Simplify key flow: extract private key from service account key if present (#203)

* Draft implementation for extracting private key from service account key

* Add comment and update test

* Update unit tests, add separate struct for sa key credentials

* Env var and configured private key take precendence

* Fix lint

* Update documentation

* Update changelog

* Update example and fix empty private key path case

* Changes after review

Author: vicentepinto98

README.md

@@ -108,8 +108,7 @@ When setting up authentication, the SDK will always try to use the key flow firs
    ```json
    {
      "STACKIT_SERVICE_ACCOUNT_TOKEN": "foo_token",
-     "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json",
-     "STACKIT_PRIVATE_KEY_PATH": "path/to/private_key.pem"
+     "STACKIT_SERVICE_ACCOUNT_KEY_PATH": "path/to/sa_key.json"
    }
    ```
 
@@ -118,17 +117,15 @@ Check the [authentication example](examples/authentication/authentication.go) fo
 ### Key flow
 
 To use the key flow, you need to have a service account key and an RSA key-pair.
-To configure it, follow this steps:
+To configure it, follow these steps:
 
     The following instructions assume that you have created a service account and assigned it the necessary permissions, e.g. project.owner.
 
 1.  In the Portal, go to the `Service Accounts` tab, choose a `Service Account` and go to `Service Account Keys` to create a key.
     - You can create your own RSA key-pair or have the Portal generate one for you.
-2.  Save the content of the service account key and the corresponding private key by copying them or saving them in a file.
+2.  Save the content of the service account key by copying it and saving it in a JSON file.
 
-    **Hint:** If you have generated the RSA key-pair using the Portal, you can save the private key in a PEM encoded file by downloading the service account key as a PEM file and using `openssl storeutl -keys <path/to/sa_key_pem_file> > private.key` to extract the private key from the service account key.
-
-The expected format of the service account key is a **json** with the following structure:
+    The expected format of the service account key is a **json** with the following structure:
 
 ```json
 {
@@ -150,11 +147,15 @@ The expected format of the service account key is a **json** with the following
 }
 ```
 
-3. Configure the service account key and private key for authentication in the SDK by following one of the alternatives below:
+3. Configure the service account key for authentication in the SDK by following one of the alternatives below:
    - using the configuration options: `config.WithServiceAccountKey` or `config.WithServiceAccountKeyPath`, `config.WithPrivateKey` or `config.WithPrivateKeyPath`
-   - setting environment variables: `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PRIVATE_KEY_PATH`
-   - setting `STACKIT_SERVICE_ACCOUNT_KEY_PATH` and `STACKIT_PRIVATE_KEY_PATH` in the credentials file (see above)
-4. The SDK will search for the keys and, if valid, will use them to get access and refresh tokens which will be used to authenticate all the requests.
+   - setting environment variables: `STACKIT_SERVICE_ACCOUNT_KEY_PATH`
+   - setting `STACKIT_SERVICE_ACCOUNT_KEY_PATH` in the credentials file (see above)
+4. **If you have provided your own RSA key-pair**, you can set it the same way (it will take precedence over the private key included in the service account key, if present):
+   - using the configuration options: `config.WithPrivateKey` or `config.WithPrivateKeyPath`
+   - setting environment variables: `STACKIT_PRIVATE_KEY_PATH`
+   - setting `STACKIT_PRIVATE_KEY_PATH` in the credentials file (see above)
+5. The SDK will search for the keys and, if valid, will use them to get access and refresh tokens which will be used to authenticate all the requests.
 
