fix: lock OAuthConfig init (#412)

Author: ShawkyZ

pkg/app/app_test.go

@@ -1,7 +1,10 @@
 package app
 
 import (
+	"crypto/rand"
+	"crypto/rsa"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
@@ -14,15 +17,19 @@ import (
 
 	"github.com/golang/mock/gomock"
 	zlog "github.com/rs/zerolog/log"
-	"github.com/stretchr/testify/assert"
-
 	"github.com/snyk/go-application-framework/internal/api"
 	"github.com/snyk/go-application-framework/internal/constants"
 	"github.com/snyk/go-application-framework/internal/mocks"
+	"github.com/snyk/go-application-framework/pkg/analytics"
 	"github.com/snyk/go-application-framework/pkg/auth"
 	"github.com/snyk/go-application-framework/pkg/configuration"
+	localworkflows "github.com/snyk/go-application-framework/pkg/local_workflows"
+	pkgMocks "github.com/snyk/go-application-framework/pkg/mocks"
 	"github.com/snyk/go-application-framework/pkg/runtimeinfo"
 	"github.com/snyk/go-application-framework/pkg/workflow"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/jws"
 )
 
 func Test_AddsDefaultFunctionForCustomConfigFiles(t *testing.T) {
@@ -589,3 +596,125 @@ func TestDefaultInputDirectory(t *testing.T) {
 		assert.IsType(t, defaultFunction, defaultFunction)
 	})
 }
+
+func Test_auth_oauth(t *testing.T) {
+	mockCtl := gomock.NewController(t)
+	engine := CreateAppEngine()
+	logger := engine.GetLogger()
+	analytics := analytics.New()
+
+	t.Run("oauth token is set on global config", func(t *testing.T) {
+		// Create separate configs for invocation and global
+		globalConfig := engine.GetConfiguration()
+		invocationConfig := globalConfig.Clone()
+
+		// Expected OAuth token that will be set after authentication
+		expectedOAuthToken := "test-oauth-token-12345"
+
+		invocationConfig.Set(localworkflows.AuthTypeParameter, auth.AUTH_TYPE_OAUTH)
+
+		// Create mocks
+		mockInvocationContext := pkgMocks.NewMockInvocationContext(mockCtl)
+		mockInvocationContext.EXPECT().GetConfiguration().Return(invocationConfig).AnyTimes()
+		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(logger).AnyTimes()
+		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
+		mockInvocationContext.EXPECT().GetEngine().Return(engine).AnyTimes()
+
+		mockAuthenticator := pkgMocks.NewMockAuthenticator(mockCtl)
+		mockAuthenticator.EXPECT().Authenticate().DoAndReturn(func() error {
+			// Simulate successful OAuth authentication by setting the token
+			invocationConfig.Set(auth.CONFIG_KEY_OAUTH_TOKEN, expectedOAuthToken)
+			return nil
+		})
+
+		// Execute the auth workflow
+		err := localworkflows.AuthEntryPointDI(mockInvocationContext, logger, engine, mockAuthenticator)
+		assert.NoError(t, err)
+
+		// Verify that the OAuth token was set on the global config
+		actualToken := globalConfig.Get(auth.CONFIG_KEY_OAUTH_TOKEN)
+		assert.Equal(t, expectedOAuthToken, actualToken, "OAuth token should be set on global config after successful authentication")
+
+		// Verify that the authentication token is not set (should be cleared)
+		assert.Empty(t, globalConfig.GetString(configuration.AUTHENTICATION_TOKEN), "Legacy authentication token should be cleared")
+	})
+
+	t.Run("oauth token change updates api url extraction", func(t *testing.T) {
+		createOAuthTokenWithAudience := func(audience string) string {
+			header := &jws.Header{}
+			claims := &jws.ClaimSet{
+				Aud: audience,
+			}
+			pk, err := rsa.GenerateKey(rand.Reader, 2048)
+			assert.NoError(t, err)
+
+			accessToken, err := jws.Encode(header, claims, pk)
+			assert.NoError(t, err)
+
+			token := oauth2.Token{
+				AccessToken: accessToken,
+			}
+
+			tokenBytes, err := json.Marshal(token)
+			assert.NoError(t, err)
+
+			return string(tokenBytes)
+		}
+
+		globalConfig := engine.GetConfiguration()
+		globalConfig.Set(configuration.API_URL, "https://api.snyk.io")
+		invocationConfig := globalConfig.Clone()
+
+		firstAPIURL := "https://api.eu.snyk.io"
+		firstOAuthToken := createOAuthTokenWithAudience(firstAPIURL)
+
+		// Set auth type to OAuth
+		invocationConfig.Set(localworkflows.AuthTypeParameter, auth.AUTH_TYPE_OAUTH)
+
+		// Create mocks
+		mockInvocationContext := pkgMocks.NewMockInvocationContext(mockCtl)
+		mockInvocationContext.EXPECT().GetConfiguration().Return(invocationConfig).AnyTimes()
+		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(logger).AnyTimes()
+		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
+
+		// First authentication with US token
+		mockAuthenticator := pkgMocks.NewMockAuthenticator(mockCtl)
+		mockAuthenticator.EXPECT().Authenticate().DoAndReturn(func() error {
+			invocationConfig.Set(auth.CONFIG_KEY_OAUTH_TOKEN, firstOAuthToken)
+			return nil
+		})
+
+		// Execute first auth workflow
+		err := localworkflows.AuthEntryPointDI(mockInvocationContext, logger, engine, mockAuthenticator)
+		assert.NoError(t, err)
+
+		// Verify first OAuth token was set
+		actualToken := globalConfig.GetString(auth.CONFIG_KEY_OAUTH_TOKEN)
+		assert.Equal(t, firstOAuthToken, actualToken)
+
+		actualApiUrl := globalConfig.GetString(configuration.API_URL)
+		assert.Equal(t, firstAPIURL, actualApiUrl, "First OAuth token should contain EU API URL")
+
+		// Now simulate re-authentication with EU
+		secondAPIURL := "https://api.us.snyk.io"
+		secondOAuthToken := createOAuthTokenWithAudience(secondAPIURL)
+
+		// Mock second authentication
+		mockAuthenticator.EXPECT().Authenticate().DoAndReturn(func() error {
+			invocationConfig.Set(auth.CONFIG_KEY_OAUTH_TOKEN, secondOAuthToken)
+			return nil
+		})
+
+		// Execute second workflow
+		err = localworkflows.AuthEntryPointDI(mockInvocationContext, logger, engine, mockAuthenticator)
+		assert.NoError(t, err)
+
+		// Verify second OAuth token was set
+		actualToken = globalConfig.GetString(auth.CONFIG_KEY_OAUTH_TOKEN)
+		assert.Equal(t, secondOAuthToken, actualToken)
+
+		// Extract and verify second API URL from token
+		actualApiUrl = globalConfig.GetString(configuration.API_URL)
+		assert.Equal(t, secondAPIURL, actualApiUrl, "Second OAuth token should contain US API URL")
+	})
+}

