UNPKG

@dataroadinc/setup-auth

Version:

CLI tool and programmatic API for automated OAuth setup across cloud platforms

github.com/dataroadinc/dr-ts-setup-auth

dataroadinc/dr-ts-setup-auth

324 lines (287 loc) 11.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
/** * This file is using the @google-cloud/iap package, do NOT revert back to the googleapis package. */ import { IdentityAwareProxyOAuthServiceClient, protos } from "@google-cloud/iap" import { backOff } from "exponential-backoff" import { EKG_PROJECT_LONG, GCP_OAUTH_BRAND_NAME, } from "../../utils/env-handler.js" import { SetupAuthError } from "../../utils/error.js" import { GcpAuthenticatedIdentity } from "./creds/identity.js" import { BACKOFF_OPTIONS } from "./iam/base-iam.js" // Remove unused interface // interface OAuthBrand { ... } // Type alias for convenience type IapBrand = protos.google.cloud.iap.v1.IBrand /** * This class manages OAuth brands (consent screens) in GCP projects. * It is a core component of the OAuth client management system, working alongside: * - GcpOAuthClientClient (client credential management) * - GcpProjectOAuthSetup (orchestration) * - GcpIamManager (permissions) * * Key responsibilities: * - Creating and managing OAuth consent screens (brands) * - Handling support email configuration * - Managing application display names * - Providing brand verification and retrieval * * @example * ```typescript * const brandClient = new GcpOAuthBrandClient(gaxInstance, projectId); * * // Create or get a brand * const brandName = await brandClient.createOrGetBrand("My Application"); * ``` * * TODO: Why are we using axios and not the GCP SDK? At least document here why. */ export class GcpOAuthBrandClient { private projectId: string private identity: GcpAuthenticatedIdentity private iapClient: IdentityAwareProxyOAuthServiceClient | undefined private initialized: boolean = false constructor(projectId: string, identity: GcpAuthenticatedIdentity) { this.projectId = projectId this.identity = identity } async initialize(): Promise<void> { if (this.initialized) return try { // Use GaxAuthClient for compatibility with @google-cloud libraries const gaxAuth = await this.identity.getGaxAuthClient() this.iapClient = new IdentityAwareProxyOAuthServiceClient({ auth: gaxAuth, }) this.initialized = true } catch (error) { throw new SetupAuthError("Failed to initialize GcpOAuthBrandClient", { cause: error, }) } } private formatProjectName(): string { return `projects/${this.projectId}` } private formatBrandName(brandId: string): string { // Brand ID is usually the project number, but the resource name includes project ID // Example: projects/PROJECT_ID/brands/PROJECT_NUMBER // The SDK methods often just need the parent (project name) // Let's assume brandId passed is the project number if needed, but often only parent is required. // For get/create, we typically need the parent project name. // The actual brand resource name is returned by the API. return `projects/${this.projectId}/brands/${brandId}` } /** * Tries to find an existing brand for the project. * GCP typically allows only one brand per project, associated with the project number. * @returns The found brand object or null if none exists. */ private async findExistingBrand(): Promise<IapBrand | null> { await this.initialize() if (!this.iapClient) throw new SetupAuthError("IAP Client not initialized") const parent = this.formatProjectName() console.log(`Listing brands for project ${parent}...`) try { // Destructure the response object containing the brands array const [response] = await backOff( () => this.iapClient!.listBrands({ parent }), { ...BACKOFF_OPTIONS, retry: (e: unknown) => { // Type error as unknown let code: number | undefined if (e && typeof e === "object" && "code" in e) { code = e.code as number } const retryable = code === 8 || code === 13 || code === 14 // RESOURCE_EXHAUSTED, INTERNAL, UNAVAILABLE if (retryable) console.warn(`Retrying listBrands due to error code ${code}`) return retryable }, } ) // Access the brands array within the response object const brandsList = response.brands if (brandsList && brandsList.length > 0) { console.log(`Found existing brand: ${brandsList[0].name}`) return brandsList[0] } else { console.log("No existing brand found for this project.") return null } } catch (error: unknown) { // ... existing error handling ... console.error("Error listing existing brands:", error) const message = error instanceof Error ? error.message : String(error) throw new SetupAuthError( `Failed to list OAuth Brands for project ${this.projectId}. ` + `Ensure the user/SA has 'clientauthconfig.brands.list' permission. Original Error: ${message}`, { cause: error instanceof Error ? error : new Error(message) } ) } } /** * Creates a new OAuth Brand (Consent Screen). * @param applicationTitle The desired title for the consent screen (e.g., project name). * @returns The newly created brand object. */ private async createBrand(applicationTitle: string): Promise<IapBrand> { await this.initialize() if (!this.iapClient) throw new SetupAuthError("IAP Client not initialized") const parent = this.formatProjectName() console.log( `Attempting to create a new brand for project ${parent} with title '${applicationTitle}'...