Merge pull request #10 from overmindtech/api-keys

DavidS-ovm · web-flow · commit bfc511c1c6eb · 2023-07-12T14:13:21.000+02:00
Implement Authentication using API Keys
diff --git a/README.md b/README.md
@@ -1,2 +1,45 @@
 # ovm-cli
+
 CLI to interact with the overmind API
+
+```
+Usage:
+  ovm-cli [command]
+
+Available Commands:
+  change-from-tfplan     Creates a new Change from a given terraform plan file
+  completion             Generate the autocompletion script for the specified shell
+  get-affected-bookmarks Calculates the bookmarks that would be overlapping with a snapshot.
+  get-bookmark           Displays the contents of a bookmark.
+  get-snapshot           Displays the contents of a snapshot.
+  help                   Help about any command
+  request                Runs a request against the overmind API
+
+Flags:
+      --apikey-url string          The overmind API Keys endpoint (defaults to --url)
+      --auth0-client-id string     OAuth Client ID to use when connecting with auth (default "j3LylZtIosVPZtouKI8WuVHmE6Lluva1")
+      --auth0-domain string        Auth0 domain to connect to (default "om-prod.eu.auth0.com")
+      --config string              config file (default is redacted.yaml)
+      --gateway-url string         The overmind Gateway endpoint (defaults to /api/gateway on --url)
+  -h, --help                       help for ovm-cli
+      --honeycomb-api-key string   If specified, configures opentelemetry libraries to submit traces to honeycomb
+      --json-log                   Set to true to emit logs as json for easier parsing
+      --log string                 Set the log level. Valid values: panic, fatal, error, warn, info, debug, trace (default "info")
+      --run-mode string            Set the run mode for this service, 'release', 'debug' or 'test'. Defaults to 'release'. (default "release")
+      --sentry-dsn string          If specified, configures sentry libraries to capture errors
+      --stdout-trace-dump          Dump all otel traces to stdout for debugging
+      --token string               The API token to use for authentication, also read from OVM_TOKEN environment variable
+      --url string                 The overmind API endpoint (default "https://api.prod.overmind.tech")
+
+Use "ovm-cli [command] --help" for more information about a command.
+```
+
+## Examples
+
+Upload a terraform plan to overmind for Blast Radius Analysis:
+
+```
+terraform show -json ./tfplan > ./tfplan.json
+ovm-cli change-from-tfplan --title "example change" --tfplan-json ./tfplan.json
+```
+
diff --git a/cmd/auth_client.go b/cmd/auth_client.go
@@ -11,16 +11,27 @@ import (
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 )
 
-// AuthenticatedChangesClient Returns a bookmark client that uses the auth
+// AuthenticatedApiKeyClient Returns an apikey client that uses the auth
 // embedded in the context and otel instrumentation
-func AuthenticatedChangesClient(ctx context.Context) sdpconnect.ChangesServiceClient {
+func AuthenticatedApiKeyClient(ctx context.Context) sdpconnect.ApiKeyServiceClient {
 	httpClient := NewAuthenticatedClient(ctx, otelhttp.DefaultClient)
-	url := viper.GetString("changes-url")
+	url := viper.GetString("apikey-url")
 	if url == "" {
 		url = viper.GetString("url")
-		viper.Set("changes-url", url)
+		viper.Set("apikey-url", url)
 	}
-	return sdpconnect.NewChangesServiceClient(httpClient, url)
+	return sdpconnect.NewApiKeyServiceClient(httpClient, url)
+}
+
+// UnauthenticatedApiKeyClient Returns an apikey client with otel instrumentation
+// but no authentication. Can only be used for ExchangeKeyForToken
+func UnauthenticatedApiKeyClient(ctx context.Context) sdpconnect.ApiKeyServiceClient {
+	url := viper.GetString("apikey-url")
+	if url == "" {
+		url = viper.GetString("url")
+		viper.Set("apikey-url", url)
+	}
+	return sdpconnect.NewApiKeyServiceClient(otelhttp.DefaultClient, url)
 }
 
