feat: add tenant selection and management with CLI support

Author: raphaeltm

src/cmd/cli/command/commands.go

@@ -9,11 +9,13 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/DefangLabs/defang/src/pkg"
+	"github.com/DefangLabs/defang/src/pkg/auth"
 	"github.com/DefangLabs/defang/src/pkg/cli"
 	cliClient "github.com/DefangLabs/defang/src/pkg/cli/client"
 	"github.com/DefangLabs/defang/src/pkg/cli/client/byoc"
@@ -56,6 +58,7 @@ var (
 	modelId        = os.Getenv("DEFANG_MODEL_ID") // for Pro users only
 	nonInteractive = !hasTty
 	org            string
+	tenantFlag     string
 	providerID     = cliClient.ProviderID(pkg.Getenv("DEFANG_PROVIDER", "auto"))
 	verbose        = false
 )
@@ -162,6 +165,7 @@ func SetupCommands(ctx context.Context, version string) {
 	RootCmd.PersistentFlags().StringVarP(&cluster, "cluster", "s", pcluster.DefangFabric, "Defang cluster to connect to")
 	RootCmd.PersistentFlags().MarkHidden("cluster")
 	RootCmd.PersistentFlags().StringVar(&org, "org", os.Getenv("DEFANG_ORG"), "override GitHub organization name (tenant)")
+	RootCmd.PersistentFlags().StringVar(&tenantFlag, "tenant", "", "select tenant by name")
 	RootCmd.PersistentFlags().VarP(&providerID, "provider", "P", fmt.Sprintf(`bring-your-own-cloud provider; one of %v`, cliClient.AllProviders()))
 	// RootCmd.Flag("provider").NoOptDefVal = "auto" NO this will break the "--provider aws"
 	RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose logging") // backwards compat: only used by tail
@@ -214,6 +218,9 @@ func SetupCommands(ctx context.Context, version string) {
 	// Whoami Command
 	RootCmd.AddCommand(whoamiCmd)
 
+	// Tenants Command
+	RootCmd.AddCommand(tenantsCmd)
+
 	// Logout Command
 	RootCmd.AddCommand(logoutCmd)
 
@@ -364,6 +371,14 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
+		// Configure tenant selection based on --tenant flag
+		if f := cmd.Root().Flag("tenant"); f != nil && f.Changed {
+			auth.SetSelectedTenantName(tenantFlag)
+		} else {
+			// Default behavior: auto-select tenant by JWT subject if no explicit name is provided
+			auth.SetAutoSelectBySub(true)
+		}
+
 		client, err = cli.Connect(ctx, getCluster())
 
 		if v, err := client.GetVersions(ctx); err == nil {
@@ -375,6 +390,8 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
+		// (deliberately skip tenant resolution here to avoid blocking non-auth commands)
+
 		// Check if we are correctly logged in, but only if the command needs authorization
 		if _, ok := cmd.Annotations[authNeeded]; !ok {
 			return nil
@@ -386,7 +403,73 @@ var RootCmd = &cobra.Command{
 			err = login.InteractiveRequireLoginAndToS(ctx, client, getCluster())
 		}
 
-		return err
+		if err != nil {
+			return err
+		}
+
+		// Ensure tenant is resolved post-login as we now have a token
+		if tok := pcluster.GetExistingToken(getCluster()); tok != "" {
+			if err2 := auth.ResolveAndSetTenantFromToken(ctx, tok); err2 != nil {
+				return err2
+			}
+			// log the tenant name and id
+			term.Debug("Selected tenant:", auth.GetSelectedTenantName(), "(", auth.GetSelectedTenantID(), ")")
+		}
+
+		return nil
+	},
+}
+
+var tenantsCmd = &cobra.Command{
+	Use:         "tenants",
+	Args:        cobra.NoArgs,
+	Annotations: authNeededAnnotation,
+	Short:       "List tenants available to the logged-in user",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		tok := pcluster.GetExistingToken(getCluster())
+		if strings.TrimSpace(tok) == "" {
+			return errors.New("not logged in; run 'defang login'")
+		}
+
+		tenants, err := auth.ListTenantsFromToken(ctx, tok)
+		if err != nil {
+			return err
+		}
+
+		// Sort by name for stable output
+		sort.Slice(tenants, func(i, j int) bool { return strings.ToLower(tenants[i].Name) < strings.ToLower(tenants[j].Name) })
+
+		if len(tenants) == 0 {
+			term.Info("No tenants found")
+			return nil
+		}
+
+		currentID := auth.GetSelectedTenantID()
+		currentName := auth.GetSelectedTenantName()
+
+		// Compute longest name for aligned output
+		maxNameLen := 0
+		for _, t := range tenants {
+			if l := len(t.Name); l > maxNameLen {
+				maxNameLen = l
+			}
+		}
+
+		for _, t := range tenants {
+			selected := t.ID == currentID || (currentID == "" && t.Name == currentName && strings.TrimSpace(currentName) != "")
+			marker := "-"
+			if selected {
+				marker = "*" // highlight selected
+			}
+			line := fmt.Sprintf("%s %-*s (%s)\n", marker, maxNameLen, t.Name, t.ID)
+			if selected {
+				term.Printc(term.BrightCyan, " * ", line)
+			} else {
+				term.Printc(term.InfoColor, " * ", line)
+			}
+		}
+		return nil
 	},
 }
 

