Revert "Tenant support (#1400)"

This reverts commit f39a138.

Author: lionello

README.md

@@ -148,7 +148,6 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_PULUMI_BACKEND` - The Pulumi backend URL or `"pulumi-cloud"`; defaults to a self-hosted backend
 - `DEFANG_PULUMI_DIR` - Run Pulumi from this folder, instead of spawning a cloud task; requires `--debug` (BYOC only)
 - `DEFANG_PULUMI_VERSION` - Override the version of the Pulumi image to use (`aws` provider only)
-- `DEFANG_TENANT` - The name of the tenant to use.
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
 - `PULUMI_ACCESS_TOKEN` - The Pulumi access token to use for authentication to Pulumi Cloud; see `DEFANG_PULUMI_BACKEND`
 - `PULUMI_CONFIG_PASSPHRASE` - Passphrase used to generate a unique key for your stack, and configuration and encrypted state values

pkgs/npm/README.md

@@ -43,7 +43,6 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_PULUMI_BACKEND` - The Pulumi backend URL or `"pulumi-cloud"`; defaults to a self-hosted backend
 - `DEFANG_PULUMI_DIR` - Run Pulumi from this folder, instead of spawning a cloud task; requires `--debug` (BYOC only)
 - `DEFANG_PULUMI_VERSION` - Override the version of the Pulumi image to use (`aws` provider only)
-- `DEFANG_TENANT` - The name of the tenant to use.
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
 - `PULUMI_ACCESS_TOKEN` - The Pulumi access token to use for authentication to Pulumi Cloud; see `DEFANG_PULUMI_BACKEND`
 - `PULUMI_CONFIG_PASSPHRASE` - Passphrase used to generate a unique key for your stack, and configuration and encrypted state values

src/README.md

@@ -43,7 +43,6 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_PULUMI_BACKEND` - The Pulumi backend URL or `"pulumi-cloud"`; defaults to a self-hosted backend
 - `DEFANG_PULUMI_DIR` - Run Pulumi from this folder, instead of spawning a cloud task; requires `--debug` (BYOC only)
 - `DEFANG_PULUMI_VERSION` - Override the version of the Pulumi image to use (`aws` provider only)
-- `DEFANG_TENANT` - The name of the tenant to use.
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
 - `PULUMI_ACCESS_TOKEN` - The Pulumi access token to use for authentication to Pulumi Cloud; see `DEFANG_PULUMI_BACKEND`
 - `PULUMI_CONFIG_PASSPHRASE` - Passphrase used to generate a unique key for your stack, and configuration and encrypted state values

src/cmd/cli/command/commands.go

@@ -9,14 +9,12 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
-	"sort"
 	"strings"
 	"time"
 
 	"github.com/AlecAivazis/survey/v2"
 	_ "github.com/DefangLabs/defang/src/cmd/cli/autoload"
 	"github.com/DefangLabs/defang/src/pkg"
-	"github.com/DefangLabs/defang/src/pkg/auth"
 	"github.com/DefangLabs/defang/src/pkg/cli"
 	cliClient "github.com/DefangLabs/defang/src/pkg/cli/client"
 	"github.com/DefangLabs/defang/src/pkg/cli/client/byoc"
@@ -59,7 +57,6 @@ var (
 	modelId        = os.Getenv("DEFANG_MODEL_ID") // for Pro users only
 	nonInteractive = !hasTty
 	org            string
-	tenantFlag     string
 	providerID     = cliClient.ProviderID(pkg.Getenv("DEFANG_PROVIDER", "auto"))
 	verbose        = false
 )
@@ -166,7 +163,6 @@ func SetupCommands(ctx context.Context, version string) {
 	RootCmd.PersistentFlags().StringVarP(&cluster, "cluster", "s", pcluster.DefangFabric, "Defang cluster to connect to")
 	RootCmd.PersistentFlags().MarkHidden("cluster")
 	RootCmd.PersistentFlags().StringVar(&org, "org", os.Getenv("DEFANG_ORG"), "override GitHub organization name (tenant)")
-	RootCmd.PersistentFlags().StringVar(&tenantFlag, "tenant", "", "select tenant by name")
 	RootCmd.PersistentFlags().VarP(&providerID, "provider", "P", fmt.Sprintf(`bring-your-own-cloud provider; one of %v`, cliClient.AllProviders()))
 	// RootCmd.Flag("provider").NoOptDefVal = "auto" NO this will break the "--provider aws"
 	RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose logging") // backwards compat: only used by tail
@@ -219,9 +215,6 @@ func SetupCommands(ctx context.Context, version string) {
 	// Whoami Command
 	RootCmd.AddCommand(whoamiCmd)
 
-	// Tenants Command
-	RootCmd.AddCommand(tenantsCmd)
-
 	// Logout Command
 	RootCmd.AddCommand(logoutCmd)
 