 // AuthenticatedBookmarkClient Returns a bookmark client that uses the auth
@@ -35,6 +46,18 @@ func AuthenticatedBookmarkClient(ctx context.Context) sdpconnect.BookmarksServic
 	return sdpconnect.NewBookmarksServiceClient(httpClient, url)
 }
 
+// AuthenticatedChangesClient Returns a bookmark client that uses the auth
+// embedded in the context and otel instrumentation
+func AuthenticatedChangesClient(ctx context.Context) sdpconnect.ChangesServiceClient {
+	httpClient := NewAuthenticatedClient(ctx, otelhttp.DefaultClient)
+	url := viper.GetString("changes-url")
+	if url == "" {
+		url = viper.GetString("url")
+		viper.Set("changes-url", url)
+	}
+	return sdpconnect.NewChangesServiceClient(httpClient, url)
+}
+
 // AuthenticatedSnapshotsClient Returns a Snapshots client that uses the auth
 // embedded in the context and otel instrumentation
 func AuthenticatedSnapshotsClient(ctx context.Context) sdpconnect.SnapshotsServiceClient {
diff --git a/cmd/changefromtfplan.go b/cmd/changefromtfplan.go
@@ -32,7 +32,7 @@ var changeFromTfplanCmd = &cobra.Command{
 	Short: "Creates a new Change from a given terraform plan file",
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `change-from-tfplan` flags")
 		}
@@ -160,16 +160,22 @@ func ChangeFromTfplan(signals chan os.Signal, ready chan bool) int {
 	))
 	defer span.End()
 
-	// Connect to the websocket
-	log.WithContext(ctx).Debugf("Connecting to overmind API: %v", viper.GetString("url"))
+	gatewayUrl := viper.GetString("gateway-url")
+	if gatewayUrl == "" {
+		gatewayUrl = fmt.Sprintf("%v/api/gateway", viper.GetString("url"))
+		viper.Set("gateway-url", gatewayUrl)
+	}
 
 	lf := log.Fields{
-		"url": viper.GetString("url"),
+		"gateway_url": gatewayUrl,
 	}
 
+	// Connect to the websocket
+	log.WithContext(ctx).WithFields(lf).Debug("Connecting to overmind API")
+
 	ctx, err = ensureToken(ctx, signals)
 	if err != nil {
-		log.WithContext(ctx).WithError(err).WithFields(lf).Error("failed to authenticate")
+		log.WithContext(ctx).WithFields(lf).WithField("apikey-url", viper.GetString("apikey-url")).WithError(err).Error("failed to authenticate")
 		return 1
 	}
 
@@ -449,7 +455,7 @@ func init() {
 	changeFromTfplanCmd.PersistentFlags().String("changes-url", "https://api.prod.overmind.tech", "The changes service API endpoint")
 	changeFromTfplanCmd.PersistentFlags().String("frontend", "https://app.overmind.tech", "The frontend base URL")
 
-	changeFromTfplanCmd.PersistentFlags().String("tfplan-json", "./tfplan.json", "Parse changing items from this terraform plan JSON file. Generate this using `terraform show -json PLAN_FILE`")
+	changeFromTfplanCmd.PersistentFlags().String("tfplan-json", "./tfplan.json", "Parse changing items from this terraform plan JSON file. Generate this using 'terraform show -json PLAN_FILE'")
 
