[ID-1462] add OAuth support

DOCUMENTATION.md

@@ -77,7 +77,28 @@ your profiles by running the ***content-cli profile list*** command.
 | Note: Please do not use blanks in profile names |
 |-------------------------------------------------|
 
-#### API Token
+#### Profile Types
+You can create profiles of two types: using OAuth (Device Code 
+or Client Credentials) or using API Tokens (Application Key / API Key):
+
+##### OAuth
+
+OAuth supports with two grant types: Device Code & Client Credentials. 
+
+With Device Code, creating the profile will trigger an authorization flow 
+(using the OAuth 2.0 Device code). You will be prompted to follow an authorization 
+link where you must authorize the **Content CLI** to be able to access the EMS environment 
+on your behalf. 
+
+With Client Credentials, you need to provide the credentials (Client ID, Client Secret)
+and Client Authentication Method configured for your OAuth client. You can create and configure 
+an OAuth clients in the `Team Settings` section of your EMS account, under `Applications`. 
+The OAuth client needs to have the following scopes configured: studio.spaces, studio.packages, 
+studio.widgets, integration.data-models:read, integration.data-pools, transformation-center.kpis, 
+transformation-center.content:export. After creating an OAuth client, you can assign it different
+permissions based on how much power you want to give to the client owner.
+
+##### API Token
 
 You can choose between two different options when asked for an API token. 
 The first option is to use an API key, which identifies the user that created 

package.json

@@ -20,6 +20,7 @@
     "axios": "1.6.2",
     "commander": "^6.0.0",
     "form-data": "4.0.0",
+    "openid-client": "^5.6.1",
     "semver": "^7.3.2",
     "valid-url": "^1.0.9",
     "winston": "^3.1.0",

src/commands/profile.command.ts

@@ -2,7 +2,7 @@ import { QuestionService } from "../services/question.service";
 import { Profile } from "../interfaces/profile.interface";
 import { ProfileService } from "../services/profile.service";
 import { ProfileValidator } from "../validators/profile.validator";
-import { logger } from "../util/logger";
+import { FatalError, logger } from "../util/logger";
 
 export class ProfileCommand {
     private profileService = new ProfileService();
@@ -11,8 +11,37 @@ export class ProfileCommand {
         const profile: Profile = {} as Profile;
         profile.name = await QuestionService.ask("Name of the profile: ");
         profile.team = await QuestionService.ask("Your team (please provide the full url): ");
-        profile.apiToken = await QuestionService.ask("Your api token: ");
+        const type = await QuestionService.ask("Profile type: OAuth Device Code (1), OAuth Client Credentials (2) or Application Key / API Key (3): " );
+        switch (type) {
+            case "1":
+                profile.type = "Device Code";
+                break;
+            case "2":
+                profile.type = "Client Credentials";
+                profile.clientId = await QuestionService.ask("Your client id: ");
+                profile.clientSecret = await QuestionService.ask("Your client secret: ");
+                const authenticationMethod = await QuestionService.ask("Client authentication method: Client Secret Basic (1) or Client Secret Post (2): " );
+                if (authenticationMethod === "1") {
+                    profile.clientAuthenticationMethod = "client_secret_basic";
+                }
+                else if (authenticationMethod === "2") {
+                    profile.clientAuthenticationMethod = "client_secret_post";
+                }
+                else {
+                    logger.error(new FatalError("Invalid authentication method"));
+                }
+                break;
+            case "3":
+                profile.type = "Key";
+                profile.apiToken = await QuestionService.ask("Your api token: ");
+                break;
+            default:
+                logger.error(new FatalError("Invalid type"));
+                break;
+        }
         profile.authenticationType = await ProfileValidator.validateProfile(profile);
+        await this.profileService.authorizeProfile(profile);
+
         this.profileService.storeProfile(profile);
         if (setAsDefault) {
             await this.makeDefaultProfile(profile.name);

src/interfaces/profile.interface.ts

@@ -1,11 +1,20 @@
 export interface Profile {
     name: string;
     team: string;
+    type: ProfileType;
     apiToken: string;
     authenticationType: AuthenticationType;
+    clientId?: string;
+    clientSecret?: string;
+    scopes?: string[];
+    clientAuthenticationMethod?: ClientAuthenticationMethod;
+    refreshToken?: string;
+    expiresAt?: number;
 }
 
 export type AuthenticationType = "Bearer" | "AppKey";
+export type ProfileType = "Device Code" | "Client Credentials" | "Key";
+export type ClientAuthenticationMethod = "client_secret_basic" | "client_secret_post";
 // tslint:disable-next-line:variable-name
 export const AuthenticationType: { [key: string]: AuthenticationType } = {
     BEARER: "Bearer",

