@dcode-dev/dcode-cli 1.0.0

package/internal/auth/oauth2.go

@@ -0,0 +1,227 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+)
+
+// OAuth2Auth implements OAuth2 authentication
+type OAuth2Auth struct {
+	provider     string
+	config       *oauth2.Config
+	token        *oauth2.Token
+	store        CredentialStore
+}
+
+// NewOAuth2Auth creates a new OAuth2 authenticator
+func NewOAuth2Auth(provider string, clientID, clientSecret string, scopes []string, store CredentialStore) *OAuth2Auth {
+	config := &oauth2.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Scopes:       scopes,
+		Endpoint:     google.Endpoint,
+		RedirectURL:  "http://localhost:8085/callback",
+	}
+	
+	return &OAuth2Auth{
+		provider: provider,
+		config:   config,
+		store:    store,
+	}
+}
+
+// StartAuthFlow initiates the OAuth2 flow
+func (a *OAuth2Auth) StartAuthFlow(ctx context.Context) (string, error) {
+	// Generate auth URL
+	authURL := a.config.AuthCodeURL("state", oauth2.AccessTypeOffline)
+	return authURL, nil
+}
+
+// CompleteAuthFlow completes the OAuth2 flow with the authorization code
+func (a *OAuth2Auth) CompleteAuthFlow(ctx context.Context, code string) error {
+	// Exchange code for token
+	token, err := a.config.Exchange(ctx, code)
+	if err != nil {
+		return fmt.Errorf("failed to exchange code: %w", err)
+	}
+	
+	a.token = token
+	
+	// Store credentials
+	if a.store != nil {
+		creds := &Credentials{
+			Type:         AuthTypeOAuth2,
+			Provider:     a.provider,
+			Token:        token.AccessToken,
+			RefreshToken: token.RefreshToken,
+			ExpiresAt:    token.Expiry,
+			Metadata:     make(map[string]string),
+		}
+		
+		if err := a.store.Save(a.provider, creds); err != nil {
+			return fmt.Errorf("failed to store credentials: %w", err)
+		}
+	}
+	
+	return nil
+}
+
+// GetToken returns a valid access token, refreshing if necessary
+func (a *OAuth2Auth) GetToken(ctx context.Context) (string, error) {
+	// Load token from store if not in memory
+	if a.token == nil {
+		if err := a.loadToken(); err != nil {
+			return "", fmt.Errorf("no valid token, please login: %w", err)
+		}
+	}
+	
+	// Check if token needs refresh
+	if a.token.Expiry.Before(time.Now().Add(5 * time.Minute)) {
+		if err := a.Refresh(ctx); err != nil {
+			return "", fmt.Errorf("failed to refresh token: %w", err)
+		}
+	}
+	
+	return a.token.AccessToken, nil
+}
+
+// Refresh refreshes the access token
+func (a *OAuth2Auth) Refresh(ctx context.Context) error {
+	if a.token == nil || a.token.RefreshToken == "" {
+		return fmt.Errorf("no refresh token available")
+	}
+	
+	// Create token source and get fresh token
+	tokenSource := a.config.TokenSource(ctx, a.token)
+	newToken, err := tokenSource.Token()
+	if err != nil {
+		return fmt.Errorf("failed to refresh token: %w", err)
+	}
+	
+	a.token = newToken
+	
+	// Update stored credentials
+	if a.store != nil {
+		creds := &Credentials{
+			Type:         AuthTypeOAuth2,
+			Provider:     a.provider,
+			Token:        newToken.AccessToken,
+			RefreshToken: newToken.RefreshToken,
+			ExpiresAt:    newToken.Expiry,
+			Metadata:     make(map[string]string),
+		}
+		
+		if err := a.store.Save(a.provider, creds); err != nil {
+			return fmt.Errorf("failed to update stored credentials: %w", err)
+		}
+	}
+	
+	return nil
+}
+
+// Validate checks if credentials are valid
+func (a *OAuth2Auth) Validate(ctx context.Context) error {
+	token, err := a.GetToken(ctx)
+	if err != nil {
+		return err
+	}
+	
+	if token == "" {
+		return fmt.Errorf("invalid token")
+	}
+	
+	// Test token with a simple API call
+	client := a.config.Client(ctx, a.token)
+	resp, err := client.Get("https://www.googleapis.com/oauth2/v2/userinfo")
+	if err != nil {
+		return fmt.Errorf("token validation failed: %w", err)
+	}
+	defer resp.Body.Close()
+	
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("token validation failed with status: %d", resp.StatusCode)
+	}
+	
+	return nil
+}
+
+// GetType returns the auth type
+func (a *OAuth2Auth) GetType() AuthType {
+	return AuthTypeOAuth2
+}
+
+// GetProvider returns the provider name
+func (a *OAuth2Auth) GetProvider() string {
+	return a.provider
+}
+
+// Revoke revokes the OAuth2 token
+func (a *OAuth2Auth) Revoke(ctx context.Context) error {
+	if a.token == nil {
+		return nil
+	}
+	
+	// Revoke token with Google
+	revokeURL := fmt.Sprintf("https://oauth2.googleapis.com/revoke?token=%s", a.token.AccessToken)
+	resp, err := http.Post(revokeURL, "application/x-www-form-urlencoded", nil)
+	if err != nil {
+		return fmt.Errorf("failed to revoke token: %w", err)
+	}
+	defer resp.Body.Close()
+	
+	// Delete from store
+	if a.store != nil {
+		if err := a.store.Delete(a.provider); err != nil {
+			return fmt.Errorf("failed to delete stored credentials: %w", err)
+		}
+	}
+	
+	a.token = nil
+	
+	return nil
+}
+
+// loadToken loads token from store
+func (a *OAuth2Auth) loadToken() error {
+	if a.store == nil {
+		return fmt.Errorf("no credential store available")
+	}
+	
+	creds, err := a.store.Load(a.provider)
+	if err != nil {
+		return err
+	}
+	
+	a.token = &oauth2.Token{
+		AccessToken:  creds.Token,
+		RefreshToken: creds.RefreshToken,
+		Expiry:       creds.ExpiresAt,
+		TokenType:    "Bearer",
+	}
+	
+	return nil
+}
+
+// GetTokenInfo returns token information
+func (a *OAuth2Auth) GetTokenInfo(ctx context.Context) (*TokenInfo, error) {
+	if a.token == nil {
+		if err := a.loadToken(); err != nil {
+			return &TokenInfo{Valid: false, Provider: a.provider}, nil
+		}
+	}
+	
+	expiresIn := time.Until(a.token.Expiry)
+	valid := a.token.Valid()
+	
+	return &TokenInfo{
+		Valid:     valid,
+		ExpiresAt: a.token.Expiry,
+		ExpiresIn: expiresIn,
+		Provider:  a.provider,
+	}, nil
+}

