Add authorizer v2 commands

go.mod

@@ -10,12 +10,12 @@ go 1.19
 
 require (
 	github.com/alecthomas/kong v0.7.1
-	github.com/aserto-dev/aserto-go v0.8.13
 	github.com/aserto-dev/certs v0.0.3
 	github.com/aserto-dev/clui v0.8.2
+	github.com/aserto-dev/go-aserto v0.20.3
+	github.com/aserto-dev/go-authorizer v0.20.2
 	github.com/aserto-dev/go-decision-logs v0.0.4
 	github.com/aserto-dev/go-grpc v0.8.56
-	github.com/aserto-dev/go-grpc-authz v0.8.0
 	github.com/aserto-dev/logger v0.0.3
 	github.com/cli/browser v1.1.0
 	github.com/fatih/color v1.15.0
@@ -40,7 +40,6 @@ require (
 require (
 	github.com/PuerkitoBio/rehttp v1.0.0 // indirect
 	github.com/alessio/shellescape v1.4.1 // indirect
-	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect

go.sum

@@ -46,24 +46,24 @@ github.com/alecthomas/kong v0.7.1/go.mod h1:n1iCIO2xS46oE8ZfYCNDqdR0b0wZNrXAIAqr
 github.com/alecthomas/repr v0.1.0 h1:ENn2e1+J3k09gyj2shc0dHr/yjaWSHRlrJ4DPMevDqE=
 github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
 github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
-github.com/aserto-dev/aserto-go v0.8.13 h1:IkD2nB8dmZ2ws0j1U0wwFBVnHwDkFnekTpsDQKyP4E8=
-github.com/aserto-dev/aserto-go v0.8.13/go.mod h1:OFVnSJeMxsnzNuBmsY9yeVo9lTtwSGkv9Kr7YRC2ndM=
 github.com/aserto-dev/certs v0.0.3 h1:FiCJwh3nMHm/g1hRzKng1ZghLhNJgbMFxQd6ppJSVEE=
 github.com/aserto-dev/certs v0.0.3/go.mod h1:9mFvZ1NR92aEGj4ce6QleZGPXJuDZKTv+CWIOX28Xj8=
 github.com/aserto-dev/clui v0.8.2 h1:QPyAsKnZrafSfPMWPni6w5JyZUJOThbqVmHWWxWPi+M=
+github.com/aserto-dev/clui v0.8.2/go.mod h1:b3hhCepxBKdbeaIwYXRtlt07jnn7tgnfF4onVOwSEL4=
+github.com/aserto-dev/go-aserto v0.20.3 h1:yUhMIENFIdKA6TxE36E+99N3baEIuzfj7Y+onsOuLyg=
+github.com/aserto-dev/go-aserto v0.20.3/go.mod h1:6e5FdSQNvVvaRVIVrAqlQk9uh5k3jtIcDIXciQtN+GQ=
+github.com/aserto-dev/go-authorizer v0.20.2 h1:jDjPeaD3lyJmgWFDL6+B8ebG9nrRsqFyMP16HVdNhj4=
+github.com/aserto-dev/go-authorizer v0.20.2/go.mod h1:RTpBixDT2WIPOkXcewCXG3NxOWDt22yiXMb+qvdxucM=
 github.com/aserto-dev/go-decision-logs v0.0.4 h1:beu/mhqZ92ovhSIPOv2f4q0Ci7HWNLla/j/x+ZD5eHw=
 github.com/aserto-dev/go-decision-logs v0.0.4/go.mod h1:W50DNu4HPCk+iyI39cP3+KBytdrQYVieSPXh9StuRzA=
 github.com/aserto-dev/go-grpc v0.8.56 h1:64FRLNF4G51ASt1pTtTP/UuWJboZHA6I4CeGIYZwHmc=
 github.com/aserto-dev/go-grpc v0.8.56/go.mod h1:ZHKobEadfjzb39dKhc/iy8JyQDRuB/IsSwVa8YuWkQY=
-github.com/aserto-dev/go-grpc-authz v0.8.0 h1:D/D/DJAWdshIIF6BYFKT9ILh0/ClAGrb64zpsGP8vuQ=
-github.com/aserto-dev/go-grpc-authz v0.8.0/go.mod h1:ssdQrzxQf+IZ+jy8ATz9S6Ys+nqsTMZyKmPpdj0kwHo=
 github.com/aserto-dev/logger v0.0.3 h1:lBB5LMdOsHCJKfEej2xY7s4OzCWUWCBhkhUU6RJ4LbM=
 github.com/aserto-dev/logger v0.0.3/go.mod h1:8HIZAwlf+Y0V33YnGILYZOtYh1Eue5mz1YNf1XbqPbI=
 github.com/aybabtme/iocontrol v0.0.0-20150809002002-ad15bcfc95a0 h1:0NmehRCgyk5rljDQLKUO+cRJCnduDyn11+zGZIc9Z48=
 github.com/aybabtme/iocontrol v0.0.0-20150809002002-ad15bcfc95a0/go.mod h1:6L7zgvqo0idzI7IO8de6ZC051AfXb5ipkIJ7bIA2tGA=
+github.com/benbjohnson/clock v1.0.3 h1:vkLuvpK4fmtSCuo60+yC63p7y0BmQ8gm5ZXGuBCJyXg=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
-github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
@@ -394,6 +394,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -437,8 +438,10 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -448,6 +451,7 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

