feat: support & require RH OIDC auth

Author: Strum355

.eslintignore

@@ -0,0 +1 @@
+dist

package-lock.json

@@ -76,6 +76,11 @@
         "command": "rhda.stackLogs",
         "title": "Debug logs",
         "category": "Red Hat Dependency Analytics"
+      },
+      {
+        "command": "rhda.authenticate",
+        "title": "Authenticate",
+        "category": "Red Hat Dependency Analytics"
       }
     ],
     "menus": {
@@ -374,6 +379,21 @@
             "type": "string"
           },
           "description": "List of path globs for manifests to ignore for analysis. Only forward slash is support as a path separator."
+        },
+        "redHatDependencyAnalytics.oidc.endpoint": {
+          "type": "string",
+          "default": "https://sso.redhat.com/auth/realms/redhat-external",
+          "description": "URL used for OIDC auth server metadata discovery."
+        },
+        "redHatDependencyAnalytics.oidc.clientId": {
+          "type": "string",
+          "default": "rhda-vscode",
+          "description": "Specifies the OIDC client ID."
+        },
+        "redHatDependencyAnalytics.oidc.allowInsecure": {
+          "type": "boolean",
+          "default": false,
+          "description": "Enables specifying HTTP-only endpoints."
         }
       }
     }
@@ -436,6 +456,7 @@
     "json-to-ast": "^2.1.0",
     "minimatch": "^10.0.3",
     "mustache": "^4.2.0",
+    "openid-client": "^6.8.0",
     "path": "^0.12.7",
     "tree-sitter-python": "^0.23.6",
     "web-tree-sitter": "^0.25.6"

package.json

@@ -47,6 +47,49 @@ class CAStatusBarProvider implements Disposable {
     this.statusBarItem.tooltip = PromptText.LSP_FAILURE_TEXT;
   }
 
+  /**
+   * Shows authentication required status in the status bar.
+   */
+  public showAuthRequired(): void {
+    this.statusBarItem.text = `$(account) RHDA: Not Signed In`;
+    this.statusBarItem.command = {
+      title: 'Authenticate with RHDA',
+      command: 'rhda.authenticate',
+    };
+    this.statusBarItem.tooltip = 'Click to sign in for enhanced RHDA features (optional)';
+    this.statusBarItem.show();
+  }
+
+  /**
+   * Shows authenticated status in the status bar.
+   */
+  public showAuthenticated(): void {
+    this.statusBarItem.text = `$(verified) RHDA: Authenticated`;
+    this.statusBarItem.command = undefined; // No command needed when authenticated
+    this.statusBarItem.tooltip = 'RHDA is authenticated and ready for dependency analysis';
+    this.statusBarItem.show();
+  }
+
+  /**
+   * Shows session expired status in the status bar.
+   */
+  public showSessionExpired(): void {
+    this.statusBarItem.text = `$(warning) RHDA: Session Expired`;
+    this.statusBarItem.command = {
+      title: 'Re-authenticate with RHDA',
+      command: 'rhda.authenticate',
+    };
+    this.statusBarItem.tooltip = 'Your RHDA session has expired. Click to re-authenticate and restore functionality.';
+    this.statusBarItem.show();
+  }
+
+  /**
+   * Hides the status bar item.
+   */
+  public hide(): void {
+    this.statusBarItem.hide();
+  }
+
   /**
    * Disposes of the status bar item.
    */

src/caStatusBarProvider.ts

@@ -23,6 +23,9 @@ class Config {
   enablePythonBestEffortsInstallation!: string;
   usePipDepTree!: string;
   vulnerabilityAlertSeverity!: string;
+  oidcRealmUrl!: string;
+  oidcClientId!: string;
+  oidcAllowInsecure!: boolean;
   exhortMvnPath!: string;
   exhortPreferMvnw!: string;
   exhortMvnArgs!: string;
@@ -132,6 +135,9 @@ class Config {
     this.exhortPodmanPath = rhdaConfig.podman.executable.path || this.DEFAULT_PODMAN_EXECUTABLE;
     this.exhortImagePlatform = rhdaConfig.imagePlatform;
     this.excludePatterns = (rhdaConfig.exclude as string[]).map(pattern => new Minimatch(pattern));
+    this.oidcRealmUrl = rhdaConfig.oidc.endpoint;
+    this.oidcClientId = rhdaConfig.oidc.clientId;
+    this.oidcAllowInsecure = rhdaConfig.oidc.allowInsecure;
   }
 
   private getEffectiveHttpProxyUrl(): string {

src/config.ts

@@ -4,7 +4,8 @@
  * ------------------------------------------------------------------------------------------ */
 'use strict';
 