@@ -372,18 +365,6 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
-		// Configure tenant selection based on --tenant flag
-		if f := cmd.Root().Flag("tenant"); f != nil && f.Changed {
-			// Highest precedence: explicit --tenant flag
-			auth.SetSelectedTenantName(tenantFlag)
-		} else if envTenant := os.Getenv("DEFANG_TENANT"); strings.TrimSpace(envTenant) != "" {
-			// Next precedence: DEFANG_TENANT environment variable
-			auth.SetSelectedTenantName(envTenant)
-		} else {
-			// Default behavior: auto-select tenant by JWT subject if no explicit name is provided
-			auth.SetAutoSelectBySub(true)
-		}
-
 		client, err = cli.Connect(ctx, getCluster())
 
 		if v, err := client.GetVersions(ctx); err == nil {
@@ -395,8 +376,6 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
-		// (deliberately skip tenant resolution here to avoid blocking non-auth commands)
-
 		// Check if we are correctly logged in, but only if the command needs authorization
 		if _, ok := cmd.Annotations[authNeeded]; !ok {
 			return nil
@@ -408,80 +387,7 @@ var RootCmd = &cobra.Command{
 			err = login.InteractiveRequireLoginAndToS(ctx, client, getCluster())
 		}
 
-		if err != nil {
-			return err
-		}
-
-		// Ensure tenant is resolved post-login as we now have a token
-		if tok := pcluster.GetExistingToken(getCluster()); tok != "" {
-			if err2 := auth.ResolveAndSetTenantFromToken(ctx, tok); err2 != nil {
-				return err2
-			}
-			// log the tenant name and id
-			term.Debug("Selected tenant:", auth.GetSelectedTenantName(), "(", auth.GetSelectedTenantID(), ")")
-		}
-
-		return nil
-	},
-}
-
-var tenantsCmd = &cobra.Command{
-	Use:         "tenants",
-	Args:        cobra.NoArgs,
-	Annotations: authNeededAnnotation,
-	Short:       "List tenants available to the logged-in user",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		ctx := cmd.Context()
-		tok := pcluster.GetExistingToken(getCluster())
-		if strings.TrimSpace(tok) == "" {
-			return errors.New("not logged in; run 'defang login'")
-		}
-
-		tenants, err := auth.ListTenantsFromToken(ctx, tok)
-		if err != nil {
-			return err
-		}
-
-		// Sort by name for stable output
-		sort.Slice(tenants, func(i, j int) bool { return strings.ToLower(tenants[i].Name) < strings.ToLower(tenants[j].Name) })
-
-		if len(tenants) == 0 {
-			term.Info("No tenants found")
-			return nil
-		}
-
-		currentID := auth.GetSelectedTenantID()
-		currentName := auth.GetSelectedTenantName()
-
-		// Compute longest name for aligned output
-		maxNameLen := 0
-		for _, t := range tenants {
-			if l := len(t.Name); l > maxNameLen {
-				maxNameLen = l
-			}
-		}
-
-		for _, t := range tenants {
-			selected := t.ID == currentID || (currentID == "" && t.Name == currentName && strings.TrimSpace(currentName) != "")
-			marker := "-"
-			if selected {
-				marker = "*" // highlight selected
-			}
-
-			var line string
-			if verbose {
-				line = fmt.Sprintf("%s %-*s (%s)\n", marker, maxNameLen, t.Name, t.ID)
-			} else {
-				line = fmt.Sprintf("%s %s\n", marker, t.Name)
-			}
-
-			if selected {
-				term.Printc(term.BrightCyan, line)
-			} else {
-				term.Printc(term.InfoColor, line)
-			}
-		}
-		return nil
+		return err
 	},
 }
 

src/pkg/auth/interceptor.go

@@ -7,10 +7,7 @@ import (
 	"github.com/bufbuild/connect-go"
 )
 
-const (
-	XDefangOrgID    = "X-Defang-Orgid"
-	XDefangTenantID = "X-Defang-Tenant-Id"
-)
+const XDefangOrgID = "X-Defang-Orgid"
 
 type authInterceptor struct {
 	authorization string
@@ -26,9 +23,6 @@ func (a *authInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 		req.Header().Set("Authorization", a.authorization)
 		req.Header().Set("Content-Type", "application/grpc") // same as the gRPC client
 		req.Header().Set(XDefangOrgID, a.orgID)
-		if tid := GetSelectedTenantID(); tid != "" {
-			req.Header().Set(XDefangTenantID, tid)
-		}
 		return next(ctx, req)
 	}
 }
@@ -39,9 +33,6 @@ func (a *authInterceptor) WrapStreamingClient(next connect.StreamingClientFunc)
 		conn.RequestHeader().Set("Authorization", a.authorization)
 		conn.RequestHeader().Set("Content-Type", "application/grpc") // same as the gRPC client
 		conn.RequestHeader().Set(XDefangOrgID, a.orgID)
-		if tid := GetSelectedTenantID(); tid != "" {
-			conn.RequestHeader().Set(XDefangTenantID, tid)
-		}
 		return conn
 	}
 }