pkg/auth0/api/token.go

@@ -14,6 +14,9 @@ type Token struct {
 	RegistryDownloadKey string    `json:"registry_download_key"`
 	RegistryUploadKey   string    `json:"registry_upload_key"`
 	DecisionLogsKey     string    `json:"decision_logs_key"`
+	DirectoryReadKey    string    `json:"directory_read_key"`
+	DirectoryWriteKey   string    `json:"directory_write_key"`
+	DiscoveryKey        string    `json:"discovery_key"`
 }
 
 func (t *Token) IsExpired() bool {

pkg/auth0/auth0.go

@@ -2,10 +2,18 @@ package auth0
 
 import "fmt"
 
+const (
+	Issuer    string = "aserto.us.auth0.com"
+	ClientID  string = "wxB6q804bWWiPqWRtauOeBGtZobfBWD9"
+	Audience  string = "https://console.aserto.com"
+	GrantType string = "urn:ietf:params:oauth:grant-type:device_code"
+)
+
 type Settings struct {
 	Issuer                 string
 	Audience               string
 	ClientID               string
+	GrantType              string
 	RedirectURL            string
 	LogoutURL              string
 	AuthorizationURL       string
@@ -16,20 +24,14 @@ type Settings struct {
 	JWKS                   string
 }
 
-const (
-	IssuerProduction   = "aserto.us.auth0.com"
-	ClientIDProduction = "98ofxNoUdgVu7vuYAddWW2WpglFM4til"
-
-	Audience = "https://console.aserto.com"
-)
-
 func GetSettings(issuer, clientID, audience string) *Settings {
 	return &Settings{
 		Issuer:                 issuer,
 		Audience:               audience,
 		ClientID:               clientID,
 		RedirectURL:            "http://localhost:3987",
 		LogoutURL:              "http://localhost:3987",
+		GrantType:              GrantType,
 		AuthorizationURL:       fmt.Sprintf("https://%s/authorize", issuer),
 		DeviceAuthorizationURL: fmt.Sprintf("https://%s/oauth/device/code", issuer),
 		TokenURL:               fmt.Sprintf("https://%s/oauth/token", issuer),

