identify-federation

Summary:

- OIDC support for:
    - `google`.
    - `aws`.
    - `azure`.
- Added robot test `ID Fed AWS S3 Buckets Traffic Light Canonical`.
- Added robot test `ID Fed Azure Public Keys Traffic Light Canonical`.
- Added robot test `ID Fed Google Container Agg Desc Traffic Light Canonical`.

Co-authored-by: Copilot <copilot@github.com>

Author: general-kroll-4-life

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.10.1
-	github.com/stackql/any-sdk v0.5.3-alpha05
+	github.com/stackql/any-sdk v0.5.3-alpha07
 	github.com/stackql/go-suffix-map v0.0.1-alpha01
 	github.com/stackql/psql-wire v0.1.2-beta01
 	github.com/stackql/stackql-parser v0.0.16-alpha02
@@ -68,12 +68,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.18.0 // indirect
 	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dvsekhvalnov/jose2go v1.6.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/swag v0.21.1 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
@@ -127,7 +129,7 @@ require (
 	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/oauth2 v0.26.0 // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.26.0 // indirect

go.sum

@@ -150,6 +150,8 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
+github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
+github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -184,6 +186,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@@ -467,8 +471,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.10.1 h1:nuJZuYpG7gTj/XqiUwg8bA0cp1+M2mC3J4g5luUYBKk=
 github.com/spf13/viper v1.10.1/go.mod h1:IGlFPqhNAPKRxohIzWpI5QEy4kuI7tcl5WvR+8qy1rU=
-github.com/stackql/any-sdk v0.5.3-alpha05 h1:Be5d0k5o1fLotY06ToKseNxp/JTFp2P4LpSxspedGw4=
-github.com/stackql/any-sdk v0.5.3-alpha05/go.mod h1:yGAr3eEtY6UpFMq8fF5BTvZhdqYGpyS90LP6KY5AKZs=
+github.com/stackql/any-sdk v0.5.3-alpha07 h1:EuOx9AMFEW4SkO10kQ4E0FXcyzsmhzDQQz0kTgoXqII=
+github.com/stackql/any-sdk v0.5.3-alpha07/go.mod h1:jTU9+GetqZ4lbcSF0D1Cf034nfxiAy0uFKzdi7hx7EE=
 github.com/stackql/go-suffix-map v0.0.1-alpha01 h1:TDUDS8bySu41Oo9p0eniUeCm43mnRM6zFEd6j6VUaz8=
 github.com/stackql/go-suffix-map v0.0.1-alpha01/go.mod h1:QAi+SKukOyf4dBtWy8UMy+hsXXV+yyEE4vmBkji2V7g=
 github.com/stackql/psql-wire v0.1.2-beta01 h1:+0xeLLam3nbI1iv84pWJYGYw5VO5S/+eICRbdu6+dj8=
@@ -657,8 +661,8 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
-golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

test/python/stackql_test_tooling/StackQLInterfaces.py

@@ -888,7 +888,7 @@ def should_stackql_exec_inline_equal_both_streams(
         *args,
         **cfg
       )
-      return self._verify_both_streams(result, expected_output, expected_stderr_output, **cfg)
+      self._verify_both_streams(result, expected_output, expected_stderr_output, **cfg)
 
 
   @keyword
@@ -996,19 +996,21 @@ def should_stackql_exec_inline_contain_both_streams(
     *args,
     **cfg
   ):
-    result = self._run_stackql_exec_command(
-      stackql_exe, 
-      okta_secret_str,
-      github_secret_str,
-      k8s_secret_str,
-      registry_cfg, 
-      auth_cfg_str, 
-      sql_backend_cfg_str,
-      query,
-      *args,
-      **cfg
-    )
-    return self._contain_both_streams(result, expected_output, expected_output_stderr)
+    repeat_count = int(cfg.pop('repeat_count', 1))
+    for _ in range(repeat_count):
+      result = self._run_stackql_exec_command(
+        stackql_exe,
+        okta_secret_str,
+        github_secret_str,
+        k8s_secret_str,
+        registry_cfg,
+        auth_cfg_str,
+        sql_backend_cfg_str,
+        query,
+        *args,
+        **cfg
+      )
+      self._contain_both_streams(result, expected_output, expected_output_stderr)
 
 
   @keyword

test/python/stackql_test_tooling/flask/oauth2/token_srv.py

@@ -9,6 +9,8 @@
 import logging
 
 from typing import List
+from datetime import datetime, timedelta, timezone
+from itertools import count
 
 
 """
@@ -64,6 +66,18 @@ def generate_google_response_dict(self, default_scopes: List[str]=["https://www.
             "expires_in": 3600
         }
 
