netboxlabs
diff --git a/‎diode-server/Makefile
+16-3 b/‎diode-server/Makefile
+16-3
diff --git a/‎diode-server/README.md
+112 b/‎diode-server/README.md
+112
diff --git a/‎diode-server/auth/manage.go
+39 b/‎diode-server/auth/manage.go
+39
diff --git a/‎diode-server/auth/manage_hydra.go
+161 b/‎diode-server/auth/manage_hydra.go
+161
@@ -1,4 +1,6 @@
-SERVICES         := $(shell find ./cmd/* -type d -exec basename {} \;)
+UTILITIES        = auth_manage
+BUILD_UTILITIES  = $(addprefix build-,$(UTILITIES))
+SERVICES         := $(filter-out $(UTILITIES),$(shell find ./cmd/* -type d -exec basename {} \;))
 BUILD_SERVICES   = $(addprefix build-,$(SERVICES))
 DOCKER_SERVICES  = $(addprefix docker-,$(SERVICES))
 BUILD_DIR        ?= ./build
@@ -58,11 +60,17 @@ $(BUILD_SERVICES):
 	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM) \
 	go build -ldflags "$(LD_FLAGS)" -o $(BUILD_DIR)/$(SVC) ./cmd/$(SVC)
 
+.PHONY: $(BUILD_UTILITIES)
+$(BUILD_UTILITIES):
+	@$(eval UTIL=$(subst build-,,$@))
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) GOARCH=$(GOARCH) GOARM=$(GOARM) \
+	go build -ldflags "$(LD_FLAGS)" -o $(BUILD_DIR)/$(UTIL) ./cmd/$(UTIL)
+
 .PHONY: build-all
-build-all: $(BUILD_SERVICES)
+build-all: $(BUILD_SERVICES) $(BUILD_UTILITIES)
 
 .PHONY: $(DOCKER_SERVICES)
-$(DOCKER_SERVICES):
+$(DOCKER_SERVICES): $(BUILD_UTILITIES)
 	@$(eval SVC=$(subst docker-,,$@))
 
 	@GOOS=$(GOOS) GOARCH=$(GOARCH) $(MAKE) build-$(SVC)
@@ -104,6 +112,11 @@ docker-compose-dev-down:
 	@DIODE_VERSION=$(DIODE_VERSION) COMMIT_SHA=$(COMMIT_SHA) DIODE_TAG=$(DIODE_VERSION)-$(COMMIT_SHA) PROJECT_NAME=diode-dev \
 	$(DOCKER_COMPOSE) --env-file docker/sample.env --env-file docker/dev.env -f docker/docker-compose.yaml -f docker/docker-compose.dev.yaml down --remove-orphans
 
+.PHONY: docker-compose-dev-auth-manage
+docker-compose-dev-auth-manage:
+	@DIODE_VERSION=$(DIODE_VERSION) COMMIT_SHA=$(COMMIT_SHA) DIODE_TAG=$(DIODE_VERSION)-$(COMMIT_SHA) PROJECT_NAME=diode-dev \
+	$(DOCKER_COMPOSE) --env-file docker/sample.env --env-file docker/dev.env -f docker/docker-compose.yaml -f docker/docker-compose.dev.yaml run --rm --no-deps diode-auth auth_manage $(auth_manage_command)
+
 .PHONY: clean
 clean:
 	@rm -rf $(BUILD_DIR)/*
 
