authorDan Engelbrecht <[email protected]>2025-04-03 14:28:15 +0200
committerGitHub Enterprise <[email protected]>2025-04-03 14:28:15 +0200
commit9e138d34eda99c57c1e55ab15b1c60f4757cd99f (patch)
treeea9a8181061f87459f1282145555e98f4f240ce5 /src
parent5.6.2 (diff)
downloadzen-9e138d34eda99c57c1e55ab15b1c60f4757cd99f.tar.xz
zen-9e138d34eda99c57c1e55ab15b1c60f4757cd99f.zip
`zen oplog-export`, `zen oplog-import` for `--url` (cloud) and `--builds` (builds) option now has `--oidctoken-exe-path` to let zen run the OidcToken executable to get and refresh authentication token (#340)
Diffstat (limited to 'src')
-rw-r--r--src/zen/cmds/projectstore_cmd.cpp209
-rw-r--r--src/zen/cmds/projectstore_cmd.h2
-rw-r--r--src/zenserver/projectstore/buildsremoteprojectstore.cpp10
-rw-r--r--src/zenserver/projectstore/buildsremoteprojectstore.h23
-rw-r--r--src/zenserver/projectstore/jupiterremoteprojectstore.cpp10
-rw-r--r--src/zenserver/projectstore/jupiterremoteprojectstore.h23
-rw-r--r--src/zenserver/projectstore/projectstore.cpp22
7 files changed, 159 insertions, 140 deletions
diff --git a/src/zen/cmds/projectstore_cmd.cpp b/src/zen/cmds/projectstore_cmd.cpp
index 13c7c4b23..c73842b89 100644
--- a/src/zen/cmds/projectstore_cmd.cpp
+++ b/src/zen/cmds/projectstore_cmd.cpp
@@ -61,6 +61,75 @@ namespace {
return AuthToken;
}
+ std::filesystem::path FindOidcTokenExePath(std::string_view OidcTokenAuthExecutablePath)
+ {
+ if (OidcTokenAuthExecutablePath.empty())
+ {
+ const std::string OidcExecutableName = "OidcToken" ZEN_EXE_SUFFIX_LITERAL;
+ std::filesystem::path OidcTokenPath = (GetRunningExecutablePath().parent_path() / OidcExecutableName).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ OidcTokenPath = (std::filesystem::current_path() / OidcExecutableName).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ }
+ else
+ {
+ std::filesystem::path OidcTokenPath = std::filesystem::absolute(StringToPath(OidcTokenAuthExecutablePath)).make_preferred();
+ if (IsFile(OidcTokenPath))
+ {
+ return OidcTokenPath;
+ }
+ }
+ return {};
+ };
+
+ void WriteAuthOptions(CbObjectWriter& Writer,
+ std::string_view JupiterOpenIdProvider,
+ std::string_view JupiterAccessToken,
+ std::string_view JupiterAccessTokenEnv,
+ std::string_view JupiterAccessTokenPath,
+ std::string_view OidcTokenAuthExecutablePath)
+ {
+ if (!JupiterOpenIdProvider.empty())
+ {
+ Writer.AddString("openid-provider"sv, JupiterOpenIdProvider);
+ }
+ if (!JupiterAccessToken.empty())
+ {
+ Writer.AddString("access-token"sv, JupiterAccessToken);
+ }
+ if (!JupiterAccessTokenPath.empty())
+ {
+ std::string ResolvedCloudAccessToken = ReadJupiterAccessTokenFromFile(JupiterAccessTokenPath);
+ if (!ResolvedCloudAccessToken.empty())
+ {
+ Writer.AddString("access-token"sv, ResolvedCloudAccessToken);
+ }
+ }
+ if (!JupiterAccessTokenEnv.empty())
+ {
+ std::string ResolvedCloudAccessTokenEnv = GetEnvVariable(JupiterAccessTokenEnv);
+
+ if (!ResolvedCloudAccessTokenEnv.empty())
+ {
+ Writer.AddString("access-token"sv, ResolvedCloudAccessTokenEnv);
+ }
+ else
+ {
+ Writer.AddString("access-token-env"sv, JupiterAccessTokenEnv);
+ }
+ }
+ if (std::filesystem::path OidcTokenExePath = FindOidcTokenExePath(OidcTokenAuthExecutablePath); !OidcTokenExePath.empty())
+ {
+ Writer.AddString("oidc-exe-path"sv, OidcTokenExePath.generic_string());
+ }
+ }
+
IoBuffer MakeCbObjectPayload(std::function<void(CbObjectWriter& Writer)> WriteCB)
{
CbObjectWriter Writer;
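Review bot: `FindOidcTokenExePath` falls back to `std::filesystem::current_path() / OidcExecutableName` when nothing is found next to the zen binary, so an `OidcToken` file in whatever directory the command is started from is picked up and forwarded as `oidc-exe-path`, which per the commit message is the program run to obtain credentials. Because `WriteAuthOptions` calls the lookup unconditionally, this discovery also runs when `--oidctoken-exe-path` was not given and an access token was supplied. I would drop the working-directory probe and keep only the install-directory lookup and the explicit path. An explicitly supplied path that is not a file should be reported as an error instead of silently returning `{}`. A short comment on `WriteAuthOptions` stating which `access-token` source wins would also help, since its four adjacent `std::string_view` parameters are easy to transpose at call sites.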
@@ -1160,35 +1229,12 @@ ExportOplogCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** arg
{
Writer.AddString("basekey"sv, m_BaseCloudKey);
}
- if (!m_JupiterOpenIdProvider.empty())
- {
- Writer.AddString("openid-provider"sv, m_JupiterOpenIdProvider);
- }
- if (!m_JupiterAccessToken.empty())
- {
- Writer.AddString("access-token"sv, m_JupiterAccessToken);
- }
- if (!m_JupiterAccessTokenPath.empty())
- {
- std::string ResolvedCloudAccessToken = ReadJupiterAccessTokenFromFile(m_JupiterAccessTokenPath);
- if (!ResolvedCloudAccessToken.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessToken);
- }
- }
- if (!m_JupiterAccessTokenEnv.empty())
- {
- std::string ResolvedCloudAccessTokenEnv = GetEnvVariable(m_JupiterAccessTokenEnv);
-
- if (!ResolvedCloudAccessTokenEnv.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessTokenEnv);
- }
- else
- {
- Writer.AddString("access-token-env"sv, m_JupiterAccessTokenEnv);
- }
- }
+ WriteAuthOptions(Writer,
+ m_JupiterOpenIdProvider,
+ m_JupiterAccessToken,
+ m_JupiterAccessTokenEnv,
+ m_JupiterAccessTokenPath,
+ m_OidcTokenAuthExecutablePath);
if (m_JupiterAssumeHttp2)
{
Writer.AddBool("assumehttp2"sv, true);
@@ -1219,35 +1265,12 @@ ExportOplogCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** arg
Writer.AddString("namespace"sv, m_JupiterNamespace);
Writer.AddString("bucket"sv, m_JupiterBucket);
Writer.AddString("buildsid"sv, m_BuildsId);
- if (!m_JupiterOpenIdProvider.empty())
- {
- Writer.AddString("openid-provider"sv, m_JupiterOpenIdProvider);
- }
- if (!m_JupiterAccessToken.empty())
- {
- Writer.AddString("access-token"sv, m_JupiterAccessToken);
- }
- if (!m_JupiterAccessTokenPath.empty())
- {
- std::string ResolvedCloudAccessToken = ReadJupiterAccessTokenFromFile(m_JupiterAccessTokenPath);
- if (!ResolvedCloudAccessToken.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessToken);
- }
- }
- if (!m_JupiterAccessTokenEnv.empty())
- {
- std::string ResolvedCloudAccessTokenEnv = GetEnvVariable(m_JupiterAccessTokenEnv);
-
- if (!ResolvedCloudAccessTokenEnv.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessTokenEnv);
- }
- else
- {
- Writer.AddString("access-token-env"sv, m_JupiterAccessTokenEnv);
- }
- }
+ WriteAuthOptions(Writer,
+ m_JupiterOpenIdProvider,
+ m_JupiterAccessToken,
+ m_JupiterAccessTokenEnv,
+ m_JupiterAccessTokenPath,
+ m_OidcTokenAuthExecutablePath);
if (m_JupiterAssumeHttp2)
{
Writer.AddBool("assumehttp2"sv, true);
@@ -1586,35 +1609,12 @@ ImportOplogCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** arg
Writer.AddString("namespace"sv, m_JupiterNamespace);
Writer.AddString("bucket"sv, m_JupiterBucket);
Writer.AddString("key"sv, m_CloudKey);
- if (!m_JupiterOpenIdProvider.empty())
- {
- Writer.AddString("openid-provider"sv, m_JupiterOpenIdProvider);
- }
- if (!m_JupiterAccessToken.empty())
- {
- Writer.AddString("access-token"sv, m_JupiterAccessToken);
- }
- if (!m_JupiterAccessTokenPath.empty())
- {
- std::string ResolvedCloudAccessToken = ReadJupiterAccessTokenFromFile(m_JupiterAccessTokenPath);
- if (!ResolvedCloudAccessToken.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessToken);
- }
- }
- if (!m_JupiterAccessTokenEnv.empty())
- {
- std::string ResolvedCloudAccessTokenEnv = GetEnvVariable(m_JupiterAccessTokenEnv);
-
- if (!ResolvedCloudAccessTokenEnv.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessTokenEnv);
- }
- else
- {
- Writer.AddString("access-token-env"sv, m_JupiterAccessTokenEnv);
- }
- }
+ WriteAuthOptions(Writer,
+ m_JupiterOpenIdProvider,
+ m_JupiterAccessToken,
+ m_JupiterAccessTokenEnv,
+ m_JupiterAccessTokenPath,
+ m_OidcTokenAuthExecutablePath);
if (m_JupiterAssumeHttp2)
{
Writer.AddBool("assumehttp2"sv, true);
@@ -1631,35 +1631,12 @@ ImportOplogCommand::Run(const ZenCliOptions& GlobalOptions, int argc, char** arg
Writer.AddString("namespace"sv, m_JupiterNamespace);
Writer.AddString("bucket"sv, m_JupiterBucket);
Writer.AddString("buildsid"sv, m_BuildsId);
- if (!m_JupiterOpenIdProvider.empty())
- {
- Writer.AddString("openid-provider"sv, m_JupiterOpenIdProvider);
- }
- if (!m_JupiterAccessToken.empty())
- {
- Writer.AddString("access-token"sv, m_JupiterAccessToken);
- }
- if (!m_JupiterAccessTokenPath.empty())
- {
- std::string ResolvedCloudAccessToken = ReadJupiterAccessTokenFromFile(m_JupiterAccessTokenPath);
- if (!ResolvedCloudAccessToken.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessToken);
- }
- }
- if (!m_JupiterAccessTokenEnv.empty())
- {
- std::string ResolvedCloudAccessTokenEnv = GetEnvVariable(m_JupiterAccessTokenEnv);
-
- if (!ResolvedCloudAccessTokenEnv.empty())
- {
- Writer.AddString("access-token"sv, ResolvedCloudAccessTokenEnv);
- }
- else
- {
- Writer.AddString("access-token-env"sv, m_JupiterAccessTokenEnv);
- }
- }
+ WriteAuthOptions(Writer,
+ m_JupiterOpenIdProvider,
+ m_JupiterAccessToken,
+ m_JupiterAccessTokenEnv,
+ m_JupiterAccessTokenPath,
+ m_OidcTokenAuthExecutablePath);
if (m_JupiterAssumeHttp2)
{
Writer.AddBool("assumehttp2"sv, true);
diff --git a/src/zen/cmds/projectstore_cmd.h b/src/zen/cmds/projectstore_cmd.h
index e66e98414..0d24d8529 100644
--- a/src/zen/cmds/projectstore_cmd.h
+++ b/src/zen/cmds/projectstore_cmd.h
@@ -109,6 +109,7 @@ private:
std::string m_JupiterAccessToken;
std::string m_JupiterAccessTokenEnv;
std::string m_JupiterAccessTokenPath;
+ std::string m_OidcTokenAuthExecutablePath;
bool m_JupiterAssumeHttp2 = false;
bool m_JupiterDisableTempBlocks = false;
@@ -165,6 +166,7 @@ private:
std::string m_JupiterAccessToken;
std::string m_JupiterAccessTokenEnv;
std::string m_JupiterAccessTokenPath;
+ std::string m_OidcTokenAuthExecutablePath;
bool m_JupiterAssumeHttp2 = false;
std::string m_CloudUrl;
diff --git a/src/zenserver/projectstore/buildsremoteprojectstore.cpp b/src/zenserver/projectstore/buildsremoteprojectstore.cpp
index a6583b722..2a04d5c40 100644
--- a/src/zenserver/projectstore/buildsremoteprojectstore.cpp
+++ b/src/zenserver/projectstore/buildsremoteprojectstore.cpp
@@ -494,7 +494,15 @@ CreateBuildsRemoteStore(const BuildsRemoteStoreOptions& Options, const std::file
{
TokenProvider = httpclientauth::CreateFromStaticToken(Options.AccessToken);
}
- else
+ else if (!Options.OidcExePath.empty())
+ {
+ if (auto TokenProviderMaybe = httpclientauth::CreateFromOidcTokenExecutable(Options.OidcExePath, Url); TokenProviderMaybe)
+ {
+ TokenProvider = TokenProviderMaybe.value();
+ }
+ }
+
+ if (!TokenProvider)
{
TokenProvider = httpclientauth::CreateFromDefaultOpenIdProvider(Options.AuthManager);
}
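Review bot: `Options.OidcExePath` reaches `httpclientauth::CreateFromOidcTokenExecutable` with no constraint on where the file lives, and in projectstore.cpp it is filled from the request's `oidc-exe-path` field, so whoever sends the export/import request chooses which program on the server host is used to obtain tokens. Unless that endpoint is reachable only by the local user (not visible from this hunk), the path should be checked against a server-side setting or a fixed install location before it is used. The same applies to the matching hunk in jupiterremoteprojectstore.cpp. The `if`/`else if` chain begins above the hunk.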
diff --git a/src/zenserver/projectstore/buildsremoteprojectstore.h b/src/zenserver/projectstore/buildsremoteprojectstore.h
index 8b2c6c8c8..c52b13886 100644
--- a/src/zenserver/projectstore/buildsremoteprojectstore.h
+++ b/src/zenserver/projectstore/buildsremoteprojectstore.h
@@ -10,17 +10,18 @@ class AuthMgr;
struct BuildsRemoteStoreOptions : RemoteStoreOptions
{
- std::string Url;
- std::string Namespace;
- std::string Bucket;
- Oid BuildId;
- std::string OpenIdProvider;
- std::string AccessToken;
- AuthMgr& AuthManager;
- bool ForceDisableBlocks = false;
- bool ForceDisableTempBlocks = false;
- bool AssumeHttp2 = false;
- IoBuffer MetaData;
+ std::string Url;
+ std::string Namespace;
+ std::string Bucket;
+ Oid BuildId;
+ std::string OpenIdProvider;
+ std::string AccessToken;
+ AuthMgr& AuthManager;
+ std::filesystem::path OidcExePath;
+ bool ForceDisableBlocks = false;
+ bool ForceDisableTempBlocks = false;
+ bool AssumeHttp2 = false;
+ IoBuffer MetaData;
};
std::shared_ptr<RemoteProjectStore> CreateBuildsRemoteStore(const BuildsRemoteStoreOptions& Options,
diff --git a/src/zenserver/projectstore/jupiterremoteprojectstore.cpp b/src/zenserver/projectstore/jupiterremoteprojectstore.cpp
index e5839ad3b..20e6c28ac 100644
--- a/src/zenserver/projectstore/jupiterremoteprojectstore.cpp
+++ b/src/zenserver/projectstore/jupiterremoteprojectstore.cpp
@@ -371,7 +371,15 @@ CreateJupiterRemoteStore(const JupiterRemoteStoreOptions& Options, const std::fi
{
TokenProvider = httpclientauth::CreateFromStaticToken(Options.AccessToken);
}
- else
+ else if (!Options.OidcExePath.empty())
+ {
+ if (auto TokenProviderMaybe = httpclientauth::CreateFromOidcTokenExecutable(Options.OidcExePath, Url); TokenProviderMaybe)
+ {
+ TokenProvider = TokenProviderMaybe.value();
+ }
+ }
+
+ if (!TokenProvider)
{
TokenProvider = httpclientauth::CreateFromDefaultOpenIdProvider(Options.AuthManager);
}
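Review bot: When `CreateFromOidcTokenExecutable` returns no provider, the code falls through to `CreateFromDefaultOpenIdProvider` without logging anything, so a failing OidcToken executable shows up only as authentication from a different identity source than the one requested. An `else` on the inner `if` with something like `ZEN_WARN("Failed to create token provider from OidcToken executable '{}'", Options.OidcExePath);` would make that diagnosable. The same applies to the matching hunk in buildsremoteprojectstore.cpp. The chain starts outside the hunk.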
diff --git a/src/zenserver/projectstore/jupiterremoteprojectstore.h b/src/zenserver/projectstore/jupiterremoteprojectstore.h
index 27f3d9b73..8bf79d563 100644
--- a/src/zenserver/projectstore/jupiterremoteprojectstore.h
+++ b/src/zenserver/projectstore/jupiterremoteprojectstore.h
@@ -10,17 +10,18 @@ class AuthMgr;
struct JupiterRemoteStoreOptions : RemoteStoreOptions
{
- std::string Url;
- std::string Namespace;
- std::string Bucket;
- IoHash Key;
- IoHash OptionalBaseKey;
- std::string OpenIdProvider;
- std::string AccessToken;
- AuthMgr& AuthManager;
- bool ForceDisableBlocks = false;
- bool ForceDisableTempBlocks = false;
- bool AssumeHttp2 = false;
+ std::string Url;
+ std::string Namespace;
+ std::string Bucket;
+ IoHash Key;
+ IoHash OptionalBaseKey;
+ std::string OpenIdProvider;
+ std::string AccessToken;
+ AuthMgr& AuthManager;
+ std::filesystem::path OidcExePath;
+ bool ForceDisableBlocks = false;
+ bool ForceDisableTempBlocks = false;
+ bool AssumeHttp2 = false;
};
std::shared_ptr<RemoteProjectStore> CreateJupiterRemoteStore(const JupiterRemoteStoreOptions& Options,
diff --git a/src/zenserver/projectstore/projectstore.cpp b/src/zenserver/projectstore/projectstore.cpp
index 1966eeef9..9aa800434 100644
--- a/src/zenserver/projectstore/projectstore.cpp
+++ b/src/zenserver/projectstore/projectstore.cpp
@@ -210,6 +210,16 @@ namespace {
AccessToken = GetEnvVariable(AccessTokenEnvVariable);
}
}
+ std::filesystem::path OidcExePath;
+ if (std::string_view OidcExePathString = Cloud["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+ {
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (!IsFile(OidcExePathMaybe))
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ }
std::string_view KeyParam = Cloud["key"sv].AsString();
if (KeyParam.empty())
{
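Review bot: The `IsFile` check is inverted: `OidcExePath` is assigned only inside `if (!IsFile(OidcExePathMaybe))`, right after the warning that the path cannot be reached, so a valid executable path is dropped and an unreachable one is passed on to the store options. It should read `if (IsFile(OidcExePathMaybe)) { OidcExePath = std::move(OidcExePathMaybe); }` with the `ZEN_WARN` moved to the `else`. The same block is repeated for `Builds["oidc-exe-path"]` in the later hunk of this file. Both lookups also omit the `sv` suffix that the neighbouring keys use (`Cloud["key"sv]`).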
@@ -252,6 +262,7 @@ namespace {
std::string(OpenIdProvider),
AccessToken,
AuthManager,
+ OidcExePath,
ForceDisableBlocks,
ForceDisableTempBlocks,
AssumeHttp2};
@@ -307,6 +318,16 @@ namespace {
AccessToken = GetEnvVariable(AccessTokenEnvVariable);
}
}
+ std::filesystem::path OidcExePath;
+ if (std::string_view OidcExePathString = Builds["oidc-exe-path"].AsString(); !OidcExePathString.empty())
+ {
+ std::filesystem::path OidcExePathMaybe(OidcExePathString);
+ if (!IsFile(OidcExePathMaybe))
+ {
+ ZEN_WARN("Path to OidcToken executable '{}' can not be reached by server", OidcExePathString);
+ OidcExePath = std::move(OidcExePathMaybe);
+ }
+ }
std::string_view BuildIdParam = Builds["buildsid"sv].AsString();
if (BuildIdParam.empty())
{
@@ -337,6 +358,7 @@ namespace {
std::string(OpenIdProvider),
AccessToken,
AuthManager,
+ OidcExePath,
ForceDisableBlocks,
ForceDisableTempBlocks,
AssumeHttp2,