oauth2-client-credentials-generic

Summary:

- Support for configurable `oauth2` client credentials pattern.
- CICD dead code removed.
- Added robot test `Oauth2 CLient Credentials Auth Should Succeed with Valid Config`.
- Added robot test `Oauth2 CLient Credentials Auth Should Fail with Invalid Config`.

Author: general-kroll-4-life

.github/workflows/build.yaml .github/workflows/build-expt.yaml.github/workflows/build.yaml renamed to .github/workflows/build-expt.yaml

@@ -1,4 +1,4 @@
-name: build
+name: buildexpt
 
 on:
   push:

.github/workflows/go.yml .github/workflows/build.yml.github/workflows/go.yml renamed to .github/workflows/build.yml

@@ -33,6 +33,7 @@ jobs:
   winbuild:
     name: Windows Build
     runs-on: windows-latest
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Get rid of disruptive line endings before checkout
@@ -78,7 +79,7 @@ jobs:
     - name: Set up mingw
       uses: egor-tensin/setup-mingw@v2.2.0
       id: gccsetup
-      timeout-minutes: 20
+      timeout-minutes: ${{ vars.DEFAULT_STEP_TIMEOUT_MIN == '' && 20 || vars.DEFAULT_STEP_TIMEOUT_MIN }}
       with:
         version: '8.1.0'
 
@@ -93,13 +94,13 @@ jobs:
     
     - name: Choco install openssl
       uses: crazy-max/ghaction-chocolatey@v3.0.0
-      timeout-minutes: 40
+      timeout-minutes: ${{ vars.DEFAULT_LONG_STEP_TIMEOUT_MIN == '' && 40 || vars.DEFAULT_LONG_STEP_TIMEOUT_MIN }}
       with:
         args: "install --force openssl --version 3.1.1"
 
     - name: Choco install packages
       uses: crazy-max/ghaction-chocolatey@v3.0.0
-      timeout-minutes: 40
+      timeout-minutes: ${{ vars.DEFAULT_LONG_STEP_TIMEOUT_MIN == '' && 40 || vars.DEFAULT_LONG_STEP_TIMEOUT_MIN }}
       with:
         args: "install --force postgresql13 sqlite"
 
@@ -206,6 +207,7 @@ jobs:
   linuxbuild:
     name: Linux Build
     runs-on: ubuntu-latest
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Check out code into the Go module directory
@@ -463,6 +465,7 @@ jobs:
   linuxarmbuild:
     name: Linux arm64 Build
     runs-on: arm-ubuntu-22-04-runner-one
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Check out code into the Go module directory
@@ -746,6 +749,7 @@ jobs:
     name: WSL Test
     runs-on: windows-latest
     needs: linuxbuild
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Get rid of disruptive line endings before checkout
@@ -860,6 +864,7 @@ jobs:
   macosbuild:
     name: MacOS Build
     runs-on: macos-12
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v4.1.1
@@ -998,6 +1003,7 @@ jobs:
   macosarmbuild:
     name: MacOS ARM Build
     runs-on: macos-latest
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Check out code into the Go module directory
@@ -1075,6 +1081,7 @@ jobs:
   dockerbuild:
     name: Docker Build
     runs-on: ubuntu-latest-m
+    timeout-minutes: ${{ vars.DEFAULT_JOB_TIMEOUT_MIN == '' && 120 || vars.DEFAULT_JOB_TIMEOUT_MIN }}
     steps:
 
     - name: Check out code into the Go module directory
@@ -1227,13 +1234,13 @@ jobs:
 
     - name: Run robot mocked functional tests
       if: success()
-      timeout-minutes: 20
+      timeout-minutes: ${{ vars.DEFAULT_STEP_TIMEOUT_MIN == '' && 20 || vars.DEFAULT_STEP_TIMEOUT_MIN }}
       run: |
         python cicd/python/build.py --robot-test --config='{ "variables":  { "EXECUTION_PLATFORM": "docker" } }'
 