package/internal/auth/store.go

@@ -0,0 +1,216 @@
+package auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/zalando/go-keyring"
+)
+
+const (
+	keyringService = "dcode"
+)
+
+// KeyringStore stores credentials in the OS keyring
+type KeyringStore struct {
+	mu sync.RWMutex
+}
+
+// NewKeyringStore creates a new keyring-based credential store
+func NewKeyringStore() *KeyringStore {
+	return &KeyringStore{}
+}
+
+// Save stores credentials in the keyring
+func (s *KeyringStore) Save(provider string, creds *Credentials) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	
+	// Marshal credentials to JSON
+	data, err := json.Marshal(creds)
+	if err != nil {
+		return fmt.Errorf("failed to marshal credentials: %w", err)
+	}
+	
+	// Store in keyring
+	err = keyring.Set(keyringService, provider, string(data))
+	if err != nil {
+		// Fall back to file-based storage if keyring fails
+		return s.saveToFile(provider, creds)
+	}
+	
+	return nil
+}
+
+// Load retrieves credentials from the keyring
+func (s *KeyringStore) Load(provider string) (*Credentials, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	
+	// Get from keyring
+	data, err := keyring.Get(keyringService, provider)
+	if err != nil {
+		// Fall back to file-based storage
+		return s.loadFromFile(provider)
+	}
+	
+	// Unmarshal credentials
+	var creds Credentials
+	if err := json.Unmarshal([]byte(data), &creds); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal credentials: %w", err)
+	}
+	
+	return &creds, nil
+}
+
+// Delete removes credentials from the keyring
+func (s *KeyringStore) Delete(provider string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	
+	// Delete from keyring
+	err := keyring.Delete(keyringService, provider)
+	if err != nil {
+		// Try to delete from file as well
+		_ = s.deleteFromFile(provider)
+	}
+	
+	return nil
+}
+
+// List returns all stored provider names
+func (s *KeyringStore) List() ([]string, error) {
+	// Keyring doesn't support listing, so we fall back to file-based listing
+	return s.listFromFiles()
+}
+
+// File-based fallback methods
+
+func (s *KeyringStore) getCredsDir() (string, error) {
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return "", fmt.Errorf("failed to get home directory: %w", err)
+	}
+	
+	credsDir := filepath.Join(homeDir, ".dcode", "credentials")
+	if err := os.MkdirAll(credsDir, 0700); err != nil {
+		return "", fmt.Errorf("failed to create credentials directory: %w", err)
+	}
+	
+	return credsDir, nil
+}
+
+func (s *KeyringStore) saveToFile(provider string, creds *Credentials) error {
+	credsDir, err := s.getCredsDir()
+	if err != nil {
+		return err
+	}
+	
+	data, err := json.MarshalIndent(creds, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal credentials: %w", err)
+	}
+	
+	filePath := filepath.Join(credsDir, provider+".json")
+	if err := os.WriteFile(filePath, data, 0600); err != nil {
+		return fmt.Errorf("failed to write credentials file: %w", err)
+	}
+	
+	return nil
+}
+
+func (s *KeyringStore) loadFromFile(provider string) (*Credentials, error) {
+	credsDir, err := s.getCredsDir()
+	if err != nil {
+		return nil, err
+	}
+	
+	filePath := filepath.Join(credsDir, provider+".json")
+	data, err := os.ReadFile(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("credentials not found for provider: %s", provider)
+	}
+	
+	var creds Credentials
+	if err := json.Unmarshal(data, &creds); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal credentials: %w", err)
+	}
+	
+	return &creds, nil
+}
+
+func (s *KeyringStore) deleteFromFile(provider string) error {
+	credsDir, err := s.getCredsDir()