+_AZURE_FEDERATED_TOKEN_COUNTER = count(1)
+_GCP_STS_TOKEN_COUNTER = count(1)
+_GCP_IMPERSONATED_TOKEN_COUNTER = count(1)
+
+
+def _utc_now() -> datetime:
+    return datetime.now(timezone.utc)
+
+
+def _isoformat_z(ts: datetime) -> str:
+    return ts.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace('+00:00', 'Z')
+
 def _form_to_str(form: ImmutableMultiDict) -> str:
     return json.dumps(form.to_dict(flat=False), sort_keys=True)
 
@@ -84,3 +98,66 @@ def contrived_simple_token():
     request_data = request.form
     app.logger.info(f'POST /contrived/simple/token request data: {_form_to_str(request_data)}')
     return json.dumps(_SIMPLE_RESPONSE, sort_keys=True)
+
+
+@app.route("/aws/sts", methods=['POST'])
+def aws_sts_assume_role_with_web_identity():
+    request_data = request.form
+    action = request_data.get('Action')
+    token = request_data.get('WebIdentityToken')
+    if action != 'AssumeRoleWithWebIdentity' or not token:
+        return json.dumps({"msg": "malformed aws_web_identity request"}, sort_keys=True), 400
+    expiration = _isoformat_z(_utc_now() + timedelta(seconds=1))
+    response_xml = f"""<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<AssumeRoleWithWebIdentityResponse xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\">
+  <AssumeRoleWithWebIdentityResult>
+    <Credentials>
+      <AccessKeyId>ASIA_MOCK_IDFED</AccessKeyId>
+      <SecretAccessKey>mock-idfed-secret</SecretAccessKey>
+      <SessionToken>mock-idfed-session-token</SessionToken>
+      <Expiration>{expiration}</Expiration>
+    </Credentials>
+  </AssumeRoleWithWebIdentityResult>
+</AssumeRoleWithWebIdentityResponse>"""
+    return response_xml, 200, {"Content-Type": "text/xml"}
+
+
+@app.route("/gcp/sts/token", methods=['POST'])
+def gcp_workload_identity_sts_token():
+    request_data = request.form
+    subject_token = request_data.get('subject_token')
+    if not subject_token:
+        return json.dumps({"msg": "missing subject_token"}, sort_keys=True), 400
+    token_index = next(_GCP_STS_TOKEN_COUNTER)
+    response = {
+        "access_token": f"gcp-fed-token-{token_index}",
+        "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
+        "token_type": "Bearer",
+        "expires_in": 1,
+    }
+    return json.dumps(response, sort_keys=True)
+
+
+@app.route("/gcp/iamcredentials/generateAccessToken", methods=['POST'])
+def gcp_workload_identity_impersonation():
+    token_index = next(_GCP_IMPERSONATED_TOKEN_COUNTER)
+    response = {
+        "accessToken": f"gcp-impersonated-token-{token_index}",
+        "expireTime": _isoformat_z(_utc_now() + timedelta(seconds=1)),
+    }
+    return json.dumps(response, sort_keys=True)
+
+
+@app.route("/azure/federated/token", methods=['POST'])
+def azure_federated_token():
+    request_data = request.form
+    subject_token = request_data.get('subject_token')
+    if not subject_token:
+        return json.dumps({"msg": "missing subject_token"}, sort_keys=True), 400
+    token_index = next(_AZURE_FEDERATED_TOKEN_COUNTER)
+    response = {
+        "access_token": f"azure-fed-token-{token_index}",
+        "token_type": "Bearer",
+        "expires_in": 1,
+    }
+    return json.dumps(response, sort_keys=True)

test/robot/functional/stackql_mocked_from_cmd_line.robot

@@ -4508,6 +4508,71 @@ Oauth2 CLient Credentials Auth Should Fail with Invalid Config
     ...    stdout=${CURDIR}/tmp/Oauth2-CLient-Credentials-Auth-Should-Fail-with-Invalid-Config.tmp
     ...    stderr=${CURDIR}/tmp/Oauth2-CLient-Credentials-Auth-Should-Fail-with-Invalid-Config-stderr.tmp
 