pkg/auth/oauth2authenticator.go

@@ -273,7 +273,9 @@ func (o *oAuth2Authenticator) Authenticate() error {
 func (o *oAuth2Authenticator) CancelableAuthenticate(ctx context.Context) error {
 	var err error
 
+	globalRefreshMutex.Lock()
 	o.oauthConfig = getOAuthConfiguration(o.config)
+	globalRefreshMutex.Unlock()
 
 	if o.grantType == ClientCredentialsGrant {
 		err = o.authenticateWithClientCredentialsGrant(ctx)

pkg/local_workflows/auth_workflow.go

@@ -18,7 +18,7 @@ import (
 const (
 	workflowNameAuth  = "auth"
 	headlessFlag      = "headless"
-	authTypeParameter = "auth-type"
+	AuthTypeParameter = "auth-type"
 )
 
 var authTypeDescription = fmt.Sprint("Authentication type (", auth.AUTH_TYPE_TOKEN, ", ", auth.AUTH_TYPE_OAUTH, ")")
@@ -39,7 +39,7 @@ var ConfigurationNewAuthenticationToken = "internal_new_snyk_token"
 // InitAuth initializes the auth workflow before registering it with the engine.
 func InitAuth(engine workflow.Engine) error {
 	config := pflag.NewFlagSet(workflowNameAuth, pflag.ExitOnError)
-	config.String(authTypeParameter, "", authTypeDescription)
+	config.String(AuthTypeParameter, "", authTypeDescription)
 	config.Bool(headlessFlag, false, "Enable headless OAuth authentication")
 	config.String(auth.PARAMETER_CLIENT_SECRET, "", "Client Credential Grant, client secret")
 	config.String(auth.PARAMETER_CLIENT_ID, "", "Client Credential Grant, client id")
@@ -59,7 +59,7 @@ func authEntryPoint(invocationCtx workflow.InvocationContext, _ []workflow.Data)
 	config := invocationCtx.GetConfiguration()
 	logger := invocationCtx.GetEnhancedLogger()
 	engine := invocationCtx.GetEngine()
-	globalConfig := invocationCtx.GetEngine().GetConfiguration()
+	globalConfig := engine.GetConfiguration()
 
