confusing and related to internal client failures, so handled after http status codes
@@ -102,10 +119,10 @@ func (h *HydraClientManager) RetrieveClientByID(ctx context.Context, clientID st
 			}
 		}()
 		if response.StatusCode == 404 {
-			return ClientInfo{}, fmt.Errorf("client %s not found", clientID)
+			return ClientInfo{}, NewAuthError(fmt.Sprintf("client %s not found", clientID), http.StatusNotFound)
 		}
 		if response.StatusCode != 200 {
-			return ClientInfo{}, fmt.Errorf("failed to retrieve client: status=%s", response.Status)
+			return ClientInfo{}, NewAuthError("failed to retrieve client", response.StatusCode)
 		}
 	}
 	// these tend to be confusing and related to internal client failures, so handled after http status codes
@@ -120,15 +137,26 @@ func (h *HydraClientManager) RetrieveClientByID(ctx context.Context, clientID st
 func (h *HydraClientManager) RetrieveClients(ctx context.Context, q RetrieveClientsRequest) (RetrieveClientsResponse, error) {
 	var out RetrieveClientsResponse
 
-	clients, response, err := h.hydraAdmin.OAuth2API.ListOAuth2Clients(ctx).PageToken(q.PageToken).Execute()
+	req := h.hydraAdmin.OAuth2API.ListOAuth2Clients(ctx)
+	if q.Owner != "" {
+		req = req.Owner(q.Owner)
+	}
+	if q.PageToken != "" {
+		req = req.PageToken(q.PageToken)
+	}
+	if q.PageSize > 0 {
+		req = req.PageSize(int64(q.PageSize))
+	}
+
+	clients, response, err := req.Execute()
 	if response != nil {
 		defer func() {
 			if err := response.Body.Close(); err != nil {
 				h.logger.Error("failed to close response body", "error", err)
 			}
 		}()
 		if response.StatusCode != 200 {
-			return out, fmt.Errorf("failed to retrieve clients: status=%s", response.Status)
+			return out, NewAuthError("failed to retrieve clients", response.StatusCode)
 		}
 	}
 	if err != nil {
@@ -150,43 +178,62 @@ func clientInfoFromHydraClient(client *hydra.OAuth2Client) ClientInfo {
 	if client == nil {
 		return clientInfo
 	}
-
 	if client.ClientId != nil {
 		clientInfo.ClientID = *client.ClientId
 	}
 	if client.Scope != nil {
 		clientInfo.Scope = *client.Scope
 	}
-
+	if client.Owner != nil {
+		clientInfo.Owner = *client.Owner
+	}
+	if client.ClientName != nil {
+		clientInfo.ClientName = *client.ClientName
+	}
+	if client.CreatedAt != nil {
+		clientInfo.CreatedAt = client.CreatedAt.Format(time.RFC3339)
+	}
+	if client.ClientSecret != nil {
+		clientInfo.ClientSecret = *client.ClientSecret
+	}
 	return clientInfo
 }
 
 func getHydraNextPageToken(response *http.Response, logger *slog.Logger) string {
 	for _, linkHeader := range response.Header.Values("Link") {
-		params := strings.Split(linkHeader, ";")
-		link := params[0]
-		params = params[1:]
-		// search for rel="next"
-		for _, param := range params {
-			vs := strings.Split(param, "=")
-			if len(vs) != 2 {
+		links := strings.Split(linkHeader, ",")
+		for _, link := range links {
+			params := strings.Split(link, ";")
+			if len(params) < 2 {
 				continue
 			}
-			k, v := strings.TrimSpace(vs[0]), strings.TrimSpace(vs[1])
-			if k == "rel" && (v == "next" || v == "\"next\"") {
-				parsedURL, err := url.Parse(link)
-				if err != nil {
-					logger.Warn("failed to parse url in rel=next link", "error", err, "link", linkHeader)
-					return ""
+			link := params[0]
+			params = params[1:]
+			// search for rel="next"
+			for _, param := range params {
+				vs := strings.Split(param, "=")
+				if len(vs) != 2 {
+					continue
 				}
-				queryParams := parsedURL.Query()
-				for key, values := range queryParams {
-					if key == "page_token" {
-						return values[0]
+				k, v := strings.TrimSpace(vs[0]), strings.TrimSpace(vs[1])
+				if k == "rel" && (v == "next" || v == "\"next\"") {
+					link = strings.TrimPrefix(link, "<")
+					link = strings.TrimSuffix(link, ">")
+					parsedURL, err := url.Parse(link)
+					if err != nil {
+						logger.Warn("failed to parse url in rel=next link", "error", err, "link", linkHeader)
+						return ""
 					}
+					queryParams := parsedURL.Query()
+					for key, values := range queryParams {
+						if key == "page_token" {
+							logger.Info("found next page token", "token", values[0])
+							return values[0]
+						}
+					}
+					logger.Warn("failed to find next page token in rel=next url", "link", linkHeader)
+					return ""
 				}
-				logger.Warn("failed to find next page token in rel=next url", "link", linkHeader)
-				return ""
 			}
 		}
 	}

diode-server/auth/manager_hydra_integration_test.go

@@ -17,9 +17,14 @@ import (
 	"github.com/netboxlabs/diode/diode-server/auth"
 )
 
-type logDumpConsumer struct{}
+type logDumpConsumer struct {
+	enabled bool
+}
 
 func (c *logDumpConsumer) Accept(log testcontainers.Log) {
+	if !c.enabled {
+		return
+	}
 	fmt.Printf("HYDRA LOG: %s\n", string(log.Content))
 }
 
@@ -58,7 +63,6 @@ func TestHydraClientManager(t *testing.T) {
 	authEndpoint, err := hydraC.Endpoint(ctx, "")
 	require.NoError(t, err)
 	authEndpoint = fmt.Sprintf("http://%s", authEndpoint)
-	fmt.Printf("HYDRA ENDPOINT: %s\n", authEndpoint)
 	manager = auth.NewHydraClientManager(authEndpoint, logger)
 
 	// no client initially
@@ -75,7 +79,7 @@ func TestHydraClientManager(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, createdClient)
 	require.Equal(t, "diode-test-client-1", createdClient.ClientID)
-	require.Equal(t, "", createdClient.ClientSecret)
+	require.Equal(t, "secret-material", createdClient.ClientSecret)
 	require.Equal(t, "test:diode:1 test:diode:2", createdClient.Scope)
 
 	// fetch the client by id