feat: bring --devmode to oidc client config

DEVELOPING.md

@@ -100,6 +100,8 @@ RUST_LOG=info cargo run -p trust -- vexination api --devmode -p 8081 &
 RUST_LOG=info cargo run -p trust -- bombastic api --devmode -p 8082 &
 RUST_LOG=info cargo run -p trust -- spog api --devmode -p 8083  &
 RUST_LOG=info cargo run -p trust -- v11y api --devmode -p 8087 &
+RUST_LOG=info cargo run -p trust -- collectorist api --devmode -p 8088 &
+RUST_LOG=info cargo run -p trust -- collector osv --devmode &
 ```
 
 If you want to disable authentication (not recommended unless you are not exposing any services outside localhost), you can pass the `--authentication-disabled` flag to the above commands.
@@ -175,7 +177,7 @@ Assuming you have the system set up using `--devmode`, you can use the following
 a matching OIDC client configuration:
 
 ```shell
-RUST_LOG=info cargo run -p trust bombastic walker --bombastic-url http://localhost:8082 --oidc-client-id walker --oidc-client-secret ZVzq9AMOVUdMY1lSohpx1jI3aW56QDPS --oidc-issuer-url http://localhost:8090/realms/chicken
+RUST_LOG=info cargo run -p trust bombastic walker --bombastic-url http://localhost:8082 --devmode
 ```
 
 Example for importing an SBOM generated by `syft`:

auth/src/client/provider/openid.rs

@@ -2,8 +2,10 @@ use super::{
     super::{error::Error, Expires},
     {Credentials, TokenProvider},
 };
+use crate::devmode;
 use anyhow::Context;
 use core::fmt::{self, Debug, Formatter};
+use std::time::Duration;
 use std::{ops::Deref, sync::Arc};
 use tokio::sync::RwLock;
 use url::Url;
@@ -41,6 +43,15 @@ impl OpenIdTokenProviderConfigArguments {
     pub async fn into_provider(self) -> anyhow::Result<Arc<dyn TokenProvider>> {
         OpenIdTokenProviderConfig::new_provider(OpenIdTokenProviderConfig::from_args(self)).await
     }
+
+    pub async fn into_provider_or_devmode(self, devmode: bool) -> anyhow::Result<Arc<dyn TokenProvider>> {
+        let config = match devmode {
+            true => Some(OpenIdTokenProviderConfig::devmode()),
+            false => OpenIdTokenProviderConfig::from_args(self),
+        };
+
+        OpenIdTokenProviderConfig::new_provider(config).await
+    }
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, clap::Args)]
@@ -52,6 +63,15 @@ pub struct OpenIdTokenProviderConfig {
 }
 
 impl OpenIdTokenProviderConfig {
+    pub fn devmode() -> Self {
+        Self {
+            issuer_url: devmode::issuer_url(),
+            client_id: devmode::SERVICE_CLIENT_ID.to_string(),
+            client_secret: devmode::SSO_CLIENT_SECRET.to_string(),
+            refresh_before: Duration::from_secs(30).into(),
+        }
+    }
+
     pub async fn new_provider(config: Option<Self>) -> anyhow::Result<Arc<dyn TokenProvider>> {
         Ok(match config {
             Some(config) => Arc::new(OpenIdTokenProvider::with_config(config).await?),

auth/src/devmode.rs

@@ -6,8 +6,17 @@ const ISSUER_URL: &str = "http://localhost:8090/realms/chicken";
 /// This also includes the "testing" clients, as this allows running the testsuite against an
 /// already spun up set of services.
 pub const CLIENT_IDS: &[&str] = &["frontend", "walker", "testing-user", "testing-manager"];
+
+/// The default "service" client ID for devmode
+pub const SERVICE_CLIENT_ID: &str = "testing-manager";
+
 pub const SWAGGER_UI_CLIENT_ID: &str = "frontend";
 
+/// Static client secret for testing, configured in `deploy/compose/container_files/init-sso/data/client-*.json`.
+///
+/// This is not a secret. Don't use this in production.
+pub const SSO_CLIENT_SECRET: &str = "R8A6KFeyxJsMDBhjfHbpZTIF0GWt43HP";
+
 /// Get the issuer URL for `--devmode`.
 ///
 /// This can be either the value of [`ISSUER_URL`], or it can be overridden using the environment

bombastic/walker/src/lib.rs

@@ -23,6 +23,9 @@ pub struct Run {
 #[derive(Clone, Debug, clap::Parser)]
 #[command(rename_all_env = "SCREAMING_SNAKE_CASE")]
 pub struct WalkerConfig {
+    #[arg(long = "devmode", default_value_t = false)]
+    pub devmode: bool,
+
     #[command(flatten)]
     pub script_context: ScriptContext,
 
@@ -53,7 +56,12 @@ impl Run {
