earl 0.5.2

AI-safe CLI for AI agents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

use anyhow::{Context, Result, bail};
use oauth2::reqwest::Client;
use serde::Deserialize;
use url::Url;

use crate::config::{Config, OAuthFlow};
use crate::secrets::SecretManager;
use crate::secrets::store::require_secret;
use crate::security::dns::resolve_and_validate_host;

#[derive(Debug, Clone)]
pub struct ResolvedOAuthProfile {
    pub name: String,
    pub flow: OAuthFlow,
    pub client_id: String,
    pub client_secret: Option<String>,
    pub authorization_url: Option<String>,
    pub token_url: String,
    pub device_authorization_url: Option<String>,
    pub redirect_url: Option<String>,
    pub scopes: Vec<String>,
    pub use_auth_request_body: bool,
}

#[derive(Debug, Deserialize)]
struct OidcMetadata {
    authorization_endpoint: Option<String>,
    token_endpoint: Option<String>,
    device_authorization_endpoint: Option<String>,
}

pub async fn resolve_profile(
    name: &str,
    config: &Config,
    secrets: &SecretManager,
    http_client: &Client,
) -> Result<ResolvedOAuthProfile> {
    let profile = config
        .auth
        .profiles
        .get(name)
        .ok_or_else(|| anyhow::anyhow!("unknown auth profile `{name}`"))?;

    let mut authorization_url = profile.authorization_url.clone();
    let mut token_url = profile.token_url.clone();
    let mut device_authorization_url = profile.device_authorization_url.clone();

    if let Some(issuer) = &profile.issuer {
        let metadata = discover_oidc(issuer, http_client).await?;
        if authorization_url.is_none() {
            authorization_url = metadata.authorization_endpoint;
        }
        if token_url.is_none() {
            token_url = metadata.token_endpoint;
        }
        if device_authorization_url.is_none() {
            device_authorization_url = metadata.device_authorization_endpoint;
        }
    }

    let token_url =
        token_url.ok_or_else(|| anyhow::anyhow!("profile `{name}` missing token_url"))?;

    let client_secret = match &profile.client_secret_key {
        Some(secret_key) => Some(require_secret(
            secrets.store(),
            secrets.resolvers(),
            secret_key,
        )?),
        None => None,
    };

    if matches!(profile.flow, OAuthFlow::AuthCodePkce) && authorization_url.is_none() {
        bail!("profile `{name}` requires authorization_url for auth_code_pkce");
    }

    if matches!(profile.flow, OAuthFlow::DeviceCode) && device_authorization_url.is_none() {
        bail!("profile `{name}` requires device_authorization_url for device_code");
    }

    validate_oauth_endpoint("token_url", &token_url).await?;
    if let Some(url) = authorization_url.as_ref() {
        validate_oauth_endpoint("authorization_url", url).await?;
    }
    if let Some(url) = device_authorization_url.as_ref() {
        validate_oauth_endpoint("device_authorization_url", url).await?;
    }

    Ok(ResolvedOAuthProfile {
        name: name.to_string(),
        flow: profile.flow.clone(),
        client_id: profile.client_id.clone(),
        client_secret,
        authorization_url,
        token_url,
        device_authorization_url,
        redirect_url: profile.redirect_url.clone(),
        scopes: profile.scopes.clone(),
        use_auth_request_body: profile.use_auth_request_body,
    })
}

async fn discover_oidc(issuer: &str, http_client: &Client) -> Result<OidcMetadata> {
    let parsed = Url::parse(issuer).with_context(|| format!("invalid issuer URL `{issuer}`"))?;
    validate_endpoint_url("issuer", &parsed).await?;

    let issuer = parsed.as_str().trim_end_matches('/');
    let url = format!("{issuer}/.well-known/openid-configuration");

    let response = http_client
        .get(&url)
        .send()
        .await
        .with_context(|| format!("failed OIDC discovery request to `{url}`"))?;

    if !response.status().is_success() {
        bail!(
            "OIDC discovery failed at `{url}` with status {}",
            response.status()
        );
    }

    let body = response
        .text()
        .await
        .with_context(|| format!("failed reading OIDC discovery response from `{url}`"))?;
    serde_json::from_str::<OidcMetadata>(&body)
        .with_context(|| format!("invalid OIDC discovery response from `{url}`"))
}

async fn validate_oauth_endpoint(field: &str, raw: &str) -> Result<()> {
    let parsed = Url::parse(raw).with_context(|| format!("invalid {field} URL `{raw}`"))?;
    validate_endpoint_url(field, &parsed).await
}

async fn validate_endpoint_url(field: &str, parsed: &Url) -> Result<()> {
    let host = parsed
        .host_str()
        .ok_or_else(|| anyhow::anyhow!("{field} URL `{parsed}` is missing host"))?;

    match parsed.scheme() {
        "https" => {
            resolve_and_validate_host(host, false).await?;
            Ok(())
        }
        "http" if is_loopback_host(host) => Ok(()),
        scheme => bail!(
            "{field} URL `{parsed}` uses unsupported scheme `{scheme}`; expected https (or loopback http for local development)"
        ),
    }
}

fn is_loopback_host(host: &str) -> bool {
    host.eq_ignore_ascii_case("localhost")
        || host
            .parse::<std::net::IpAddr>()
            .map(|ip| ip.is_loopback())
            .unwrap_or(false)
}