     - name: Run POSTGRES BACKEND robot mocked functional tests
       if: success()
-      timeout-minutes: 20
+      timeout-minutes: ${{ vars.DEFAULT_STEP_TIMEOUT_MIN == '' && 20 || vars.DEFAULT_STEP_TIMEOUT_MIN }}
       run: |
         echo "## Stray docker containers before postgres robot tests ##"
         docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a

cicd/requirements.txt

@@ -1,5 +1,7 @@
+Flask==3.0.3
 psycopg2-binary>=2.9.9
 psycopg[binary]>=3.1.16
 PyYaml>=6.0.1
-robotframework>=6.1.1
-sqlalchemy==1.4.44
+requests==2.32.3
+robotframework==6.1.1
+sqlalchemy==1.4.44

cicd/version.txt

@@ -1,2 +1,2 @@
 MajorVersion=0
-MinorVersion=5
+MinorVersion=6

go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stackql/any-sdk v0.0.3-beta17
+	github.com/stackql/any-sdk v0.0.3-beta21
 	github.com/stackql/go-suffix-map v0.0.1-alpha01
 	github.com/stackql/psql-wire v0.1.1-alpha07
 	github.com/stackql/stackql-parser v0.0.14-alpha04

go.sum

@@ -471,8 +471,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
 github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
-github.com/stackql/any-sdk v0.0.3-beta17 h1:eajJfNOZBvWwaUD9WdsS81PAKHFxyHndmpdOo3P867A=
-github.com/stackql/any-sdk v0.0.3-beta17/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
+github.com/stackql/any-sdk v0.0.3-beta21 h1:1x76S9scXukHKcBUmzSVYpwWG8TnZXMhlgU0HHcTO2g=
+github.com/stackql/any-sdk v0.0.3-beta21/go.mod h1:CIMFo3fC2ScpqzkzeCkzUQQuzYA1VuqpG0p1EZXN+wY=
 github.com/stackql/go-suffix-map v0.0.1-alpha01 h1:TDUDS8bySu41Oo9p0eniUeCm43mnRM6zFEd6j6VUaz8=
 github.com/stackql/go-suffix-map v0.0.1-alpha01/go.mod h1:QAi+SKukOyf4dBtWy8UMy+hsXXV+yyEE4vmBkji2V7g=
 github.com/stackql/psql-wire v0.1.1-alpha07 h1:LQWVUlx4Bougk6dztDNG5tmXxpIVeeTSsInTj801xCs=

internal/stackql/dto/auth_ctx.go

@@ -3,6 +3,7 @@ package dto
 import (
 	"encoding/base64"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 )
@@ -42,6 +43,14 @@ type AuthCtx struct {
 	Active                  bool           `json:"-" yaml:"-"`
 	Location                string         `json:"location" yaml:"location"`
 	Name                    string         `json:"name" yaml:"name"`
+	TokenURL                string         `json:"token_url" yaml:"token_url"`
+	GrantType               string         `json:"grant_type" yaml:"grant_type"`
+	ClientID                string         `json:"client_id" yaml:"client_id"`
+	ClientSecret            string         `json:"client_secret" yaml:"client_secret"`
+	ClientIDEnvVar          string         `json:"client_id_env_var" yaml:"client_id_env_var"`
+	ClientSecretEnvVar      string         `json:"client_secret_env_var" yaml:"client_secret_env_var"`
+	Values                  url.Values     `json:"values" yaml:"values"`
+	AuthStyle               int            `json:"auth_style" yaml:"auth_style"`
 }
 
 func (ac *AuthCtx) GetSQLCfg() (SQLBackendCfg, bool) {
@@ -78,10 +87,26 @@ func (ac *AuthCtx) Clone() *AuthCtx {
 		EncodedBasicCredentials: ac.EncodedBasicCredentials,
 		Location:                ac.Location,
 		Name:                    ac.Name,
+		Subject:                 ac.Subject,
+		TokenURL:                ac.TokenURL,
+		GrantType:               ac.GrantType,
+		ClientID:                ac.ClientID,
+		ClientSecret:            ac.ClientSecret,
+		ClientIDEnvVar:          ac.ClientIDEnvVar,
+		ClientSecretEnvVar:      ac.ClientSecretEnvVar,
+		Values:                  ac.Values,
+		AuthStyle:               ac.AuthStyle,
 	}
 	return rv
 }
 
