Merge branch 'main' into peterguy/support-http_proxy

Author: peterguy

.tool-versions

@@ -1,3 +1,3 @@
-golang     1.25.4
+golang     1.26.1
 shfmt      3.8.0
 shellcheck 0.10.0

cmd/src/auth.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+)
+
+var authCommands commander
+
+func init() {
+	usage := `'src auth' provides authentication-related helper commands.
+
+Usage:
+
+	src auth command [command options]
+
+The commands are:
+
+	token   prints the current authentication token or Authorization header
+
+Use "src auth [command] -h" for more information about a command.
+`
+
+	flagSet := flag.NewFlagSet("auth", flag.ExitOnError)
+	handler := func(args []string) error {
+		authCommands.run(flagSet, "src auth", usage, args)
+		return nil
+	}
+
+	commands = append(commands, &command{
+		flagSet: flagSet,
+		handler: handler,
+		usageFunc: func() {
+			fmt.Println(usage)
+		},
+	})
+}

cmd/src/auth_token.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+
+	"github.com/sourcegraph/src-cli/internal/oauth"
+)
+
+var (
+	loadOAuthToken         = oauth.LoadToken
+	newOAuthTokenRefresher = func(token *oauth.Token) oauthTokenRefresher {
+		return oauth.NewTokenRefresher(token)
+	}
+)
+
+type oauthTokenRefresher interface {
+	GetToken(ctx context.Context) (oauth.Token, error)
+}
+
+func init() {
+	flagSet := flag.NewFlagSet("token", flag.ExitOnError)
+	header := flagSet.Bool("header", false, "print the token as an Authorization header")
+	usageFunc := func() {
+		fmt.Fprintf(flag.CommandLine.Output(), "Usage of 'src auth token':\n\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "Print the current authentication token.\n")
+		fmt.Fprintf(flag.CommandLine.Output(), "Use --header to print a complete Authorization header instead.\n\n")
+		flagSet.PrintDefaults()
+	}
+
+	handler := func(args []string) error {
+		if err := flagSet.Parse(args); err != nil {
+			return err
+		}
+
+		token, err := resolveAuthToken(context.Background(), cfg)
+		if err != nil {
+			return err
+		}
+
+		token = formatAuthTokenOutput(token, cfg.AuthMode(), *header)
+		fmt.Println(token)
+		return nil
+	}
+
+	authCommands = append(authCommands, &command{
+		flagSet:   flagSet,
+		handler:   handler,
+		usageFunc: usageFunc,
+	})
+}
+
+func resolveAuthToken(ctx context.Context, cfg *config) (string, error) {
+	if err := cfg.requireCIAccessToken(); err != nil {
+		return "", err
+	}
+
+	if cfg.accessToken != "" {
+		return cfg.accessToken, nil
+	}
+
+	oauthToken, err := loadOAuthToken(ctx, cfg.endpointURL)
+	if err != nil {
+		return "", errors.Wrap(err, "error loading OAuth token; set SRC_ACCESS_TOKEN or run `src login`")
+	}
+
+	token, err := newOAuthTokenRefresher(oauthToken).GetToken(ctx)
+	if err != nil {
+		return "", errors.Wrap(err, "refreshing OAuth token")
+	}
+
+	return token.AccessToken, nil
+}
+
+func formatAuthTokenOutput(token string, mode AuthMode, header bool) string {
+	if !header {
+		return token
+	}
+
+	if mode == AuthModeAccessToken {
+		return fmt.Sprintf("Authorization: token %s", token)
+	}
+
+	return fmt.Sprintf("Authorization: Bearer %s", token)
+}

