nix-cache-login/cmd/login.go

package cmd

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"

	gooidc "github.com/coreos/go-oidc/v3/oidc"
	"github.com/spf13/cobra"
	"golang.org/x/oauth2"

	"guardianproject.dev/ops/nix-cache-login/internal/browser"
	"guardianproject.dev/ops/nix-cache-login/internal/config"
	"guardianproject.dev/ops/nix-cache-login/internal/netrc"
	"guardianproject.dev/ops/nix-cache-login/internal/token"
)

var loginCmd = &cobra.Command{
	Use:   "login",
	Short: "Authenticate via browser (Authorization Code + PKCE)",
	Long: `Opens a browser for OIDC authentication with Keycloak.
Uses Authorization Code flow with PKCE (S256). The access token
is written to the netrc file for Nix to use.`,
	RunE: runLogin,
}

func init() {
	rootCmd.AddCommand(loginCmd)
}

func runLogin(cmd *cobra.Command, args []string) error {
	ctx := context.Background()

	// OIDC discovery
	provider, err := gooidc.NewProvider(ctx, cfg.Issuer)
	if err != nil {
		return fmt.Errorf("OIDC discovery failed: %w", err)
	}

	// Start listener on random port
	listener, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return fmt.Errorf("starting callback server: %w", err)
	}
	port := listener.Addr().(*net.TCPAddr).Port
	redirectURL := fmt.Sprintf("http://127.0.0.1:%d", port)

	oauthCfg := oauth2.Config{
		ClientID:    cfg.ClientID,
		Endpoint:    provider.Endpoint(),
		RedirectURL: redirectURL,
		Scopes:      []string{gooidc.ScopeOpenID},
	}

	// Generate PKCE verifier
	verifier := oauth2.GenerateVerifier()

	// Generate random state
	stateBytes := make([]byte, 16)
	if _, err := rand.Read(stateBytes); err != nil {
		return fmt.Errorf("generating state: %w", err)
	}
	state := hex.EncodeToString(stateBytes)

	// Build auth URL
	authURL := oauthCfg.AuthCodeURL(state, oauth2.S256ChallengeOption(verifier))

	// Channel to receive the token
	type result struct {
		token *oauth2.Token
		err   error
	}
	resultCh := make(chan result, 1)

	// HTTP handler for callback
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("state") != state {
			http.Error(w, "Invalid state parameter", http.StatusBadRequest)
			resultCh <- result{err: fmt.Errorf("state mismatch")}
			return
		}

		if errParam := r.URL.Query().Get("error"); errParam != "" {
			desc := r.URL.Query().Get("error_description")
			http.Error(w, fmt.Sprintf("Authentication failed: %s", desc), http.StatusBadRequest)
			resultCh <- result{err: fmt.Errorf("auth error: %s (%s)", errParam, desc)}
			return
		}

		code := r.URL.Query().Get("code")
		if code == "" {
			http.Error(w, "Missing code parameter", http.StatusBadRequest)
			resultCh <- result{err: fmt.Errorf("missing code parameter")}
			return
		}

		tok, err := oauthCfg.Exchange(ctx, code, oauth2.VerifierOption(verifier))
		if err != nil {
			http.Error(w, "Token exchange failed", http.StatusInternalServerError)
			resultCh <- result{err: fmt.Errorf("token exchange: %w", err)}
			return
		}

		fmt.Fprintf(w, "<html><body><h2>Authentication successful!</h2><p>You can close this window.</p></body></html>")
		resultCh <- result{token: tok}
	})

	server := &http.Server{Handler: mux}

	// Start server in background
	go func() {
		if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {
			resultCh <- result{err: fmt.Errorf("callback server: %w", err)}
		}
	}()

	// Open browser
	fmt.Fprintln(os.Stderr, "Opening browser for authentication...")
	if err := browser.Open(authURL); err != nil {
		fmt.Fprintf(os.Stderr, "Could not open browser: %v\n", err)
	}
	fmt.Fprintf(os.Stderr, "If the browser didn't open, visit:\n  %s\n", authURL)

