gitpod-io · roboquat · Mar 3, 2023 · Feb 20, 2023 · Feb 20, 2023 · Feb 20, 2023
@@ -13,6 +13,7 @@ packages:
       - components/gitpod-protocol/go:lib
       - components/common-go:lib
       - components/ide-metrics-api/go:lib
+      - components/public-api/go:lib
     config:
       packaging: app
       buildCommand: ["go", "build", "-trimpath", "-ldflags", "-buildid= -w -s -X 'github.com/gitpod-io/gitpod/gitpod-cli/pkg/gitpod.Version=commit-${__git_commit}'"]
@@ -0,0 +1,89 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	idpAudienceAWS = "sts.amazonaws.com"
+)
+
+var idpLoginAwsOpts struct {
+	RoleARN         string
+	CredentialsFile string
+}
+
+var idpLoginAwsCmd = &cobra.Command{
+	Use:   "aws",
+	Short: "Login to AWS",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+		if idpLoginAwsOpts.RoleARN == "" {
+			return fmt.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
-			return fmt.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
+			return xerrors.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
-			return fmt.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
+			return xerrors.Errorf("missing --role-arn or IDP_AWS_ROLE_ARN env var")
+		}
+
+		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+		defer cancel()
+
+		tkn, err := idpToken(ctx, []string{idpAudienceAWS})
+		if err != nil {
+			return err
+		}
+
+		awsCmd := exec.Command("aws", "sts", "assume-role-with-web-identity", "--role-arn", idpLoginAwsOpts.RoleARN, "--role-session-name", fmt.Sprintf("gitpod-%d", time.Now().Unix()), "--web-identity-token", tkn)
+		out, err := awsCmd.CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("%w: %s", err, string(out))
-			return fmt.Errorf("%w: %s", err, string(out))
+			return xerrors.Errorf("%w: %s", err, string(out))
-			return fmt.Errorf("%w: %s", err, string(out))
+			return xerrors.Errorf("%w: %s", err, string(out))
+		}
+
+		var result struct {
+			Credentials struct {
+				AccessKeyId     string
+				SecretAccessKey string
+				SessionToken    string
+			}
+		}
+		err = json.Unmarshal(out, &result)
+		if err != nil {
+			return err
+		}
+
+		credentials := "[default]\n"
+		credentials += fmt.Sprintf("aws_access_key_id=%s\n", result.Credentials.AccessKeyId)
+		credentials += fmt.Sprintf("aws_secret_access_key=%s\n", result.Credentials.SecretAccessKey)
+		credentials += fmt.Sprintf("aws_session_token=%s\n", result.Credentials.SessionToken)
+
+		_ = os.MkdirAll(filepath.Dir(idpLoginAwsOpts.CredentialsFile), 0755)
+		err = os.WriteFile(idpLoginAwsOpts.CredentialsFile, []byte(credentials), 0600)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	idpLoginCmd.AddCommand(idpLoginAwsCmd)
+
+	idpLoginAwsCmd.Flags().StringVar(&idpLoginAwsOpts.RoleARN, "role-arn", os.Getenv("IDP_AWS_ROLE_ARN"), "AWS role to assume (defaults to IDP_AWS_ROLE_ARN env var)")
+
+	home, err := os.UserHomeDir()
+	if err != nil {
+		panic(err)
+	}
+	idpLoginAwsCmd.Flags().StringVar(&idpLoginAwsOpts.CredentialsFile, "credentials-file", filepath.Join(home, ".aws", "credentials"), "path to the AWS credentials file")
+	_ = idpLoginAwsCmd.MarkFlagFilename("credentials-file")
+}
@@ -0,0 +1,67 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"time"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	idpAudienceVault = "vault.hashicorp.com"
+)
+
+var idpLoginVaultOpts struct {
+	Role string
+}
+
+var idpLoginVaultCmd = &cobra.Command{
+	Use:   "vault",
+	Short: "Login to HashiCorp's Vault",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+		defer cancel()
+
+		tkn, err := idpToken(ctx, []string{idpAudienceVault})
+		if err != nil {
+			return err
+		}
+
+		// vault write auth/jwt/login role=demo jwt=$TKN -format=json
+		out, err := exec.Command("vault", "write", "-format=json", "auth/jwt/login", "role="+idpLoginVaultOpts.Role, "jwt="+tkn).CombinedOutput()
+		if err != nil {
+			return fmt.Errorf("%w: %s", err, string(out))
-			return fmt.Errorf("%w: %s", err, string(out))
+			return xerrors.Errorf("%w: %s", err, string(out))
-			return fmt.Errorf("%w: %s", err, string(out))
+			return xerrors.Errorf("%w: %s", err, string(out))
+		}
+
+		var result struct {
+			Auth struct {
+				ClientToken string `json:"client_token"`
+			} `json:"auth"`
+		}
+		err = json.Unmarshal(out, &result)
+		if err != nil {
+			return err
+		}
+
+		vaultCmd := exec.Command("vault", "login", result.Auth.ClientToken)
+		vaultCmd.Stdout = os.Stdout
+		vaultCmd.Stderr = os.Stderr
+		return vaultCmd.Run()
+	},
+}
+
+func init() {
+	idpLoginCmd.AddCommand(idpLoginVaultCmd)
+
+	idpLoginVaultCmd.Flags().StringVar(&idpLoginVaultOpts.Role, "role", os.Getenv("IDP_VAULT_ROLE"), "Vault role to assume (defaults to IDP_VAULT_ROLE env var)")
+}
@@ -0,0 +1,18 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var idpLoginCmd = &cobra.Command{
+	Use:   "login",
+	Short: "Login to a service for which trust has been established",
+}
+
+func init() {
+	idpCmd.AddCommand(idpLoginCmd)
+}
@@ -0,0 +1,89 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	connect "github.com/bufbuild/connect-go"
+	"github.com/gitpod-io/gitpod/common-go/util"
+	"github.com/gitpod-io/gitpod/components/public-api/go/client"
+	v1 "github.com/gitpod-io/gitpod/components/public-api/go/experimental/v1"
+	"github.com/gitpod-io/gitpod/gitpod-cli/pkg/gitpod"
+	supervisor "github.com/gitpod-io/gitpod/supervisor/api"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+var idpTokenOpts struct {
+	Audience []string
+}
+
+var idpTokenCmd = &cobra.Command{
+	Use:   "token",
+	Short: "Requests an ID token for this workspace",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		cmd.SilenceUsage = true
+
+		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
+		defer cancel()
+
+		tkn, err := idpToken(ctx, idpTokenOpts.Audience)
+		if err != nil {
+			return err
+		}
+
+		fmt.Println(tkn)
+		return nil
+	},
+}
+
+func idpToken(ctx context.Context, audience []string) (idToken string, err error) {
+	wsInfo, err := gitpod.GetWSInfo(ctx)
+	if err != nil {
+		return "", err
+	}
+	supervisorConn, err := grpc.Dial(util.GetSupervisorAddress(), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return "", xerrors.Errorf("failed connecting to supervisor: %w", err)
+	}
+	defer supervisorConn.Close()
+	clientToken, err := supervisor.NewTokenServiceClient(supervisorConn).GetToken(ctx, &supervisor.GetTokenRequest{
+		Host: wsInfo.GitpodApi.Host,
+		Kind: "gitpod",
+		Scope: []string{
+			"function:getWorkspace",
+		},
+	})
+	if err != nil {
+		return "", xerrors.Errorf("failed getting token from supervisor: %w", err)
+	}
+
+	c, err := client.New(client.WithCredentials(clientToken.Token), client.WithURL("https://api."+wsInfo.GitpodApi.Host))
+	if err != nil {
+		return "", err
+	}
+	tkn, err := c.IdentityProvider.GetIDToken(ctx, &connect.Request[v1.GetIDTokenRequest]{
+		Msg: &v1.GetIDTokenRequest{
+			Audience:    audience,
+			WorkspaceId: wsInfo.WorkspaceId,
+		},
+	})
+	if err != nil {
+		return "", err
+	}
+	return tkn.Msg.Token, nil
+}
+
+func init() {
+	idpCmd.AddCommand(idpTokenCmd)
+
+	idpTokenCmd.Flags().StringArrayVar(&idpTokenOpts.Audience, "audience", nil, "audience of the ID token")
+	_ = idpTokenCmd.MarkFlagRequired("audience")
+}
@@ -0,0 +1,19 @@
+// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var idpCmd = &cobra.Command{
+	Use:    "idp",
+	Short:  "Interact Gitpod's OIDC identity provider",
+	Hidden: true,
+}
+
+func init() {
+	rootCmd.AddCommand(idpCmd)
+}
@@ -3,8 +3,10 @@ module github.com/gitpod-io/gitpod/gitpod-cli
 go 1.19
 