+ID Fed AWS S3 Buckets Traffic Light Canonical
+    [Tags]    id_fed_traffic_light    registry    tls_proxied
+    Pass Execution If    "${RUN_ID_FED_TRAFFIC_LIGHTS}" != "true"    Running only in dedicated id federation traffic-light CI step
+    Create File    ${CURDIR}/tmp/id-fed-aws-subject-token.jwt    mock-oidc-subject-token-aws
+    ${authCfg} =    Catenate
+    ...    {"aws":{"type":"aws_web_identity","aws_role_arn":"arn:aws:iam::123456789012:role/mock-idfed-role","aws_sts_region":"us-east-1","aws_sts_endpoint":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/aws/sts","oidc_subject_token_file":"${CURDIR}/tmp/id-fed-aws-subject-token.jwt"}}
+    Should Stackql Exec Inline Contain Both Streams
+    ...    ${STACKQL_EXE}
+    ...    ${OKTA_SECRET_STR}
+    ...    ${GITHUB_SECRET_STR}
+    ...    ${K8S_SECRET_STR}
+    ...    ${REGISTRY_NO_VERIFY_CFG_STR}
+    ...    ${authCfg}
+    ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
+    ...    ${SELECT_AWS_S3_BUCKETS}
+    ...    CreationDate
+    ...    ${EMPTY}
+    ...    stdout=${CURDIR}/tmp/ID-Fed-AWS-S3-Buckets-Traffic-Light-Canonical-stdout.tmp
+    ...    stderr=${CURDIR}/tmp/ID-Fed-AWS-S3-Buckets-Traffic-Light-Canonical-stderr.tmp
+    ...    repeat_count=4
+
+ID Fed Azure Public Keys Traffic Light Canonical
+    [Tags]    id_fed_traffic_light    registry    tls_proxied
+    Pass Execution If    "${RUN_ID_FED_TRAFFIC_LIGHTS}" != "true"    Running only in dedicated id federation traffic-light CI step
+    Create File    ${CURDIR}/tmp/id-fed-azure-subject-token.jwt    mock-oidc-subject-token-azure
+    ${authCfg} =    Catenate
+    ...    {"azure":{"type":"azure_federated","azure_tenant_id":"00000000-0000-0000-0000-000000000000","client_id":"11111111-1111-1111-1111-111111111111","scopes":["https://management.azure.com/.default"],"azure_federated_endpoint":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/azure/federated/token","oidc_subject_token_file":"${CURDIR}/tmp/id-fed-azure-subject-token.jwt"}}
+    ${inputStr} =    Catenate
+    ...    select name from azure.network.virtual_networks where subscriptionId = 'subid' order by name asc;
+    Should Stackql Exec Inline Contain Both Streams
+    ...    ${STACKQL_EXE}
+    ...    ${OKTA_SECRET_STR}
+    ...    ${GITHUB_SECRET_STR}
+    ...    ${K8S_SECRET_STR}
+    ...    ${REGISTRY_NO_VERIFY_CFG_STR}
+    ...    ${authCfg}
+    ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
+    ...    ${inputStr}
+    ...    name
+    ...    ${EMPTY}
+    ...    stdout=${CURDIR}/tmp/ID-Fed-Azure-Public-Keys-Traffic-Light-Canonical-stdout.tmp
+    ...    stderr=${CURDIR}/tmp/ID-Fed-Azure-Public-Keys-Traffic-Light-Canonical-stderr.tmp
+    ...    repeat_count=4
+
+ID Fed Google Container Agg Desc Traffic Light Canonical
+    [Tags]    id_fed_traffic_light    registry    tls_proxied
+    Pass Execution If    "${RUN_ID_FED_TRAFFIC_LIGHTS}" != "true"    Running only in dedicated id federation traffic-light CI step
+    Create File    ${CURDIR}/tmp/id-fed-gcp-subject-token.jwt    mock-oidc-subject-token-gcp
+    ${authCfg} =    Catenate
+    ...    {"google":{"type":"gcp_workload_identity","gcp_workload_identity_audience":"//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/mock-pool/providers/mock-provider","gcp_workload_identity_token_url":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/gcp/sts/token","gcp_service_account_impersonation_url":"https://${LOCAL_HOST_ALIAS}:${MOCKSERVER_PORT_OAUTH_CLIENT_CREDENTIALS_TOKEN}/gcp/iamcredentials/generateAccessToken","scopes":["https://www.googleapis.com/auth/cloud-platform"],"oidc_subject_token_file":"${CURDIR}/tmp/id-fed-gcp-subject-token.jwt"}}
+    Should Stackql Exec Inline Contain Both Streams
+    ...    ${STACKQL_EXE}
+    ...    ${OKTA_SECRET_STR}
+    ...    ${GITHUB_SECRET_STR}
+    ...    ${K8S_SECRET_STR}
+    ...    ${REGISTRY_NO_VERIFY_CFG_STR}
+    ...    ${authCfg}
+    ...    ${SQL_BACKEND_CFG_STR_CANONICAL}
+    ...    ${SELECT_CONTAINER_SUBNET_AGG_DESC}
+    ...    ipCidrRange
+    ...    ${EMPTY}
+    ...    stdout=${CURDIR}/tmp/ID-Fed-Google-Container-Agg-Desc-Traffic-Light-Canonical-stdout.tmp
+    ...    stderr=${CURDIR}/tmp/ID-Fed-Google-Container-Agg-Desc-Traffic-Light-Canonical-stderr.tmp
+    ...    repeat_count=4
+
 HTTP Log enabled regression test
     Should Horrid HTTP Log Enabled Query StackQL Inline Equal
     ...    ${STACKQL_EXE}