fix: allow federated auth to use stream connectors

kian99 · kian99 · commit fec8c1987006 · 2024-07-29T12:00:21.000+02:00
diff --git a/api/apiclient.go b/api/apiclient.go
@@ -180,14 +180,15 @@ func Open(info *Info, opts DialOpts) (Connection, error) {
 		// login because, when doing HTTP requests, we'll want
 		// to use the same username and password for authenticating
 		// those. If login fails, we discard the connection.
-		tag:          tagToString(info.Tag),
-		password:     info.Password,
-		macaroons:    info.Macaroons,
-		nonce:        info.Nonce,
-		tlsConfig:    dialResult.tlsConfig,
-		bakeryClient: bakeryClient,
-		modelTag:     info.ModelTag,
-		proxier:      dialResult.proxier,
+		tag:           tagToString(info.Tag),
+		password:      info.Password,
+		loginProvider: loginProvider,
+		macaroons:     info.Macaroons,
+		nonce:         info.Nonce,
+		tlsConfig:     dialResult.tlsConfig,
+		bakeryClient:  bakeryClient,
+		modelTag:      info.ModelTag,
+		proxier:       dialResult.proxier,
 	}
 	if !info.SkipLogin {
 		if err := loginWithContext(dialCtx, st, loginProvider); err != nil {
@@ -367,8 +368,8 @@ func (st *state) connectStream(path string, attrs url.Values, extraHeaders http.
 		TLSClientConfig: st.tlsConfig,
 	}
 	var requestHeader http.Header
-	if st.tag != "" {
-		requestHeader = jujuhttp.BasicAuthHeader(st.tag, st.password)
+	if st.tag != "" || st.LoginToken() != "" {
+		requestHeader = jujuhttp.BasicAuthHeader(st.tag, st.LoginToken())
 	} else {
 		requestHeader = make(http.Header)
 	}
diff --git a/api/clientcredentialsloginprovider.go b/api/clientcredentialsloginprovider.go
@@ -32,6 +32,11 @@ type clientCredentialsLoginProvider struct {
 	clientSecret string
 }
 
+// Token implements LoginProvider.Token
+func (p *clientCredentialsLoginProvider) Token() string {
+	return p.clientSecret
+}
+
 // Login implements the LoginProvider.Login method.
 //
 // It authenticates as the entity using client credentials.
diff --git a/api/clientcredentialsloginprovider_test.go b/api/clientcredentialsloginprovider_test.go
@@ -66,14 +66,16 @@ func (s *clientCredentialsLoginProviderProviderSuite) Test(c *gc.C) {
 		return nil
 	})
 
+	lp := api.NewClientCredentialsLoginProvider(clientID, clientSecret)
 	apiState, err := api.Open(&api.Info{
 		Addrs:          info.Addrs,
 		ControllerUUID: info.ControllerUUID,
 		CACert:         info.CACert,
 	}, api.DialOpts{
-		LoginProvider: api.NewClientCredentialsLoginProvider(clientID, clientSecret),
+		LoginProvider: lp,
 	})
 	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(lp.Token(), gc.Equals, clientSecret)
 
 	defer func() { _ = apiState.Close() }()
 }
diff --git a/api/interface.go b/api/interface.go
@@ -185,6 +185,11 @@ func NewLoginResultParams(result params.LoginResult) (*LoginResultParams, error)
 type LoginProvider interface {
 	// Login performs log in when connecting to the controller.
 	Login(ctx context.Context, caller base.APICaller) (*LoginResultParams, error)
+	// Token returns the string used for authentication. Some providers may only obtain
+	// a token after login has completed.
+	// This is normally used as part of basic authentication in scenarios where a client
+	// makes use of a StreamConnector like when fetching logs using `juju debug-log`.
+	Token() string
 }
 
 // DialOpts holds configuration parameters that control the
diff --git a/api/sessiontokenloginprovider.go b/api/sessiontokenloginprovider.go
@@ -54,6 +54,11 @@ type sessionTokenLoginProvider struct {
 	updateAccountDetailsFunc func(string) error
 }
 
+// Token implements the LoginProvider.Token method.
+func (p *sessionTokenLoginProvider) Token() string {
+	return p.sessionToken
+}
+
 // Login implements the LoginProvider.Login method.
 //
 // It authenticates as the entity using the specified session token.
diff --git a/api/sessiontokenloginprovider_test.go b/api/sessiontokenloginprovider_test.go
@@ -102,24 +102,25 @@ func (s *sessionTokenLoginProviderProviderSuite) TestSessionTokenLogin(c *gc.C)
 	})
 
 	var output bytes.Buffer
+	lp := api.NewSessionTokenLoginProvider(
+		"expired-token",
+		&output,
+		func(sessionToken string) error {
+			obtainedSessionToken = sessionToken
+			return nil
+		})
 	apiState, err := api.Open(&api.Info{
 		Addrs:          info.Addrs,
 		ControllerUUID: info.ControllerUUID,
 		CACert:         info.CACert,
 	}, api.DialOpts{
-		LoginProvider: api.NewSessionTokenLoginProvider(
-			"expired-token",
-			&output,
-			func(sessionToken string) error {
-				obtainedSessionToken = sessionToken
-				return nil
-			},
-		),
+		LoginProvider: lp,
 	})
 	c.Assert(err, jc.ErrorIsNil)
 
 	c.Assert(output.String(), gc.Equals, "Please visit http://localhost:8080/test-verification and enter code 1234567 to log in.\n")
 	c.Assert(obtainedSessionToken, gc.Equals, sessionToken)
+	c.Assert(lp.Token(), gc.Equals, sessionToken)
 	defer func() { _ = apiState.Close() }()
 }
 
diff --git a/api/state.go b/api/state.go
@@ -98,6 +98,9 @@ type state struct {
 	macaroons []macaroon.Slice
 	nonce     string
 
