Add Zendesk as an OAuth backend

Cargo.toml

@@ -4,6 +4,7 @@ members = [
   "v-api-installer",
   "v-api-param",
   "v-api-permission-derive",
+  "v-cli-sdk",
   "v-model",
   "xtask"
 ]
@@ -29,14 +30,17 @@ hex = "0.4.3"
 http = "1"
 http-body-util = "0.1.3"
 hyper = "1.9.0"
+hyper-util = "0.1"
 jsonwebtoken = { version = "10.2", features = ["rust_crypto"] }
 mockall = "0.14.0"
 newtype-uuid = { version = "1.3.2", features = ["schemars08", "serde", "v4"] }
 oauth2 = { version = "5.0.0", default-features = false, features = ["rustls-tls"] }
 oauth2-reqwest = "0.1.0-alpha.3"
+owo-colors = "4.2.3"
 partial-struct = { git = "https://github.com/oxidecomputer/partial-struct" }
 percent-encoding = "2.3.2"
 proc-macro2 = "1"
+progenitor-client = "0.14.0"
 quote = "1"
 rand = "0.10.1"
 rand_core = "0.10.1"
@@ -53,6 +57,7 @@ sha2 = "0.11.0"
 slog = "2.8.2"
 steno = { git = "https://github.com/oxidecomputer/steno" }
 syn = "2"
+tabwriter = "1.4.1"
 tap = "1.0.1"
 tempfile = "3"
 thiserror = "2"

v-api-permission-derive/src/lib.rs

@@ -439,6 +439,7 @@ fn from_system_permission_tokens(
                         VPermission::ManageMagicLinkClientsAll => Self::ManageMagicLinkClientsAll,
 
                         VPermission::CreateAccessToken => Self::CreateAccessToken,
+                        VPermission::RetrieveRemoteAccessToken => Self::RetrieveRemoteAccessToken,
 
                         VPermission::GetSagasAll => Self::GetSagasAll,
                         VPermission::ManageSagasAll => Self::ManageSagasAll,
@@ -722,6 +723,7 @@ fn system_permission_tokens() -> TokenStream {
             ManageMagicLinkClientsAll,
 
             CreateAccessToken,
+            RetrieveRemoteAccessToken,
 
             #[v_api(scope(to = "saga:r", from = "saga:r"))]
             GetSagasAll,

v-api/src/config.rs

@@ -8,20 +8,23 @@ use jsonwebtoken::jwk::{
     AlgorithmParameters, CommonParameters, Jwk, KeyAlgorithm, PublicKeyUse, RSAKeyParameters,
     RSAKeyType,
 };
+use newtype_uuid::TypedUuid;
+use partial_struct::partial;
 use rsa::{
     pkcs1v15::{SigningKey, VerifyingKey},
     pkcs8::{DecodePrivateKey, DecodePublicKey},
     traits::PublicKeyParts,
     RsaPrivateKey, RsaPublicKey,
 };
-use secrecy::ExposeSecret;
+use secrecy::{ExposeSecret, SecretString};
 use serde::{
     de::{self, Visitor},
     Deserialize, Deserializer,
 };
 use std::path::PathBuf;
 use thiserror::Error;
-use v_api_param::StringParam;
+use v_api_param::{ParamResolutionError, StringParam};
+use v_model::OAuthClientId;
 
 use crate::{
     authn::{
@@ -151,25 +154,99 @@ pub struct SendGridConfig {
 pub struct OAuthProviders {
     pub github: Option<OAuthConfig>,
     pub google: Option<OAuthConfig>,
+    pub zendesk: Option<OAuthConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthConfig {
-    pub device: OAuthDeviceConfig,
-    pub web: OAuthWebConfig,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthDeviceConfig>))]
+    pub device: Option<OAuthDeviceConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebConfig>))]
+    pub web: Option<OAuthWebConfig>,
+    #[partial(ResolvedOAuthConfig(retype = Option<ResolvedOAuthWebProxyConfig>))]
+    pub proxy_web: Option<OAuthWebProxyConfig>,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthDeviceConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthDeviceConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub client_id: TypedUuid<OAuthClientId>,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthDeviceConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
 }
 
