Merge pull request #5471 from snyk/fix/CLI-489_inject_random_api_token

fix(auth): missing auth issue with oauth
snyk · Sep 6, 2024 · be545b7 · be545b7
2 parents 9083ee1 + 57ae95c
commit be545b7
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 18 deletions.
diff --git a/cliv2/internal/constants/constants.go b/cliv2/internal/constants/constants.go
@@ -19,6 +19,7 @@ const SNYK_NPM_ALL_PROXY = "ALL_PROXY"
 const SNYK_CA_CERTIFICATE_LOCATION_ENV = "NODE_EXTRA_CA_CERTS"
 const SNYK_INTERNAL_NO_PROXY = "localhost,127.0.0.1,::1"
 const SNYK_OAUTH_ACCESS_TOKEN_ENV = "SNYK_OAUTH_TOKEN"
+const SNYK_API_TOKEN_ENV = "SNYK_TOKEN"
 const SNYK_ANALYTICS_DISABLED_ENV = "SNYK_DISABLE_ANALYTICS"
 const SNYK_INTERNAL_ORGID_ENV = "SNYK_INTERNAL_ORGID"
 const SNYK_INTERNAL_PREVIEW_FEATURES_ENABLED = "SNYK_INTERNAL_PREVIEW_FEATURES"

diff --git a/cliv2/pkg/basic_workflows/legacycli.go b/cliv2/pkg/basic_workflows/legacycli.go
@@ -8,7 +8,6 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
-	"github.com/snyk/go-application-framework/pkg/auth"
 	"github.com/snyk/go-application-framework/pkg/configuration"
 	"github.com/snyk/go-application-framework/pkg/logging"
 	"github.com/snyk/go-application-framework/pkg/networking"
@@ -76,7 +75,6 @@ func legacycliWorkflow(
 	debugLoggerDefault := invocation.GetLogger()  // uses log
 	networkAccess := invocation.GetNetworkAccess()
 
-	oauthIsAvailable := config.GetBool(configuration.FF_OAUTH_AUTH_FLOW_ENABLED)
 	args := config.GetStringSlice(configuration.RAW_CMD_ARGS)
 	useStdIo := config.GetBool(configuration.WORKFLOW_USE_STDIO)
 	isDebug := config.GetBool(configuration.DEBUG)
@@ -104,23 +102,14 @@ func legacycliWorkflow(
 		cli.AppendEnvironmentVariables(env)
 	}
 
-	if oauthIsAvailable {
-		// The Legacy CLI doesn't support oauth authentication. Oauth authentication is implemented in the Extensible CLI and is added
-		// to the legacy CLI by forwarding network traffic through the internal proxy of the Extensible CLI.
-		// The legacy CLI always expects some sort of token to be available, otherwise some functionality isn't available. This is why we inject
-		// a random token value to bypass these checks and replace the proper authentication headers in the internal proxy.
-		// Injecting the real token here and not in the proxy would create an issue when the token expires during CLI execution.
-		if oauth := config.GetString(auth.CONFIG_KEY_OAUTH_TOKEN); len(oauth) > 0 {
-			envMap := pkg_utils.ToKeyValueMap(os.Environ(), "=")
-			if _, ok := envMap[constants.SNYK_OAUTH_ACCESS_TOKEN_ENV]; !ok {
-				env := []string{constants.SNYK_OAUTH_ACCESS_TOKEN_ENV + "=randomtoken"}
-				cli.AppendEnvironmentVariables(env)
-				debugLogger.Print("Authentication: Oauth token handling delegated to Extensible CLI.")
-			} else {
-				debugLogger.Print("Authentication: Using oauth token from Environment Variable.")
-			}
-		}
+	// In general all authentication if handled through the Extensible CLI now. But there is some legacy logic
+	// that checks for an API token to be available. Until this logic is safely removed, we will be injecting a
+	// fake/random API token to bypass this logic.
+	apiToken := config.GetString(configuration.AUTHENTICATION_TOKEN)
+	if len(apiToken) == 0 {
+		apiToken = "random"
 	}
+	cli.AppendEnvironmentVariables([]string{constants.SNYK_API_TOKEN_ENV + "=" + apiToken})
 
 	err = cli.Init()
 	if err != nil {

diff --git a/test/jest/acceptance/auth.spec.ts b/test/jest/acceptance/auth.spec.ts
@@ -55,6 +55,12 @@ describe('Auth', () => {
       },
     );
     expect(code).toEqual(0);
+
+    // Run this command to verify that it succeeds with oauth, since it is implemented in TS
+    const ignoreCode = await runSnykCLI(`ignore --id=das`, {
+      env,
+    });
+    expect(ignoreCode.code).toEqual(0);
   });
 
   it('fails to us oauth client credentials grant to authenticate', async () => {