Allow reading API key from default path when Auth0 is not configured

author: Martin Polden <mpolden@mpolden.no> 2022-04-19 11:29:27 +0200
committer: Martin Polden <mpolden@mpolden.no> 2022-04-20 08:56:29 +0200
commit: 9790091ed97be301ea39eb95cda218dd6dd1b16e (patch)
tree: 65206e54bd4e15d59a1e2668c68161e6452980dc /client
parent: 30d38557e9b442e8f2c705aee982ab0e70b1bc2b (diff)
3 files changed, 37 insertions, 34 deletions
diff --git a/client/go/cmd/config.go b/client/go/cmd/config.go
index 726676ce476..02477aecf28 100644
--- a/client/go/cmd/config.go
+++ b/client/go/cmd/config.go
@@ -20,7 +20,6 @@ import (
 	"github.com/spf13/pflag"
 	"github.com/vespa-engine/vespa/client/go/auth/auth0"
 	"github.com/vespa-engine/vespa/client/go/config"
-	"github.com/vespa-engine/vespa/client/go/util"
 	"github.com/vespa-engine/vespa/client/go/vespa"
 )
 
@@ -433,30 +432,21 @@ func (c *Config) authConfigPath() string {
 	return filepath.Join(c.homeDir, "auth.json")
 }
 
-func (c *Config) readAPIKey(tenantName string) ([]byte, error) {
+func (c *Config) readAPIKey(cli *CLI, system vespa.System, tenantName string) ([]byte, error) {
 	if override, ok := c.apiKeyFromEnv(); ok {
 		return override, nil
 	}
-	return os.ReadFile(c.apiKeyPath(tenantName))
-}
-
-// useAPIKey returns true if an API key should be used when authenticating with system.
-func (c *Config) useAPIKey(cli *CLI, system vespa.System, tenantName string) bool {
-	if _, ok := c.apiKeyFromEnv(); ok {
-		return true
-	}
-	if _, ok := c.apiKeyFileFromEnv(); ok {
-		return true
+	if path, ok := c.apiKeyFileFromEnv(); ok {
+		return os.ReadFile(path)
 	}
 	if !cli.isCI() {
-		// Fall back to API key, if present and Auth0 has not been configured
 		client, err := auth0.New(c.authConfigPath(), system.Name, system.URL)
-		if err != nil || !client.HasCredentials() {
-			cli.printWarning("Regular authentication is preferred over API key in a non-CI context", "Authenticate with 'vespa auth login'")
-			return util.PathExists(c.apiKeyPath(tenantName))
+		if err == nil && client.HasCredentials() {
+			return nil, nil // use Auth0
 		}
+		cli.printWarning("Authenticating with API key. This is discouraged in non-CI environments", "Authenticate with 'vespa auth login'")
 	}
-	return false
+	return os.ReadFile(c.apiKeyPath(tenantName))
 }
 
 func (c *Config) readSessionID(app vespa.ApplicationID) (int64, error) {
diff --git a/client/go/cmd/config_test.go b/client/go/cmd/config_test.go
index f89e752f82d..9f41ef46914 100644
--- a/client/go/cmd/config_test.go
+++ b/client/go/cmd/config_test.go
@@ -145,17 +145,33 @@ func assertConfigCommandErr(t *testing.T, configHome, expected string, args ...s
 	assert.NotNil(t, assertConfigCommandStdErr(t, configHome, expected, args...))
 }
 
-func TestUseAPIKey(t *testing.T) {
+func TestReadAPIKey(t *testing.T) {
 	cli, _, _ := newTestCLI(t)
-	assert.False(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
+	key, err := cli.config.readAPIKey(cli, vespa.PublicSystem, "t1")
+	assert.Nil(t, key)
+	require.NotNil(t, err)
 
-	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY_FILE=/tmp/foo")
-	assert.True(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
+	// From default path when it exists
+	require.Nil(t, os.WriteFile(filepath.Join(cli.config.homeDir, "t1.api-key.pem"), []byte("foo"), 0600))
+	key, err = cli.config.readAPIKey(cli, vespa.PublicSystem, "t1")
+	require.Nil(t, err)
+	assert.Equal(t, []byte("foo"), key)
+
+	// From file specified in environment
+	keyFile := filepath.Join(t.TempDir(), "key")
+	require.Nil(t, os.WriteFile(keyFile, []byte("bar"), 0600))
+	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY_FILE="+keyFile)
+	key, err = cli.config.readAPIKey(cli, vespa.PublicSystem, "t1")
+	require.Nil(t, err)
+	assert.Equal(t, []byte("bar"), key)
 
-	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY=foo")
-	assert.True(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t1"))
+	// From key specified in environment
+	cli, _, _ = newTestCLI(t, "VESPA_CLI_API_KEY=baz")
+	key, err = cli.config.readAPIKey(cli, vespa.PublicSystem, "t1")
+	require.Nil(t, err)
+	assert.Equal(t, []byte("baz"), key)
 
-	// Prefer Auth0, if configured
+	// Auth0 is preferred when configured
 	authContent := `
 {
     "version": 1,
@@ -172,10 +188,9 @@ func TestUseAPIKey(t *testing.T) {
 		}
 	}
 }`
-	cli, _, _ = newTestCLI(t, "VESPA_CLI_CLOUD_SYSTEM=public")
-	_, err := os.Create(filepath.Join(cli.config.homeDir, "t2.api-key.pem"))
-	require.Nil(t, err)
-	assert.True(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t2"))
+	cli, _, _ = newTestCLI(t)
 	require.Nil(t, os.WriteFile(filepath.Join(cli.config.homeDir, "auth.json"), []byte(authContent), 0600))
-	assert.False(t, cli.config.useAPIKey(cli, vespa.PublicSystem, "t2"))
+	key, err = cli.config.readAPIKey(cli, vespa.PublicSystem, "t1")
+	require.Nil(t, err)
+	assert.Equal(t, []byte(nil), key)
 }
diff --git a/client/go/cmd/root.go b/client/go/cmd/root.go
index e88398a7fde..0557248cedf 100644
--- a/client/go/cmd/root.go
+++ b/client/go/cmd/root.go
@@ -324,11 +324,9 @@ func (c *CLI) createCloudTarget(targetType string, opts targetOptions) (vespa.Ta
 	)
 	switch targetType {
 	case vespa.TargetCloud:
-		if c.config.useAPIKey(c, system, deployment.Application.Tenant) {
-			apiKey, err = c.config.readAPIKey(deployment.Application.Tenant)
-			if err != nil {
-				return nil, err
-			}
+		apiKey, err = c.config.readAPIKey(c, system, deployment.Application.Tenant)
+		if err != nil {
+			return nil, err
 		}
 		authConfigPath = c.config.authConfigPath()
 		deploymentTLSOptions = vespa.TLSOptions{}
author	Martin Polden <mpolden@mpolden.no>	2022-04-19 11:29:27 +0200
committer	Martin Polden <mpolden@mpolden.no>	2022-04-20 08:56:29 +0200
commit	9790091ed97be301ea39eb95cda218dd6dd1b16e (patch)
tree	65206e54bd4e15d59a1e2668c68161e6452980dc /client
parent	30d38557e9b442e8f2c705aee982ab0e70b1bc2b (diff)