Add support for GraphQL API OAuth 2.0 authentication using a login query

or mutation

Author: pdecat

docsite/docs/provider.md

@@ -13,7 +13,9 @@ The latest release can be downloaded from the graphql provider [release page](ht
 
 ## Provider Configuration
 
-This provider has only two configuration inputs: `url` & `headers`
+This provider has several configuration inputs.
+
+In most cases, only `url` & `headers` are used, e.g.:
 
 ```hcl
 provider "graphql" {
@@ -26,12 +28,43 @@ provider "graphql" {
 }
 ```
 
+In some advanced cases where the GraphQL server exposes an endpoint to perform OAuth 2.0 authentication, instead of using `headers`, you can use `oauth2_login_query`, `oauth2_login_query_variables` and `oauth2_login_query_value_attribute`, e.g.:
+
+```hcl
+provider "graphql" {
+  url = "https://your-graphql-server-url"
+
+  oauth2_login_query = "mutation loginAPI($apiKey: String!) {loginAPI(apiKey: $apiKey) {accessToken}}"
+  oauth2_login_query_variables = {
+    "apiKey" = "5555-44-33-99"
+  }
+  oauth2_login_query_value_attribute = "data.loginAPI.accessToken"
+}
+```
+
 ## Inputs
 
 ### url
+  - **Required**: `true`
   - **Type**: `string`
-  - **Description**: `The GraphQL API url that the provider will use to make requests`
+  - **Description**: The GraphQL API url that the provider will use to make requests.
 
 ### headers
+  - **Required**: `false`
+  - **Type**: `map(string)`
+  - **Desciption**: Any http headers that the GraphQL API server requires (e.g. `Authentication`, `x-api-key`, etc.).
+
+### oauth2_login_query
+  - **Required**: `false`
+  - **Type**: `string`
+  - **Description**: The GraphQL query or mutation used to retrieve an OAuth 2.0 access token from the GraphQL server. It will be executed once during provider initialization. Be aware that renewal is not implemented, which may cause issue with short-lived access tokens. Note: you must also define `oauth2_login_query_variables` and `oauth2_login_query_value_attribute` when using `oauth2_login_query`.
+
+### oauth2_login_query_variables
+  - **Required**: `false`
   - **Type**: `map(string)`
-  - **Desciption**: `Any http headers that the GraphQL API requires. (eg; Authentication; x-api-key; etc)`
+  - **Desciption**: A map of any variables that will be used in your OAuth 2.0 login query. Each variable's value is interpreted as JSON when possible. Note: you must also define `oauth2_login_query` and `oauth2_login_query_value_attribute` when using `oauth2_login_query_variables`.
+
+### oauth2_login_query_value_attribute
+  - **Required**: `false`
+  - **Type**: `string`
+  - **Description**: The dot-separated path to the attribute containing the access token value that will be extracted from the OAuth 2.0 login query or mutation response (it must start with `data.`, e.g. `data.loginAPI.accessToken`). Note: you must also define `oauth2_login_query` and `oauth2_login_query_variables` when using `oauth2_login_query_value_attribute`.

go.mod

@@ -6,11 +6,13 @@ require (
 	cloud.google.com/go/storage v1.12.0 // indirect
 	github.com/aws/aws-sdk-go v1.34.33 // indirect
 	github.com/fatih/color v1.9.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.3.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.7.0
 	github.com/jarcoal/httpmock v1.0.6
 	github.com/mattn/go-colorable v0.1.7 // indirect
 	github.com/mitchellh/mapstructure v1.3.3 // indirect
 	github.com/stretchr/testify v1.7.0
+	github.com/zclconf/go-cty v1.8.4
 	golang.org/x/tools v0.0.0-20200929173036-5272f303b6eb // indirect
 	google.golang.org/genproto v0.0.0-20200929141702-51c3e5b607fe // indirect
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect

graphql/provider.go

@@ -2,9 +2,16 @@ package graphql
 
 import (
 	"context"
+	"fmt"
 