+	// loginProvider holds the provider used for login.
+	loginProvider LoginProvider
+
 	// serverRootAddress holds the cached API server address and port used
 	// to login.
 	serverRootAddress string
@@ -193,6 +196,12 @@ func (st *state) AuthTag() names.Tag {
 	return st.authTag
 }
 
+// LoginToken returns a token appropriate for basic auth as determined by the
+// underlying login provider.
+func (st *state) LoginToken() string {
+	return st.loginProvider.Token()
+}
+
 // ControllerAccess returns the access level of authorized user to the model.
 func (st *state) ControllerAccess() string {
 	return st.controllerAccess
diff --git a/api/userpass_login_provider_test.go b/api/userpass_login_provider_test.go
@@ -0,0 +1,38 @@
+// Copyright 2024 Canonical Ltd.
+// Licensed under the AGPLv3, see LICENCE file for details.
+
+package api_test
+
+import (
+	"github.com/juju/names/v5"
+	jc "github.com/juju/testing/checkers"
+	gc "gopkg.in/check.v1"
+
+	"github.com/juju/juju/api"
+	jujutesting "github.com/juju/juju/juju/testing"
+)
+
+type userPassLoginProviderSuite struct {
+	jujutesting.JujuConnSuite
+}
+
+var _ = gc.Suite(&userPassLoginProviderSuite{})
+
+func (s *userPassLoginProviderSuite) Test(c *gc.C) {
+	info := s.APIInfo(c)
+
+	username := names.NewUserTag("admin")
+	password := jujutesting.AdminSecret
+
+	lp := api.NewUserpassLoginProvider(username, password, "", nil, nil, nil)
+	apiState, err := api.Open(&api.Info{
+		Addrs:          info.Addrs,
+		ControllerUUID: info.ControllerUUID,
+		CACert:         info.CACert,
+	}, api.DialOpts{
+		LoginProvider: lp,
+	})
+	c.Assert(err, jc.ErrorIsNil)
+	defer apiState.Close()
+	c.Assert(lp.Token(), gc.Equals, password)
+}
diff --git a/api/userpassloginprovider.go b/api/userpassloginprovider.go
@@ -57,6 +57,11 @@ type userpassLoginProvider struct {
 	cookieURL    *url.URL
 }
 
+// Token implements the LoginProvider.Token method.
+func (p *userpassLoginProvider) Token() string {
+	return p.password
+}
+
 // Login implements the LoginProvider.Login method.
 //
 // It authenticates as the entity with the given name and password
diff --git a/cmd/internal/loginprovider/tryinorderloginprovider.go b/cmd/internal/loginprovider/tryinorderloginprovider.go
@@ -27,8 +27,14 @@ func NewTryInOrderLoginProvider(logger loggo.Logger, providers ...api.LoginProvi
 }
 
 type tryInOrderLoginProviders struct {
-	providers []api.LoginProvider
-	logger    loggo.Logger
+	providers  []api.LoginProvider
+	logger     loggo.Logger
+	loginToken string
+}
+
+// Token implements the LoginProvider.Token method.
+func (p *tryInOrderLoginProviders) Token() string {
+	return p.loginToken
 }
 
 // Login implements the LoginProvider.Login method.
@@ -40,6 +46,7 @@ func (p *tryInOrderLoginProviders) Login(ctx context.Context, caller base.APICal
 			p.logger.Debugf("login error using provider %d - %s", i, err.Error())
 		} else {
 			p.logger.Debugf("successful login using provider %d", i)
+			p.loginToken = provider.Token()
 			return result, nil
 		}
 		lastError = err
diff --git a/cmd/internal/loginprovider/tryinorderloginprovider_test.go b/cmd/internal/loginprovider/tryinorderloginprovider_test.go
@@ -23,20 +23,27 @@ var _ = gc.Suite(&tryInOrderLoginProviderSuite{})
 func (s *tryInOrderLoginProviderSuite) Test(c *gc.C) {
 	p1 := &mockLoginProvider{err: errors.New("provider 1 error")}
 	p2 := &mockLoginProvider{err: errors.New("provider 2 error")}
-	p3 := &mockLoginProvider{}
+	p3 := &mockLoginProvider{token: "successful-login-token"}
 
 	logger := loggo.GetLogger("juju.cmd.loginprovider")
 	lp := loginprovider.NewTryInOrderLoginProvider(logger, p1, p2)
 	_, err := lp.Login(context.Background(), nil)
 	c.Assert(err, gc.ErrorMatches, "provider 2 error")
 
 	lp = loginprovider.NewTryInOrderLoginProvider(logger, p1, p2, p3)
+	c.Assert(lp.Token(), gc.Equals, "")
 	_, err = lp.Login(context.Background(), nil)
 	c.Assert(err, jc.ErrorIsNil)
+	c.Assert(lp.Token(), gc.Equals, "successful-login-token")
 }
 
 type mockLoginProvider struct {
-	err error
+	err   error
+	token string
+}
+
+func (p *mockLoginProvider) Token() string {
+	return p.token
 }
 
 func (p *mockLoginProvider) Login(ctx context.Context, caller base.APICaller) (*api.LoginResultParams, error) {