+	if err != nil {
+		return err
+	}
+	
+	filePath := filepath.Join(credsDir, provider+".json")
+	return os.Remove(filePath)
+}
+
+func (s *KeyringStore) listFromFiles() ([]string, error) {
+	credsDir, err := s.getCredsDir()
+	if err != nil {
+		return nil, err
+	}
+	
+	entries, err := os.ReadDir(credsDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return []string{}, nil
+		}
+		return nil, err
+	}
+	
+	providers := make([]string, 0, len(entries))
+	for _, entry := range entries {
+		if !entry.IsDir() && filepath.Ext(entry.Name()) == ".json" {
+			provider := entry.Name()[:len(entry.Name())-5] // Remove .json
+			providers = append(providers, provider)
+		}
+	}
+	
+	return providers, nil
+}
+
+// FileStore is a simple file-based credential store (no keyring)
+type FileStore struct {
+	KeyringStore // Reuse keyring store's file methods
+}
+
+// NewFileStore creates a new file-based credential store
+func NewFileStore() *FileStore {
+	return &FileStore{
+		KeyringStore: KeyringStore{},
+	}
+}
+
+// Save stores credentials in a file
+func (s *FileStore) Save(provider string, creds *Credentials) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.saveToFile(provider, creds)
+}
+
+// Load retrieves credentials from a file
+func (s *FileStore) Load(provider string) (*Credentials, error) {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.loadFromFile(provider)
+}
+
+// Delete removes credentials file
+func (s *FileStore) Delete(provider string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	return s.deleteFromFile(provider)
+}
+
+// List returns all stored provider names
+func (s *FileStore) List() ([]string, error) {
+	return s.listFromFiles()
+}

package/internal/auth/types.go

@@ -0,0 +1,79 @@
+package auth
+
+import (
+	"context"
+	"time"
+)
+
+// AuthType represents the type of authentication
+type AuthType string
+
+const (
+	// AuthTypeAPIKey uses a simple API key
+	AuthTypeAPIKey AuthType = "api_key"
+	
+	// AuthTypeOAuth2 uses OAuth2 flow
+	AuthTypeOAuth2 AuthType = "oauth2"
+	
+	// AuthTypeADC uses Application Default Credentials
+	AuthTypeADC AuthType = "adc"
+	
+	// AuthTypeVertexAI uses Vertex AI authentication
+	AuthTypeVertexAI AuthType = "vertex_ai"
+)
+
+// Credentials represents authentication credentials
+type Credentials struct {
+	Type         AuthType
+	Provider     string
+	Token        string
+	RefreshToken string
+	ExpiresAt    time.Time
+	Metadata     map[string]string
+}
+
+// Authenticator interface for all auth types
+type Authenticator interface {
+	// GetToken returns a valid access token
+	GetToken(ctx context.Context) (string, error)
+	
+	// Refresh refreshes the token if needed
+	Refresh(ctx context.Context) error
+	
+	// Validate checks if credentials are valid
+	Validate(ctx context.Context) error
+	
+	// GetType returns the auth type
+	GetType() AuthType
+	
+	// GetProvider returns the provider name
+	GetProvider() string
+	
+	// Revoke revokes/logs out the credentials
+	Revoke(ctx context.Context) error
+}
+
+// CredentialStore interface for storing credentials securely
+type CredentialStore interface {
+	// Save stores credentials
+	Save(provider string, creds *Credentials) error
+	
+	// Load retrieves credentials
+	Load(provider string) (*Credentials, error)
+	
+	// Delete removes credentials
+	Delete(provider string) error
+	
+	// List returns all stored provider names
+	List() ([]string, error)
+}
+
+// TokenInfo represents token metadata
+type TokenInfo struct {
+	Valid      bool
+	ExpiresAt  time.Time
+	ExpiresIn  time.Duration
+	Provider   string
+	User       string
+	Scopes     []string
+}

