|
| 1 | +package cmd |
| 2 | + |
| 3 | +import ( |
| 4 | + "context" |
| 5 | + "fmt" |
| 6 | + "os" |
| 7 | + "sort" |
| 8 | + "strings" |
| 9 | + |
| 10 | + "github.com/automagik-dev/workit/internal/msauth" |
| 11 | + "github.com/automagik-dev/workit/internal/outfmt" |
| 12 | + "github.com/automagik-dev/workit/internal/secrets" |
| 13 | + "github.com/automagik-dev/workit/internal/ui" |
| 14 | +) |
| 15 | + |
| 16 | +func isM365ServicesCSV(value string) bool { |
| 17 | + parts := strings.Split(value, ",") |
| 18 | + if len(parts) == 0 { |
| 19 | + return false |
| 20 | + } |
| 21 | + for _, part := range parts { |
| 22 | + if strings.ToLower(strings.TrimSpace(part)) != "m365" { |
| 23 | + return false |
| 24 | + } |
| 25 | + } |
| 26 | + return true |
| 27 | +} |
| 28 | + |
| 29 | +func (c *AuthAddCmd) runM365(ctx context.Context, flags *RootFlags, u *ui.UI) error { |
| 30 | + if !c.Readonly { |
| 31 | + return usage("m365 auth requires explicit --readonly") |
| 32 | + } |
| 33 | + if c.Headless || c.NoPoll || c.CallbackServer != "" { |
| 34 | + return usage("m365 auth uses browser OAuth; headless callback-server mode is not supported yet") |
| 35 | + } |
| 36 | + if c.AuthCode != "" { |
| 37 | + return usage("m365 auth does not accept raw --auth-code; use browser OAuth") |
| 38 | + } |
| 39 | + if c.Step != 0 && c.Step != 1 && c.Step != 2 { |
| 40 | + return usage("step must be 1 or 2") |
| 41 | + } |
| 42 | + if c.Step != 0 && !c.Remote { |
| 43 | + return usage("--step requires --remote") |
| 44 | + } |
| 45 | + if c.Remote || c.Step != 0 || c.AuthURL != "" { |
| 46 | + return usage("m365 remote auth is not supported yet; use browser OAuth on this machine") |
| 47 | + } |
| 48 | + if dryRunErr := dryRunExit(ctx, flags, "auth.add.m365", map[string]any{ |
| 49 | + "email": strings.TrimSpace(c.Email), |
| 50 | + "provider": "microsoft_graph", |
| 51 | + "services": []string{"m365"}, |
| 52 | + "scopes": msauth.PilotAllowedScopes(), |
| 53 | + "readonly": c.Readonly, |
| 54 | + }); dryRunErr != nil { |
| 55 | + return dryRunErr |
| 56 | + } |
| 57 | + if keychainErr := ensureKeychainAccessIfNeeded(); keychainErr != nil { |
| 58 | + return fmt.Errorf("keychain access: %w", keychainErr) |
| 59 | + } |
| 60 | + result, err := authorizeM365(ctx, msauth.AuthorizeOptions{ |
| 61 | + ExpectedEmail: strings.TrimSpace(c.Email), |
| 62 | + Readonly: c.Readonly, |
| 63 | + ForceConsent: c.ForceConsent, |
| 64 | + Timeout: c.Timeout, |
| 65 | + }) |
| 66 | + if err != nil { |
| 67 | + return err |
| 68 | + } |
| 69 | + if normalizeEmail(result.Email) != normalizeEmail(c.Email) { |
| 70 | + return fmt.Errorf("authorized as %s, expected %s", result.Email, c.Email) |
| 71 | + } |
| 72 | + return storeM365Token(ctx, u, result.Email, result.RefreshToken) |
| 73 | +} |
| 74 | + |
| 75 | +func (c *AuthManageCmd) runM365(ctx context.Context) error { |
| 76 | + if !outfmt.IsJSON(ctx) && !c.PrintURL { |
| 77 | + return usage("m365 auth manage requires --print-url") |
| 78 | + } |
| 79 | + |
| 80 | + result, err := m365ManualAuthURL(ctx, msauth.ManualAuthURLOptions{Readonly: true, ForceConsent: c.ForceConsent}) |
| 81 | + if err != nil { |
| 82 | + return err |
| 83 | + } |
| 84 | + if outfmt.IsJSON(ctx) || c.PrintURL { |
| 85 | + return outfmt.WriteJSON(ctx, os.Stdout, map[string]any{ |
| 86 | + "provider": "microsoft_graph", |
| 87 | + "auth_url": result.URL, |
| 88 | + "state": result.State, |
| 89 | + "expires_in": result.ExpiresIn, |
| 90 | + }) |
| 91 | + } |
| 92 | + return nil |
| 93 | +} |
| 94 | + |
| 95 | +func storeM365Token(ctx context.Context, u *ui.UI, email string, refreshToken string) error { |
| 96 | + store, err := openSecretsStore() |
| 97 | + if err != nil { |
| 98 | + return err |
| 99 | + } |
| 100 | + serviceNames := []string{"m365"} |
| 101 | + scopes := append([]string(nil), msauth.PilotAllowedScopes()...) |
| 102 | + sort.Strings(scopes) |
| 103 | + if err := store.MergeToken(msauth.ClientName, email, secrets.Token{ |
| 104 | + Client: msauth.ClientName, |
| 105 | + Email: email, |
| 106 | + Services: serviceNames, |
| 107 | + Scopes: scopes, |
| 108 | + RefreshToken: refreshToken, |
| 109 | + }); err != nil { |
| 110 | + return err |
| 111 | + } |
| 112 | + return writeResult(ctx, u, |
| 113 | + kv("stored", true), |
| 114 | + kv("provider", "microsoft_graph"), |
| 115 | + kv("email", email), |
| 116 | + kv("services", serviceNames), |
| 117 | + kv("client", msauth.ClientName), |
| 118 | + ) |
| 119 | +} |
0 commit comments