feat: add auth token command

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
Assisted-by: Cursor

Author: ruromero

README.md

@@ -4,9 +4,10 @@ A command-line interface for interacting with the [Trustify](https://github.com/
 
 ## Features
 
-- 🔐 OAuth2 authentication (client credentials)
+- 🔐 OAuth2 authentication (client credentials) with token retrieval
 - 📦 SBOM management (list, get, delete)
 - 🔍 Duplicate detection and cleanup
+- ⚡ Concurrent operations with automatic retry and token refresh
 
 ## Installation
 
@@ -135,6 +136,30 @@ trustify -u http://localhost:8080 \
 
 ---
 
+### `auth token`
+
+Retrieve an OAuth2 access token using the configured credentials. Useful for debugging authentication or using the token with other tools.
+
+```bash
+trustify -u http://localhost:8080 \
+  --sso-url http://sso.example.com/realms/trustify \
+  --client-id my-client \
+  --client-secret my-secret \
+  auth token
+```
+
+**Output:** The access token string (can be used as a Bearer token)
+
+**Example with curl:**
+
+```bash
+# Get token and use with curl
+TOKEN=$(trustify auth token)
+curl -H "Authorization: Bearer $TOKEN" http://localhost:8080/api/v2/sbom
+```
+
+---
+
 ### `sbom get <ID>`
 
 Get an SBOM by its ID. Returns the full JSON document.

src/auth.rs src/api/auth.rssrc/auth.rs renamed to src/api/auth.rs

@@ -14,6 +14,42 @@ pub enum AuthError {
     ServerError(String),
 }
 
+/// Authentication credentials for token refresh
+#[derive(Clone)]
+pub struct AuthCredentials {
+    pub token_url: String,
+    pub client_id: String,
+    pub client_secret: String,
+}
+
+impl AuthCredentials {
+    /// Build credentials from SSO URL and client credentials
+    pub fn new(sso_url: &str, client_id: &str, client_secret: &str) -> Self {
+        let token_url = build_token_url(sso_url);
+        Self {
+            token_url,
+            client_id: client_id.to_string(),
+            client_secret: client_secret.to_string(),
+        }
+    }
+
+    /// Get a token using these credentials
+    pub async fn get_token(&self) -> Result<String, AuthError> {
+        get_token(&self.token_url, &self.client_id, &self.client_secret).await
+    }
+}
+
+/// Build the token URL from an SSO base URL
+pub fn build_token_url(sso_url: &str) -> String {
+    if sso_url.ends_with("/token") {
+        sso_url.to_string()
+    } else if sso_url.ends_with('/') {
+        format!("{}protocol/openid-connect/token", sso_url)
+    } else {
+        format!("{}/protocol/openid-connect/token", sso_url)
+    }
+}
+
 #[derive(Deserialize)]
 struct TokenResponse {
     access_token: String,

src/api/client.rs

@@ -6,7 +6,6 @@ use thiserror::Error;
 use tokio::sync::RwLock;
 use tokio::time::sleep;
 
-use crate::auth;
 
 const MAX_RETRIES: u32 = 3;
 const RETRY_DELAY_MS: u64 = 1000;
@@ -52,13 +51,8 @@ impl From<reqwest::Error> for ApiError {
     }
 }
 
-/// Authentication credentials for token refresh
-#[derive(Clone)]
-pub struct AuthCredentials {
-    pub token_url: String,
-    pub client_id: String,
-    pub client_secret: String,
-}
+// Re-export AuthCredentials from auth module
+pub use super::auth::AuthCredentials;
 
 /// API client for Trustify with retry and token refresh support
 #[derive(Clone)]
@@ -111,7 +105,7 @@ impl ApiClient {
 
         eprintln!("Token expired, refreshing...");
 
-        match auth::get_token(&creds.token_url, &creds.client_id, &creds.client_secret).await {
+        match creds.get_token().await {
             Ok(new_token) => {
                 let mut token = self.token.write().await;
                 *token = Some(new_token);

src/api/mod.rs

@@ -1,4 +1,4 @@
 pub mod client;
 pub mod sbom;
-
+pub mod auth;
 pub use client::ApiClient;

src/commands/auth.rs

@@ -0,0 +1,36 @@
+use clap::Subcommand;
+
+use std::process;
+use crate::Context;
+use crate::api::auth::AuthCredentials;
+
+#[derive(Subcommand)]
+pub enum AuthCommands {
+    /// Get authentication token
+    Token {},
+}
+
+impl AuthCommands {
+    pub async fn run(&self, ctx: &Context) {
+        match self {
+            AuthCommands::Token {} => {
+                match ctx.config.auth_credentials() {
+                    Some((token_url, client_id, client_secret)) => {
+                        let creds = AuthCredentials::new(token_url, client_id, client_secret);
+                        match creds.get_token().await {
+                            Ok(token) => println!("{}", token),
+                            Err(e) => {
+                                eprintln!("Error: {}", e);
+                                process::exit(1);
+                            }
+                        }
+                    }
+                    None => {
+                        eprintln!("Error: SSO URL, client ID, and client secret are all required");
+                        process::exit(1);
+                    }
+                }
+            }
+        }
+    }
+}

src/commands/mod.rs

@@ -1,9 +1,11 @@
 pub mod sbom;
+pub mod auth;
 
 use clap::Subcommand;
 
 use crate::Context;
 pub use sbom::SbomCommands;
+pub use auth::AuthCommands;
 
 #[derive(Subcommand)]
 pub enum Commands {
@@ -12,12 +14,19 @@ pub enum Commands {
         #[command(subcommand)]
         command: SbomCommands,
     },
+
+    /// Authentication commands
+    Auth {
+        #[command(subcommand)]
+        command: AuthCommands,
+    },
 }
 
 impl Commands {
     pub async fn run(&self, ctx: &Context) {
         match self {
             Commands::Sbom { command } => command.run(ctx).await,
+            Commands::Auth { command } => command.run(ctx).await,
         }
     }
 }

src/main.rs

@@ -1,5 +1,4 @@
 mod api;
-mod auth;
 mod cli;
 mod commands;
 mod config;
@@ -8,7 +7,7 @@ use std::process;
 
 use clap::Parser;
 
-use api::client::AuthCredentials;
+use api::auth::AuthCredentials;
 use api::ApiClient;
 use cli::Cli;
 
@@ -28,22 +27,9 @@ async fn main() {
     // Build auth credentials and get initial token if configured
     let (token, auth_credentials) =
         if let Some((sso_url, client_id, client_secret)) = cli.config.auth_credentials() {
-            let token_url = if sso_url.ends_with("/token") {
-                sso_url.to_string()
-            } else if sso_url.ends_with('/') {
-                format!("{}protocol/openid-connect/token", sso_url)
-            } else {
-                format!("{}/protocol/openid-connect/token", sso_url)
-            };
+            let creds = AuthCredentials::new(sso_url, client_id, client_secret);
 
-            // Store credentials for token refresh
-            let creds = AuthCredentials {
-                token_url: token_url.clone(),
-                client_id: client_id.to_string(),
-                client_secret: client_secret.to_string(),
-            };
-
-            match auth::get_token(&token_url, client_id, client_secret).await {
+            match creds.get_token().await {
                 Ok(token) => (Some(token), Some(creds)),
                 Err(e) => {
                     eprintln!("Error: {}", e);