+func (ac *AuthCtx) GetValues() url.Values {
+	if ac.Values == nil {
+		return url.Values{}
+	}
+	return ac.Values
+}
+
 func (ac *AuthCtx) GetSuccessor() (*AuthCtx, bool) {
 	if ac.Successor != nil {
 		return ac.Successor, true
@@ -188,6 +213,46 @@ func (ac *AuthCtx) GetCredentialsBytes() ([]byte, error) {
 	return nil, fmt.Errorf("no credentials found")
 }
 
+func (ac *AuthCtx) GetClientID() (string, error) {
+	if ac.ClientIDEnvVar != "" {
+		rv := os.Getenv(ac.ClientIDEnvVar)
+		if rv == "" {
+			return "", fmt.Errorf("client_id_env_var references empty string")
+		}
+		return rv, nil
+	}
+	if ac.ClientID == "" {
+		return "", fmt.Errorf("client_id is empty")
+	}
+	return ac.ClientID, nil
+}
+
+func (ac *AuthCtx) GetClientSecret() (string, error) {
+	if ac.ClientSecretEnvVar != "" {
+		rv := os.Getenv(ac.ClientSecretEnvVar)
+		if rv == "" {
+			return "", fmt.Errorf("client_secret_env_var references empty string")
+		}
+		return rv, nil
+	}
+	if ac.ClientSecret == "" {
+		return "", fmt.Errorf("client_secret is empty")
+	}
+	return ac.ClientSecret, nil
+}
+
+func (ac *AuthCtx) GetGrantType() string {
+	return ac.GrantType
+}
+
+func (ac *AuthCtx) GetTokenURL() string {
+	return ac.TokenURL
+}
+
+func (ac *AuthCtx) GetAuthStyle() int {
+	return ac.AuthStyle
+}
+
 func (ac *AuthCtx) GetCredentialsSourceDescriptorString() string {
 	if ac.KeyEnvVar != "" {
 		return fmt.Sprintf("credentialsenvvar:%s", ac.KeyEnvVar)

internal/stackql/dto/dto.go

@@ -16,6 +16,7 @@ const (
 	APIRequestTimeoutKey            string = "apirequesttimeout"
 	CacheKeyCountKey                string = "cachekeycount"
 	CacheTTLKey                     string = "metadatattl"
+	ClientCredentialsStr            string = "client_credentials"
 	ColorSchemeKey                  string = "colorscheme" // deprecated
 	ConfigFilePathKey               string = "configfile"
 	CPUProfileKey                   string = "cpuprofile"
@@ -37,6 +38,7 @@ const (
 	AllowInsecureKey                string = "tls.allowInsecure"
 	InfilePathKey                   string = "infile"
 	LogLevelStrKey                  string = "loglevel"
+	OAuth2Str                       string = "oauth2"
 	OutfilePathKey                  string = "outfile"
 	OutputFormatKey                 string = "output"
 	ApplicationFilesRootPathKey     string = "approot"

internal/stackql/handler/handler.go

@@ -575,6 +575,14 @@ func transformOpenapiStackqlAuthToLocal(authDTO anysdk.AuthDTO) *dto.AuthCtx {
 		EncodedBasicCredentials: authDTO.GetInlineBasicCredentials(),
 		Location:                authDTO.GetLocation(),
 		Name:                    authDTO.GetName(),
+		TokenURL:                authDTO.GetTokenURL(),
+		GrantType:               authDTO.GetGrantType(),
+		ClientID:                authDTO.GetClientID(),
+		ClientSecret:            authDTO.GetClientSecret(),
+		ClientIDEnvVar:          authDTO.GetClientIDEnvVar(),
+		ClientSecretEnvVar:      authDTO.GetClientSecretEnvVar(),
+		Values:                  authDTO.GetValues(),
+		AuthStyle:               authDTO.GetAuthStyle(),
 	}
 	successor, successorExists := authDTO.GetSuccessor()
 	currentParent := rv

internal/stackql/provider/auth_util.go

@@ -15,6 +15,7 @@ import (
 	"regexp"
 
