add support for caching refresh token in armadactl

Signed-off-by: Dejan Zele Pejchev <[email protected]>

Author: dejanzele

pkg/client/auth/oidc/cache.go

@@ -0,0 +1,204 @@
+package oidc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/99designs/keyring"
+	"golang.org/x/oauth2"
+
+	log "github.com/armadaproject/armada/internal/common/logging"
+)
+
+const (
+	keyringServiceName = "armada-oidc"
+)
+
+type TokenCache struct {
+	ring        keyring.Keyring
+	providerUrl string
+	clientId    string
+}
+
+type CachedToken struct {
+	RefreshToken  string     `json:"refresh_token"`
+	TokenType     string     `json:"token_type"`
+	StoredAt      time.Time  `json:"stored_at"`
+	RefreshExpiry *time.Time `json:"refresh_expiry,omitempty"`
+}
+
+func NewTokenCache(providerUrl, clientId string) (*TokenCache, error) {
+	ring, err := keyring.Open(keyring.Config{
+		ServiceName:                    keyringServiceName,
+		AllowedBackends:                keyring.AvailableBackends(),
+		KeychainTrustApplication:       true,
+		KeychainSynchronizable:         false,
+		KeychainAccessibleWhenUnlocked: true,
+		KWalletAppID:                   "armada",
+		KWalletFolder:                  "armada",
+		LibSecretCollectionName:        "armada",
+		WinCredPrefix:                  "armada",
+	})
+	if err != nil {
+		log.Debug("No secure keyring backend available, token caching disabled")
+		return nil, fmt.Errorf("no secure keyring backend available: %w", err)
+	}
+
+	return &TokenCache{
+		ring:        ring,
+		providerUrl: providerUrl,
+		clientId:    clientId,
+	}, nil
+}
+
+func (tc *TokenCache) getKey() string {
+	return fmt.Sprintf("%s:%s", tc.providerUrl, tc.clientId)
+}
+
+func (tc *TokenCache) GetCachedRefreshToken() (string, error) {
+	if tc == nil || tc.ring == nil {
+		return "", errors.New("token cache not initialized")
+	}
+
+	key := tc.getKey()
+	item, err := tc.ring.Get(key)
+	if err != nil {
+		if errors.Is(err, keyring.ErrKeyNotFound) {
+			return "", nil // No cached token
+		}
+		return "", fmt.Errorf("failed to get token from keyring: %w", err)
+	}
+
+	var cached CachedToken
+	if err := json.Unmarshal(item.Data, &cached); err != nil {
+		return "", fmt.Errorf("failed to unmarshal cached token: %w", err)
+	}
+
+	if cached.RefreshExpiry != nil && time.Now().After(*cached.RefreshExpiry) {
+		_ = tc.DeleteToken()
+		return "", nil
+	}
+
+	return cached.RefreshToken, nil
+}
+
+func (tc *TokenCache) SaveRefreshToken(refreshToken string) error {
+	if tc == nil || tc.ring == nil {
+		return errors.New("token cache not initialized")
+	}
+
+	if refreshToken == "" {
+		return errors.New("refresh token is empty")
+	}
+
+	key := tc.getKey()
+	cached := CachedToken{
+		RefreshToken: refreshToken,
+		TokenType:    "Bearer",
+		StoredAt:     time.Now(),
+	}
+
+	data, err := json.Marshal(cached)
+	if err != nil {
+		return fmt.Errorf("failed to marshal token: %w", err)
+	}
+
+	item := keyring.Item{
+		Key:         key,
+		Data:        data,
+		Label:       fmt.Sprintf("Armada OIDC Refresh Token (%s)", tc.clientId),
+		Description: fmt.Sprintf("OAuth2 refresh token for %s", tc.providerUrl),
+	}
+
+	if err := tc.ring.Set(item); err != nil {
+		return fmt.Errorf("failed to save refresh token to keyring: %w", err)
+	}
+
+	return nil
+}
+
+func (tc *TokenCache) DeleteToken() error {
+	if tc == nil || tc.ring == nil {
+		return errors.New("token cache not initialized")
+	}
+
+	if err := tc.ring.Remove(tc.getKey()); err != nil && !errors.Is(err, keyring.ErrKeyNotFound) {
+		return fmt.Errorf("failed to delete token from keyring: %w", err)
+	}
+	return nil
+}
+
+func RefreshTokenSecurely(ctx context.Context, config *oauth2.Config, refreshToken string, cache *TokenCache) (*oauth2.Token, error) {
+	if refreshToken == "" {
+		return nil, errors.New("no refresh token available")
+	}
+
+	oldToken := &oauth2.Token{
+		RefreshToken: refreshToken,
+		TokenType:    "Bearer",
+		Expiry:       time.Now().Add(-1 * time.Hour),
+	}
+
+	tokenSource := config.TokenSource(ctx, oldToken)
+
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+
+	if newToken.RefreshToken != "" {
+		if cache != nil {
+			if saveErr := cache.SaveRefreshToken(newToken.RefreshToken); saveErr != nil {
+				log.WithError(saveErr).Error("Failed to save refreshed token to cache")
+			}
+		}
+	} else {
+		newToken.RefreshToken = refreshToken
+	}
+
+	return newToken, nil
+}
+
+func TryGetCachedToken(
+	ctx context.Context,
+	config *oauth2.Config,
+	providerUrl string,
+	clientId string,
+	cacheEnabled bool,
+) (*oauth2.Token, *TokenCache, error) {
+	if !cacheEnabled {
+		return nil, nil, nil
+	}
+
+	cache, err := NewTokenCache(providerUrl, clientId)
+	if err != nil {
+		log.Debug("Token cache unavailable, proceeding without caching")
+		return nil, nil, nil
+	}
+
+	cachedRefreshToken, err := cache.GetCachedRefreshToken()
+	if err != nil || cachedRefreshToken == "" {
+		return nil, cache, nil
+	}
+
+	newToken, err := RefreshTokenSecurely(ctx, config, cachedRefreshToken, cache)
+	if err != nil {
+		_ = cache.DeleteToken()
+		return nil, cache, nil
+	}
+
+	return newToken, cache, nil
+}
+
+func SaveTokenToCache(token *oauth2.Token, cache *TokenCache) {
+	if cache == nil || token == nil || token.RefreshToken == "" {
+		return
+	}
+
+	if err := cache.SaveRefreshToken(token.RefreshToken); err != nil {
+		log.WithError(err).Debug("Failed to save token to cache")
+	}
+}