@@ -118,6 +118,118 @@ docker compose down --volumes
 
 ---
 
+### Provisioning and Managing Agent Credentials via Comand Line
+
+Additional agent credentials may be provisioned by calling the `auth_manage` command in the auth service container.
+
+**Create a new client with the right to ingest**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage create-client --client-id my-agent-001 --allow-ingest
+```
+example output:
+```
+** NOTE: The client secret is only displayed once and cannot be retrieved later.
+  Store credentials in a secure location. If you lose them, you will need to
+  destroy and regenerate the client.
+{
+  "client_id": "my-agent-001",
+  "scope": "diode:ingest",
+  "client_secret": "a_new_generated_secret"
+}
+```
+
+**Create a client with a supplied secret** (in this case the secret is not returned)
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage create-client --client-id my-agent-002 --allow-ingest --client-secret="a_secret_key_from_some_other_source"
+```
+example output:
+```
+client created successfully.
+{
+  "client_id": "my-agent-002",
+  "scope": "diode:ingest"
+}
+```
+
+**Retrieve info of an existing client**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage get-client --client-id my-agent-001
+```
+example output:
+```
+{
+  "client_id": "my-agent-001",
+  "scope": "diode:ingest"
+}
+```
+
+**List existing clients**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage list-clients
+```
+example output:
+```
+[
+  {
+    "client_id": "diode-ingest",
+    "scope": "diode:ingest"
+  },
+  {
+    "client_id": "diode-to-netbox",
+    "scope": "netbox:read netbox:write"
+  },
+  {
+    "client_id": "my-agent-001",
+    "scope": "diode:ingest"
+  },
+  {
+    "client_id": "my-agent-002",
+    "scope": "diode:ingest"
+  },
+  {
+    "client_id": "netbox-to-diode",
+    "scope": "diode:read diode:write"
+  }
+]
+```
+
+**Delete an existing client**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage delete-client --client-id my-agent-002
+```
+example output:
+```
+client my-agent-002 deleted successfully
+```
+
+**List auth utility subcommands**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage
+```
+example output:
+```
+usage: auth_manage <subcommand>
+subcommands: list-clients get-client delete-client create-client
+```
+
+**Additional help on a subcommand**
+```bash
+docker compose run --rm --no-deps diode-auth auth_manage create-client --help
+```
+example output:
+```
+Usage of create-client:
+  -allow-ingest
+    	include scopes that allow the client to ingest data
+  -client-id string
+    	client id
+  -client-secret string
+    	client secret [generated if not provided]
+  -scope string
+    	space separated list of scopes to allow
+```
+---
+
 ## License
 
 Distributed under the NetBox Limited Use License 1.0.  
 
