feat: support custom credential helpers

Signed-off-by: Roman Volosatovs <[email protected]>

Author: rvolosatovs

src/cli/package/info.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, TagSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -13,12 +15,19 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     spec: TagSpec,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
-        let cl = client(self.spec.host, self.insecure_auth_token, self.ca_bundle)?;
+        let cl = client(
+            &self.spec.host,
+            &self.insecure_auth_token,
+            &self.ca_bundle,
+            &self.credential_helper,
+        )?;
         let tag = cl.tag(&self.spec.ctx);
         let tag_entry = tag
             .get()

src/cli/package/publish.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, TagSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -13,13 +15,20 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     spec: TagSpec,
     path: Utf8PathBuf,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
-        let cl = client(self.spec.host, self.insecure_auth_token, self.ca_bundle)?;
+        let cl = client(
+            &self.spec.host,
+            &self.insecure_auth_token,
+            &self.ca_bundle,
+            &self.credential_helper,
+        )?;
         let tag = cl.tag(&self.spec.ctx);
         let (_tag_created, _tree_created) = tag
             .create_from_path_unsigned(self.path)

src/cli/repo/info.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, RepoSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -21,12 +23,19 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     spec: RepoSpec,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
-        let cl = client(self.spec.host, self.insecure_auth_token, self.ca_bundle)?;
+        let cl = client(
+            &self.spec.host,
+            &self.insecure_auth_token,
+            &self.ca_bundle,
+            &self.credential_helper,
+        )?;
         let repo = cl.repository(&self.spec.ctx);
         let config = repo
             .get()

src/cli/repo/register.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, RepoSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -14,12 +16,19 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     spec: RepoSpec,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
-        let cl = client(self.spec.host, self.insecure_auth_token, self.ca_bundle)?;
+        let cl = client(
+            &self.spec.host,
+            &self.insecure_auth_token,
+            &self.ca_bundle,
+            &self.credential_helper,
+        )?;
         let repo = cl.repository(&self.spec.ctx);
         let repo_config = RepositoryConfig {
             // TODO: support deploying from private repos

src/cli/user/info.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, UserSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -13,12 +15,19 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     spec: UserSpec,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
-        let cl = client(self.spec.host, self.insecure_auth_token, self.ca_bundle)?;
+        let cl = client(
+            &self.spec.host,
+            &self.insecure_auth_token,
+            &self.ca_bundle,
+            &self.credential_helper,
+        )?;
         let user = cl.user(&self.spec.ctx);
         let record = user
             .get()

src/cli/user/login.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::login;
 
+use std::ffi::OsString;
+
 use clap::Args;
 use oauth2::url::Url;
 
@@ -12,16 +14,19 @@ pub struct Options {
     oidc_domain: Url,
     #[clap(long, default_value = "4NuaJxkQv8EZBeJKE56R57gKJbxrTLG2")]
     oidc_client_id: String,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
 }
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
         let Self {
-            oidc_domain,
+            ref oidc_domain,
             oidc_client_id,
+            ref credential_helper,
         } = self;
 
-        login(oidc_domain, oidc_client_id)?;
+        login(oidc_domain, oidc_client_id, credential_helper)?;
 
         println!("Login successful.");
 

src/cli/user/register.rs

@@ -2,6 +2,8 @@
 
 use crate::drawbridge::{client, get_token, login, UserSpec};
 
+use std::ffi::OsString;
+
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use clap::Args;
@@ -19,6 +21,8 @@ pub struct Options {
     ca_bundle: Option<Utf8PathBuf>,
     #[clap(long, env = "ENARX_INSECURE_AUTH_TOKEN")]
     insecure_auth_token: Option<String>,
+    #[clap(long, env = "ENARX_CREDENTIAL_HELPER")]
+    credential_helper: Option<OsString>,
     #[clap(long, default_value = "https://auth.profian.com/")]
     oidc_domain: Url,
     #[clap(long, default_value = "4NuaJxkQv8EZBeJKE56R57gKJbxrTLG2")]
@@ -28,25 +32,38 @@ pub struct Options {
 
 impl Options {
     pub fn execute(self) -> anyhow::Result<()> {
+        let Self {
+            ref ca_bundle,
+            ref insecure_auth_token,
+            ref oidc_domain,
+            oidc_client_id,
+            ref spec,
+            ref credential_helper,
+        } = self;
+
         // If we don't find a token saved locally, initiate an interactive login
-        let token = match get_token(self.insecure_auth_token.clone()) {
+        let token = match get_token(insecure_auth_token, credential_helper) {
             Ok(token) => token,
-            _ => login(self.oidc_domain.clone(), self.oidc_client_id.clone())?,
+            _ => login(oidc_domain, oidc_client_id.clone(), credential_helper)?,
         };
 