-import exhort from '@trustification/exhort-javascript-api';
+
+import exhort, { Options } from '@trustification/exhort-javascript-api';
 import { AnalysisReport } from '@trustification/exhort-api-spec/model/v4/AnalysisReport';
 
 import { globalConfig } from '../config';
@@ -15,6 +16,7 @@ import { notifications, outputChannelDep } from '../extension';
 import { Source } from '@trustification/exhort-api-spec/model/v4/Source';
 import { DependencyReport } from '@trustification/exhort-api-spec/model/v4/DependencyReport';
 import { Issue } from '@trustification/exhort-api-spec/model/v4/Issue';
+import { TokenProvider } from '../tokenProvider';
 
 /**
  * Represents a source object with an ID and dependencies array.
@@ -146,11 +148,12 @@ class AnalysisResponse implements IAnalysisResponse {
  * @param provider - The dependency provider of the corresponding ecosystem.
  * @returns A Promise resolving to an AnalysisResponse object.
  */
-async function executeComponentAnalysis(diagnosticFilePath: Uri, provider: IDependencyProvider): Promise<AnalysisResponse> {
+async function executeComponentAnalysis(tokenProvider: TokenProvider, diagnosticFilePath: Uri, provider: IDependencyProvider): Promise<AnalysisResponse> {
 
   // Define configuration options for the component analysis request
-  const options = {
-    'RHDA_TOKEN': globalConfig.telemetryId,
+  const options: Options = {
+    'RHDA_TOKEN': await tokenProvider.getToken() ?? '',
+    'RHDA_TELEMETRY_ID': globalConfig.telemetryId,
     'RHDA_SOURCE': globalConfig.utmSource,
     'MATCH_MANIFEST_VERSIONS': globalConfig.matchManifestVersions,
     'EXHORT_PROXY_URL': globalConfig.exhortProxyUrl,

src/dependencyAnalysis/analysis.ts

@@ -15,6 +15,7 @@ import { AbstractDiagnosticsPipeline } from '../diagnosticsPipeline';
 import { Diagnostic, DiagnosticSeverity, Uri } from 'vscode';
 import { notifications, outputChannelDep } from '../extension';
 import { globalConfig } from '../config';
+import { TokenProvider } from '../tokenProvider';
 
 /**
  * Implementation of DiagnosticsPipeline interface.
@@ -95,7 +96,7 @@ class DiagnosticsPipeline extends AbstractDiagnosticsPipeline<DependencyData> {
  * @param provider - The dependency provider of the corresponding ecosystem.
  * @returns A Promise that resolves when diagnostics are completed.
  */
-async function performDiagnostics(diagnosticFilePath: Uri, contents: string, provider: IDependencyProvider) {
+async function performDiagnostics(tokenProvider: TokenProvider, diagnosticFilePath: Uri, contents: string, provider: IDependencyProvider) {
   try {
     const dependencies = provider.collect(contents);
     const ecosystem = provider.getEcosystem();
@@ -104,7 +105,7 @@ async function performDiagnostics(diagnosticFilePath: Uri, contents: string, pro
     const diagnosticsPipeline = new DiagnosticsPipeline(dependencyMap, diagnosticFilePath);
     diagnosticsPipeline.clearDiagnostics();
 
-    const response = await executeComponentAnalysis(diagnosticFilePath, provider);
+    const response = await executeComponentAnalysis(tokenProvider, diagnosticFilePath, provider);
 
     clearCodeActionsMap(diagnosticFilePath);
 

src/dependencyAnalysis/diagnostics.ts

@@ -50,7 +50,7 @@ function parseImageReference(image: IImageRef, options: IOptions): ImageRef {
  * @param source The source for which the token is being validated.
  * @returns A promise resolving after validating the token.
  */
-async function tokenValidationService(options: { [key: string]: string }, source: string): Promise<string | undefined> {
+async function tokenValidationService(options: Options, source: string): Promise<string | undefined> {
   try {
     // Get token validation status code
     const response = await exhort.validateToken(options);