 ### Token flow
 

core/CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.7.5 (2024-01-09)
+
+- **Improvement:** When using the key flow, the SDK will extract the private key from the service account key and use it, if no private key is provided in the configuration, through environment variable or in the credentials file. This makes it simpler to use the key flow: if you create a service account key including the private key, you don't need to provide the private key separately anymore
+
 ## v0.7.4 (2023-12-22)
 
 - Replace k8s.io/apimachinery with cenkalti/backoff

core/auth/auth.go

@@ -139,15 +139,37 @@ func TokenAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 
 // KeyAuth configures the key flow and returns an http.RoundTripper
 // that can be used to make authenticated requests using an access token
+// The KeyFlow requires a service account key and a private key.
+//
+// If the private key is not provided explicitly, KeyAuth will check if there is one included
+// in the service account key and use that one. An explicitly provided private key takes
+// precedence over the one on the service account key.
 func KeyAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 	err := getServiceAccountKey(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("configuring key authentication: service account key could not be found: %w", err)
 	}
 
+	// Unmarshal service account key to check if private key is present
+	var serviceAccountKey = &clients.ServiceAccountKeyResponse{}
+	err = json.Unmarshal([]byte(cfg.ServiceAccountKey), serviceAccountKey)
+	if err != nil {
+		return nil, fmt.Errorf("unmarshalling service account key: %w", err)
+	}
+
+	// Try to get private key from configuration, environment or credentials file
 	err = getPrivateKey(cfg)
 	if err != nil {
-		return nil, fmt.Errorf("configuring key authentication: private key could not be found: %w", err)
+		// If the private key is not provided explicitly, try to extract private key from the service account key
+		// and use it if present
+		var extractedPrivateKey string
+		if serviceAccountKey.Credentials != nil && serviceAccountKey.Credentials.PrivateKey != nil {
+			extractedPrivateKey = *serviceAccountKey.Credentials.PrivateKey
+		}
+		if extractedPrivateKey == "" {
+			return nil, fmt.Errorf("configuring key authentication: private key is not part of the service account key and could not be found: %w", err)
+		}
+		cfg.PrivateKey = extractedPrivateKey
 	}
 
 	if cfg.TokenCustomUrl == "" {
@@ -164,7 +186,7 @@ func KeyAuth(cfg *config.Configuration) (http.RoundTripper, error) {
 	}
 
 	keyCfg := clients.KeyFlowConfig{
-		ServiceAccountKey: cfg.ServiceAccountKey,
+		ServiceAccountKey: serviceAccountKey,
 		PrivateKey:        cfg.PrivateKey,
 		ClientRetry:       cfg.RetryOptions,
 		TokenUrl:          cfg.TokenCustomUrl,
@@ -203,7 +225,7 @@ func readCredentialsFile(path string) (*Credentials, error) {
 	var credentials Credentials
 	err = json.Unmarshal(credentialsRaw, &credentials)
 	if err != nil {
-		return nil, fmt.Errorf("unmarshalling credentials: %w", err)
+		return nil, fmt.Errorf("unmaPrivateKeyrshalling credentials: %w", err)
 	}
 	return &credentials, nil
 }
@@ -279,6 +301,9 @@ func getPrivateKey(cfg *config.Configuration) (err error) {
 		if err != nil {
 			return err
 		}
+		if len(privateKeyBytes) == 0 {
+			return fmt.Errorf("key path points to an empty file")
+		}
 		cfg.PrivateKey = string(privateKeyBytes)
 	}
 	return nil

core/auth/auth_test.go

@@ -4,37 +4,43 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"encoding/json"
 	"encoding/pem"
-	"fmt"
 	"os"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/stackitcloud/stackit-sdk-go/core/clients"
 	"github.com/stackitcloud/stackit-sdk-go/core/config"
 )
 
