feat: store credentials per-domain

Use the configured OIDC domain instead of bogus "oidc_domain" string

Signed-off-by: Roman Volosatovs <[email protected]>

Author: rvolosatovs

src/cli/package/info.rs

@@ -7,12 +7,15 @@ use std::ffi::OsString;
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
+use oauth2::url::Url;
 
 /// Retrieve information about a published package.
 #[derive(Args, Debug)]
 pub struct Options {
     #[clap(long, env = "ENARX_CA_BUNDLE")]
     ca_bundle: Option<Utf8PathBuf>,
+    #[clap(long, default_value = "https://auth.profian.com/")]
+    oidc_domain: Url,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
     #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
@@ -24,6 +27,7 @@ impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let cl = client(
             &self.spec.host,
+            &self.oidc_domain,
             &self.insecure_auth_token,
             &self.ca_bundle,
             &self.credential_helper,

src/cli/package/publish.rs

@@ -7,12 +7,15 @@ use std::ffi::OsString;
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
+use oauth2::url::Url;
 
 /// Publish a new package.
 #[derive(Args, Debug)]
 pub struct Options {
     #[clap(long, env = "ENARX_CA_BUNDLE")]
     ca_bundle: Option<Utf8PathBuf>,
+    #[clap(long, default_value = "https://auth.profian.com/")]
+    oidc_domain: Url,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
     #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
@@ -25,6 +28,7 @@ impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let cl = client(
             &self.spec.host,
+            &self.oidc_domain,
             &self.insecure_auth_token,
             &self.ca_bundle,
             &self.credential_helper,

src/cli/repo/info.rs

@@ -8,6 +8,7 @@ use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
 use drawbridge_client::types::{RepositoryConfig, TagName};
+use oauth2::url::Url;
 use serde::Serialize;
 
 #[derive(Serialize)]
@@ -21,6 +22,8 @@ struct RepoInfo {
 pub struct Options {
     #[clap(long, env = "ENARX_CA_BUNDLE")]
     ca_bundle: Option<Utf8PathBuf>,
+    #[clap(long, default_value = "https://auth.profian.com/")]
+    oidc_domain: Url,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
     #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
@@ -32,6 +35,7 @@ impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let cl = client(
             &self.spec.host,
+            &self.oidc_domain,
             &self.insecure_auth_token,
             &self.ca_bundle,
             &self.credential_helper,

src/cli/repo/register.rs

@@ -8,12 +8,15 @@ use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
 use drawbridge_client::types::RepositoryConfig;
+use oauth2::url::Url;
 
 /// Register a new repository.
 #[derive(Args, Debug)]
 pub struct Options {
     #[clap(long, env = "ENARX_CA_BUNDLE")]
     ca_bundle: Option<Utf8PathBuf>,
+    #[clap(long, default_value = "https://auth.profian.com/")]
+    oidc_domain: Url,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
     #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
@@ -25,6 +28,7 @@ impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let cl = client(
             &self.spec.host,
+            &self.oidc_domain,
             &self.insecure_auth_token,
             &self.ca_bundle,
             &self.credential_helper,

src/cli/user/info.rs

@@ -7,12 +7,15 @@ use std::ffi::OsString;
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
+use oauth2::url::Url;
 
 /// Retrieve information about a user account on an Enarx package host.
 #[derive(Args, Debug)]
 pub struct Options {
     #[clap(long, env = "ENARX_CA_BUNDLE")]
     ca_bundle: Option<Utf8PathBuf>,
+    #[clap(long, default_value = "https://auth.profian.com/")]
+    oidc_domain: Url,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
     #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
@@ -24,6 +27,7 @@ impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let cl = client(
             &self.spec.host,
+            &self.oidc_domain,
             &self.insecure_auth_token,
             &self.ca_bundle,
             &self.credential_helper,

src/cli/user/register.rs

@@ -42,13 +42,14 @@ impl Options {
         } = self;
 
         // If we don't find a token saved locally, initiate an interactive login
-        let token = match get_token(insecure_auth_token, credential_helper) {
+        let token = match get_token(oidc_domain, insecure_auth_token, credential_helper) {
             Ok(token) => token,
             _ => login(oidc_domain, oidc_client_id.clone(), credential_helper)?,
         };
 
         let cl = client(
             &spec.host,
+            oidc_domain,
             &Some(token.clone()),
             ca_bundle,
             credential_helper,

src/drawbridge.rs

@@ -9,7 +9,7 @@ use std::str::FromStr;
 use std::thread::spawn;
 use std::time::Duration;
 
-use anyhow::{bail, Context};
+use anyhow::{anyhow, bail, Context};
 use camino::Utf8PathBuf;
 use drawbridge_client::types::{RepositoryContext, TagContext, UserContext};
 use drawbridge_client::Client;
@@ -100,14 +100,20 @@ fn parse_user(slug: &str) -> (String, &str) {
 }
 
 pub fn get_token(
+    oidc_domain: &impl Borrow<Url>,
     provided_token: &Option<impl AsRef<str>>,
     helper: &Option<impl AsRef<OsStr>>,
 ) -> anyhow::Result<String> {
+    let oidc_domain = oidc_domain
+        .borrow()
+        .host_str()
+        .ok_or_else(|| anyhow!("invalid OpenID Connect domain"))?;
     if let Some(token) = provided_token {
         Ok(token.as_ref().into())
     } else if let Some(helper) = helper {
         let output = Command::new(helper)
             .arg("show")
+            .arg(oidc_domain)
             .output()
             .context("Failed to execute credential helper")?;
         stderr()
@@ -121,19 +127,20 @@ pub fn get_token(
             bail!("Credential helper was killed")
         }
     } else {
-        keyring::Entry::new("enarx", "oidc_domain")
+        keyring::Entry::new("enarx", oidc_domain)
             .get_password()
             .context("Failed to read credentials from keyring")
     }
 }
 
 pub fn client(
     host: &str,
+    oidc_domain: &impl Borrow<Url>,
     insecure_token: &Option<String>,
     ca_bundle: &Option<Utf8PathBuf>,
     helper: &Option<impl AsRef<OsStr>>,
 ) -> anyhow::Result<Client> {
-    let token = get_token(insecure_token, helper)?;
+    let token = get_token(oidc_domain, insecure_token, helper)?;
 
     let url = format!("https://{host}");
 
@@ -215,11 +222,16 @@ pub fn login(
         .context("Failed to exchange device code for a token")?;
 
     // TODO: graceful timeout, so that users are not forced to Ctrl+C if the server errors
+    let oidc_domain = oidc_domain
+        .borrow()
+        .host_str()
+        .ok_or_else(|| anyhow!("invalid OpenID Connect domain"))?;
     let secret = res.access_token().secret();
     if let Some(helper) = helper {
         let mut helper = Command::new(helper)
             .stdin(Stdio::piped())
             .arg("insert")
+            .arg(oidc_domain)
             .spawn()
             .context("Failed to spawn credential helper command")?;
         let mut stdin = helper.stdin.take().context("Failed to open stdin")?;
@@ -242,7 +254,7 @@ pub fn login(
             }
         }
     } else {
-        keyring::Entry::new("enarx", "oidc_domain")
+        keyring::Entry::new("enarx", oidc_domain)
             .set_password(secret)
             .context("Failed to save user credentials")?;
     }