-        let cl = client(self.spec.host, Some(token.clone()), self.ca_bundle)?;
-        let user = cl.user(&self.spec.ctx);
+        let cl = client(
+            &spec.host,
+            &Some(token.clone()),
+            ca_bundle,
+            credential_helper,
+        )?;
+        let user = cl.user(&spec.ctx);
 
         let provider_metadata = CoreProviderMetadata::discover(
-            &IssuerUrl::new(self.oidc_domain.to_string())
-                .context("Failed to construct issuer URL")?,
+            &IssuerUrl::new(oidc_domain.to_string()).context("Failed to construct issuer URL")?,
             http_client,
         )
         .context("Failed to discover provider metadata")?;
 
         let oidc_client = CoreClient::from_provider_metadata(
             provider_metadata,
-            ClientId::new(self.oidc_client_id),
+            ClientId::new(oidc_client_id),
             None,
         )
         .set_auth_type(AuthType::RequestBody);

src/drawbridge.rs

@@ -1,10 +1,15 @@
 // SPDX-License-Identifier: Apache-2.0
 
+use std::borrow::Borrow;
+use std::ffi::OsStr;
 use std::fs::File;
+use std::io::{stderr, Write};
+use std::process::{Command, Stdio};
 use std::str::FromStr;
+use std::thread::spawn;
 use std::time::Duration;
 
-use anyhow::Context;
+use anyhow::{bail, Context};
 use camino::Utf8PathBuf;
 use drawbridge_client::types::{RepositoryContext, TagContext, UserContext};
 use drawbridge_client::Client;
@@ -94,23 +99,41 @@ fn parse_user(slug: &str) -> (String, &str) {
     (host.to_string(), user)
 }
 
-pub fn get_token(provided_token: Option<String>) -> anyhow::Result<String> {
-    let token = match provided_token {
-        Some(token) => token,
-        None => keyring::Entry::new("enarx", "oidc_domain")
+pub fn get_token(
+    provided_token: &Option<impl AsRef<str>>,
+    helper: &Option<impl AsRef<OsStr>>,
+) -> anyhow::Result<String> {
+    if let Some(token) = provided_token {
+        Ok(token.as_ref().into())
+    } else if let Some(helper) = helper {
+        let output = Command::new(helper)
+            .arg("show")
+            .output()
+            .context("Failed to execute credential helper")?;
+        stderr()
+            .write_all(&output.stderr)
+            .context("Failed to write stderr")?;
+        if output.status.success() {
+            String::from_utf8(output.stdout).context("Credential helper stdout is not valid UTF-8")
+        } else if let Some(code) = output.status.code() {
+            bail!("Credential helper failed with exit code {code}")
+        } else {
+            bail!("Credential helper was killed")
+        }
+    } else {
+        keyring::Entry::new("enarx", "oidc_domain")
             .get_password()
-            .context("Failed to read credentials from keyring")?,
-    };
-
-    Ok(token)
+            .context("Failed to read credentials from keyring")
+    }
 }
 
 pub fn client(
-    host: String,
-    insecure_token: Option<String>,
-    ca_bundle: Option<Utf8PathBuf>,
+    host: &str,
+    insecure_token: &Option<String>,
+    ca_bundle: &Option<Utf8PathBuf>,
+    helper: &Option<impl AsRef<OsStr>>,
 ) -> anyhow::Result<Client> {
-    let token = get_token(insecure_token)?;
+    let token = get_token(insecure_token, helper)?;
 
     let url = format!("https://{host}");
 
@@ -147,7 +170,12 @@ pub fn client(
     Ok(cl)
 }
 
-pub fn login(oidc_domain: Url, oidc_client_id: String) -> anyhow::Result<String> {
+pub fn login(
+    oidc_domain: &impl Borrow<Url>,
+    oidc_client_id: String,
+    helper: &Option<impl AsRef<OsStr>>,
+) -> anyhow::Result<String> {
+    let oidc_domain = oidc_domain.borrow();
     let dev_auth_url = DeviceAuthorizationUrl::new(format!("{oidc_domain}oauth/device/code"))
         .context("Failed to construct device authorization URL")?;
     let auth_url = AuthUrl::new(format!("{oidc_domain}authorize"))
@@ -188,9 +216,36 @@ pub fn login(oidc_domain: Url, oidc_client_id: String) -> anyhow::Result<String>
 
     // TODO: graceful timeout, so that users are not forced to Ctrl+C if the server errors
     let secret = res.access_token().secret();
-    keyring::Entry::new("enarx", "oidc_domain")
-        .set_password(secret)
-        .context("Failed to save user credentials")?;
+    if let Some(helper) = helper {
+        let mut helper = Command::new(helper)
+            .stdin(Stdio::piped())
+            .arg("insert")
+            .spawn()
+            .context("Failed to spawn credential helper command")?;
+        let mut stdin = helper.stdin.take().context("Failed to open stdin")?;
+        let secret = secret.clone();
+        spawn(move || {
+            stdin
+                .write_all(secret.as_bytes())
+                .context("Failed to write secret to credential helper stdin")
+        })
+        .join()
+        .expect("Failed to join stdin pipe thread")?;
+        let output = helper
+            .wait()
+            .context("Failed to wait for credential helper to exit")?;
+        if !output.success() {
+            if let Some(code) = output.code() {
+                bail!("Credential helper failed with exit code {code}")
+            } else {
+                bail!("Credential helper was killed")
+            }
+        }
+    } else {
+        keyring::Entry::new("enarx", "oidc_domain")
+            .set_password(secret)
+            .context("Failed to save user credentials")?;
+    }
     println!("Credentials saved locally.");
 
     Ok(secret.to_string())