-const saKeyStrPattern = `{
-	"active": true,
-	"createdAt": "2023-03-23T18:26:20.335Z",
-	"credentials": {
-	  "aud": "https://test-url.com",
-	  "iss": "[email protected]",
-	  "kid": "%s",
-	  "sub": "%s"
-	},
-	"id": "%s",
-	"keyAlgorithm": "RSA_2048",
-	"keyOrigin": "USER_PROVIDED",
-	"keyType": "USER_MANAGED",
-	"publicKey": "...",
-	"validUntil": "2024-03-22T18:05:41Z"
-}`
-
-var saKey = fmt.Sprintf(saKeyStrPattern, uuid.New().String(), uuid.New().String(), uuid.New().String())
-
-// Error cases are tested in the noAuth, TokenAuth and DefaultAuth functions
+func fixtureServiceAccountKey(mods ...func(*clients.ServiceAccountKeyResponse)) *clients.ServiceAccountKeyResponse {
+	validUntil := time.Now().Add(time.Hour)
+	serviceAccountKeyResponse := &clients.ServiceAccountKeyResponse{
+		Active:    true,
+		CreatedAt: time.Now(),
+		Credentials: &clients.ServiceAccountKeyCredentials{
+			Aud: "https://stackit-service-account-prod.apps.01.cf.eu01.stackit.cloud",
+			Iss: "[email protected]",
+			Kid: uuid.New().String(),
+			Sub: uuid.New(),
+		},
+		ID:           uuid.New(),
+		KeyAlgorithm: "RSA_2048",
+		KeyOrigin:    "USER_PROVIDED",
+		KeyType:      "USER_MANAGED",
+		PublicKey:    "...",
+		ValidUntil:   &validUntil,
+	}
+	for _, mod := range mods {
+		mod(serviceAccountKeyResponse)
+	}
+	return serviceAccountKeyResponse
+}
+
+// Error cases are tested in the NoAuth, KeyAuth, TokenAuth and DefaultAuth functions
 func TestSetupAuth(t *testing.T) {
 	privateKey, err := generatePrivateKey()
 	if err != nil {
@@ -78,7 +84,11 @@ func TestSetupAuth(t *testing.T) {
 		}
 	}()
 
-	// Write some text to the file
+	// Write the service account key to the file
+	saKey, err := json.Marshal(fixtureServiceAccountKey())
+	if err != nil {
+		t.Fatalf("unmarshalling service account key: %s", err)
+	}
 	_, errs = saKeyFile.WriteString(string(saKey))
 	if errs != nil {
 		t.Fatalf("Writing private key to temporary file: %s", err)
@@ -288,7 +298,11 @@ func TestDefaultAuth(t *testing.T) {
 		}
 	}()
 
-	// Write some text to the file
+	// Write the service account key to the file
+	saKey, err := json.Marshal(fixtureServiceAccountKey())
+	if err != nil {
+		t.Fatalf("unmarshalling service account key: %s", err)
+	}
 	_, errs = saKeyFile.WriteString(string(saKey))
 	if errs != nil {
 		t.Fatalf("Writing private key to temporary file: %s", err)
@@ -417,40 +431,71 @@ func TestTokenAuth(t *testing.T) {
 }
 
 func TestKeyAuth(t *testing.T) {
-	privateKey, err := generatePrivateKey()
+	includedPrivateKey, err := generatePrivateKey()
+	if err != nil {
+		t.Fatalf("Failed to generate private key for testing")
+	}
+	configuredPrivateKey, err := generatePrivateKey()
 	if err != nil {
 		t.Fatalf("Failed to generate private key for testing")
 	}
 
