add tfe webhook auth

breardon2011 · breardon2011 · commit ac7ffda2cc5a · 2025-10-31T09:27:26.000-07:00
diff --git a/taco/internal/api/internal.go b/taco/internal/api/internal.go
@@ -5,10 +5,14 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/diggerhq/digger/opentaco/internal/auth"
+	"github.com/diggerhq/digger/opentaco/internal/auth/oidc"
+	"github.com/diggerhq/digger/opentaco/internal/auth/sts"
 	"github.com/diggerhq/digger/opentaco/internal/domain"
 	"github.com/diggerhq/digger/opentaco/internal/middleware"
 	"github.com/diggerhq/digger/opentaco/internal/rbac"
 	"github.com/diggerhq/digger/opentaco/internal/repositories"
+	"github.com/diggerhq/digger/opentaco/internal/tfe"
 	unithandlers "github.com/diggerhq/digger/opentaco/internal/unit"
 	"github.com/labstack/echo/v4"
 )
@@ -123,6 +127,59 @@ func RegisterInternalRoutes(e *echo.Echo, deps Dependencies) {
 	internal.GET("/units/:id/versions", unitHandler.ListVersions)
 	internal.POST("/units/:id/restore", unitHandler.RestoreVersion)
 
+	// ====================================================================================
+	// TFE API Routes with Webhook Auth (for UI forwarding)
+	// ====================================================================================
+	// These mirror the public TFE routes but use webhook auth instead of opaque tokens
+	// This allows the UI to forward Terraform Cloud API requests on behalf of users
+	
+	// Prepare auth deps for TFE handler
+	stsi, _ := sts.NewStatelessIssuerFromEnv()
+	ver, _ := oidc.NewFromEnv()
+	authHandler := auth.NewHandler(deps.Signer, stsi, ver)
+	apiTokenMgr := auth.NewAPITokenManagerFromStore(deps.BlobStore)
+	authHandler.SetAPITokenManager(apiTokenMgr)
+	
+	// Create identifier resolver for TFE org resolution
+	var tfeIdentifierResolver domain.IdentifierResolver
+	if deps.QueryStore != nil {
+		if db := repositories.GetDBFromQueryStore(deps.QueryStore); db != nil {
+			tfeIdentifierResolver = repositories.NewIdentifierResolver(db)
+		}
+	}
+	
+	// Create TFE handler with webhook auth context
+	tfeHandler := tfe.NewTFETokenHandler(authHandler, deps.Repository, deps.BlobStore, deps.RBACManager, tfeIdentifierResolver)
+	
+	// TFE group with webhook auth (for UI pass-through)
+	tfeInternal := e.Group("/internal/tfe/api/v2")
+	tfeInternal.Use(middleware.WebhookAuth())
+	
+	// Add org resolution middleware for TFE routes
+	if tfeIdentifierResolver != nil {
+		tfeInternal.Use(middleware.ResolveOrgContextMiddleware(tfeIdentifierResolver))
+		log.Println("Org context resolution middleware enabled for internal TFE routes")
+	}
+	
+	// Register TFE endpoints (same handlers as public TFE routes)
+	tfeInternal.GET("/ping", tfeHandler.Ping)
+	tfeInternal.GET("/organizations/:org_name/entitlement-set", tfeHandler.GetOrganizationEntitlements)
+	tfeInternal.GET("/account/details", tfeHandler.AccountDetails)
+	tfeInternal.GET("/organizations/:org_name/workspaces/:workspace_name", tfeHandler.GetWorkspace)
+	tfeInternal.POST("/workspaces/:workspace_id/actions/lock", tfeHandler.LockWorkspace)
+	tfeInternal.POST("/workspaces/:workspace_id/actions/unlock", tfeHandler.UnlockWorkspace)
+	tfeInternal.POST("/workspaces/:workspace_id/actions/force-unlock", tfeHandler.ForceUnlockWorkspace)
+	tfeInternal.GET("/workspaces/:workspace_id/current-state-version", tfeHandler.GetCurrentStateVersion)
+	tfeInternal.POST("/workspaces/:workspace_id/state-versions", tfeHandler.CreateStateVersion)
+	tfeInternal.GET("/state-versions/:id/download", tfeHandler.DownloadStateVersion)
+	tfeInternal.GET("/state-versions/:id", tfeHandler.ShowStateVersion)
+	
+	log.Println("TFE API endpoints registered at /internal/tfe/api/v2 with webhook auth")
+	
+	// ====================================================================================
+	// Health and Info Endpoints
+	// ====================================================================================
+	
 	// Health check for internal routes
 	internal.GET("/health", func(c echo.Context) error {
 		return c.JSON(http.StatusOK, map[string]interface{}{
diff --git a/ui/src/routes/tfe/$.tsx b/ui/src/routes/tfe/$.tsx
@@ -1,44 +1,119 @@
-import { verifyTokenFn } from '@/api/tokens_serverFunctions';
 import { createFileRoute } from '@tanstack/react-router'
 
 async function handler({ request }) {
   const url = new URL(request.url);
   
-  const isExemptPath =
+  // OAuth/discovery paths that don't require token auth (login flow)
+  const isOAuthPath = 
+    url.pathname.startsWith('/tfe/app/oauth2/') ||
+    url.pathname.startsWith('/tfe/oauth2/') ||
+    url.pathname === '/.well-known/terraform.json' ||
+    url.pathname === '/tfe/api/v2/motd';
+  
+  // Upload paths that use signed URLs (no Bearer token)
+  const isUploadPath =
     /^\/tfe\/api\/v2\/state-versions\/[^\/]+\/upload$/.test(url.pathname) ||
     /^\/tfe\/api\/v2\/state-versions\/[^\/]+\/json-upload$/.test(url.pathname);
 