 	// cache always interferes with auth
 	globalConfig.ClearCache()
@@ -76,7 +76,7 @@ func authEntryPoint(invocationCtx workflow.InvocationContext, _ []workflow.Data)
 		auth.WithLogger(logger),
 	)
 
-	err = entryPointDI(invocationCtx, logger, engine, authenticator)
+	err = AuthEntryPointDI(invocationCtx, logger, engine, authenticator)
 	return nil, err
 }
 
@@ -102,18 +102,18 @@ func autoDetectAuthType(config configuration.Configuration) string {
 	return auth.AUTH_TYPE_OAUTH
 }
 
-func entryPointDI(invocationCtx workflow.InvocationContext, logger *zerolog.Logger, engine workflow.Engine, authenticator auth.Authenticator) (err error) {
+func AuthEntryPointDI(invocationCtx workflow.InvocationContext, logger *zerolog.Logger, engine workflow.Engine, authenticator auth.Authenticator) (err error) {
 	analytics := invocationCtx.GetAnalytics()
 	globalConfig := engine.GetConfiguration()
 	config := invocationCtx.GetConfiguration()
 
-	authType := config.GetString(authTypeParameter)
+	authType := config.GetString(AuthTypeParameter)
 	if len(authType) == 0 {
 		authType = autoDetectAuthType(config)
 	}
 
 	logger.Printf("Authentication Type: %s", authType)
-	analytics.AddExtensionStringValue(authTypeParameter, authType)
+	analytics.AddExtensionStringValue(AuthTypeParameter, authType)
 
 	existingSnykToken := config.GetString(configuration.AUTHENTICATION_TOKEN)
 	// always attempt to clear existing tokens before triggering auth for current config clone and global config

pkg/local_workflows/auth_workflow_test.go

@@ -7,12 +7,11 @@ import (
 
 	"github.com/golang/mock/gomock"
 	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/assert"
-
 	"github.com/snyk/go-application-framework/pkg/analytics"
 	"github.com/snyk/go-application-framework/pkg/auth"
 	"github.com/snyk/go-application-framework/pkg/configuration"
 	"github.com/snyk/go-application-framework/pkg/mocks"
+	"github.com/stretchr/testify/assert"
 )
 
 func Test_auth_oauth(t *testing.T) {
@@ -34,26 +33,26 @@ func Test_auth_oauth(t *testing.T) {
 	assert.NoError(t, err)
 
 	t.Run("happy", func(t *testing.T) {
-		config.Set(authTypeParameter, nil)
+		config.Set(AuthTypeParameter, nil)
 		authenticator.EXPECT().Authenticate().Times(2).Return(nil)
 		mockInvocationContext := mocks.NewMockInvocationContext(mockCtl)
 		mockInvocationContext.EXPECT().GetConfiguration().Return(config).AnyTimes()
 		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(&logger).AnyTimes()
 		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
-		err = entryPointDI(mockInvocationContext, &logger, engine, authenticator)
-		err = entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err = AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err = AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.NoError(t, err)
 	})
 
 	t.Run("unhappy", func(t *testing.T) {
-		config.Set(authTypeParameter, nil)
+		config.Set(AuthTypeParameter, nil)
 		expectedErr := fmt.Errorf("someting went wrong")
 		authenticator.EXPECT().Authenticate().Times(1).Return(expectedErr)
 		mockInvocationContext := mocks.NewMockInvocationContext(mockCtl)
 		mockInvocationContext.EXPECT().GetConfiguration().Return(config).AnyTimes()
 		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(&logger).AnyTimes()
 		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
-		err = entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err = AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.Equal(t, expectedErr, err)
 	})
 }
@@ -77,27 +76,27 @@ func Test_auth_token(t *testing.T) {
 	assert.NoError(t, err)
 
 	t.Run("happy", func(t *testing.T) {
-		config.Set(authTypeParameter, auth.AUTH_TYPE_TOKEN)
+		config.Set(AuthTypeParameter, auth.AUTH_TYPE_TOKEN)
 		engine.EXPECT().InvokeWithConfig(gomock.Any(), gomock.Any())
 		mockInvocationContext := mocks.NewMockInvocationContext(mockCtl)
 		mockInvocationContext.EXPECT().GetConfiguration().Return(config).AnyTimes()
 		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(&logger).AnyTimes()
 		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
 