 	changeFromTfplanCmd.PersistentFlags().String("title", "", "Short title for this change.")
 	changeFromTfplanCmd.PersistentFlags().String("description", "", "Quick description of the change.")
diff --git a/cmd/getaffectedbookmarks.go b/cmd/getaffectedbookmarks.go
@@ -25,7 +25,7 @@ var getAffectedBookmarksCmd = &cobra.Command{
 	Short: "Calculates the bookmarks that would be overlapping with a snapshot.",
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `get-affected-bookmarks` flags")
 		}
diff --git a/cmd/getbookmark.go b/cmd/getbookmark.go
@@ -25,7 +25,7 @@ var getBookmarkCmd = &cobra.Command{
 	Short: "Displays the contents of a bookmark.",
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `get-bookmark` flags")
 		}
diff --git a/cmd/getsnapshot.go b/cmd/getsnapshot.go
@@ -25,7 +25,7 @@ var getSnapshotCmd = &cobra.Command{
 	Short: "Displays the contents of a snapshot.",
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `get-snapshot` flags")
 		}
diff --git a/cmd/request.go b/cmd/request.go
@@ -31,7 +31,7 @@ var requestCmd = &cobra.Command{
 	Short: "Runs a request against the overmind API",
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `request` flags")
 		}
@@ -66,16 +66,23 @@ func Request(signals chan os.Signal, ready chan bool) int {
 		return 1
 	}
 
+	gatewayUrl := viper.GetString("gateway-url")
+	if gatewayUrl == "" {
+		gatewayUrl = fmt.Sprintf("%v/api/gateway", viper.GetString("url"))
+		viper.Set("gateway-url", gatewayUrl)
+	}
+
 	lf := log.Fields{
-		"url": viper.GetString("url"),
+		"gateway_url": gatewayUrl,
+		"url":         viper.GetString("url"),
 	}
 
 	// Connect to the websocket
-	log.WithContext(ctx).Debugf("Connecting to overmind API: %v", viper.GetString("url"))
+	log.WithContext(ctx).WithFields(lf).Debug("Connecting to overmind API")
 
 	ctx, err = ensureToken(ctx, signals)
 	if err != nil {
-		log.WithContext(ctx).WithFields(lf).WithError(err).Error("failed to authenticate")
+		log.WithContext(ctx).WithFields(lf).WithField("apikey-url", viper.GetString("apikey-url")).WithError(err).Error("failed to authenticate")
 		return 1
 	}
 
@@ -87,7 +94,7 @@ func Request(signals chan os.Signal, ready chan bool) int {
 		HTTPClient: NewAuthenticatedClient(ctx, otelhttp.DefaultClient),
 	}
 
-	c, _, err := websocket.Dial(ctx, viper.GetString("url"), options)
+	c, _, err := websocket.Dial(ctx, gatewayUrl, options)
 	if err != nil {
 		log.WithContext(ctx).WithFields(lf).WithError(err).Error("Failed to connect to overmind API")
 		return 1
diff --git a/cmd/root.go b/cmd/root.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/bufbuild/connect-go"
 	"github.com/google/uuid"
 	"github.com/overmindtech/ovm-cli/tracing"
 	"github.com/overmindtech/sdp-go"
@@ -33,7 +34,7 @@ var rootCmd = &cobra.Command{
 	Long:  `The ovm-cli allows direct access to the overmind API`,
 	PreRun: func(cmd *cobra.Command, args []string) {
 		// Bind these to viper
-		err := viper.BindPFlags(cmd.PersistentFlags())
+		err := viper.BindPFlags(cmd.Flags())
 		if err != nil {
 			log.WithError(err).Fatal("could not bind `root` flags")
 		}
@@ -53,7 +54,23 @@ func Execute() {
 func ensureToken(ctx context.Context, signals chan os.Signal) (context.Context, error) {
 	// shortcut if we already have a token set
 	if viper.GetString("token") != "" {
-		return context.WithValue(ctx, sdp.UserTokenContextKey{}, viper.GetString("token")), nil
+		token := viper.GetString("token")
+		if strings.HasPrefix(token, "ovm_api_") {
+			// exchange api token for JWT
+			client := UnauthenticatedApiKeyClient(ctx)
+			resp, err := client.ExchangeKeyForToken(ctx, &connect.Request[sdp.ExchangeKeyForTokenRequest]{
+				Msg: &sdp.ExchangeKeyForTokenRequest{
+					ApiKey: token,
+				},
+			})
+			if err != nil {
+				return ctx, fmt.Errorf("error authenticating the API token: %w", err)
+			}
+			token = resp.Msg.AccessToken
+		} else {
+			return ctx, errors.New("token does not match pattern 'ovm_api_*'")
+		}
+		return context.WithValue(ctx, sdp.UserTokenContextKey{}, token), nil
 	}
 
