Add OAuth app registration commands

Author: artpar

README.md

@@ -267,6 +267,39 @@ server process.
 OAuth provider setup and OpenAPI integration workflows have first-class wrappers. The generic `create`, `list`, `describe action`, and `execute` commands still work, but these commands keep the common lifecycle discoverable and avoid passing large specs as shell arguments.
 
 ```bash
+# Register a Daptin OAuth provider client app
+export APP_CALLBACK_URL=https://app.example.com/auth/daptin/callback
+daptin-cli oauth app register \
+  --name "App Login" \
+  --redirect-uri "$APP_CALLBACK_URL" \
+  --scope openid \
+  --scope profile \
+  --scope email \
+  --grant authorization_code \
+  --grant refresh_token
+
+# Inspect provider-side OAuth apps and rotate a confidential client secret
+daptin-cli oauth app list
+daptin-cli oauth app describe <client_id_or_reference_id>
+daptin-cli oauth app rotate-secret <client_id_or_reference_id>
+
+# Use the returned client_id/client_secret to configure Daptin self-login
+export DAPTIN_BASE_URL=https://daptin.example.com
+export DAPTIN_SELF_CLIENT_SECRET=...
+daptin-cli oauth connect create daptin-login \
+  --client-id <client_id> \
+  --client-secret-env DAPTIN_SELF_CLIENT_SECRET \
+  --auth-url "$DAPTIN_BASE_URL/oauth/authorize" \
+  --token-url "$DAPTIN_BASE_URL/oauth/token" \
+  --profile-url "$DAPTIN_BASE_URL/oauth/userinfo" \
+  --scope openid,profile,email \
+  --redirect-uri "$APP_CALLBACK_URL" \
+  --profile-email-path email \
+  --allow-login \
+  --pkce \
+  --access-type-offline \
+  --update
+
 # Create an OAuth connection without putting the client secret in shell history
 export ASANA_CLIENT_SECRET=...
 daptin-cli oauth connect create asana.com \

cmd/args.go

@@ -25,7 +25,8 @@ var commandSubcommands = map[string]map[string]bool{
 		"upload": true, "download": true, "mv": true, "rm": true, "mkdir": true,
 	},
 	"asset":   {"upload": true, "list": true},
-	"oauth":   {"connect": true, "login-url": true, "tokens": true},
+	"oauth":   {"app": true, "connect": true, "login-url": true, "tokens": true},
+	"app":     {"register": true, "list": true, "describe": true, "rotate-secret": true},
 	"connect": {"create": true, "list": true},
 	"tokens":  {"list": true},
 	"integration": {
@@ -80,11 +81,13 @@ var valueFlags = map[string]bool{
 	"--credential-id":                   true,
 	"--input-json":                      true,
 	"--input-file":                      true,
+	"--name":                            true,
 	"--client-id":                       true,
 	"--client-secret":                   true,
 	"--client-secret-env":               true,
 	"--client-secret-file":              true,
 	"--scope":                           true,
+	"--grant":                           true,
 	"--response-type":                   true,
 	"--redirect-uri":                    true,
 	"--auth-url":                        true,
@@ -110,6 +113,8 @@ var boolFlags = map[string]bool{
 	"--allow-login":         true,
 	"--access-type-offline": true,
 	"--pkce":                true,
+	"--confidential":        true,
+	"--public":              true,
 	"--open":                true,
 	"--help":                true, "-h": true,
 	"--version": true, "-v": true,

cmd/args_test.go

@@ -135,6 +135,16 @@ func TestReorderArgs_OAuthNestedSubcommand(t *testing.T) {
 	}
 }
 
+func TestReorderArgs_OAuthAppRegister(t *testing.T) {
+	input := []string{"daptin", "oauth", "app", "register", "--name", "App Login", "--redirect-uri", "https://app.example.com/auth/daptin/callback", "--grant", "refresh_token"}
+	expected := []string{"daptin", "oauth", "app", "register", "--name", "App Login", "--redirect-uri", "https://app.example.com/auth/daptin/callback", "--grant", "refresh_token"}
+
+	result := ReorderArgs(input)
+	if !reflect.DeepEqual(result, expected) {
+		t.Errorf("expected %v, got %v", expected, result)
+	}
+}
+
 func TestReorderArgs_IntegrationExecute(t *testing.T) {
 	input := []string{"daptin", "integration", "execute", "asana.com", "getWorkspaces", "--oauth-token-id", "tok", "workspace=abc"}
 	expected := []string{"daptin", "integration", "execute", "--oauth-token-id", "tok", "asana.com", "getWorkspaces", "workspace=abc"}

cmd/oauth.go