src/pkg/auth/interceptor.go

@@ -7,7 +7,10 @@ import (
 	"github.com/bufbuild/connect-go"
 )
 
-const XDefangOrgID = "X-Defang-Orgid"
+const (
+	XDefangOrgID    = "X-Defang-Orgid"
+	XDefangTenantID = "X-Defang-Tenant-Id"
+)
 
 type authInterceptor struct {
 	authorization string
@@ -23,6 +26,9 @@ func (a *authInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 		req.Header().Set("Authorization", a.authorization)
 		req.Header().Set("Content-Type", "application/grpc") // same as the gRPC client
 		req.Header().Set(XDefangOrgID, a.orgID)
+		if tid := GetSelectedTenantID(); tid != "" {
+			req.Header().Set(XDefangTenantID, tid)
+		}
 		return next(ctx, req)
 	}
 }
@@ -33,6 +39,9 @@ func (a *authInterceptor) WrapStreamingClient(next connect.StreamingClientFunc)
 		conn.RequestHeader().Set("Authorization", a.authorization)
 		conn.RequestHeader().Set("Content-Type", "application/grpc") // same as the gRPC client
 		conn.RequestHeader().Set(XDefangOrgID, a.orgID)
+		if tid := GetSelectedTenantID(); tid != "" {
+			conn.RequestHeader().Set(XDefangTenantID, tid)
+		}
 		return conn
 	}
 }

