add support for GetAccessToken

This adds support for the Identity service's GetAccessToken rpc call.

To ease in local testing a number of sources have been included:

- command: allows you to execute a command to retrieve a token.
- client-credentials: lets you specify an issuer with client creds to retrieve a token.
- generated: generates a token (used by default if no other source is defined)

Additionally, a token exchange is supported so you can exchange a source token with another issuing service.

Signed-off-by: Mike Mason <[email protected]>

.gitignore

@@ -1,4 +1,5 @@
 *~
 bin/*
 coverage.out
-.tools/*
+.tools/*
+config.yaml

README.md

@@ -19,4 +19,8 @@ $ ALICE_TOKEN=a1ic3 BOB_TOKEN=B0b ./bin/iam-runtime-static serve --policy policy
 
 To configure iam-runtime-static, you must define the static tokens that correspond to subjects and the resources those subjects have access to. An [example policy][example-policy] is available in this repository.
 
+Additionally you may configure the Identity service by providing a config file with additional access token configuration.
+An [example config][example-config] is available in this repository.
+
 [example-policy]: ./policy.example.yaml
+[example-config]: ./config.example.yaml

cmd/serve.go

@@ -7,10 +7,12 @@ import (
 	"os/signal"
 	"syscall"
 
+	"github.com/metal-toolbox/iam-runtime-static/internal/accesstoken"
 	"github.com/metal-toolbox/iam-runtime-static/internal/server"
 
 	"github.com/metal-toolbox/iam-runtime/pkg/iam/runtime/authentication"
 	"github.com/metal-toolbox/iam-runtime/pkg/iam/runtime/authorization"
+	"github.com/metal-toolbox/iam-runtime/pkg/iam/runtime/identity"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"google.golang.org/grpc"
@@ -36,7 +38,7 @@ func init() {
 	viperBindFlag("policy", serveCmd.Flags().Lookup("policy"))
 }
 
-func serve(_ context.Context, v *viper.Viper) error {
+func serve(ctx context.Context, v *viper.Viper) error {
 	c := make(chan os.Signal, 1)
 	signal.Notify(c, os.Interrupt)
 
@@ -51,14 +53,26 @@ func serve(_ context.Context, v *viper.Viper) error {
 		}
 	}
 
-	iamSrv, err := server.NewServer(policyPath, logger)
+	var accessTokenConfig accesstoken.Config
+
+	if err := viper.UnmarshalKey("accesstoken", &accessTokenConfig); err != nil {
+		logger.Fatalw("failed to unmarshal access token config", "error", err)
+	}
+
+	tokenSource, err := accesstoken.NewTokenSource(ctx, accessTokenConfig)
+	if err != nil {
+		logger.Fatalw("failed to create new token source", "error", err)
+	}
+
+	iamSrv, err := server.NewServer(policyPath, logger, tokenSource)
 	if err != nil {
 		logger.Fatalw("failed to create server", "error", err)
 	}
 
 	grpcSrv := grpc.NewServer()
 	authorization.RegisterAuthorizationServer(grpcSrv, iamSrv)
 	authentication.RegisterAuthenticationServer(grpcSrv, iamSrv)
+	identity.RegisterIdentityServer(grpcSrv, iamSrv)
 
 	listener, err := net.Listen("unix", socketPath)
 	if err != nil {

config.example.yaml

@@ -0,0 +1,19 @@
+---
+accessToken:
+  source:
+    command:
+      shell: ""
+      command: ""
+      noReuseToken: false
+    clientCredentials:
+      issuer: ""
+      clientID: ""
+      clientSecret: ""
+    generate:
+      issuer: ""
+      subject: ""
+      expiry: ""
+  exchange:
+    issuer: ""
+    grantType: ""
+    tokenType: ""

go.mod

@@ -3,21 +3,26 @@ module github.com/metal-toolbox/iam-runtime-static
 go 1.21.6
 
 require (
-	github.com/metal-toolbox/iam-runtime v0.3.0
+	github.com/MicahParks/jwkset v0.5.17
+	github.com/MicahParks/keyfunc/v3 v3.3.2
+	github.com/go-jose/go-jose/v4 v4.0.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/metal-toolbox/iam-runtime v0.4.1
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.17.0
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.26.0
-	google.golang.org/grpc v1.58.3
+	golang.org/x/oauth2 v0.17.0
+	google.golang.org/grpc v1.63.2
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -31,12 +36,15 @@ require (
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 )