@@ -24,13 +24,123 @@ func oauthCommand(appCtx *AppContext) *cli.Command {
    daptin oauth tokens list --provider asana.com`,
 		Description: "Wraps Daptin's oauth_connect and oauth_token tables without printing client secrets or tokens by default.",
 		Subcommands: []*cli.Command{
+			oauthAppCommand(appCtx),
 			oauthConnectCommand(appCtx),
 			oauthLoginURLCommand(appCtx),
 			oauthTokensCommand(appCtx),
 		},
 	}
 }
 
+func oauthAppCommand(appCtx *AppContext) *cli.Command {
+	return &cli.Command{
+		Name:  "app",
+		Usage: "Manage Daptin OAuth provider client apps",
+		Subcommands: []*cli.Command{
+			oauthAppRegisterCommand(appCtx),
+			oauthAppListCommand(appCtx),
+			oauthAppDescribeCommand(appCtx),
+			oauthAppRotateSecretCommand(appCtx),
+		},
+	}
+}
+
+func oauthAppRegisterCommand(appCtx *AppContext) *cli.Command {
+	return &cli.Command{
+		Name:      "register",
+		Usage:     "Register an OAuth client app for Daptin's OAuth provider",
+		ArgsUsage: "",
+		UsageText: `daptin oauth app register --name "App Login" --redirect-uri https://app.example.com/auth/daptin/callback --scope openid --scope profile --scope email`,
+		Flags: []cli.Flag{
+			&cli.StringFlag{Name: "name", Usage: "OAuth app display name"},
+			&cli.StringSliceFlag{Name: "redirect-uri", Usage: "Allowed redirect URI; repeat for multiple values"},
+			&cli.StringSliceFlag{Name: "scope", Usage: "Allowed scope; repeat or pass comma-separated values"},
+			&cli.StringSliceFlag{Name: "grant", Usage: "Allowed grant; repeat or pass comma-separated values"},
+			&cli.BoolFlag{Name: "confidential", Usage: "Register a confidential client (default)"},
+			&cli.BoolFlag{Name: "public", Usage: "Register a public client with no client secret"},
+		},
+		Action: func(c *cli.Context) error {
+			name := strings.TrimSpace(c.String("name"))
+			if name == "" {
+				return fmt.Errorf("--name is required")
+			}
+			if c.Bool("confidential") && c.Bool("public") {
+				return fmt.Errorf("--confidential and --public are mutually exclusive")
+			}
+			redirectURIs := c.StringSlice("redirect-uri")
+			if len(redirectURIs) == 0 {
+				return fmt.Errorf("--redirect-uri is required")
+			}
+
+			attrs := oauthAppRegisterAttrs(name, redirectURIs, c.StringSlice("scope"), c.StringSlice("grant"), !c.Bool("public"))
+			responses, err := appCtx.Client.Execute("register_client", "oauth_app", daptinClient.JsonApiObject(attrs))
+			if err != nil {
+				return err
+			}
+			return renderOAuthAppActionResponse(appCtx, responses, false)
+		},
+	}
+}
+
+func oauthAppListCommand(appCtx *AppContext) *cli.Command {
+	return &cli.Command{
+		Name:  "list",
+		Usage: "List OAuth provider client apps without secrets",
+		Action: func(c *cli.Context) error {
+			result, err := appCtx.Client.FindAll("oauth_app", daptinClient.DaptinQueryParameters{"page[size]": 100})
+			if err != nil {
+				return err
+			}
+			rows := client.MapArray(result, "attributes")
+			rows = render.FilterColumns(rows, []string{"name", "client_id", "redirect_uris", "scopes", "grants", "is_confidential", "is_enabled", "reference_id"})
+			if appCtx.Quiet {
+				return printRefs(rows)
+			}
+			return appCtx.Renderer.RenderArray(rows)
+		},
+	}
+}
+
+func oauthAppDescribeCommand(appCtx *AppContext) *cli.Command {
+	return &cli.Command{
+		Name:      "describe",
+		Usage:     "Describe one OAuth provider client app without secrets",
+		ArgsUsage: "<name-client-id-or-reference-id>",
+		Action: func(c *cli.Context) error {
+			app, err := oauthAppByNameClientOrRef(appCtx, c.Args().Get(0))
+			if err != nil {
+				return err
+			}
+			return renderSingleAPIObject(appCtx, app)
+		},
+	}
+}
+
+func oauthAppRotateSecretCommand(appCtx *AppContext) *cli.Command {
+	return &cli.Command{
+		Name:      "rotate-secret",
+		Usage:     "Rotate a confidential OAuth app client secret",
+		ArgsUsage: "<name-client-id-or-reference-id>",
+		Action: func(c *cli.Context) error {
+			app, err := oauthAppByNameClientOrRef(appCtx, c.Args().Get(0))
+			if err != nil {
+				return err
+			}
+			ref := refID(app)
+			if ref == "" {
+				return fmt.Errorf("oauth_app %q has no reference_id", c.Args().Get(0))
+			}