-#[derive(Debug, Deserialize)]
+#[partial(ResolvedOAuthWebConfig)]
+#[derive(Clone, Debug, Deserialize)]
 pub struct OAuthWebConfig {
-    pub client_id: String,
-    pub client_secret: StringParam,
+    pub remote_client_id: String,
+    #[partial(ResolvedOAuthWebConfig(retype = SecretString))]
+    pub remote_client_secret: StringParam,
+}
+
+#[partial(ResolvedOAuthWebProxyConfig)]
+#[derive(Clone, Debug, Deserialize)]
+pub struct OAuthWebProxyConfig {
+    pub client_id: TypedUuid<OAuthClientId>,
     pub redirect_uri: String,
+    pub proxy_port: u16,
+}
+
+impl OAuthConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthConfig, ParamResolutionError> {
+        let device = self
+            .device
+            .as_ref()
+            .and_then(|d| d.resolve(base.clone()).ok());
+        let web = self.web.as_ref().and_then(|w| w.resolve(base.clone()).ok());
+        let proxy_web = self.proxy_web.as_ref().and_then(|p| p.resolve(base).ok());
+        Ok(ResolvedOAuthConfig {
+            device,
+            web,
+            proxy_web,
+        })
+    }
+}
+impl OAuthDeviceConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthDeviceConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthDeviceConfig {
+            client_id: self.client_id,
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebConfig {
+    pub fn resolve(
+        &self,
+        base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebConfig, ParamResolutionError> {
+        let remote_client_secret = self.remote_client_secret.resolve(base)?;
+        Ok(ResolvedOAuthWebConfig {
+            remote_client_id: self.remote_client_id.clone(),
+            remote_client_secret,
+        })
+    }
+}
+impl OAuthWebProxyConfig {
+    pub fn resolve(
+        &self,
+        _base: Option<PathBuf>,
+    ) -> Result<ResolvedOAuthWebProxyConfig, ParamResolutionError> {
+        Ok(ResolvedOAuthWebProxyConfig {
+            client_id: self.client_id,
+            redirect_uri: self.redirect_uri.clone(),
+            proxy_port: self.proxy_port,
+        })
+    }
 }
 
 impl AsymmetricKey {

v-api/src/context/auth.rs

@@ -40,9 +40,22 @@ where
         jwks: JwkSet,
         signers: Vec<Signer>,
         verifiers: Vec<Verifier>,
+        mut additional_permissions: Vec<T>,
     ) -> Result<Self, AppError> {
         let signers = signers.into_iter().map(Arc::new).collect::<Vec<_>>();
         let verifiers = verifiers.into_iter().map(Arc::new).collect::<Vec<_>>();
+        additional_permissions.extend_from_slice(&[
+            VPermission::CreateApiUser.into(),
+            VPermission::GetApiUsersAll.into(),
+            VPermission::ManageApiUsersAll.into(),
+            VPermission::GetApiKeysAll.into(),
+            VPermission::CreateGroup.into(),
+            VPermission::GetGroupsAll.into(),
+            VPermission::CreateMapper.into(),
+            VPermission::GetMappersAll.into(),
+            VPermission::GetOAuthClientsAll.into(),
+            VPermission::CreateAccessToken.into(),
+        ]);
         Ok(Self {
             unauthenticated_caller: Caller {
                 id: "00000000-0000-4000-8000-000000000000".parse().unwrap(),
@@ -51,19 +64,7 @@ where
             },
             registration_caller: Caller {
                 id: "00000000-0000-4000-8000-000000000001".parse().unwrap(),
-                permissions: vec![
-                    VPermission::CreateApiUser,
-                    VPermission::GetApiUsersAll,
-                    VPermission::ManageApiUsersAll,
-                    VPermission::GetApiKeysAll,
-                    VPermission::CreateGroup,
-                    VPermission::GetGroupsAll,
-                    VPermission::CreateMapper,
-                    VPermission::GetMappersAll,
-                    VPermission::GetOAuthClientsAll,
-                    VPermission::CreateAccessToken,
-                ]
-                .into(),
+                permissions: additional_permissions.into(),
                 extensions: HashMap::default(),
             },
             jwt: JwtContext {
@@ -215,6 +216,7 @@ mod tests {
                 wrong_verifier.resolve_verifier(None).await.unwrap(),
                 verifier.resolve_verifier(None).await.unwrap(),
             ],
+            vec![],
         )
         .unwrap();