Add option to use credentials from CLI (#244)

wfchandler · web-flow · commit 18592bde4d11 · 2024-11-12T22:18:23.000-05:00
The Oxide CLI stores authentication information in a well-known format.
For convenience, we should should allow SDK users to use these, rather
then requiring that it be manually set in the environment or directly
set.

Add functionality to `Config` to use Oxide config files, either with a
default profile, or with an explicitly provided profile name. We use the
files found in `$HOME/.config/oxide` by default. This can be can be
overridden with the `ConfigDir` field.

As with `Host`/`Token`, profiles will override the
`OXIDE_HOST`/`OXIDE_TOKEN` environment variables. `Profile` and
`UseDefaultProfile` are mutually exclusive with each other and the
`Host`/`Token` options to prevent confusion on the order or
precedence.
diff --git a/.changelog/v0.1.0-beta10.toml b/.changelog/v0.1.0-beta10.toml
@@ -3,8 +3,8 @@ title = ""
 description = ""
 
 [[features]]
-title = ""
-description = ""
+title = "Authenticate using Oxide credentials.toml"
+description = "Add option to authenticate using the `credentials.toml` file generated by the Oxide CLI. [244](https://github.com/oxidecomputer/oxide.go/pull/244)"
 
 [[bugs]]
 title = ""
diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.22
 require (
 	github.com/getkin/kin-openapi v0.128.0
 	github.com/iancoleman/strcase v0.3.0
+	github.com/pelletier/go-toml v1.9.5
 	github.com/stretchr/testify v1.9.0
 )
 
diff --git a/go.sum b/go.sum
@@ -22,6 +22,8 @@ github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
+github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s=
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
diff --git a/oxide/lib.go b/oxide/lib.go
@@ -12,15 +12,29 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/pelletier/go-toml"
 )
 
-// TokenEnvVar is the environment variable that contains the token.
-const TokenEnvVar = "OXIDE_TOKEN"
+const (
+	// TokenEnvVar is the environment variable that contains the token.
+	TokenEnvVar = "OXIDE_TOKEN"
+
+	// HostEnvVar is the environment variable that contains the host.
+	HostEnvVar = "OXIDE_HOST"
+
+	// credentialsFile is the name of the file the Oxide CLI stores credentials in.
+	credentialsFile = "credentials.toml"
 
-// HostEnvVar is the environment variable that contains the host.
-const HostEnvVar = "OXIDE_HOST"
+	// configFile is the name of the file the Oxide CLI stores its config in.
+	configFile = "config.toml"
+
+	// defaultConfigDir is the default path used by the Oxide CLI for configuration files.
+	defaultConfigDir = ".config" + string(filepath.Separator) + "oxide"
+)
 
 // Config is the configuration that can be set on a Client.
 type Config struct {
@@ -37,6 +51,20 @@ type Config struct {
 	// A custom user agent string to add to every request instead of the
 	// default.
 	UserAgent string
+
+	// The directory to look for Oxide CLI configuration files. Defaults
+	// to $HOME/.config/oxide if unset.
+	ConfigDir string
+
+	// The name of the Oxide CLI profile to use for authentication.
+	// The Host and Token fields will override their respective values
+	// provided by the profile.
+	Profile string
+
+	// Whether to use the default profile listed in the Oxide CLI
+	// config.toml file for authentication. Will be overridden by
+	// the Profile field.
+	UseDefaultProfile bool
 }
 
 // Client which conforms to the OpenAPI3 specification for this service.
@@ -55,11 +83,19 @@ type Client struct {
 	userAgent string
 }
 
+type authCredentials struct {
+	host  string
+	token string
+}
+
 // NewClient creates a new client for the Oxide API. To authenticate with
 // environment variables, set OXIDE_HOST and OXIDE_TOKEN accordingly. Pass in a
 // non-nil *Config to set the various configuration options on a Client. When
 // setting the host and token through the *Config, these will override any set
-// environment variables.
+// environment variables. The Profile and UseDefaultProfile fields will pull
+// authentication information from the credentials.toml file generated by
+// the Oxide CLI. These are mutally exclusive with each other and the Host and
+// Token fields.
 func NewClient(cfg *Config) (*Client, error) {
 	token := os.Getenv(TokenEnvVar)
 	host := os.Getenv(HostEnvVar)
@@ -70,6 +106,24 @@ func NewClient(cfg *Config) (*Client, error) {
 