` ) try { const userEmail = await this.identity.getCurrentUserEmail() // Needed for support email if (!userEmail) throw new SetupAuthError("Could not get user email for brand creation.") const [brand] = await backOff( () => this.iapClient!.createBrand({ parent, brand: { applicationTitle: applicationTitle, supportEmail: userEmail, // Org internal only is default, we might need flags later to set external }, }), BACKOFF_OPTIONS ) console.log(`Successfully created brand: ${brand.name}`) return brand } catch (error: unknown) { // Log the detailed error first console.error("DEBUG: Raw error during createBrand SDK call:", error) // Initialize variables for specific details let code: number | string | undefined let details: string | undefined let message = "Unknown error during brand creation." // Attempt to extract details if (error instanceof Error) { message = error.message // Check for gRPC-like error properties if (typeof error === "object" && error !== null) { if ("code" in error) code = error.code as number | string if ("details" in error) details = error.details as string } } else { message = String(error) } // Check for specific known issues if (message.includes("permission denied") || code === 7) { throw new SetupAuthError( `Permission denied creating OAuth Brand for project ${this.projectId}. ` + `Ensure the user/SA has 'clientauthconfig.brands.create' permission. Original Error: ${message}`, { cause: error instanceof Error ? error : new Error(message) } ) } if (message.includes("Brand already exists")) { console.warn( "Brand creation failed because it already exists (unexpected). Attempting to find it again." ) const existing = await this.findExistingBrand() if (existing) return existing throw new SetupAuthError( "Brand already exists but could not be retrieved after creation attempt.", { cause: error instanceof Error ? error : new Error(message), } ) } // Throw a more generic error including extracted details if possible throw new SetupAuthError( `Failed to create OAuth Brand for project ${this.projectId}. Code: ${code ?? "N/A"}, Details: ${details ?? "N/A"}, Message: ${message}`, { cause: error instanceof Error ? error : new Error(message) } ) } } /** * Gets an existing OAuth brand or creates a new one if none exists. * @param applicationTitle The title to use if creating a new brand. * @returns The resource name of the brand (e.g., projects/PROJECT_ID/brands/PROJECT_NUMBER). */ async createOrGetBrand(applicationTitle: string): Promise<string> { await this.initialize() const existingBrand = await this.findExistingBrand() if (existingBrand?.name) { // Optionally update the brand if needed? // For now, just return the existing one. console.log(`Using existing brand: ${existingBrand.name}`) return existingBrand.name } // If no brand exists, create one console.log("No existing brand found, creating a new one...") const newBrand = await this.createBrand(applicationTitle) if (!newBrand?.name) { // This shouldn't happen if createBrand succeeded, but check defensively throw new SetupAuthError( "Brand creation process did not return a valid brand name." ) } return newBrand.name } // Keep getBrandByName if used elsewhere, otherwise it can be removed. // It might need refactoring based on how Brand IDs vs Names are handled. async getBrandByName(name: string): Promise<IapBrand | null> { await this.initialize() if (!this.iapClient) throw new SetupAuthError("IAP Client not initialized") console.warn("getBrandByName might be unreliable, prefer findExistingBrand") try { const [brand] = await this.iapClient.getBrand({ name: this.formatBrandName(name), }) return brand } catch (error) { console.error(`Error getting brand by name ${name}:`, error) return null // Treat errors as "not found" } } } async function gcpGetOauthBrandName(options: { oauthBrandName?: string }): Promise<{ success: boolean; oauthBrandName?: string; error?: string }> { // If the GCP OAuth brand name is explicitly provided, use it if (options.oauthBrandName) { const oauthBrandName = options.oauthBrandName console.log( `Using explicitly provided GCP OAuth brand name: ${oauthBrandName}` ) return { success: true, oauthBrandName: oauthBrandName } } // If the GCP OAuth Brand Name is provided in the environment, use it. // (.env.local has been loaded into process.env) if (process.env[GCP_OAUTH_BRAND_NAME]) { options.oauthBrandName = process.env[GCP_OAUTH_BRAND_NAME] console.log( `Using GCP OAuth Brand Name from environment: ${options.oauthBrandName}` ) return { success: true, oauthBrandName: options.oauthBrandName } } // Fall back to other environment variables if (process.env[EKG_PROJECT_LONG]) { options.oauthBrandName = process.env.EKG_PROJECT_LONG console.log( `Found brand name in environment variable ${EKG_PROJECT_LONG}: ${options.oauthBrandName}` ) return { success: true, oauthBrandName: options.oauthBrandName } } return { success: false, error: "Could not determine brand name.\n" + `Please set ${GCP_OAUTH_BRAND_NAME} or ${EKG_PROJECT_LONG} ` + "in .env.local or environment variables.", } } export async function gcpCheckOauthBrandName(options: { oauthBrandName: string }): Promise<{ success: boolean; error?: string }> { const { success, oauthBrandName, error } = await gcpGetOauthBrandName(options) if (!success) return { success: false, error } process.env.GCP_OAUTH_BRAND_NAME = oauthBrandName! options.oauthBrandName = oauthBrandName! return { success: true } }