+			responses, err := appCtx.Client.Execute("rotate_client_secret", "oauth_app", daptinClient.JsonApiObject{
+				"oauth_app_id": ref,
+			})
+			if err != nil {
+				return err
+			}
+			return renderOAuthAppActionResponse(appCtx, responses, false)
+		},
+	}
+}
+
 func oauthConnectCommand(appCtx *AppContext) *cli.Command {
 	return &cli.Command{
 		Name:  "connect",
@@ -296,6 +406,84 @@ func redirectURLFromResponses(responses []daptinClient.DaptinActionResponse) str
 	return ""
 }
 
+func oauthAppRegisterAttrs(name string, redirectURIs, scopes, grants []string, confidential bool) map[string]interface{} {
+	attrs := map[string]interface{}{
+		"name":            name,
+		"redirect_uris":   oauthListString(redirectURIs, ""),
+		"scopes":          oauthListString(scopes, "openid profile email"),
+		"grants":          oauthListString(grants, "authorization_code refresh_token"),
+		"is_confidential": confidential,
+	}
+	return attrs
+}
+
+func oauthListString(values []string, defaultValue string) string {
+	parts := make([]string, 0, len(values))
+	for _, value := range values {
+		value = strings.ReplaceAll(value, ",", " ")
+		for _, part := range strings.Fields(value) {
+			if part != "" {
+				parts = append(parts, part)
+			}
+		}
+	}
+	if len(parts) == 0 {
+		return defaultValue
+	}
+	return strings.Join(parts, " ")
+}
+
+func oauthAppByNameClientOrRef(appCtx *AppContext, nameClientOrRef string) (map[string]interface{}, error) {
+	if nameClientOrRef == "" {
+		return nil, fmt.Errorf("oauth app name, client_id, or reference_id required")
+	}
+	if strings.Contains(nameClientOrRef, "-") {
+		row, err := appCtx.Client.FindOne("oauth_app", nameClientOrRef, nil)
+		if err == nil {
+			return row, nil
+		}
+	}
+	if row, err := findOneByField(appCtx, "oauth_app", "client_id", nameClientOrRef); err == nil {
+		return row, nil
+	}
+	return findOneByName(appCtx, "oauth_app", nameClientOrRef)
+}
+
+func findOneByField(appCtx *AppContext, entityName, fieldName, value string) (map[string]interface{}, error) {
+	clauses, err := ParseFilter(fieldName + "=" + value)
+	if err != nil {
+		return nil, err
+	}
+	result, err := appCtx.Client.FindAll(entityName, daptinClient.DaptinQueryParameters{
+		"page[size]": 1,
+		"query":      FilterToJSON(clauses),
+	})
+	if err != nil {
+		return nil, err
+	}
+	if len(result) == 0 {
+		return nil, fmt.Errorf("%s with %s %q not found", entityName, fieldName, value)
+	}
+	return result[0], nil
+}
+
+func renderOAuthAppActionResponse(appCtx *AppContext, responses []daptinClient.DaptinActionResponse, redact bool) error {
+	for _, response := range responses {
+		if response.ResponseType != "oauth_app" {
+			continue
+		}
+		attrs := response.Attributes
+		if redact {
+			attrs = redactSecretColumns(attrs)
+		}
+		if appCtx.Quiet {
+			return printRef(attrs)
+		}
+		return appCtx.Renderer.RenderObject(attrs)
+	}
+	return applyEffects(ProcessResponses(responses), appCtx)
+}
+
 func openBrowser(url string) error {
 	var command string
 	var args []string

cmd/oauth_test.go

@@ -39,6 +39,32 @@ func TestOAuthClientSecretRequiresSingleSource(t *testing.T) {
 	}
 }
 
+func TestOAuthAppRegisterAttrsDefaults(t *testing.T) {
+	attrs := oauthAppRegisterAttrs("App Login", []string{"https://app.example.com/auth/daptin/callback"}, nil, nil, true)
+	if attrs["name"] != "App Login" {
+		t.Fatalf("unexpected name: %v", attrs["name"])
+	}
+	if attrs["redirect_uris"] != "https://app.example.com/auth/daptin/callback" {
+		t.Fatalf("unexpected redirect_uris: %v", attrs["redirect_uris"])
+	}
+	if attrs["scopes"] != "openid profile email" {
+		t.Fatalf("unexpected scopes: %v", attrs["scopes"])
+	}
+	if attrs["grants"] != "authorization_code refresh_token" {
+		t.Fatalf("unexpected grants: %v", attrs["grants"])
+	}
+	if attrs["is_confidential"] != true {
+		t.Fatalf("expected confidential client, got %v", attrs["is_confidential"])
+	}
+}
+
+func TestOAuthListStringAcceptsRepeatedCommaAndSpaceValues(t *testing.T) {
+	got := oauthListString([]string{"openid,profile", "email offline_access"}, "")
+	if got != "openid profile email offline_access" {
+		t.Fatalf("unexpected list: %q", got)
+	}
+}
+
 func TestRedirectURLFromResponses(t *testing.T) {
 	responses := []daptinClient.DaptinActionResponse{
 		{