Add ability for BSS to perform client credentials grant for access token

cmd/boot-script-service/main.go

@@ -39,6 +39,7 @@
 package main
 
 import (
+	"encoding/json"
 	"flag"
 	"fmt"
 	"log"
@@ -96,6 +97,7 @@ var (
 	useSQL            = false // Use ETCD by default
 	authRetryCount    = authDefaultRetryCount
 	jwksURL           = ""
+	accessToken       = ""
 	sqlDbOpts         = ""
 	spireServiceURL   = "https://spire-tokens.spire:54440"
 )
@@ -443,6 +445,27 @@ func main() {
 		}
 	}
 
+	// register oauth client and receive
+	var client OAuthClient
+	_, err = client.RegisterOAuthClient("http://127.0.0.1:4444/oauth2/register", []string{})
+	if err != nil {
+		log.Fatalf("failed to register OAuth client: %v", err)
+	}
+	_, err = client.AuthorizeClient("http://127.0.0.1:4444/oauth2/auth")
+	if err != nil {
+		log.Fatalf("failed to authorize OAuth client: %v", err)
+	}
+	res, err := client.FetchTokenFromAuthorizationServer("http://127.0.0.1:4444/oauth2/token", []string{})
+	if err != nil {
+		log.Fatalf("failed to fetch token from authorization server: %v", err)
+	}
+
+	// unmarshal the access token
+	var resJson map[string]any
+	json.Unmarshal(res, &resJson)
+	accessToken = resJson["access_token"].(string)
+	log.Printf("Access Token: %v\n", accessToken)
+
 	var svcOpts string
 	if insecure {
 		svcOpts = "insecure,"

cmd/boot-script-service/oauth.go

@@ -0,0 +1,101 @@
+// NOTE: Triad License goes here
+package main
+
+import (
+	"bytes"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type OAuthClient struct {
+	http.Client
+	Id           string
+	Secret       string
+	RedirectUris []string
+}
+
+func (client *OAuthClient) RegisterOAuthClient(registerUrl string, audience []string) ([]byte, error) {
+	// hydra endpoint: POST /clients
+	audience = QuoteArrayStrings(audience)
+	data := []byte(fmt.Sprintf(`{
+		"client_name":                "%s",
+		"token_endpoint_auth_method": "client_secret_post",
+		"scope":                      "openid email profile",
+		"grant_types":                ["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
+		"response_types":             ["token"]
+	}`, client.Id))
+
+	req, err := http.NewRequest("POST", registerUrl, bytes.NewBuffer(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %v", err)
+	}
+	req.Header.Add("Content-Type", "application/json")
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	return io.ReadAll(res.Body)
+}
+
+func (client *OAuthClient) AuthorizeClient(authorizeUrl string) ([]byte, error) {
+	// encode ID and secret for authorization header basic authentication
+	basicAuth := base64.StdEncoding.EncodeToString(
+		[]byte(fmt.Sprintf("%s:%s",
+			url.QueryEscape(client.Id),
+			url.QueryEscape(client.Secret),
+		)),
+	)
+	body := []byte("grant_type=client_credentials&scope=read")
+	headers := map[string][]string{
+		"Authorization": {basicAuth},
+		"Content-Type":  {"application/x-www-form-urlencoded"},
+	}
+
+	req, err := http.NewRequest("POST", authorizeUrl, bytes.NewBuffer(body))
+	req.Header = headers
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %v", err)
+	}
+	req.Header.Add("Content-Type", "application/json")
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	return io.ReadAll(res.Body)
+}
+
+func (client *OAuthClient) FetchTokenFromAuthorizationServer(remoteUrl string, scope []string) ([]byte, error) {
+	// hydra endpoint: /oauth/token
+	data := "grant_type=" + url.QueryEscape("urn:ietf:params:oauth:grant-type:jwt-bearer") +
+		"&client_id=" + client.Id +
+		"&client_secret=" + client.Secret +
+		"&scope=" + strings.Join(scope, "+")
+	fmt.Printf("encoded params: %v\n\n", data)
+	req, err := http.NewRequest("POST", remoteUrl, bytes.NewBuffer([]byte(data)))
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	if err != nil {
+		return nil, fmt.Errorf("failed to make request: %s", err)
+	}
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to do request: %v", err)
+	}
+	defer res.Body.Close()
+
+	return io.ReadAll(res.Body)
+}
+
+func QuoteArrayStrings(arr []string) []string {
+	for i, v := range arr {
+		arr[i] = "\"" + v + "\""
+	}
+	return arr
+}