src/services/profile.service.ts

@@ -3,9 +3,15 @@ import { ProfileValidator } from "../validators/profile.validator";
 import * as path from "path";
 import * as fs from "fs";
 import { FatalError, logger } from "../util/logger";
-
+import { Issuer } from "openid-client";
+import axios from "axios";
 import os = require("os");
+
 const homedir = os.homedir();
+// use 5 seconds buffer to avoid rare cases when accessToken is just about to expire before the command is sent
+const expiryBuffer = 5000;
+const scopes = ["studio.spaces", "studio.packages", "studio.widgets", "integration.data-models:read",
+    "integration.data-pools", "transformation-center.kpis", "transformation-center.content:export", "action-engine.projects"];
 
 export interface Config {
     defaultProfile: string;
@@ -25,7 +31,9 @@ export class ProfileService {
                         path.resolve(this.profileContainerPath, this.constructProfileFileName(profileName)),
                         { encoding: "utf-8" }
                     );
-                    resolve(JSON.parse(file));
+                    const profile : Profile = JSON.parse(file);
+                    this.refreshProfile(profile)
+                        .then(() => resolve(profile));
                 }
             } catch (e) {
                 reject(
@@ -75,6 +83,7 @@ export class ProfileService {
             team: profileVariables.teamUrl,
             apiToken: profileVariables.apiToken,
             authenticationType: AuthenticationType.BEARER,
+            type: "Key"
         };
         profile.authenticationType = await ProfileValidator.validateProfile(profile);
         return profile;
@@ -120,6 +129,105 @@ export class ProfileService {
         return fileNames;
     }
 
+    public async authorizeProfile(profile: Profile) : Promise<void> {
+        switch (profile.type) {
+            case "Key":
+                const url = profile.team.replace(/\/?$/, "/api/cloud/team");
+                this.tryKeyAuthentication(url, AuthenticationType.BEARER, profile.apiToken).then(() => {
+                    profile.authenticationType = AuthenticationType.BEARER;
+                }).catch(() => {
+                    this.tryKeyAuthentication(url, AuthenticationType.APPKEY, profile.apiToken).then(() => {
+                        profile.authenticationType = AuthenticationType.APPKEY;
+                    }).catch(() => {
+                        logger.error(new FatalError("The provided team or api key is wrong."));
+                    })
+                });
+                break;
+            case "Device Code":
+                try {
+                    const deviceCodeIssuer = await Issuer.discover(profile.team);
+                    const deviceCodeOAuthClient = new deviceCodeIssuer.Client({
+                        client_id: "content-cli",
+                        token_endpoint_auth_method: "none",
+                    });
+                    const deviceCodeHandle = await deviceCodeOAuthClient.deviceAuthorization({
+                        scope: scopes.join(" ")
+                    });
+                    logger.info(`Continue authorization here: ${deviceCodeHandle.verification_uri_complete}`);
+                    const deviceCodeTokenSet = await deviceCodeHandle.poll();
+                    profile.apiToken = deviceCodeTokenSet.access_token;
+                    profile.refreshToken = deviceCodeTokenSet.refresh_token;
+                    profile.expiresAt = deviceCodeTokenSet.expires_at;
+                } catch (err) {
+                    logger.error(new FatalError("The provided team is wrong."));
+                }
+                break;
+            case "Client Credentials":
+                try {
+                    const clientCredentialsIssuer = await Issuer.discover(profile.team);
+                    const clientCredentialsOAuthClient = new clientCredentialsIssuer.Client({
+                        client_id: profile.clientId,
+                        client_secret: profile.clientSecret,
+                        token_endpoint_auth_method: profile.clientAuthenticationMethod,
+                    });
+                    const clientCredentialsTokenSet = await clientCredentialsOAuthClient.grant({
+                        grant_type: "client_credentials",
+                        scope: scopes.join(" ")
+                    });
+                    profile.scopes = [...scopes];
+                    profile.apiToken = clientCredentialsTokenSet.access_token;
+                    profile.expiresAt = clientCredentialsTokenSet.expires_at;
+                } catch (err) {
+                    logger.error(new FatalError("The OAuth client configuration is incorrect. " +
+                        "Check the id, secret and scopes for correctness."));
+                }
+                break;
+            default:
+                logger.error(new FatalError("Unsupported profile type"));
+                break;
+        }
+    }
+
+    public async refreshProfile(profile: Profile) : Promise<void> {
+        if (!this.isProfileExpired(profile, expiryBuffer)) {
+            return;
+        }
+        const issuer = await Issuer.discover(profile.team);
+        if (profile.type === "Device Code") {
+            try {
+                const oauthClient = new issuer.Client({
+                    client_id: "content-cli",
+                    token_endpoint_auth_method: "none",
+                });
+                const tokenSet = await oauthClient.refresh(profile.refreshToken);
+                profile.apiToken = tokenSet.access_token;
+                profile.expiresAt = tokenSet.expires_at;
+                profile.refreshToken = tokenSet.refresh_token;
+            } catch (err) {
+                logger.error(new FatalError("The profile cannot be refreshed. Please retry or recreate profile."));
+            }
+        }
+        else {
+            try {
+                const oauthClient = new issuer.Client({
+                    client_id: profile.clientId,
+                    client_secret: profile.clientSecret,
+                    token_endpoint_auth_method: profile.clientAuthenticationMethod,
+                });
+                const tokenSet = await oauthClient.grant({
+                    grant_type: "client_credentials",
+                    scope: profile.scopes.join(" ")
+                });
+                profile.apiToken = tokenSet.access_token;
+                profile.expiresAt = tokenSet.expires_at;
+            } catch (err) {
+                logger.error(new FatalError("The profile cannot be refreshed. Please retry or recreate profile."));
+            }
+        }
+
+        this.storeProfile(profile);
+    }
+
     private getProfileEnvVariables(): any {
         return {
             teamUrl: this.getBaseTeamUrl(process.env.TEAM_URL),
@@ -135,6 +243,34 @@ export class ProfileService {
         const url = new URL(teamUrl);
         return url.origin;
     }
+
+    private isProfileExpired(profile: Profile, buffer: number = 0): boolean {
+        if (profile.type === "Key") {
+            return false;
+        }
+        const now = new Date();
+        const expirationTime = new Date(profile.expiresAt * 1000 - buffer);
+
+        return now > expirationTime;
+    }
+
+    private tryKeyAuthentication(url: string, authType: AuthenticationType, apiToken: string): Promise<void> {
+        return new Promise<void>((resolve, reject) => {
+            axios.get(url, {
+                headers: {
+                    Authorization: `${authType} ${apiToken}`
+                }
+            }).then(response => {
+                if (response.status === 200 && response.data.domain) {
+                    resolve();
+                } else {
+                    reject();
+                }
+            }).catch(() => {
+                reject();
+            })
+        })
+    }
 }
 