 	// Check to see if the URL is secure
@@ -162,16 +179,18 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log", "info", "Set the log level. Valid values: panic, fatal, error, warn, info, debug, trace")
 
 	// api endpoint
-	rootCmd.PersistentFlags().String("url", "https://api.prod.overmind.tech/api/gateway", "The overmind API endpoint")
+	rootCmd.PersistentFlags().String("url", "https://api.prod.overmind.tech", "The overmind API endpoint")
+	rootCmd.PersistentFlags().String("gateway-url", "", "The overmind Gateway endpoint (defaults to /api/gateway on --url)")
 
 	// authorization
-	rootCmd.PersistentFlags().String("auth0-client-id", "j3LylZtIosVPZtouKI8WuVHmE6Lluva1", "OAuth Client ID to use when connecting with auth")
-	rootCmd.PersistentFlags().String("auth0-domain", "om-prod.eu.auth0.com", "Auth0 domain to connect to")
-	rootCmd.PersistentFlags().String("token", "", "The token to use for authentication")
+	rootCmd.PersistentFlags().String("token", "", "The API token to use for authentication, also read from OVM_TOKEN environment variable")
 	err := viper.BindEnv("token", "OVM_TOKEN", "TOKEN")
 	if err != nil {
 		log.WithError(err).Fatal("could not bind token")
 	}
+	rootCmd.PersistentFlags().String("apikey-url", "", "The overmind API Keys endpoint (defaults to --url)")
+	rootCmd.PersistentFlags().String("auth0-client-id", "j3LylZtIosVPZtouKI8WuVHmE6Lluva1", "OAuth Client ID to use when connecting with auth")
+	rootCmd.PersistentFlags().String("auth0-domain", "om-prod.eu.auth0.com", "Auth0 domain to connect to")
 
 	// tracing
 	rootCmd.PersistentFlags().String("honeycomb-api-key", "", "If specified, configures opentelemetry libraries to submit traces to honeycomb")

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ var getAffectedBookmarksCmd = &cobra.Command{`
`25`	`25`	`Short: "Calculates the bookmarks that would be overlapping with a snapshot.",`
`26`	`26`	`PreRun: func(cmd *cobra.Command, args []string) {`
`27`	`27`	`// Bind these to viper`
`28`		`- err := viper.BindPFlags(cmd.PersistentFlags())`
	`28`	`+ err := viper.BindPFlags(cmd.Flags())`
`29`	`29`	`if err != nil {`
`30`	`30`	log.WithError(err).Fatal("could not bind `get-affected-bookmarks` flags")
`31`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ var getBookmarkCmd = &cobra.Command{`
`25`	`25`	`Short: "Displays the contents of a bookmark.",`
`26`	`26`	`PreRun: func(cmd *cobra.Command, args []string) {`
`27`	`27`	`// Bind these to viper`
`28`		`- err := viper.BindPFlags(cmd.PersistentFlags())`
	`28`	`+ err := viper.BindPFlags(cmd.Flags())`
`29`	`29`	`if err != nil {`
`30`	`30`	log.WithError(err).Fatal("could not bind `get-bookmark` flags")
`31`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ var getSnapshotCmd = &cobra.Command{`
`25`	`25`	`Short: "Displays the contents of a snapshot.",`
`26`	`26`	`PreRun: func(cmd *cobra.Command, args []string) {`
`27`	`27`	`// Bind these to viper`
`28`		`- err := viper.BindPFlags(cmd.PersistentFlags())`
	`28`	`+ err := viper.BindPFlags(cmd.Flags())`
`29`	`29`	`if err != nil {`
`30`	`30`	log.WithError(err).Fatal("could not bind `get-snapshot` flags")
`31`	`31`	`}`