	// Wait for callback
	res := <-resultCh

	// Shut down server
	shutdownCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
	defer cancel()
	server.Shutdown(shutdownCtx)

	if res.err != nil {
		return res.err
	}

	// Write access token to netrc
	if err := netrc.Upsert(cfg.NetrcPath, cfg.CacheHost, res.token.AccessToken); err != nil {
		return fmt.Errorf("writing netrc: %w", err)
	}

	// Store refresh token
	if res.token.RefreshToken != "" {
		rtPath := config.RefreshTokenPath()
		if err := os.MkdirAll(filepath.Dir(rtPath), 0700); err != nil {
			return fmt.Errorf("creating config directory: %w", err)
		}
		if err := os.WriteFile(rtPath, []byte(res.token.RefreshToken), 0600); err != nil {
			return fmt.Errorf("writing refresh token: %w", err)
		}
	}

	// Decode JWT to show expiry
	claims, err := token.DecodePayload(res.token.AccessToken)
	if err != nil {
		fmt.Fprintln(os.Stderr, "Authenticated successfully (could not decode token expiry).")
		return nil
	}

	exp, _ := token.ExpiryInfo(claims)
	if !exp.IsZero() {
		fmt.Fprintf(os.Stderr, "Authenticated. Token valid until %s.\n", exp.Local().Format(time.RFC1123))
	} else {
		fmt.Fprintln(os.Stderr, "Authenticated successfully.")
	}

	return nil
}
initial working version 2026-02-26 11:05:16 +01:00			`package cmd`

			`import (`
			`"context"`
			`"crypto/rand"`
			`"encoding/hex"`
			`"fmt"`
			`"net"`
			`"net/http"`
			`"os"`
			`"path/filepath"`
			`"time"`

			`gooidc "github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/spf13/cobra"`
			`"golang.org/x/oauth2"`

			`"guardianproject.dev/ops/nix-cache-login/internal/browser"`
			`"guardianproject.dev/ops/nix-cache-login/internal/config"`
			`"guardianproject.dev/ops/nix-cache-login/internal/netrc"`
			`"guardianproject.dev/ops/nix-cache-login/internal/token"`
			`)`

			`var loginCmd = &cobra.Command{`
			`Use: "login",`
			`Short: "Authenticate via browser (Authorization Code + PKCE)",`
			Long: `Opens a browser for OIDC authentication with Keycloak.
			`Uses Authorization Code flow with PKCE (S256). The access token`
			is written to the netrc file for Nix to use.`,
			`RunE: runLogin,`
			`}`

			`func init() {`
			`rootCmd.AddCommand(loginCmd)`
			`}`

			`func runLogin(cmd *cobra.Command, args []string) error {`
			`ctx := context.Background()`

			`// OIDC discovery`
			`provider, err := gooidc.NewProvider(ctx, cfg.Issuer)`
			`if err != nil {`
			`return fmt.Errorf("OIDC discovery failed: %w", err)`
			`}`

			`// Start listener on random port`
			`listener, err := net.Listen("tcp", "127.0.0.1:0")`
			`if err != nil {`
			`return fmt.Errorf("starting callback server: %w", err)`
			`}`
			`port := listener.Addr().(*net.TCPAddr).Port`
			`redirectURL := fmt.Sprintf("http://127.0.0.1:%d", port)`

			`oauthCfg := oauth2.Config{`
			`ClientID: cfg.ClientID,`
			`Endpoint: provider.Endpoint(),`
			`RedirectURL: redirectURL,`
			`Scopes: []string{gooidc.ScopeOpenID},`
			`}`

			`// Generate PKCE verifier`
			`verifier := oauth2.GenerateVerifier()`

			`// Generate random state`
			`stateBytes := make([]byte, 16)`
			`if _, err := rand.Read(stateBytes); err != nil {`
			`return fmt.Errorf("generating state: %w", err)`
			`}`
			`state := hex.EncodeToString(stateBytes)`

			`// Build auth URL`
			`authURL := oauthCfg.AuthCodeURL(state, oauth2.S256ChallengeOption(verifier))`