 export  const profileService = new ProfileService();

src/validators/profile.validator.ts

@@ -1,53 +1,23 @@
-import { AuthenticationType, Profile } from "../interfaces/profile.interface";
+import { Profile } from "../interfaces/profile.interface";
 import { FatalError, logger } from "../util/logger";
 import validUrl = require("valid-url");
-import axios from "axios";
 
 export class ProfileValidator {
     public static async validateProfile(profile: Profile): Promise<any> {
-        return new Promise<any>(async (resolve, reject) => {
-            if (profile.name == null) {
-                logger.error(new FatalError("The name can not be empty"));
-            }
-            if (profile.team == null) {
-                logger.error(new FatalError("The team can not be empty"));
-            }
-            if (profile.apiToken == null) {
-                logger.error(new FatalError("The api token can not be empty"));
-            }
-            if (!validUrl.isUri(profile.team)) {
-                logger.error(new FatalError("The provided url is not a valid url."));
-            }
-            const url = profile.team.replace(/\/?$/, "/api/cloud/team");
-
-            this.tryAuthenticationType(url, AuthenticationType.BEARER, profile.apiToken).then(() => {
-                resolve(AuthenticationType.BEARER);
-            }).catch(() => {
-                this.tryAuthenticationType(url, AuthenticationType.APPKEY, profile.apiToken).then(() => {
-                    resolve(AuthenticationType.APPKEY);
-                }).catch(() => {
-                    logger.error(new FatalError("The provided team or api key is wrong."));
-                    reject();
-                })
-            });
-        });
-    }
-
-    private static tryAuthenticationType(url: string, authType: AuthenticationType, apiToken: string): Promise<void> {
-        return new Promise<void>((resolve, reject) => {
-            axios.get(url, {
-                headers: {
-                    Authorization: `${authType} ${apiToken}`
-                }
-            }).then(response => {
-                if (response.status === 200 && response.data.domain) {
-                    resolve();
-                } else {
-                    reject();
-                }
-            }).catch(() => {
-                reject();
-            })
-        })
+        if (profile.name == null) {
+            logger.error(new FatalError("The name can not be empty"));
+        }
+        if (profile.team == null) {
+            logger.error(new FatalError("The team can not be empty"));
+        }
+        if (profile.type === "Key" && profile.apiToken == null) {
+            logger.error(new FatalError("The api token can not be empty for this profile type"));
+        }
+        if (profile.type === "Client Credentials" && (profile.clientId == null || profile.clientSecret == null)) {
+            logger.error(new FatalError("The client id and secret can not be empty for this profile type"));
+        }
+        if (!validUrl.isUri(profile.team)) {
+            logger.error(new FatalError("The provided url is not a valid url."));
+        }
     }
 }

tests/utls/context-mock.ts

@@ -4,9 +4,10 @@ export function setDefaultProfile(): void {
     contextService.setContext({
         profile: {
             name: "test",
+            type: "Key",
             team: "https://myTeam.celonis.cloud/",
             apiToken: "YnQ3N2M0M2ItYzQ3OS00YzgyLTg0ODgtOWNkNzhiNzYwOTU2OlFkNnBpVCs0M0JBYm1ZWGlCZ2hPd245aldwWTNubFQyYVFOTFBUeHEwdUxM",
             authenticationType: "Bearer"
         }
     });
-}
+}