Merge pull request #26 from MagaluCloud/feat/auth-tenant

feat: implemented tenant management commands

Author: NathalyaStefhany

base-cli/cmd/common/auth/auth.go

@@ -1,15 +1,20 @@
 package auth
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"net/http"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/magaluCloud/mgccli/cmd/common/structs"
 	"github.com/magaluCloud/mgccli/cmd/common/workspace"
+	cmdutils "github.com/magaluCloud/mgccli/cmd_utils"
 	"gopkg.in/yaml.v3"
 )
 
@@ -32,17 +37,23 @@ type Auth interface {
 	GetRefreshToken() string
 	GetSecretAccessKey() string
 	GetService() *Service
+	GetCurrentTenantID() (string, error)
+	GetCurrentTenant(ctx context.Context) (*Tenant, error)
+	GetScopes() (string, error)
 	TokenClaims() (*TokenClaims, error)
 
 	SetAccessToken(token string) error
 	SetRefreshToken(token string) error
 	SetSecretAccessKey(key string) error
 	SetAccessKeyID(key string) error
+	SetTenant(ctx context.Context, id string) (*TokenExchangeResult, error)
 
 	ValidateToken() error
 	RefreshToken(ctx context.Context) error
 
 	Logout() error
+
+	ListTenants(ctx context.Context) ([]*Tenant, error)
 }
 
 type authValue struct {
@@ -98,6 +109,54 @@ func (a *authValue) GetSecretAccessKey() string {
 	return a.authValue.SecretAccessKey
 }
 
+func (a *authValue) GetCurrentTenantID() (string, error) {
+	claims, err := a.TokenClaims()
+	if err != nil {
+		return "", err
+	}
+
+	tenantId := claims.TenantIDWithType
+
+	// Dot is a separator, Tenant will be <TenantType>.<ID>. We only want the ID
+	dotIndex := strings.Index(tenantId, ".")
+
+	if dotIndex != -1 {
+		tenantId = tenantId[dotIndex+1:]
+	}
+
+	return tenantId, nil
+}
+
+func (a *authValue) GetCurrentTenant(ctx context.Context) (*Tenant, error) {
+	currentTenantId, err := a.GetCurrentTenantID()
+	if err != nil {
+		return nil, err
+	}
+
+	tenants, err := a.ListTenants(ctx)
+	if err != nil || len(tenants) == 0 {
+		fmt.Printf("Não foi possível pegar as informações sobre o tenant atual, retornando apenas o ID.\nErro: %v\n\n", err)
+		return &Tenant{UUID: currentTenantId}, nil
+	}
+
+	for _, tenant := range tenants {
+		if tenant.UUID == currentTenantId {
+			return tenant, nil
+		}
+	}
+
+	return nil, fmt.Errorf("o ID (%s) do tenant atual não foi encontrado na lista de tenants", currentTenantId)
+}
+
+func (a *authValue) GetScopes() (string, error) {
+	tokenClaims, err := a.TokenClaims()
+	if err != nil {
+		return "", err
+	}
+
+	return tokenClaims.ScopesStr, nil
+}
+
 func (a *authValue) SetAccessToken(token string) error {
 	a.authValue.AccessToken = token
 	return a.Write()
@@ -182,3 +241,119 @@ func (a *authValue) RefreshToken(ctx context.Context) error {
 	a.authValue.RefreshToken = token.RefreshToken
 	return a.Write()
 }
+
+func (a *authValue) ListTenants(ctx context.Context) ([]*Tenant, error) {
+	client, err := NewOAuthClient(a.service.config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OAuth client: %w", err)
+	}
+
+	httpClient := client.AuthenticatedHttpClientFromContext(ctx)
+	if httpClient == nil {
+		return nil, fmt.Errorf("programming error: unable to get HTTP Client from context")
+	}
+
+	r, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodGet,
+		a.service.config.TenantsListURL,
+		nil,
+	)
+	if err != nil {
+		return nil, err
+	}
+	r.Header.Set("Content-Type", "application/json")
+
+	resp, err := httpClient.Do(r)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, cmdutils.NewHttpErrorFromResponse(resp, r)
+	}
+
+	defer resp.Body.Close()
+	var result []*Tenant
+	if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func (a *authValue) SetTenant(ctx context.Context, id string) (*TokenExchangeResult, error) {
+	return a.runTokenExchange(ctx, id)
+}
+
+func (a *authValue) runTokenExchange(
+	ctx context.Context, tenantId string,
+) (*TokenExchangeResult, error) {
+	client, err := NewOAuthClient(a.service.config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OAuth client: %w", err)
+	}
+
+	httpClient := client.AuthenticatedHttpClientFromContext(ctx)
+	if httpClient == nil {
+		return nil, fmt.Errorf("programming error: unable to get HTTP Client from context")
+	}
+
+	scopes, err := a.GetScopes()
+	if err != nil {
+		return nil, err
+	}
+
+	data := map[string]any{
+		"tenant": tenantId,
+		"scopes": scopes,
+	}
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+
+	bodyReader := bytes.NewReader(jsonData)
+	r, err := http.NewRequestWithContext(ctx, http.MethodPost, a.service.config.TokenExchangeURL, bodyReader)
+	r.Header.Set("Content-Type", "application/json")
+
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := httpClient.Do(r)
+	if err != nil {
+		return nil, err
+	}
+
+	defer r.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, cmdutils.NewHttpErrorFromResponse(resp, r)
+	}
+
+	payload := &TenantResult{}
+	if err = json.NewDecoder(resp.Body).Decode(payload); err != nil {
+		return nil, err
+	}
+
+	err = a.SetAccessToken(payload.AccessToken)
+	if err != nil {
+		return nil, err
+	}
+
+	err = a.SetRefreshToken(payload.RefreshToken)
+	if err != nil {
+		return nil, err
+	}
+
+	createdAt := time.Time(time.Unix(int64(payload.CreatedAt), 0))
+
+	return &TokenExchangeResult{
+		AccessToken:  payload.AccessToken,
+		CreatedAt:    createdAt,
+		TenantID:     tenantId,
+		RefreshToken: payload.RefreshToken,
+		Scope:        strings.Split(payload.Scope, " "),
+	}, nil
+}

