auth: rewrite terraform provider auth (#103)

Before this PR, the terraform provider
looks at your existing Docker credential
store, grabs your pull credentials, and uses
them to make API calls.

This works well in CI environments when you
have an OAT or username/password auth.

It works very poorly in Desktop environments.
Desktop generates a PAT that doesn't work
well for interacting with APIs.

To handle this case, we first try to check
if there's a Desktop JWT with a valid session.
If there is, we use the Desktop JWT for making
API calls. This works much better, particularly
for orgs that enforce SSO on Desktop.

Fixes #84

Signed-off-by: Nick Santos <[email protected]>

Author: nicks

.gitignore

@@ -3,4 +3,4 @@
 *.tfstate.backup
 
 # Store acceptance testing secrets in .env
-.env
+.env

internal/auth/config.go

@@ -0,0 +1,118 @@
+/*
+   Copyright 2024 Docker Terraform Provider authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/docker/cli/cli/config"
+	"github.com/docker/cli/cli/config/configfile"
+	"github.com/go-jose/go-jose/v3/jwt"
+)
+
+// ConfigStore wraps the  config file and provides credential access methods
+type ConfigStore struct {
+	configFile *configfile.ConfigFile
+}
+
+// NewConfigStore creates a new ConfigStore with the default  config file
+func NewConfigStore() *ConfigStore {
+	return &ConfigStore{
+		configFile: config.LoadDefaultConfigFile(os.Stderr),
+	}
+}
+
+// GetCredentialStorePullTokens retrieves the user credentials the the user is
+// using to pull. This may be a username/password, a PAT, or an OAT.
+func (c *ConfigStore) GetCredentialStorePullTokens(registryEntry string) (string, string, error) {
+	return c.readUserCreds(registryEntry)
+}
+
+// GetCredentialStoreAccessTokens retrieves the JWT that Desktop uses for API
+// sessions.
+func (c *ConfigStore) GetCredentialStoreAccessTokens(registryEntry string) (string, string, error) {
+	accessTokenKey := c.getAccessTokenConfigKey(registryEntry)
+	username, accessToken, err := c.readUserCreds(accessTokenKey)
+	if err == nil && accessToken != "" {
+		// Check if the accessToken is a valid JWT and not expired
+		if isJWTAcceptable(accessToken) {
+			return username, accessToken, nil
+		}
+	}
+
+	return "", "", fmt.Errorf("no valid JWT found for %s", registryEntry)
+}
+
+// readUserCreds reads user credentials from the config file for a given
+// registry entry
+func (c *ConfigStore) readUserCreds(registryEntry string) (string, string, error) {
+	authConfig, err := c.configFile.GetAuthConfig(registryEntry)
+	if err != nil {
+		return "", "", fmt.Errorf("get auth config: %w", err)
+	}
+	username := authConfig.Username
+	secret := authConfig.Password
+	if authConfig.IdentityToken != "" {
+		secret = authConfig.IdentityToken
+	}
+
+	return username, secret, nil
+}
+
+// getAccessTokenConfigKey generates the config key for access tokens
+// (used by Desktop)
+func (c *ConfigStore) getAccessTokenConfigKey(configKey string) string {
+	result := configKey
+	if !strings.HasSuffix(result, "/") {
+		result = result + "/"
+	}
+	return result + "access-token"
+}
+
+// Check if we think the JWT is still usable
+// and worth sending. Not used for security, just used
+// as a simple heuristic of which token is better.
+func isJWTAcceptable(token string) bool {
+	claims, err := getClaims(token)
+	if err != nil {
+		return false
+	}
+	if claims.Expiry == nil {
+		return false
+	}
+	expiry := claims.Expiry.Time()
+	return time.Now().Before(expiry)
+}
+
+// getClaims returns claims from an access token without verification.
+func getClaims(accessToken string) (*jwt.Claims, error) {
+	token, err := jwt.ParseSigned(accessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	var claims jwt.Claims
+	err = token.UnsafeClaimsWithoutVerification(&claims)
+	if err != nil {
+		return nil, err
+	}
+
+	return &claims, nil
+}