package/internal/auth/vertex.go

@@ -0,0 +1,138 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"cloud.google.com/go/compute/metadata"
+)
+
+// VertexAIAuth implements Vertex AI authentication
+type VertexAIAuth struct {
+	provider string
+	project  string
+	location string
+	apiKey   string
+	store    CredentialStore
+}
+
+// NewVertexAIAuth creates a new Vertex AI authenticator
+func NewVertexAIAuth(provider, project, location, apiKey string, store CredentialStore) *VertexAIAuth {
+	return &VertexAIAuth{
+		provider: provider,
+		project:  project,
+		location: location,
+		apiKey:   apiKey,
+		store:    store,
+	}
+}
+
+// GetToken returns a valid access token for Vertex AI
+func (a *VertexAIAuth) GetToken(ctx context.Context) (string, error) {
+	// If API key is provided, use it directly
+	if a.apiKey != "" {
+		return a.apiKey, nil
+	}
+	
+	// Otherwise, use ADC
+	adcAuth := NewADCAuth(a.provider, []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+		"https://www.googleapis.com/auth/generative-language",
+	})
+	
+	return adcAuth.GetToken(ctx)
+}
+
+// Refresh refreshes the token if using ADC
+func (a *VertexAIAuth) Refresh(ctx context.Context) error {
+	if a.apiKey != "" {
+		return nil // API key doesn't need refresh
+	}
+	
+	// ADC handles refresh automatically
+	return nil
+}
+
+// Validate checks if Vertex AI credentials are valid
+func (a *VertexAIAuth) Validate(ctx context.Context) error {
+	if a.project == "" {
+		return fmt.Errorf("project ID is required for Vertex AI")
+	}
+	
+	if a.location == "" {
+		a.location = "us-central1" // Default location
+	}
+	
+	// Try to get token
+	_, err := a.GetToken(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get Vertex AI token: %w", err)
+	}
+	
+	// For Vertex AI, just check that we can get a token
+	// Full validation would require actual API calls which we skip for now
+	return nil
+}
+
+// GetType returns the auth type
+func (a *VertexAIAuth) GetType() AuthType {
+	return AuthTypeVertexAI
+}
+
+// GetProvider returns the provider name
+func (a *VertexAIAuth) GetProvider() string {
+	return a.provider
+}
+
+// Revoke revokes the credentials
+func (a *VertexAIAuth) Revoke(ctx context.Context) error {
+	if a.apiKey != "" {
+		a.apiKey = ""
+		return nil
+	}
+	
+	// For ADC, we can't revoke
+	return fmt.Errorf("cannot revoke Vertex AI ADC credentials")
+}
+
+// GetTokenInfo returns token information
+func (a *VertexAIAuth) GetTokenInfo(ctx context.Context) (*TokenInfo, error) {
+	if a.apiKey != "" {
+		return &TokenInfo{
+			Valid:     true,
+			Provider:  a.provider,
+			ExpiresAt: time.Time{}, // API keys don't expire
+		}, nil
+	}
+	
+	// Use ADC for token info
+	adcAuth := NewADCAuth(a.provider, []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+	})
+	
+	return adcAuth.GetTokenInfo(ctx)
+}
+
+// GetProject returns the GCP project ID
+func (a *VertexAIAuth) GetProject() string {
+	if a.project != "" {
+		return a.project
+	}
+	
+	// Try to get from metadata server
+	if metadata.OnGCE() {
+		project, _ := metadata.ProjectID()
+		return project
+	}
+	
+	return ""
+}
+
+// GetLocation returns the GCP location
+func (a *VertexAIAuth) GetLocation() string {
+	if a.location != "" {
+		return a.location
+	}
+	return "us-central1" // Default
+}