@@ -0,0 +1,39 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+)
+
+type ClientInfo struct {
+	ClientID     string `json:"client_id"`
+	Scope        string `json:"scope"`
+	ClientSecret string `json:"client_secret,omitempty"`
+}
+
+type RetrieveClientsRequest struct {
+	PageToken string
+}
+
+type RetrieveClientsResponse struct {
+	Clients       []ClientInfo
+	NextPageToken string
+}
+
+// ClientManager is an interface for managing oauth2 clients.
+type ClientManager interface {
+	CreateClient(ctx context.Context, clientInfo ClientInfo) (ClientInfo, error)
+	RetrieveClientByID(ctx context.Context, clientID string) (ClientInfo, error)
+	RetrieveClients(ctx context.Context, q RetrieveClientsRequest) (RetrieveClientsResponse, error)
+	DeleteClientByID(ctx context.Context, clientID string) error
+}
+
+func GenerateClientSecret() (string, error) {
+	secret := make([]byte, 32)
+	_, err := rand.Read(secret)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(secret), nil
+}
@@ -0,0 +1,161 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"net/url"
+	"strings"
+
+	hydra "github.com/ory/hydra-client-go/v2"
+)
+
+type HydraClientManager struct {
+	hydraAdmin *hydra.APIClient
+	logger     *slog.Logger
+}
+
+func NewHydraClientManager(adminURL string, logger *slog.Logger) *HydraClientManager {
+	hydraConfig := hydra.NewConfiguration()
+	hydraConfig.Servers = []hydra.ServerConfiguration{
+		{
+			URL: adminURL,
+		},
+	}
+
+	return &HydraClientManager{
+		hydraAdmin: hydra.NewAPIClient(hydraConfig),
+		logger:     logger,
+	}
+}
+
+func (h *HydraClientManager) CreateClient(ctx context.Context, clientInfo ClientInfo) (ClientInfo, error) {
+	newClient := hydra.OAuth2Client{
+		ClientId:   &clientInfo.ClientID,
+		Scope:      &clientInfo.Scope,
+		GrantTypes: []string{"client_credentials"},
+	}
+	if clientInfo.ClientSecret != "" {
+		newClient.ClientSecret = &clientInfo.ClientSecret
+	}
+
+	createdClient, response, err := h.hydraAdmin.OAuth2API.CreateOAuth2Client(ctx).OAuth2Client(newClient).Execute()
+	if response.StatusCode == 409 {
+		return ClientInfo{}, fmt.Errorf("failed to create client: client with id %s already exists", *newClient.ClientId)
+	}
+	if response.StatusCode == 400 {
+		return ClientInfo{}, fmt.Errorf("failed to create client: invalid request")
+	}
+	if response.StatusCode != 201 {
+		return ClientInfo{}, fmt.Errorf("failed to create client: status=%s", response.Status)
+	}
+	// these can be confusing and related to internal client failures, so handled after http status codes
+	if err != nil {
+		return ClientInfo{}, fmt.Errorf("failed to create client: %w", err)
+	}
+
+	return clientInfoFromHydraClient(createdClient), nil
+}
+
+func (h *HydraClientManager) DeleteClientByID(ctx context.Context, clientID string) error {
+	response, err := h.hydraAdmin.OAuth2API.DeleteOAuth2Client(ctx, clientID).Execute()
+	if response.StatusCode == 404 {
+		return fmt.Errorf("client %s not found", clientID)
+	}
+	if response.StatusCode != 204 {
+		return fmt.Errorf("failed to delete client from hydra: status=%s", response.Status)
+	}
+	// these can be confusing and related to internal client failures, so handled after http status codes
+	if err != nil {
+		return fmt.Errorf("failed to delete client from hydra: %w", err)
+	}
+
+	return nil
+}
+
+func (h *HydraClientManager) RetrieveClientByID(ctx context.Context, clientID string) (ClientInfo, error) {
+	client, response, err := h.hydraAdmin.OAuth2API.GetOAuth2Client(ctx, clientID).Execute()
+	if response.StatusCode == 404 {
+		return ClientInfo{}, fmt.Errorf("client %s not found", clientID)
+	}
+	if response.StatusCode != 200 {
+		return ClientInfo{}, fmt.Errorf("failed to retrieve client: status=%s", response.Status)
+	}
+	// these tend to be confusing and related to internal client failures, so handled after http status codes
+	if err != nil {
+		return ClientInfo{}, fmt.Errorf("failed to retrieve client: %w", err)
+	}
+
+	return clientInfoFromHydraClient(client), nil
+}
+
+func (h *HydraClientManager) RetrieveClients(ctx context.Context, q RetrieveClientsRequest) (RetrieveClientsResponse, error) {
+	var out RetrieveClientsResponse
+
+	clients, response, err := h.hydraAdmin.OAuth2API.ListOAuth2Clients(ctx).PageToken(q.PageToken).Execute()
+	if response.StatusCode != 200 {
+		return out, fmt.Errorf("failed to retrieve clients: status=%s", response.Status)
+	}
+	// these can be confusing and related to internal client failures, so handled after http status codes
+	if err != nil {
+		return out, fmt.Errorf("failed to retrieve clients: %w", err)
+	}
+
+	out.Clients = make([]ClientInfo, 0, len(clients))
+	for _, client := range clients {
+		out.Clients = append(out.Clients, clientInfoFromHydraClient(&client))
+	}
+
+	out.NextPageToken = getHydraNextPageToken(response, h.logger)
+	return out, nil
+}
+
+func clientInfoFromHydraClient(client *hydra.OAuth2Client) ClientInfo {
+	var clientInfo ClientInfo
+
+	if client == nil {
+		return clientInfo
+	}
+
+	if client.ClientId != nil {
+		clientInfo.ClientID = *client.ClientId
+	}
+	if client.Scope != nil {
+		clientInfo.Scope = *client.Scope
+	}
+
+	return clientInfo
+}
+
+func getHydraNextPageToken(response *http.Response, logger *slog.Logger) string {
+	for _, linkHeader := range response.Header.Values("Link") {
+		params := strings.Split(linkHeader, ";")
+		link := params[0]
+		params = params[1:]
+		// search for rel="next"
+		for _, param := range params {
+			vs := strings.Split(param, "=")
+			if len(vs) != 2 {
+				continue
+			}
+			k, v := strings.TrimSpace(vs[0]), strings.TrimSpace(vs[1])
+			if k == "rel" && (v == "next" || v == "\"next\"") {
+				parsedURL, err := url.Parse(link)
+				if err != nil {
+					logger.Warn("failed to parse url in rel=next link", "error", err, "link", linkHeader)
+					return ""
+				}
+				queryParams := parsedURL.Query()
+				for key, values := range queryParams {
+					if key == "page_token" {
+						return values[0]
+					}
+				}
+				logger.Warn("failed to find next page token in rel=next url", "link", linkHeader)
+				return ""
+			}
+		}
+	}
+	return ""
+}