 require (
+	github.com/bufbuild/connect-go v1.0.0
 	github.com/creack/pty v1.1.17
 	github.com/gitpod-io/gitpod/common-go v0.0.0-00010101000000-000000000000
+	github.com/gitpod-io/gitpod/components/public-api/go v0.0.0-20230220133850-852f5cd5b180
 	github.com/gitpod-io/gitpod/gitpod-protocol v0.0.0-00010101000000-000000000000
 	github.com/gitpod-io/gitpod/ide-metrics-api v0.0.0-00010101000000-000000000000
 	github.com/gitpod-io/gitpod/supervisor/api v0.0.0-00010101000000-000000000000
@@ -58,10 +60,64 @@ require (
 	gopkg.in/segmentio/analytics-go.v3 v3.1.0 // indirect
 )
 
+replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
+
+replace github.com/gitpod-io/gitpod/components/public-api/go => ../public-api/go // leeway
+
 replace github.com/gitpod-io/gitpod/gitpod-protocol => ../gitpod-protocol/go // leeway
 
+replace github.com/gitpod-io/gitpod/ide-metrics-api => ../ide-metrics-api/go // leeway
+
 replace github.com/gitpod-io/gitpod/supervisor/api => ../supervisor-api/go // leeway
 
-replace github.com/gitpod-io/gitpod/ide-metrics-api => ../ide-metrics-api/go // leeway
+replace github.com/google/addlicense => ../../dev/addlicense // leeway
 
-replace github.com/gitpod-io/gitpod/common-go => ../common-go // leeway
+replace k8s.io/api => k8s.io/api v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apimachinery => k8s.io/apimachinery v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/apiserver => k8s.io/apiserver v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/client-go => k8s.io/client-go v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/code-generator => k8s.io/code-generator v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/component-base => k8s.io/component-base v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/cri-api => k8s.io/cri-api v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kubelet => k8s.io/kubelet v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/metrics => k8s.io/metrics v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/component-helpers => k8s.io/component-helpers v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/controller-manager => k8s.io/controller-manager v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/kubectl => k8s.io/kubectl v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/mount-utils => k8s.io/mount-utils v0.24.4 // leeway indirect from components/common-go:lib
+
+replace k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.4 // leeway indirect from components/common-go:lib