			`// Channel to receive the token`
			`type result struct {`
			`token *oauth2.Token`
			`err error`
			`}`
			`resultCh := make(chan result, 1)`

			`// HTTP handler for callback`
			`mux := http.NewServeMux()`
			`mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {`
			`if r.URL.Query().Get("state") != state {`
			`http.Error(w, "Invalid state parameter", http.StatusBadRequest)`
			`resultCh <- result{err: fmt.Errorf("state mismatch")}`
			`return`
			`}`

			`if errParam := r.URL.Query().Get("error"); errParam != "" {`
			`desc := r.URL.Query().Get("error_description")`
			`http.Error(w, fmt.Sprintf("Authentication failed: %s", desc), http.StatusBadRequest)`
			`resultCh <- result{err: fmt.Errorf("auth error: %s (%s)", errParam, desc)}`
			`return`
			`}`

			`code := r.URL.Query().Get("code")`
			`if code == "" {`
			`http.Error(w, "Missing code parameter", http.StatusBadRequest)`
			`resultCh <- result{err: fmt.Errorf("missing code parameter")}`
			`return`
			`}`

			`tok, err := oauthCfg.Exchange(ctx, code, oauth2.VerifierOption(verifier))`
			`if err != nil {`
			`http.Error(w, "Token exchange failed", http.StatusInternalServerError)`
			`resultCh <- result{err: fmt.Errorf("token exchange: %w", err)}`
			`return`
			`}`

			`fmt.Fprintf(w, "<html><body><h2>Authentication successful!</h2><p>You can close this window.</p></body></html>")`
			`resultCh <- result{token: tok}`
			`})`

			`server := &http.Server{Handler: mux}`

			`// Start server in background`
			`go func() {`
			`if err := server.Serve(listener); err != nil && err != http.ErrServerClosed {`
			`resultCh <- result{err: fmt.Errorf("callback server: %w", err)}`
			`}`
			`}()`

			`// Open browser`
			`fmt.Fprintln(os.Stderr, "Opening browser for authentication...")`
			`if err := browser.Open(authURL); err != nil {`
			`fmt.Fprintf(os.Stderr, "Could not open browser: %v\n", err)`
			`}`
			`fmt.Fprintf(os.Stderr, "If the browser didn't open, visit:\n %s\n", authURL)`

			`// Wait for callback`
			`res := <-resultCh`

			`// Shut down server`
			`shutdownCtx, cancel := context.WithTimeout(ctx, 5*time.Second)`
			`defer cancel()`
			`server.Shutdown(shutdownCtx)`

			`if res.err != nil {`
			`return res.err`
			`}`

			`// Write access token to netrc`
			`if err := netrc.Upsert(cfg.NetrcPath, cfg.CacheHost, res.token.AccessToken); err != nil {`
			`return fmt.Errorf("writing netrc: %w", err)`
			`}`

			`// Store refresh token`
			`if res.token.RefreshToken != "" {`
			`rtPath := config.RefreshTokenPath()`
			`if err := os.MkdirAll(filepath.Dir(rtPath), 0700); err != nil {`
			`return fmt.Errorf("creating config directory: %w", err)`
			`}`
			`if err := os.WriteFile(rtPath, []byte(res.token.RefreshToken), 0600); err != nil {`
			`return fmt.Errorf("writing refresh token: %w", err)`
			`}`
			`}`

			`// Decode JWT to show expiry`
			`claims, err := token.DecodePayload(res.token.AccessToken)`
			`if err != nil {`
			`fmt.Fprintln(os.Stderr, "Authenticated successfully (could not decode token expiry).")`
			`return nil`
			`}`

			`exp, _ := token.ExpiryInfo(claims)`
			`if !exp.IsZero() {`
			`fmt.Fprintf(os.Stderr, "Authenticated. Token valid until %s.\n", exp.Local().Format(time.RFC1123))`
			`} else {`
			`fmt.Fprintln(os.Stderr, "Authenticated successfully.")`
			`}`

			`return nil`
			`}`