pkg/client/auth/oidc/device.go

@@ -22,7 +22,7 @@ type DeviceDetails struct {
 	Scopes      []string
 }
 
-func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
+func AuthenticateDevice(config DeviceDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	httpClient := http.DefaultClient
@@ -63,6 +63,12 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 		Scopes:   scopes,
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache, err := TryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if err == nil && token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
 	deviceFlowResponse, err := requestDeviceAuthorization(ctx, httpClient, claims.DeviceAuthorizationEndpoint, config.ClientId, scopes)
 	if err != nil {
 		return nil, err
@@ -97,6 +103,7 @@ func AuthenticateDevice(config DeviceDetails) (*TokenCredentials, error) {
 			token, err := requestToken(ctx, httpClient, oauth.Endpoint.TokenURL, config.ClientId, deviceFlowResponse.DeviceCode)
 			if err == nil {
 				fmt.Printf("\nAuthentication successful!\n\n")
+				SaveTokenToCache(token, cache)
 				return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
 			}
 

pkg/client/auth/oidc/password.go

@@ -15,7 +15,7 @@ type ClientPasswordDetails struct {
 	Password    string
 }
 
-func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials, error) {
+func AuthenticateWithPassword(config ClientPasswordDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
@@ -29,6 +29,16 @@ func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials,
 		Endpoint: provider.Endpoint(),
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache, err := TryGetCachedToken(ctx, authConfig, config.ProviderUrl, config.ClientId, cacheToken)
+	if err == nil && token != nil {
+		return &TokenCredentials{oauth2.ReuseTokenSource(token, &FunctionTokenSource{
+			func() (*oauth2.Token, error) {
+				return authConfig.PasswordCredentialsToken(ctx, config.Username, config.Password)
+			},
+		})}, nil
+	}
+
 	source := &FunctionTokenSource{
 		func() (*oauth2.Token, error) {
 			return authConfig.PasswordCredentialsToken(ctx, config.Username, config.Password)
@@ -38,6 +48,8 @@ func AuthenticateWithPassword(config ClientPasswordDetails) (*TokenCredentials,
 	if err != nil {
 		return nil, err
 	}
+
+	SaveTokenToCache(t, cache)
 	cachedSource := oauth2.ReuseTokenSource(t, source)
 	return &TokenCredentials{cachedSource}, nil
 }