 	// Layer in the user-provided configuration if provided.
 	if cfg != nil {
+		if cfg.Profile != "" || cfg.UseDefaultProfile {
+			if cfg.Profile != "" && cfg.UseDefaultProfile {
+				return nil, errors.New("cannot authenticate with both default profile and a defined profile")
+			}
+
+			if cfg.Host != "" || cfg.Token != "" {
+				return nil, errors.New("cannot authenticate with both a profile and host/token")
+			}
+
+			fileCreds, err := getProfile(*cfg)
+			if err != nil {
+				return nil, fmt.Errorf("unable to retrieve profile: %w", err)
+			}
+
+			token = fileCreds.token
+			host = fileCreds.host
+		}
+
 		if cfg.Host != "" {
 			host = cfg.Host
 		}
@@ -87,19 +141,18 @@ func NewClient(cfg *Config) (*Client, error) {
 		}
 	}
 
-	var errHost error
+	errs := make([]error, 0)
 	host, err := parseBaseURL(host)
 	if err != nil {
-		errHost = fmt.Errorf("failed parsing host address: %w", err)
+		errs = append(errs, fmt.Errorf("failed parsing host address: %w", err))
 	}
 
-	var errToken error
 	if token == "" {
-		errToken = errors.New("token is required")
+		errs = append(errs, errors.New("token is required"))
 	}
 
 	// To aggregate the validation errors above.
-	if err := errors.Join(errHost, errToken); err != nil {
+	if err := errors.Join(errs...); err != nil {
 		return nil, fmt.Errorf("invalid client configuration:\n%w", err)
 	}
 
@@ -118,6 +171,85 @@ func defaultUserAgent() string {
 	return fmt.Sprintf("oxide.go/%s", version)
 }
 
+// getProfile determines the path of the user's credentials file
+// and returns the host and token for the requested profile.
+func getProfile(cfg Config) (*authCredentials, error) {
+	configDir := cfg.ConfigDir
+	if configDir == "" {
+		homeDir, err := os.UserHomeDir()
+		if err != nil {
+			return nil, fmt.Errorf("unable to find user's home directory: %w", err)
+		}
+		configDir = filepath.Join(homeDir, defaultConfigDir)
+	}
+
+	profile := cfg.Profile
+
+	// Use explicitly configured profile over default when both are set.
+	if cfg.UseDefaultProfile && profile == "" {
+		configPath := filepath.Join(configDir, configFile)
+
+		var err error
+		profile, err = defaultProfile(configPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get default profile from %q: %w", configPath, err)
+		}
+	}
+
+	credentialsPath := filepath.Join(configDir, credentialsFile)
+	fileCreds, err := parseCredentialsFile(credentialsPath, profile)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get credentials for profile %q from %q: %w", profile, credentialsPath, err)
+	}
+
+	return fileCreds, nil
+}
+
+// defaultProfile returns the default profile from config.toml, if present.
+func defaultProfile(configPath string) (string, error) {
+	configFile, err := toml.LoadFile(configPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to open config: %w", err)
+	}
+
+	if profileName := configFile.Get("default-profile"); profileName != nil {
+		return profileName.(string), nil
+	}
+
+	return "", errors.New("no default profile set")
+}
+
+// parseCredentialsFile parses a credentials.toml and returns the token and host
+// associated with the requested profile.
+func parseCredentialsFile(credentialsPath, profileName string) (*authCredentials, error) {
+	if profileName == "" {
+		return nil, errors.New("no profile name provided")
+	}
+
+	credentialsFile, err := toml.LoadFile(credentialsPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open %q: %v", credentialsPath, err)
+	}
+
+	profile, ok := credentialsFile.Get("profile." + profileName).(*toml.Tree)
+	if !ok {
+		return nil, errors.New("profile not found")
+	}
+
+	var hostTokenErr error
+	token, ok := profile.Get("token").(string)
+	if !ok {
+		hostTokenErr = errors.New("token not found")
+	}
+
+	host, ok := profile.Get("host").(string)
+	if !ok {
+		hostTokenErr = errors.Join(errors.New("host not found"))
+	}
+
+	return &authCredentials{host: host, token: token}, hostTokenErr
+}
+
 // parseBaseURL parses the base URL from the host URL.
 func parseBaseURL(baseURL string) (string, error) {
 	if baseURL == "" {
diff --git a/oxide/lib_test.go b/oxide/lib_test.go

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ go 1.22`
`5`	`5`	`require (`
`6`	`6`	`github.com/getkin/kin-openapi v0.128.0`
`7`	`7`	`github.com/iancoleman/strcase v0.3.0`
	`8`	`+ github.com/pelletier/go-toml v1.9.5`
`8`	`9`	`github.com/stretchr/testify v1.9.0`
`9`	`10`	`)`
`10`	`11`