pkg/auth0/device/device_flow.go

@@ -0,0 +1,234 @@
+package device
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	u "net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/aserto-dev/aserto/pkg/auth0/api"
+)
+
+type DeviceCodeFlow struct {
+	DeviceAuthorizationURL string
+	TokenURL               string
+	ClientID               string
+	Audience               string
+	GrantType              string
+	Scopes                 []string
+	deviceCode             *DeviceCode
+	accessToken            *TokenResponse
+}
+
+type DeviceCodeOption func(*DeviceCodeFlow)
+
+func New(opts ...DeviceCodeOption) *DeviceCodeFlow {
+	d := &DeviceCodeFlow{}
+	for _, opt := range opts {
+		opt(d)
+	}
+	return d
+}
+
+func WithDeviceAuthorizationURL(url string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.DeviceAuthorizationURL = url
+	}
+}
+
+func WithTokenURL(url string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.TokenURL = url
+	}
+}
+
+func WithClientID(id string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.ClientID = id
+	}
+}
+
+func WithAudience(audience string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.Audience = audience
+	}
+}
+
+func WithGrantType(grantType string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.GrantType = grantType
+	}
+}
+
+func WithScope(scopes ...string) DeviceCodeOption {
+	return func(i *DeviceCodeFlow) {
+		i.Scopes = append(i.Scopes, scopes...)
+	}
+}
+
+func (f *DeviceCodeFlow) Reader() io.Reader {
+	q := u.Values{}
+	q.Set("client_id", f.ClientID)
+	q.Set("scope", strings.Join(f.Scopes, " "))
+	q.Set("audience", f.Audience)
+	return strings.NewReader(q.Encode())
+}
+
+type DeviceCode struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+}
+
+type TokenRequest struct {
+	URL        string
+	GrantType  string
+	DeviceCode string
+	ClientID   string
+	ExpiresIn  int
+	Interval   int
+}
+
+func (f *DeviceCodeFlow) TokenReader() io.Reader {
+	q := u.Values{}
+	q.Set("grant_type", f.GrantType)
+	q.Set("device_code", f.deviceCode.DeviceCode)
+	q.Set("client_id", f.ClientID)
+	return strings.NewReader(q.Encode())
+}
+
+type TokenResponse struct {
+	AccessToken      string `json:"access_token"`
+	IDToken          string `json:"id_token"`
+	RefreshToken     string `json:"refresh_token"`
+	TokenType        string `json:"token_type"`
+	ExpiresIn        int    `json:"expires_in"`
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	StatusCode       int    `json:"status_code"`
+}
+
+func (f *DeviceCodeFlow) GetDeviceCode(ctx context.Context) error {
+	req, err := http.NewRequestWithContext(ctx, "POST", f.DeviceAuthorizationURL, f.Reader())
+	if err != nil {
+		return err
+	}
+
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	defer res.Body.Close()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return err
+	}
+
+	var resp DeviceCode
+
+	if res.StatusCode == http.StatusOK {
+		if err := json.Unmarshal(body, &resp); err != nil {
+			return err
+		}
+	}
+
+	if res.StatusCode != http.StatusOK {
+		fmt.Fprintf(os.Stderr, "Status %s %d\n", res.Status, res.StatusCode)
+		fmt.Println(res)
+	}
+
+	f.deviceCode = &resp
+
+	return nil
+}
+
+func (f *DeviceCodeFlow) RequestAccessToken(ctx context.Context) (bool, error) {
+	req, err := http.NewRequestWithContext(ctx, "POST", f.TokenURL, f.TokenReader())
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	var resp TokenResponse
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return false, err
+	}
+
+	defer res.Body.Close()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return false, err
+	}
+
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return false, err
+	}
+
+	f.accessToken = &resp
+
+	return res.StatusCode == http.StatusOK, nil
+}
+
+func (f *DeviceCodeFlow) AccessToken() *api.Token {
+	if f.accessToken == nil {
+		return nil
+	}
+
+	return &api.Token{
+		Type:      f.accessToken.TokenType,
+		Scope:     strings.Join(f.Scopes, " "),
+		Identity:  f.accessToken.IDToken,
+		Access:    f.accessToken.AccessToken,
+		ExpiresIn: f.accessToken.ExpiresIn,
+		ExpiresAt: time.Now().UTC().Add(time.Second * time.Duration(f.accessToken.ExpiresIn)),
+	}
+}
+
+func (f *DeviceCodeFlow) GetUserCode() string {
+	if f.deviceCode == nil {
+		return ""
+	}
+	return f.deviceCode.UserCode
+}
+
+func (f *DeviceCodeFlow) GetVerificationURI() string {
+	if f.deviceCode == nil {
+		return ""
+	}
+	return f.deviceCode.VerificationURI
+}
+
+func (f *DeviceCodeFlow) GetVerificationURIComplete() string {
+	if f.deviceCode == nil {
+		return ""
+	}
+	return f.deviceCode.VerificationURIComplete
+}
+
+func (f *DeviceCodeFlow) ExpiresIn() time.Duration {
+	if f.deviceCode == nil {
+		return 0
+	}
+	return time.Duration(f.deviceCode.ExpiresIn) * time.Second
+}
+
+func (f *DeviceCodeFlow) Interval() time.Duration {
+	if f.deviceCode == nil {
+		return 0
+	}
+	return time.Duration(f.deviceCode.Interval) * time.Second
+}

pkg/cc/clients/factory.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"log"
 
-	aserto "github.com/aserto-dev/aserto-go/client"
-	"github.com/aserto-dev/aserto-go/client/authorizer"
-	tenant_ "github.com/aserto-dev/aserto-go/client/tenant"
 	token_ "github.com/aserto-dev/aserto/pkg/cc/token"
+	tenant_ "github.com/aserto-dev/aserto/pkg/client/tenant"
 	"github.com/aserto-dev/aserto/pkg/x"
+	aserto "github.com/aserto-dev/go-aserto/client"
+	"github.com/aserto-dev/go-aserto/client/authorizer"
 	dl "github.com/aserto-dev/go-decision-logs/aserto/decision-logs/v2"
 	"github.com/aserto-dev/go-grpc/aserto/management/v2"
 	"github.com/pkg/errors"