     pub async fn run(self) -> anyhow::Result<ExitCode> {
         Infrastructure::from(self.infra)
             .run("bombastic-walker", |_| async move {
-                let provider = self.config.oidc.clone().into_provider().await?;
+                let provider = self
+                    .config
+                    .oidc
+                    .clone()
+                    .into_provider_or_devmode(self.config.devmode)
+                    .await?;
 
                 let source = self
                     .config

collector/osv/src/lib.rs

@@ -25,6 +25,9 @@ pub struct Run {
     #[command(flatten)]
     pub api: EndpointServerConfig<CollectorOsv>,
 
+    #[arg(long = "devmode", default_value_t = false)]
+    pub devmode: bool,
+
     #[command(flatten)]
     pub infra: InfrastructureConfig,
 
@@ -52,7 +55,7 @@ impl Run {
     pub async fn run(self) -> anyhow::Result<ExitCode> {
         Infrastructure::from(self.infra)
             .run("collector-osv", |_metrics| async move {
-                let provider = self.oidc.into_provider().await?;
+                let provider = self.oidc.into_provider_or_devmode(self.devmode).await?;
                 let state = Self::configure("osv".into(), self.collectorist_url, self.v11y_url, provider).await?;
                 let server = server::run(state.clone(), self.api.socket_addr()?);
                 let register = register_with_collectorist(state.clone());

integration-tests/src/lib.rs

@@ -16,7 +16,7 @@ use reqwest::{StatusCode, Url};
 use serde_json::Value;
 use std::time::Duration;
 use tokio::select;
-use trustification_auth::{auth::AuthConfigArguments, client::TokenInjector};
+use trustification_auth::{auth::AuthConfigArguments, client::TokenInjector, devmode};
 use trustification_event_bus::EventBusConfig;
 
 #[cfg(feature = "with-services")]
@@ -30,10 +30,6 @@ use {
 const STORAGE_ENDPOINT: &str = "http://localhost:9000";
 #[cfg(feature = "with-services")]
 const KAFKA_BOOTSTRAP_SERVERS: &str = "localhost:9092";
-const SSO_ENDPOINT: &str = "http://localhost:8090/realms/chicken";
-
-/// Static client secret for testing, configured in `deploy/compose/container_files/init-sso/data/client-*.json`
-const SSO_TESTING_CLIENT_SECRET: &str = "R8A6KFeyxJsMDBhjfHbpZTIF0GWt43HP";
 
 pub async fn wait_for_event<F: Future>(events: &EventBusConfig, bus_name: &str, id: &str, f: F) {
     let bus = events.create(&prometheus::Registry::new()).await.unwrap();
@@ -105,7 +101,7 @@ fn testing_auth() -> AuthConfigArguments {
 #[cfg(feature = "with-services")]
 fn testing_swagger_ui_oidc() -> SwaggerUiOidcConfig {
     SwaggerUiOidcConfig {
-        swagger_ui_oidc_issuer_url: Some(SSO_ENDPOINT.to_string()),
+        swagger_ui_oidc_issuer_url: Some(devmode::issuer_url()),
         swagger_ui_oidc_client_id: "frontend".to_string(),
     }
 }

integration-tests/src/provider.rs

@@ -1,6 +1,6 @@
-use super::{SSO_ENDPOINT, SSO_TESTING_CLIENT_SECRET};
 use std::sync::Arc;
 use trustification_auth::client::{OpenIdTokenProvider, TokenProvider};
+use trustification_auth::devmode;
 
 #[derive(Clone)]
 pub struct ProviderContext {
@@ -10,17 +10,17 @@ pub struct ProviderContext {
 
 pub async fn create_provider_context() -> ProviderContext {
     ProviderContext {
-        provider_user: create_provider("testing-user", SSO_TESTING_CLIENT_SECRET, SSO_ENDPOINT).await,
-        provider_manager: create_provider("testing-manager", SSO_TESTING_CLIENT_SECRET, SSO_ENDPOINT).await,
+        provider_user: create_provider("testing-user", devmode::SSO_CLIENT_SECRET, devmode::issuer_url()).await,
+        provider_manager: create_provider("testing-manager", devmode::SSO_CLIENT_SECRET, devmode::issuer_url()).await,
     }
 }
 
-pub async fn create_provider(client_id: &str, secret: &str, issuer: &str) -> Arc<OpenIdTokenProvider> {
+pub async fn create_provider(client_id: &str, secret: &str, issuer: impl AsRef<str>) -> Arc<OpenIdTokenProvider> {
     let client_user = openid::Client::discover(
         client_id.into(),
         Some(secret.to_string()),
         None,
-        issuer.parse().unwrap(),
+        issuer.as_ref().parse().unwrap(),
     )
     .await
     .unwrap();