 	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
 	"golang.org/x/oauth2/google"
 	"golang.org/x/oauth2/jwt"
 )
@@ -161,11 +162,21 @@ func parseServiceAccountFile(ac *dto.AuthCtx) (serviceAccount, error) {
 	return c, json.Unmarshal(b, &c)
 }
 
-func getJWTConfig(provider string, credentialsBytes []byte, scopes []string, subject string) (*jwt.Config, error) {
+func getGoogleJWTConfig(
+	provider string,
+	credentialsBytes []byte,
+	scopes []string,
+	subject string,
+) (*jwt.Config, error) {
 	switch provider {
 	case "google", "googleads", "googleanalytics",
 		"googledevelopers", "googlemybusiness", "googleworkspace",
 		"youtube", "googleadmin":
+		if scopes == nil {
+			scopes = []string{
+				"https://www.googleapis.com/auth/cloud-platform",
+			}
+		}
 		rv, err := google.JWTConfigFromJSON(credentialsBytes, scopes...)
 		if err != nil {
 			return nil, err
@@ -179,7 +190,31 @@ func getJWTConfig(provider string, credentialsBytes []byte, scopes []string, sub
 	}
 }
 
-func oauthServiceAccount(
+func getGenericClientCredentialsConfig(authCtx *dto.AuthCtx, scopes []string) (*clientcredentials.Config, error) {
+	clientID, clientIDErr := authCtx.GetClientID()
+	if clientIDErr != nil {
+		return nil, clientIDErr
+	}
+	clientSecret, secretErr := authCtx.GetClientSecret()
+	if secretErr != nil {
+		return nil, secretErr
+	}
+	rv := &clientcredentials.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       scopes,
+		TokenURL:     authCtx.GetTokenURL(),
+	}
+	if len(authCtx.GetValues()) > 0 {
+		rv.EndpointParams = authCtx.GetValues()
+	}
+	if authCtx.GetAuthStyle() > 0 {
+		rv.AuthStyle = oauth2.AuthStyle(authCtx.GetAuthStyle())
+	}
+	return rv, nil
+}
+
+func googleOauthServiceAccount(
 	provider string,
 	authCtx *dto.AuthCtx,
 	scopes []string,
@@ -189,14 +224,27 @@ func oauthServiceAccount(
 	if err != nil {
 		return nil, fmt.Errorf("service account credentials error: %w", err)
 	}
-	config, errToken := getJWTConfig(provider, b, scopes, authCtx.Subject)
+	config, errToken := getGoogleJWTConfig(provider, b, scopes, authCtx.Subject)
 	if errToken != nil {
 		return nil, errToken
 	}
 	activateAuth(authCtx, "", dto.AuthServiceAccountStr)
 	httpClient := netutils.GetHTTPClient(runtimeCtx, http.DefaultClient)
-	//nolint:staticcheck // TODO: fix this
-	return config.Client(context.WithValue(oauth2.NoContext, oauth2.HTTPClient, httpClient)), nil
+	return config.Client(context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)), nil
+}
+
+func genericOauthClientCredentials(
+	authCtx *dto.AuthCtx,
+	scopes []string,
+	runtimeCtx dto.RuntimeCtx,
+) (*http.Client, error) {
+	config, errToken := getGenericClientCredentialsConfig(authCtx, scopes)
+	if errToken != nil {
+		return nil, errToken
+	}
+	activateAuth(authCtx, "", dto.ClientCredentialsStr)
+	httpClient := netutils.GetHTTPClient(runtimeCtx, http.DefaultClient)
+	return config.Client(context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)), nil
 }
 
 func apiTokenAuth(authCtx *dto.AuthCtx, runtimeCtx dto.RuntimeCtx, enforceBearer bool) (*http.Client, error) {