Tenant support (#1400)

* feat: add tenant selection and management with CLI support

* feat: add compact target listing mode when verbose flag is disabled

* feat: add DEFANG_TENANT environment variable support for tenant selection

* feat: skip userinfo endpoint resolution for GitHub Actions tokens

* return nil on fabric issuer

---------

Co-authored-by: Lio李歐 <[email protected]>

Author: raphaeltm

pkgs/npm/README.md

@@ -32,6 +32,7 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_HIDE_HINTS` - If set to `true`, hides hints in the CLI output; defaults to `false`
 - `DEFANG_HIDE_UPDATE` - If set to `true`, hides the update notification; defaults to `false`
 - `DEFANG_PROVIDER` - The name of the cloud provider to use, `auto` (default), `aws`, `digitalocean`, or `defang`
+- `DEFANG_TENANT` - The name of the tenant to use.
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
 - `TZ` - The timezone to use for log timestamps: an IANA TZ name like `UTC` or `Europe/Amsterdam`; defaults to `Local`
 - `XDG_STATE_HOME` - The directory to use for storing state; defaults to `~/.local/state`

src/README.md

@@ -43,6 +43,7 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_PULUMI_BACKEND` - The Pulumi backend URL or `"pulumi-cloud"`; defaults to a self-hosted backend
 - `DEFANG_PULUMI_DIR` - Run Pulumi from this folder, instead of spawning a cloud task; requires `--debug` (BYOC only)
 - `DEFANG_PULUMI_VERSION` - Override the version of the Pulumi image to use (`aws` provider only)
+- `DEFANG_TENANT` - The name of the tenant to use.
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
 - `PULUMI_ACCESS_TOKEN` - The Pulumi access token to use for authentication to Pulumi Cloud; see `DEFANG_PULUMI_BACKEND`
 - `PULUMI_CONFIG_PASSPHRASE` - Passphrase used to generate a unique key for your stack, and configuration and encrypted state values

src/cmd/cli/command/commands.go

@@ -9,12 +9,14 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 
 	"github.com/AlecAivazis/survey/v2"
 	_ "github.com/DefangLabs/defang/src/cmd/cli/autoload"
 	"github.com/DefangLabs/defang/src/pkg"
+	"github.com/DefangLabs/defang/src/pkg/auth"
 	"github.com/DefangLabs/defang/src/pkg/cli"
 	cliClient "github.com/DefangLabs/defang/src/pkg/cli/client"
 	"github.com/DefangLabs/defang/src/pkg/cli/client/byoc"
@@ -57,6 +59,7 @@ var (
 	modelId        = os.Getenv("DEFANG_MODEL_ID") // for Pro users only
 	nonInteractive = !hasTty
 	org            string
+	tenantFlag     string
 	providerID     = cliClient.ProviderID(pkg.Getenv("DEFANG_PROVIDER", "auto"))
 	verbose        = false
 )
@@ -163,6 +166,7 @@ func SetupCommands(ctx context.Context, version string) {
 	RootCmd.PersistentFlags().StringVarP(&cluster, "cluster", "s", pcluster.DefangFabric, "Defang cluster to connect to")
 	RootCmd.PersistentFlags().MarkHidden("cluster")
 	RootCmd.PersistentFlags().StringVar(&org, "org", os.Getenv("DEFANG_ORG"), "override GitHub organization name (tenant)")
+	RootCmd.PersistentFlags().StringVar(&tenantFlag, "tenant", "", "select tenant by name")
 	RootCmd.PersistentFlags().VarP(&providerID, "provider", "P", fmt.Sprintf(`bring-your-own-cloud provider; one of %v`, cliClient.AllProviders()))
 	// RootCmd.Flag("provider").NoOptDefVal = "auto" NO this will break the "--provider aws"
 	RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose logging") // backwards compat: only used by tail
@@ -215,6 +219,9 @@ func SetupCommands(ctx context.Context, version string) {
 	// Whoami Command
 	RootCmd.AddCommand(whoamiCmd)
 
+	// Tenants Command
+	RootCmd.AddCommand(tenantsCmd)
+
 	// Logout Command
 	RootCmd.AddCommand(logoutCmd)
 
@@ -365,6 +372,18 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
+		// Configure tenant selection based on --tenant flag
+		if f := cmd.Root().Flag("tenant"); f != nil && f.Changed {
+			// Highest precedence: explicit --tenant flag
+			auth.SetSelectedTenantName(tenantFlag)
+		} else if envTenant := os.Getenv("DEFANG_TENANT"); strings.TrimSpace(envTenant) != "" {
+			// Next precedence: DEFANG_TENANT environment variable
+			auth.SetSelectedTenantName(envTenant)
+		} else {
+			// Default behavior: auto-select tenant by JWT subject if no explicit name is provided
+			auth.SetAutoSelectBySub(true)
+		}
+
 		client, err = cli.Connect(ctx, getCluster())
 
 		if v, err := client.GetVersions(ctx); err == nil {
@@ -376,6 +395,8 @@ var RootCmd = &cobra.Command{
 			}
 		}
 