internal/auth/token.go

@@ -0,0 +1,188 @@
+/*
+   Copyright 2024 Docker Terraform Provider authors
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package auth
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+)
+
+// LoginTokenProvider uses static username/password to obtain tokens via login API
+// The name of this struct was specifically chosen
+// to troll iam-team :)
+type LoginTokenProvider struct {
+	username    string
+	password    string
+	baseURL     string
+	httpClient  *http.Client
+	token       string
+	tokenExpiry time.Time
+	mu          sync.Mutex
+}
+
+// NewLoginTokenProvider creates a token provider that uses username/password
+func NewLoginTokenProvider(username, password, baseURL string) *LoginTokenProvider {
+	return &LoginTokenProvider{
+		username:   username,
+		password:   password,
+		baseURL:    baseURL,
+		httpClient: http.DefaultClient,
+	}
+}
+
+// EnsureToken returns a cached token if valid, otherwise authenticates with
+// username/password to get a new token from the Docker Hub API.
+func (p *LoginTokenProvider) EnsureToken(ctx context.Context) (string, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	// Return cached token if still valid
+	if p.token != "" && time.Now().Before(p.tokenExpiry) {
+		return p.token, nil
+	}
+
+	// Request new token
+	auth := struct {
+		Identifier string `json:"identifier"`
+		Secret     string `json:"secret"`
+	}{
+		Identifier: p.username,
+		Secret:     p.password,
+	}
+
+	authJSON, err := json.Marshal(auth)
+	if err != nil {
+		return "", fmt.Errorf("marshal auth: %v", err)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", fmt.Sprintf("%s/auth/token", p.baseURL), bytes.NewBuffer(authJSON))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	res, err := p.httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("login request: %v", err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
+		return "", fmt.Errorf("login failed: %s", res.Status)
+	}
+
+	var tokenResponse struct {
+		AccessToken string `json:"access_token"`
+	}
+	if err := json.NewDecoder(res.Body).Decode(&tokenResponse); err != nil {
+		return "", fmt.Errorf("decode token response: %v", err)
+	}
+
+	// Parse token expiry
+	claims, err := getClaims(tokenResponse.AccessToken)
+	if err != nil {
+		return "", fmt.Errorf("parse token claims: %v", err)
+	}
+	if claims.Expiry == nil {
+		return "", fmt.Errorf("token does not contain expiry")
+	}
+
+	// Cache the token
+	p.token = tokenResponse.AccessToken
+	p.tokenExpiry = claims.Expiry.Time()
+
+	return p.token, nil
+}
+
+func (p *LoginTokenProvider) Username() string {
+	return p.username
+}
+
+// AccessTokenProvider uses access tokens directly from the credential store
+type AccessTokenProvider struct {
+	configKey      string
+	cachedUsername string
+	configStore    *ConfigStore
+	mu             sync.Mutex
+}
+
+// NewAccessTokenProvider creates a token provider that uses access tokens from the credential store
+func NewAccessTokenProvider(configStore *ConfigStore, configKey string) *AccessTokenProvider {
+	return &AccessTokenProvider{
+		configKey:   configKey,
+		configStore: configStore,
+	}
+}
+
+func (p *AccessTokenProvider) EnsureToken(ctx context.Context) (string, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	// Always get fresh access token from store (no caching for access tokens)
+	username, accessToken, err := p.configStore.GetCredentialStoreAccessTokens(p.configKey)
+	if err != nil {
+		return "", fmt.Errorf("get access token from store: %v", err)
+	}
+
+	// Cache username for display purposes
+	p.cachedUsername = username
+
+	return accessToken, nil
+}
+
+func (p *AccessTokenProvider) Username() string {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	return p.cachedUsername
+}
+
+// Helper methods for creating token providers
+
+// NewAccessTokenProviderFromStore creates an AccessTokenProvider from a ConfigStore
+// Returns error if no valid access token is available
+func NewAccessTokenProviderFromStore(configStore *ConfigStore, configKey string) (*AccessTokenProvider, error) {
+	// Test if we can get a valid access token
+	_, _, err := configStore.GetCredentialStoreAccessTokens(configKey)
+	if err != nil {
+		return nil, fmt.Errorf("no valid access token available: %v", err)
+	}
+
+	return NewAccessTokenProvider(configStore, configKey), nil
+}
+
+// NewLoginTokenProviderFromStore creates a LoginTokenProvider from pull credentials in the ConfigStore
+func NewLoginTokenProviderFromStore(configStore *ConfigStore, configKey, baseURL string) (*LoginTokenProvider, error) {
+	username, password, err := configStore.GetCredentialStorePullTokens(configKey)
+	if err != nil {
+		return nil, fmt.Errorf("no pull credentials available: %v", err)
+	}
+
+	if username == "" {
+		return nil, fmt.Errorf("empty username found in store")
+	}
+
+	if password == "" {
+		return nil, fmt.Errorf("empty password found in store")
+	}
+
+	return NewLoginTokenProvider(username, password, baseURL), nil
+}