cmd/src/auth_token_test.go

@@ -0,0 +1,197 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"testing"
+
+	"github.com/sourcegraph/src-cli/internal/oauth"
+)
+
+func TestResolveAuthToken(t *testing.T) {
+	t.Run("uses configured access token before keyring", func(t *testing.T) {
+		reset := stubAuthTokenDependencies(t)
+		defer reset()
+
+		newRefresherCalled := false
+		newOAuthTokenRefresher = func(*oauth.Token) oauthTokenRefresher {
+			newRefresherCalled = true
+			return fakeOAuthTokenRefresher{}
+		}
+
+		token, err := resolveAuthToken(context.Background(), &config{
+			accessToken: "access-token",
+			endpointURL: mustParseURL(t, "https://example.com"),
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if token != "access-token" {
+			t.Fatalf("token = %q, want %q", token, "access-token")
+		}
+		if newRefresherCalled {
+			t.Fatal("expected OAuth token refresher not to be created")
+		}
+	})
+
+	t.Run("requires access token in CI", func(t *testing.T) {
+		reset := stubAuthTokenDependencies(t)
+		defer reset()
+
+		loadCalled := false
+		loadOAuthToken = func(context.Context, *url.URL) (*oauth.Token, error) {
+			loadCalled = true
+			return nil, nil
+		}
+
+		_, err := resolveAuthToken(context.Background(), &config{
+			inCI:        true,
+			endpointURL: mustParseURL(t, "https://example.com"),
+		})
+		if err != errCIAccessTokenRequired {
+			t.Fatalf("err = %v, want %v", err, errCIAccessTokenRequired)
+		}
+		if loadCalled {
+			t.Fatal("expected OAuth token loader not to be called")
+		}
+	})
+
+	t.Run("uses stored oauth token", func(t *testing.T) {
+		reset := stubAuthTokenDependencies(t)
+		defer reset()
+
+		loadOAuthToken = func(context.Context, *url.URL) (*oauth.Token, error) {
+			return &oauth.Token{
+				AccessToken: "oauth-token",
+			}, nil
+		}
+
+		newOAuthTokenRefresher = func(*oauth.Token) oauthTokenRefresher {
+			return fakeOAuthTokenRefresher{token: oauth.Token{AccessToken: "oauth-token"}}
+		}
+
+		token, err := resolveAuthToken(context.Background(), &config{
+			endpointURL: mustParseURL(t, "https://example.com"),
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if token != "oauth-token" {
+			t.Fatalf("token = %q, want %q", token, "oauth-token")
+		}
+	})
+
+	t.Run("refreshes expiring oauth token", func(t *testing.T) {
+		reset := stubAuthTokenDependencies(t)
+		defer reset()
+
+		loadOAuthToken = func(context.Context, *url.URL) (*oauth.Token, error) {
+			return &oauth.Token{AccessToken: "old-token"}, nil
+		}
+
+		newOAuthTokenRefresher = func(*oauth.Token) oauthTokenRefresher {
+			return fakeOAuthTokenRefresher{token: oauth.Token{AccessToken: "new-token"}}
+		}
+
+		token, err := resolveAuthToken(context.Background(), &config{
+			endpointURL: mustParseURL(t, "https://example.com"),
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		if token != "new-token" {
+			t.Fatalf("token = %q, want %q", token, "new-token")
+		}
+	})
+
+	t.Run("returns refresh error when shared refresh logic fails", func(t *testing.T) {
+		reset := stubAuthTokenDependencies(t)
+		defer reset()
+
+		loadOAuthToken = func(context.Context, *url.URL) (*oauth.Token, error) {
+			return &oauth.Token{AccessToken: "old-token"}, nil
+		}
+		newOAuthTokenRefresher = func(*oauth.Token) oauthTokenRefresher {
+			return fakeOAuthTokenRefresher{err: fmt.Errorf("refresh failed")}
+		}
+
+		_, err := resolveAuthToken(context.Background(), &config{
+			endpointURL: mustParseURL(t, "https://example.com"),
+		})
+		if err == nil {
+			t.Fatal("expected error")
+		}
+	})
+}
+
+func TestFormatAuthTokenOutput(t *testing.T) {
+	tests := []struct {
+		name   string
+		token  string
+		mode   AuthMode
+		header bool
+		want   string
+	}{
+		{
+			name:   "raw access token",
+			token:  "access-token",
+			mode:   AuthModeAccessToken,
+			header: false,
+			want:   "access-token",
+		},
+		{
+			name:   "raw oauth token",
+			token:  "oauth-token",
+			mode:   AuthModeOAuth,
+			header: false,
+			want:   "oauth-token",
+		},
+		{
+			name:   "authorization header for access token",
+			token:  "access-token",
+			mode:   AuthModeAccessToken,
+			header: true,
+			want:   "Authorization: token access-token",
+		},
+		{
+			name:   "authorization header for oauth token",
+			token:  "oauth-token",
+			mode:   AuthModeOAuth,
+			header: true,
+			want:   "Authorization: Bearer oauth-token",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if got := formatAuthTokenOutput(test.token, test.mode, test.header); got != test.want {
+				t.Fatalf("formatAuthTokenOutput(%q, %v, %v) = %q, want %q", test.token, test.mode, test.header, got, test.want)
+			}
+		})
+	}
+}
+
+func stubAuthTokenDependencies(t *testing.T) func() {
+	t.Helper()
+
+	prevLoad := loadOAuthToken
+	prevNewRefresher := newOAuthTokenRefresher
+
+	return func() {
+		loadOAuthToken = prevLoad
+		newOAuthTokenRefresher = prevNewRefresher
+	}
+}
+
+type fakeOAuthTokenRefresher struct {
+	token oauth.Token
+	err   error
+}
+
+func (r fakeOAuthTokenRefresher) GetToken(context.Context) (oauth.Token, error) {
+	if r.err != nil {
+		return oauth.Token{}, r.err
+	}
+	return r.token, nil
+}

cmd/src/login.go

@@ -100,6 +100,10 @@ const (
 )
 
 func loginCmd(ctx context.Context, p loginParams) error {
+	if err := p.cfg.requireCIAccessToken(); err != nil {
+		return err
+	}
+
 	if p.cfg.configFilePath != "" {
 		fmt.Fprintln(p.out)
 		fmt.Fprintf(p.out, "⚠️  Warning: Configuring src with a JSON file is deprecated. Please migrate to using the env vars SRC_ENDPOINT, SRC_ACCESS_TOKEN, and SRC_PROXY instead, and then remove %s. See https://github.com/sourcegraph/src-cli#readme for more information.\n", p.cfg.configFilePath)

cmd/src/login_test.go

@@ -61,6 +61,17 @@ func TestLogin(t *testing.T) {
 		}
 	})
 
+	t.Run("CI requires access token", func(t *testing.T) {
+		u := &url.URL{Scheme: "https", Host: "example.com"}
+		out, err := check(t, &config{endpointURL: u, inCI: true}, u)
+		if err != errCIAccessTokenRequired {
+			t.Fatalf("err = %v, want %v", err, errCIAccessTokenRequired)
+		}
+		if out != "" {
+			t.Fatalf("output = %q, want empty output", out)
+		}
+	})
+
 	t.Run("warning when using config file", func(t *testing.T) {
 		endpoint := &url.URL{Scheme: "https", Host: "example.com"}
 		out, err := check(t, &config{endpointURL: endpoint, configFilePath: "f"}, endpoint)