pkg/client/auth/oidc/pkce.go

@@ -25,26 +25,33 @@ type PKCEDetails struct {
 	Scopes      []string
 }
 
-func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
+func AuthenticatePkce(config PKCEDetails, cacheToken bool) (*TokenCredentials, error) {
 	ctx := context.Background()
 
-	result := make(chan *oauth2.Token)
-	errorResult := make(chan error)
-
 	provider, err := openId.NewProvider(ctx, config.ProviderUrl)
 	if err != nil {
 		return nil, err
 	}
 
-	localUrl := "localhost:" + strconv.Itoa(int(config.LocalPort))
-
 	oauth := oauth2.Config{
 		ClientID:    config.ClientId,
 		Endpoint:    provider.Endpoint(),
-		RedirectURL: "http://" + localUrl + "/auth/callback",
+		RedirectURL: "http://localhost:" + strconv.Itoa(int(config.LocalPort)) + "/auth/callback",
 		Scopes:      append(config.Scopes, openId.ScopeOpenID),
 	}
 
+	// Try to use cached refresh token if enabled
+	token, cache, err := TryGetCachedToken(ctx, &oauth, config.ProviderUrl, config.ClientId, cacheToken)
+	if err == nil && token != nil {
+		return &TokenCredentials{oauth.TokenSource(ctx, token)}, nil
+	}
+
+	// Perform interactive authentication if no valid cached token
+	result := make(chan *oauth2.Token)
+	errorResult := make(chan error)
+
+	localUrl := "localhost:" + strconv.Itoa(int(config.LocalPort))
+
 	state := randomStringBase64() // xss protection
 	challenge := randomStringBase64()
 	challengeSum := sha256.Sum256([]byte(challenge))
@@ -111,6 +118,7 @@ func AuthenticatePkce(config PKCEDetails) (*TokenCredentials, error) {
 
 	select {
 	case t := <-result:
+		SaveTokenToCache(t, cache)
 		return &TokenCredentials{oauth.TokenSource(ctx, t)}, nil
 	case e := <-errorResult:
 		return nil, e

pkg/client/connection.go

@@ -45,6 +45,7 @@ type ApiConnectionDetails struct {
 	OpenIdKubernetesAuth        oidc.KubernetesDetails
 	ForceNoTls                  bool
 	ExecAuth                    exec.CommandDetails
+	CacheRefreshToken           bool
 }
 
 type ConnectionDetails func() (*ApiConnectionDetails, error)
@@ -101,11 +102,11 @@ func perRpcCredentials(config *ApiConnectionDetails) (credentials.PerRPCCredenti
 	} else if config.KubernetesNativeAuth.Enabled {
 		return kubernetes.AuthenticateKubernetesNative(config.KubernetesNativeAuth)
 	} else if config.OpenIdAuth.ProviderUrl != "" {
-		return oidc.AuthenticatePkce(config.OpenIdAuth)
+		return oidc.AuthenticatePkce(config.OpenIdAuth, config.CacheRefreshToken)
 	} else if config.OpenIdDeviceAuth.ProviderUrl != "" {
-		return oidc.AuthenticateDevice(config.OpenIdDeviceAuth)
+		return oidc.AuthenticateDevice(config.OpenIdDeviceAuth, config.CacheRefreshToken)
 	} else if config.OpenIdPasswordAuth.ProviderUrl != "" {
-		return oidc.AuthenticateWithPassword(config.OpenIdPasswordAuth)
+		return oidc.AuthenticateWithPassword(config.OpenIdPasswordAuth, config.CacheRefreshToken)
 	} else if config.OpenIdClientCredentialsAuth.ProviderUrl != "" {
 		return oidc.AuthenticateWithClientCredentials(config.OpenIdClientCredentialsAuth)
 	} else if config.OpenIdKubernetesAuth.ProviderUrl != "" {