+		// (deliberately skip tenant resolution here to avoid blocking non-auth commands)
+
 		// Check if we are correctly logged in, but only if the command needs authorization
 		if _, ok := cmd.Annotations[authNeeded]; !ok {
 			return nil
@@ -387,7 +408,80 @@ var RootCmd = &cobra.Command{
 			err = login.InteractiveRequireLoginAndToS(ctx, client, getCluster())
 		}
 
-		return err
+		if err != nil {
+			return err
+		}
+
+		// Ensure tenant is resolved post-login as we now have a token
+		if tok := pcluster.GetExistingToken(getCluster()); tok != "" {
+			if err2 := auth.ResolveAndSetTenantFromToken(ctx, tok); err2 != nil {
+				return err2
+			}
+			// log the tenant name and id
+			term.Debug("Selected tenant:", auth.GetSelectedTenantName(), "(", auth.GetSelectedTenantID(), ")")
+		}
+
+		return nil
+	},
+}
+
+var tenantsCmd = &cobra.Command{
+	Use:         "tenants",
+	Args:        cobra.NoArgs,
+	Annotations: authNeededAnnotation,
+	Short:       "List tenants available to the logged-in user",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		ctx := cmd.Context()
+		tok := pcluster.GetExistingToken(getCluster())
+		if strings.TrimSpace(tok) == "" {
+			return errors.New("not logged in; run 'defang login'")
+		}
+
+		tenants, err := auth.ListTenantsFromToken(ctx, tok)
+		if err != nil {
+			return err
+		}
+
+		// Sort by name for stable output
+		sort.Slice(tenants, func(i, j int) bool { return strings.ToLower(tenants[i].Name) < strings.ToLower(tenants[j].Name) })
+
+		if len(tenants) == 0 {
+			term.Info("No tenants found")
+			return nil
+		}
+
+		currentID := auth.GetSelectedTenantID()
+		currentName := auth.GetSelectedTenantName()
+
+		// Compute longest name for aligned output
+		maxNameLen := 0
+		for _, t := range tenants {
+			if l := len(t.Name); l > maxNameLen {
+				maxNameLen = l
+			}
+		}
+
+		for _, t := range tenants {
+			selected := t.ID == currentID || (currentID == "" && t.Name == currentName && strings.TrimSpace(currentName) != "")
+			marker := "-"
+			if selected {
+				marker = "*" // highlight selected
+			}
+
+			var line string
+			if verbose {
+				line = fmt.Sprintf("%s %-*s (%s)\n", marker, maxNameLen, t.Name, t.ID)
+			} else {
+				line = fmt.Sprintf("%s %s\n", marker, t.Name)
+			}
+
+			if selected {
+				term.Printc(term.BrightCyan, line)
+			} else {
+				term.Printc(term.InfoColor, line)
+			}
+		}
+		return nil
 	},
 }
 

src/pkg/auth/interceptor.go

@@ -7,7 +7,10 @@ import (
 	"github.com/bufbuild/connect-go"
 )
 
-const XDefangOrgID = "X-Defang-Orgid"
+const (
+	XDefangOrgID    = "X-Defang-Orgid"
+	XDefangTenantID = "X-Defang-Tenant-Id"
+)
 
 type authInterceptor struct {
 	authorization string
@@ -23,6 +26,9 @@ func (a *authInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 		req.Header().Set("Authorization", a.authorization)
 		req.Header().Set("Content-Type", "application/grpc") // same as the gRPC client
 		req.Header().Set(XDefangOrgID, a.orgID)
+		if tid := GetSelectedTenantID(); tid != "" {
+			req.Header().Set(XDefangTenantID, tid)
+		}
 		return next(ctx, req)
 	}
 }
@@ -33,6 +39,9 @@ func (a *authInterceptor) WrapStreamingClient(next connect.StreamingClientFunc)
 		conn.RequestHeader().Set("Authorization", a.authorization)
 		conn.RequestHeader().Set("Content-Type", "application/grpc") // same as the gRPC client
 		conn.RequestHeader().Set(XDefangOrgID, a.orgID)
+		if tid := GetSelectedTenantID(); tid != "" {
+			conn.RequestHeader().Set(XDefangTenantID, tid)
+		}
 		return conn
 	}
 }