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/hclsyntax"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+	"github.com/zclconf/go-cty/cty/function/stdlib"
+	"github.com/zclconf/go-cty/cty/gocty"
 )
 
 func Provider() *schema.Provider {
@@ -24,6 +31,21 @@ func Provider() *schema.Provider {
 				Optional: true,
 				ForceNew: true,
 			},
+			"oauth2_login_query": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"oauth2_login_query_variables": {
+				Type: schema.TypeMap,
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+				Optional: true,
+			},
+			"oauth2_login_query_value_attribute": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"graphql_mutation": resourceGraphqlMutation(),
@@ -40,10 +62,66 @@ func graphqlConfigure(ctx context.Context, d *schema.ResourceData) (interface{},
 		GQLServerUrl:   d.Get("url").(string),
 		RequestHeaders: d.Get("headers").(map[string]interface{}),
 	}
+
+	if oauth2LoginQueryValueAttribute := d.Get("oauth2_login_query_value_attribute"); d.Get("oauth2_login_query") != "" && oauth2LoginQueryValueAttribute != "" {
+		queryResponse, resBytes, err := queryExecute(ctx, d, config, "oauth2_login_query", "oauth2_login_query_variables")
+		if err != nil {
+			return nil, diag.FromErr(fmt.Errorf("unable to execute oauth2_login_query: %w", err))
+		}
+
+		if queryErrors := queryResponse.ProcessErrors(); queryErrors.HasError() {
+			return nil, *queryErrors
+		}
+
+		var queryResponseCty cty.Value
+		if queryResponseCty, err = gocty.ToCtyValue(string(resBytes), cty.String); err != nil {
+			return nil, diag.FromErr(err)
+		}
+
+		evalCtx := &hcl.EvalContext{
+			Variables: map[string]cty.Value{
+				"oauth2_login_query_response": queryResponseCty,
+			},
+			Functions: map[string]function.Function{
+				"jsondecode": stdlib.JSONDecodeFunc,
+			},
+		}
+
+		var expr hcl.Expression
+		var hclDiags hcl.Diagnostics
+		valueTemplate := fmt.Sprintf("${jsondecode(oauth2_login_query_response).%s}", oauth2LoginQueryValueAttribute.(string))
+		if expr, hclDiags = hclsyntax.ParseTemplate([]byte(valueTemplate), "", hcl.InitialPos); len(hclDiags) > 0 {
+			return nil, convertDiagnosticsFromHCLToTerraformSDK(hclDiags)
+		}
+
+		var interpolatedValue cty.Value
+		if interpolatedValue, hclDiags = expr.Value(evalCtx); len(hclDiags) > 0 {
+			return nil, convertDiagnosticsFromHCLToTerraformSDK(hclDiags)
+		}
+
+		config.RequestAuthorizationHeaders = map[string]interface{}{
+			"Authorization": fmt.Sprintf("Bearer %s", interpolatedValue.AsString()),
+		}
+	}
+
 	return config, diag.Diagnostics{}
 }
 
 type graphqlProviderConfig struct {
 	GQLServerUrl   string
 	RequestHeaders map[string]interface{}
+
+	RequestAuthorizationHeaders map[string]interface{}
+}
+
+func convertDiagnosticsFromHCLToTerraformSDK(hclDiags hcl.Diagnostics) diag.Diagnostics {
+	diags := make(diag.Diagnostics, len(hclDiags))
+	for i, hclDiag := range hclDiags {
+		// HCL severity enum is: 0 (invalid), 1 (error), 2 (warning)
+		// terraform SDK severity enum is: 0 (error), 1 (warning)
+		diags[i].Severity = diag.Severity(hclDiag.Severity - 1)
+		diags[i].Summary = hclDiag.Summary
+		diags[i].Detail = hclDiag.Detail
+	}
+	return diags
 }

graphql/query_executor.go

@@ -18,6 +18,7 @@ func queryExecute(ctx context.Context, d *schema.ResourceData, m interface{}, qu
 	inputVariables := d.Get(variableSource).(map[string]interface{})
 	apiURL := m.(*graphqlProviderConfig).GQLServerUrl
 	headers := m.(*graphqlProviderConfig).RequestHeaders
+	authorizationHeaders := m.(*graphqlProviderConfig).RequestAuthorizationHeaders
 
 	var queryBodyBuffer bytes.Buffer
 
@@ -50,6 +51,9 @@ func queryExecute(ctx context.Context, d *schema.ResourceData, m interface{}, qu
 
 	req.Header.Set("Content-Type", "application/json; charset=utf-8")
 	req.Header.Set("Accept", "application/json; charset=utf-8")
+	for key, value := range authorizationHeaders {
+		req.Header.Set(key, value.(string))
+	}
 	for key, value := range headers {
 		req.Header.Set(key, value.(string))
 	}