-		err = entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err = AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.NoError(t, err)
 	})
 
 	t.Run("automatically switch to token when API token is given", func(t *testing.T) {
-		config.Set(authTypeParameter, nil)
+		config.Set(AuthTypeParameter, nil)
 		config.Set(ConfigurationNewAuthenticationToken, "00000000-0000-0000-0000-000000000000")
 		engine.EXPECT().InvokeWithConfig(gomock.Any(), gomock.Any())
 		mockInvocationContext := mocks.NewMockInvocationContext(mockCtl)
 		mockInvocationContext.EXPECT().GetConfiguration().Return(config).AnyTimes()
 		mockInvocationContext.EXPECT().GetEnhancedLogger().Return(&logger).AnyTimes()
 		mockInvocationContext.EXPECT().GetAnalytics().Return(analytics).AnyTimes()
 
-		err = entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err = AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.NoError(t, err)
 	})
 }
@@ -116,7 +115,7 @@ func Test_pat(t *testing.T) {
 
 	t.Run("happy", func(t *testing.T) {
 		config := configuration.NewWithOpts()
-		config.Set(authTypeParameter, auth.AUTH_TYPE_PAT)
+		config.Set(AuthTypeParameter, auth.AUTH_TYPE_PAT)
 		config.Set(ConfigurationNewAuthenticationToken, pat)
 
 		config.Set(auth.CONFIG_KEY_OAUTH_TOKEN, "some-oauth-token")
@@ -130,7 +129,7 @@ func Test_pat(t *testing.T) {
 		engine.EXPECT().GetConfiguration().Return(config).AnyTimes()
 		engine.EXPECT().InvokeWithConfig(gomock.Any(), gomock.Any())
 
-		err := entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err := AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.NoError(t, err)
 
 		assert.Empty(t, config.GetString(auth.CONFIG_KEY_OAUTH_TOKEN))
@@ -139,7 +138,7 @@ func Test_pat(t *testing.T) {
 
 	t.Run("invalid pat should fail", func(t *testing.T) {
 		config := configuration.NewWithOpts()
-		config.Set(authTypeParameter, auth.AUTH_TYPE_PAT)
+		config.Set(AuthTypeParameter, auth.AUTH_TYPE_PAT)
 		config.Set(ConfigurationNewAuthenticationToken, pat)
 
 		config.Set(auth.CONFIG_KEY_OAUTH_TOKEN, "some-oauth-token")
@@ -155,7 +154,7 @@ func Test_pat(t *testing.T) {
 		mockWhoAmIError := fmt.Errorf("mock whoami failure")
 		engine.EXPECT().InvokeWithConfig(gomock.Any(), gomock.Any()).Return(nil, mockWhoAmIError)
 
-		err := entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+		err := AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 		assert.ErrorIs(t, err, mockWhoAmIError)
 
 		assert.Empty(t, config.GetString(auth.CONFIG_KEY_OAUTH_TOKEN))
@@ -205,7 +204,7 @@ func Test_clearAllCredentialsBeforeAuth(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			config := configuration.NewWithOpts()
-			config.Set(authTypeParameter, tc.authType)
+			config.Set(AuthTypeParameter, tc.authType)
 			if tc.authType == auth.AUTH_TYPE_PAT {
 				config.Set(ConfigurationNewAuthenticationToken, "snyk_uat.12345678.abcdefg-hijklmnop.qrstuvwxyz-123456")
 			}
@@ -221,7 +220,7 @@ func Test_clearAllCredentialsBeforeAuth(t *testing.T) {
 
 			tc.setupMocks()
 
-			err := entryPointDI(mockInvocationContext, &logger, engine, authenticator)
+			err := AuthEntryPointDI(mockInvocationContext, &logger, engine, authenticator)
 			assert.NoError(t, err)
 
 			// Verify both tokens are cleared regardless of auth type