fix(auth): missing auth issue with oauth
PeterSchafer committed Sep 6, 2024
1 parent 9083ee1 commit 20ff23f
Showing 3 changed files with 17 additions and 18 deletions.
1 change: 1 addition & 0 deletions cliv2/internal/constants/constants.go
Expand Up @@ -19,6 +19,7 @@ const SNYK_NPM_ALL_PROXY = "ALL_PROXY"
const SNYK_CA_CERTIFICATE_LOCATION_ENV = "NODE_EXTRA_CA_CERTS"
const SNYK_INTERNAL_NO_PROXY = "localhost,127.0.0.1,::1"
const SNYK_OAUTH_ACCESS_TOKEN_ENV = "SNYK_OAUTH_TOKEN"
const SNYK_API_TOKEN_ENV = "SNYK_TOKEN"
const SNYK_ANALYTICS_DISABLED_ENV = "SNYK_DISABLE_ANALYTICS"
const SNYK_INTERNAL_ORGID_ENV = "SNYK_INTERNAL_ORGID"
const SNYK_INTERNAL_PREVIEW_FEATURES_ENABLED = "SNYK_INTERNAL_PREVIEW_FEATURES"
25 changes: 7 additions & 18 deletions cliv2/pkg/basic_workflows/legacycli.go
Expand Up @@ -8,7 +8,6 @@ import (

"github.com/pkg/errors"
"github.com/rs/zerolog"
"github.com/snyk/go-application-framework/pkg/auth"
"github.com/snyk/go-application-framework/pkg/configuration"
"github.com/snyk/go-application-framework/pkg/logging"
"github.com/snyk/go-application-framework/pkg/networking"
Expand Down Expand Up @@ -76,7 +75,6 @@ func legacycliWorkflow(
debugLoggerDefault := invocation.GetLogger() // uses log
networkAccess := invocation.GetNetworkAccess()

oauthIsAvailable := config.GetBool(configuration.FF_OAUTH_AUTH_FLOW_ENABLED)
args := config.GetStringSlice(configuration.RAW_CMD_ARGS)
useStdIo := config.GetBool(configuration.WORKFLOW_USE_STDIO)
isDebug := config.GetBool(configuration.DEBUG)
Expand Down Expand Up @@ -104,23 +102,14 @@ func legacycliWorkflow(
cli.AppendEnvironmentVariables(env)
}

if oauthIsAvailable {
// The Legacy CLI doesn't support oauth authentication. Oauth authentication is implemented in the Extensible CLI and is added
// to the legacy CLI by forwarding network traffic through the internal proxy of the Extensible CLI.
// The legacy CLI always expects some sort of token to be available, otherwise some functionality isn't available. This is why we inject
// a random token value to bypass these checks and replace the proper authentication headers in the internal proxy.
// Injecting the real token here and not in the proxy would create an issue when the token expires during CLI execution.
if oauth := config.GetString(auth.CONFIG_KEY_OAUTH_TOKEN); len(oauth) > 0 {
envMap := pkg_utils.ToKeyValueMap(os.Environ(), "=")
if _, ok := envMap[constants.SNYK_OAUTH_ACCESS_TOKEN_ENV]; !ok {
env := []string{constants.SNYK_OAUTH_ACCESS_TOKEN_ENV + "=randomtoken"}
cli.AppendEnvironmentVariables(env)
debugLogger.Print("Authentication: Oauth token handling delegated to Extensible CLI.")
} else {
debugLogger.Print("Authentication: Using oauth token from Environment Variable.")
}
}
// In general all authentication if handled through the Extensible CLI now. But there is some legacy logic
// that checks for an API token to be available. Until this logic is safely removed, we will be injecting a
// fake/random API token to bypass this logic.
apiToken := config.GetString(configuration.AUTHENTICATION_TOKEN)
if len(apiToken) == 0 {
apiToken = "random"
}
cli.AppendEnvironmentVariables([]string{constants.SNYK_API_TOKEN_ENV + "=" + apiToken})

err = cli.Init()
if err != nil {
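Review bot: The fallback `apiToken = "random"` is now appended via `cli.AppendEnvironmentVariables([]string{constants.SNYK_API_TOKEN_ENV + "=" + apiToken})` unconditionally, whereas the removed block first looked up `pkg_utils.ToKeyValueMap(os.Environ(), "=")` to avoid injecting when the variable was already set; if AppendEnvironmentVariables appends to the inherited environment instead of replacing matching keys (not visible in this hunk), the child process can carry two `SNYK_TOKEN` entries and which one the legacy CLI reads is platform-dependent, so that presence check may still be needed. The literal `"random"` is a placeholder whose only job is to satisfy the legacy token-presence check, and the comment says authentication is handled by the Extensible CLI, so the internal proxy is presumably what supplies the real credential on the wire — that contract belongs next to the value, e.g. `const placeholderAPIToken = "random" // satisfies the legacy token check only; the internal proxy is expected to set the real Authorization header — confirm`. The same comment has a typo, `In general all authentication if handled` should read `is handled`. legacycliWorkflow begins and ends outside this hunk.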
9 changes: 9 additions & 0 deletions test/jest/acceptance/auth.spec.ts
Expand Up @@ -55,6 +55,15 @@ describe('Auth', () => {
},
);
expect(code).toEqual(0);

// Run this command to verify that it succeeds with oauth, since it is implemented in TS
const ignoreCode = await runSnykCLI(
`ignore --id=das`,
{
env,
},
);
expect(ignoreCode.code).toEqual(0);
});

it('fails to us oauth client credentials grant to authenticate', async () => {
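Review bot: `ignoreCode` at `const ignoreCode = await runSnykCLI(...)` holds the whole result object (the assertion reads `ignoreCode.code`), which is misleading next to the plain `code` asserted on the line above; `const ignoreResult = await runSnykCLI(...)` with `expect(ignoreResult.code).toEqual(0)` reads consistently. The test asserts only the exit status, so a run that bypasses the oauth path but still exits 0 would pass; asserting on stdout or on what `ignore` produced would make the oauth check stronger, and if `ignore --id=das` writes a policy file into the working directory (not visible here) that file is left behind for later tests. The comment could state what is being verified, e.g. `// 'ignore' is implemented in the TypeScript CLI, so this exercises oauth token forwarding end to end`.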