-  if (!isExemptPath) {
-    try {
-      const token = request.headers.get('authorization')?.split(' ')[1]
-      console.log('verifying token', token, request.url)
-      console.log(request.headers)
-      const tokenValidation = await verifyTokenFn({data: { token: token}})
-      if (!tokenValidation.valid) {
-        return new Response('Unauthorized', { status: 401 })
-      }
-    } catch (error) {
-      console.error('Error verifying token', error)
-      return new Response('Unauthorized', { status: 401 })
+  // OAuth and upload paths: forward directly to public statesman endpoints
+  if (isOAuthPath || isUploadPath) {
+    const outgoingHeaders = new Headers(request.headers);
+    const originalHost = outgoingHeaders.get('host') ?? '';
+    if (originalHost) outgoingHeaders.set('x-forwarded-host', originalHost);
+    outgoingHeaders.set('x-forwarded-proto', url.protocol.replace(':', ''));
+    if (url.port) outgoingHeaders.set('x-forwarded-port', url.port);
+    
+    // Drop hop-by-hop headers
+    ['host','content-length','connection','keep-alive','proxy-connection','transfer-encoding','upgrade','te','trailer','accept-encoding']
+      .forEach(h => outgoingHeaders.delete(h));
+
+    const response = await fetch(`${process.env.STATESMAN_BACKEND_URL}${url.pathname}${url.search}`, {
+      method: request.method,
+      headers: outgoingHeaders,
+      body: request.method !== 'GET' && request.method !== 'HEAD' ? await request.blob() : undefined
+    });
+
+    const headers = new Headers(response.headers);
+    headers.delete('Content-Encoding');
+    headers.delete('content-length');
+    headers.delete('transfer-encoding');
+    headers.delete('connection');
+
+    console.log(response.status, request.url, '(direct proxy)');
+    return new Response(response.body, { headers });
+  }
+
+  // API paths: verify token service token and use webhook auth to internal routes
+  const token = request.headers.get('authorization')?.split(' ')[1]
+  if (!token) {
+    return new Response('Unauthorized: No token provided', { status: 401 })
+  }
+  
+  // Verify token against TOKEN SERVICE and extract user context
+  let userId, userEmail, orgId;
+  try {
+    const verifyResponse = await fetch(`${process.env.TOKENS_SERVICE_BACKEND_URL}/api/v1/tokens/verify`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        token: token,
+      }),
+    });
+    
+    if (!verifyResponse.ok) {
+      console.error('Token verification failed:', verifyResponse.status);
+      return new Response('Unauthorized: Invalid token', { status: 401 })
+    }
+    
+    const tokenInfo = await verifyResponse.json();
+    if (!tokenInfo.valid) {
+      return new Response('Unauthorized: Invalid token', { status: 401 })
     }
+    
+    // Extract user info from token service response
+    userId = tokenInfo.user_id || tokenInfo.userId || 'anonymous';
+    userEmail = tokenInfo.email || '';
+    orgId = tokenInfo.org_id || tokenInfo.orgId || 'default';
+    
+    console.log('Verified token service token for user:', userId, 'org:', orgId);
+  } catch (error) {
+    console.error('Error verifying token:', error);
+    return new Response('Unauthorized: Token verification failed', { status: 401 })
   }
 
+  // Use webhook auth to forward to internal TFE routes
+  const webhookSecret = process.env.OPENTACO_ENABLE_INTERNAL_ENDPOINTS;
+  if (!webhookSecret) {
+    console.error('OPENTACO_ENABLE_INTERNAL_ENDPOINTS not configured');
+    return new Response('Internal configuration error', { status: 500 });
+  }
 
-  // important: we need to set these to allow the statesman backend to return the correct URL to opentofu or terraform clients
-  const outgoingHeaders = new Headers(request.headers);
-  const originalHost = outgoingHeaders.get('host') ?? '';
+  const outgoingHeaders = new Headers();
+  outgoingHeaders.set('Authorization', `Bearer ${webhookSecret}`);
+  outgoingHeaders.set('X-User-ID', userId);
+  outgoingHeaders.set('X-Email', userEmail);
+  outgoingHeaders.set('X-Org-ID', orgId);
+  
+  const originalHost = request.headers.get('host') ?? '';
   if (originalHost) outgoingHeaders.set('x-forwarded-host', originalHost);
   outgoingHeaders.set('x-forwarded-proto', url.protocol.replace(':', ''));
   if (url.port) outgoingHeaders.set('x-forwarded-port', url.port);
-  // Let fetch manage these, and drop hop-by-hop headers
-  ['host','content-length','connection','keep-alive','proxy-connection','transfer-encoding','upgrade','te','trailer','accept-encoding']
-  .forEach(h => outgoingHeaders.delete(h));
-
+  
+  // Copy other relevant headers
+  const headersToForward = ['content-type', 'accept', 'user-agent'];
+  headersToForward.forEach(h => {
+    const value = request.headers.get(h);
+    if (value) outgoingHeaders.set(h, value);
+  });
 
-  const response = await fetch(`${process.env.STATESMAN_BACKEND_URL}${url.pathname}${url.search}`, {
+  // Forward to internal TFE routes with webhook auth
+  const internalPath = url.pathname.replace('/tfe/api/v2', '/internal/tfe/api/v2');
+  const response = await fetch(`${process.env.STATESMAN_BACKEND_URL}${internalPath}${url.search}`, {
     method: request.method,
-    headers: request.headers,
-    body: request.method !== 'GET' ? await request.blob() : undefined
+    headers: outgoingHeaders,
+    body: request.method !== 'GET' && request.method !== 'HEAD' ? await request.blob() : undefined
   });
 
   // important, remove all encoding headers since the fetch already decompresses the gzip