src/pkg/auth/tenant.go

@@ -0,0 +1,226 @@
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+var (
+	selectedTenantName string
+	selectedTenantID   string
+	autoSelectBySub    bool
+
+	// Returned when multiple tenants share the same name in the userinfo response.
+	ErrMultipleTenantMatches = errors.New("multiple tenants match the name")
+	// Returned when no tenant matches the provided name in the userinfo response.
+	ErrTenantNotFound = errors.New("tenant not found")
+	// Returned when no access token is available yet (user not logged in).
+	ErrNoAccessToken = errors.New("no access token available; please login first")
+)
+
+// SetSelectedTenantName stores the desired tenant name for selection.
+func SetSelectedTenantName(name string) {
+	selectedTenantName = strings.TrimSpace(name)
+	autoSelectBySub = false
+}
+
+// SetAutoSelectBySub enables or disables auto-select by JWT sub.
+func SetAutoSelectBySub(enabled bool) {
+	autoSelectBySub = enabled
+}
+
+// subFromJWT extracts the "sub" claim from the given JWT without verification.
+func subFromJWT(token string) (string, error) {
+	var claims jwt.MapClaims
+	_, _, err := new(jwt.Parser).ParseUnverified(token, &claims)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse access token: %w", err)
+	}
+	subVal, ok := claims["sub"]
+	if !ok {
+		return "", errors.New("token is missing subject (sub) claim")
+	}
+	sub, ok := subVal.(string)
+	if !ok || sub == "" {
+		return "", errors.New("invalid subject (sub) claim in token")
+	}
+	return sub, nil
+}
+
+// GetSelectedTenantName returns the currently selected tenant name.
+func GetSelectedTenantName() string { return selectedTenantName }
+
+// SetSelectedTenantID stores the resolved tenant ID used in Fabric requests.
+func SetSelectedTenantID(id string) { selectedTenantID = strings.TrimSpace(id) }
+
+// GetSelectedTenantID returns the currently selected tenant ID.
+func GetSelectedTenantID() string { return selectedTenantID }
+
+// issuerFromJWT extracts the "iss" claim from the given JWT without verification.
+func issuerFromJWT(token string) (string, error) {
+	var claims jwt.MapClaims
+	_, _, err := new(jwt.Parser).ParseUnverified(token, &claims)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse access token: %w", err)
+	}
+	issVal, ok := claims["iss"]
+	if !ok {
+		return "", errors.New("token is missing issuer (iss) claim")
+	}
+	iss, ok := issVal.(string)
+	if !ok || iss == "" {
+		return "", errors.New("invalid issuer (iss) claim in token")
+	}
+	return iss, nil
+}
+
+// userinfoTenant represents a tenant entry in the /userinfo payload.
+type userinfoTenant struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+// userinfoResponse represents the relevant portion of the /userinfo response.
+type userinfoResponse struct {
+	AllTenants []userinfoTenant `json:"allTenants"`
+}
+
+// ResolveAndSetTenantFromToken resolves the tenant ID for the previously set tenant name
+// by calling issuer + "/userinfo" with the current access token. On success, it sets the
+// global selected tenant ID so subsequent Fabric requests include the header.
+func ResolveAndSetTenantFromToken(ctx context.Context, accessToken string) error {
+	// If neither a specific name was requested nor auto-select was enabled, do nothing
+	if strings.TrimSpace(selectedTenantName) == "" && !autoSelectBySub {
+		return nil
+	}
+
+	token := strings.TrimSpace(accessToken)
+	if token == "" {
+		return ErrNoAccessToken
+	}
+
+	iss, err := issuerFromJWT(token)
+	if err != nil {
+		return err
+	}
+
+	url := strings.TrimRight(iss, "/") + "/userinfo"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("userinfo request failed: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("userinfo request failed: %s", resp.Status)
+	}
+
+	var ui userinfoResponse
+	if err := json.NewDecoder(resp.Body).Decode(&ui); err != nil {
+		return fmt.Errorf("failed to decode userinfo: %w", err)
+	}
+
+	if autoSelectBySub {
+		sub, err := subFromJWT(token)
+		if err != nil {
+			return err
+		}
+		matches := 0
+		var id string
+		for _, t := range ui.AllTenants {
+			if t.ID == sub {
+				id = t.ID
+				matches++
+			}
+		}
+		switch matches {
+		case 0:
+			return fmt.Errorf("%w: no tenant with id matching JWT sub", ErrTenantNotFound)
+		case 1:
+			SetSelectedTenantID(id)
+			return nil
+		default:
+			return fmt.Errorf("%w: multiple tenants with id %q", ErrMultipleTenantMatches, sub)
+		}
+	} else {
+		var (
+			id    string
+			count int
+		)
+		for _, t := range ui.AllTenants {
+			if t.Name == selectedTenantName {
+				id = t.ID
+				count++
+			}
+		}
+		switch count {
+		case 0:
+			return fmt.Errorf("%w: %q", ErrTenantNotFound, selectedTenantName)
+		case 1:
+			SetSelectedTenantID(id)
+			return nil
+		default:
+			return fmt.Errorf("%w: %q", ErrMultipleTenantMatches, selectedTenantName)
+		}
+	}
+}
+
+// Tenant represents a tenant entry returned by the /userinfo endpoint.
+type Tenant struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+// ListTenantsFromToken calls issuer + "/userinfo" with the provided access token
+// and returns the list of tenants available to the user.
+func ListTenantsFromToken(ctx context.Context, accessToken string) ([]Tenant, error) {
+	token := strings.TrimSpace(accessToken)
+	if token == "" {
+		return nil, ErrNoAccessToken
+	}
+
+	iss, err := issuerFromJWT(token)
+	if err != nil {
+		return nil, err
+	}
+
+	url := strings.TrimRight(iss, "/") + "/userinfo"
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+token)
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("userinfo request failed: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("userinfo request failed: %s", resp.Status)
+	}
+
+	var ui userinfoResponse
+	if err := json.NewDecoder(resp.Body).Decode(&ui); err != nil {
+		return nil, fmt.Errorf("failed to decode userinfo: %w", err)
+	}
+
+	tenants := make([]Tenant, 0, len(ui.AllTenants))
+	for _, t := range ui.AllTenants {
+		tenants = append(tenants, Tenant{ID: t.ID, Name: t.Name})
+	}
+	return tenants, nil
+}