 	for _, test := range []struct {
-		desc              string
-		serviceAccountKey string
-		privateKey        string
-		isValid           bool
+		desc                 string
+		serviceAccountKey    *clients.ServiceAccountKeyResponse
+		includedPrivateKey   *string
+		configuredPrivateKey string
+		envVarPrivateKey     string
+		expectedPrivateKey   string
+		isValid              bool
 	}{
 		{
-			desc:              "valid_case",
-			serviceAccountKey: saKey,
-			privateKey:        string(privateKey),
-			isValid:           true,
+			desc:                 "configured_private_key",
+			serviceAccountKey:    fixtureServiceAccountKey(),
+			configuredPrivateKey: string(configuredPrivateKey),
+			expectedPrivateKey:   string(configuredPrivateKey),
+			isValid:              true,
 		},
 		{
-			desc:              "no_sa_key",
-			serviceAccountKey: "",
-			privateKey:        string(privateKey),
-			isValid:           false,
+			desc:               "included_private_key",
+			serviceAccountKey:  fixtureServiceAccountKey(),
+			includedPrivateKey: &includedPrivateKey,
+			expectedPrivateKey: includedPrivateKey,
+			isValid:            true,
+		},
+		{
+			desc:                 "empty_configured_use_included_private_key",
+			serviceAccountKey:    fixtureServiceAccountKey(),
+			includedPrivateKey:   &includedPrivateKey,
+			configuredPrivateKey: "",
+			expectedPrivateKey:   includedPrivateKey,
+			isValid:              true,
 		},
 		{
-			desc:              "no_private_key",
-			serviceAccountKey: "no_sa_key",
-			privateKey:        "",
-			isValid:           false,
+			desc:                 "configured_over_included_private_key",
+			serviceAccountKey:    fixtureServiceAccountKey(),
+			includedPrivateKey:   &includedPrivateKey,
+			configuredPrivateKey: configuredPrivateKey,
+			expectedPrivateKey:   configuredPrivateKey,
+			isValid:              true,
 		},
 		{
-			desc:              "no_keys",
-			serviceAccountKey: "",
-			privateKey:        "",
-			isValid:           false,
+			desc:                 "no_sa_key",
+			serviceAccountKey:    nil,
+			configuredPrivateKey: configuredPrivateKey,
+			isValid:              false,
+		},
+		{
+			desc:                 "missing_private_key",
+			serviceAccountKey:    fixtureServiceAccountKey(),
+			configuredPrivateKey: "",
+			isValid:              false,
+		},
+		{
+			desc:                 "no_keys",
+			serviceAccountKey:    nil,
+			configuredPrivateKey: "",
+			isValid:              false,
 		},
 	} {
 		t.Run(test.desc, func(t *testing.T) {
@@ -459,9 +504,21 @@ func TestKeyAuth(t *testing.T) {
 			t.Setenv("STACKIT_PRIVATE_KEY", "")
 			t.Setenv("STACKIT_PRIVATE_KEY_PATH", "")
 
+			var saKey string
+			if test.serviceAccountKey != nil {
+				test.serviceAccountKey.Credentials.PrivateKey = test.includedPrivateKey
+
+				saKeyBytes, err := json.Marshal(test.serviceAccountKey)
+				if err != nil {
+					t.Fatalf("unmarshalling service account key: %s", err)
+				}
+
+				saKey = string(saKeyBytes)
+			}
+
 			cfg := &config.Configuration{
-				ServiceAccountKey: test.serviceAccountKey,
-				PrivateKey:        test.privateKey,
+				ServiceAccountKey: saKey,
+				PrivateKey:        test.configuredPrivateKey,
 			}
 			// Get the key authentication client and ensure that it's not nil
 			authClient, err := KeyAuth(cfg)
@@ -474,8 +531,18 @@ func TestKeyAuth(t *testing.T) {
 				t.Fatalf("Test didn't return error on invalid test case")
 			}
 
-			if test.isValid && authClient == nil {
-				t.Fatalf("Client returned is nil for valid test case")
+			if test.isValid {
+				if authClient == nil {
+					t.Fatalf("Client returned is nil for valid test case")
+				}
+
+				keyFlow, ok := authClient.(*clients.KeyFlow)
+				if !ok {
+					t.Fatalf("Could not convert authClient to KeyFlow")
+				}
+				if keyFlow.GetConfig().PrivateKey != test.expectedPrivateKey {
+					t.Fatalf("The private key is wrong: expected %s, got %s", test.expectedPrivateKey, keyFlow.GetConfig().PrivateKey)
+				}
 			}
 		})
 	}
@@ -575,11 +642,11 @@ func TestGetServiceAccountEmail(t *testing.T) {
 	}
 }
 
-func generatePrivateKey() ([]byte, error) {
+func generatePrivateKey() (string, error) {
 	// Generate a new RSA key pair with a size of 2048 bits
 	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
 	// Encode the private key in PEM format
@@ -589,7 +656,7 @@ func generatePrivateKey() ([]byte, error) {
 	}
 
 	// Print the private and public keys
-	return pem.EncodeToMemory(privKeyPEM), nil
+	return string(pem.EncodeToMemory(privKeyPEM)), nil
 }
 
 func TestGetPrivateKey(t *testing.T) {