base-cli/cmd/common/auth/config.go

@@ -19,8 +19,10 @@ type Config struct {
 	Timeout    time.Duration
 
 	// External Links
-	TermsURL   string
-	PrivacyURL string
+	TermsURL         string
+	PrivacyURL       string
+	TenantsListURL   string
+	TokenExchangeURL string
 }
 
 // DefaultConfig retorna a configuração padrão para autenticação
@@ -40,10 +42,12 @@ func DefaultConfig() *Config {
 			"lba.loadbalancer.write", "gdb:azs-r", "lbaas.read", "lbaas.write",
 			"iam:read", "iam:write",
 		},
-		ListenAddr: getListenAddr(),
-		Timeout:    500 * time.Millisecond,
-		TermsURL:   "https://magalu.cloud/termos-legais/termos-de-uso-magalu-cloud/",
-		PrivacyURL: "https://magalu.cloud/termos-legais/politica-de-privacidade/",
+		ListenAddr:       getListenAddr(),
+		Timeout:          500 * time.Millisecond,
+		TermsURL:         "https://magalu.cloud/termos-legais/termos-de-uso-magalu-cloud/",
+		PrivacyURL:       "https://magalu.cloud/termos-legais/politica-de-privacidade/",
+		TenantsListURL:   "https://id.magalu.com/account/api/v2/whoami/tenants",
+		TokenExchangeURL: "https://id.magalu.com/oauth/token/exchange",
 	}
 }
 

base-cli/cmd/common/auth/http.go

@@ -0,0 +1,124 @@
+package auth
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"syscall"
+	"time"
+
+	cmdutils "github.com/magaluCloud/mgccli/cmd_utils"
+)
+
+type authRoundTripper struct {
+	parent   http.RoundTripper
+	auth     Auth
+	attempts int
+}
+
+func (rt *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	token := rt.auth.GetAccessToken(req.Context())
+
+	if token == "" {
+		return nil, fmt.Errorf("não foi possível obter o token de acesso. Você esqueceu de fazer login?")
+	}
+
+	req.Header.Set("Authorization", "Bearer "+token)
+
+	waitBeforeRetry := 100 * time.Millisecond
+	var res *http.Response
+	var err error
+
+	if req.Body != nil {
+		defer req.Body.Close()
+	}
+
+	for i := 0; i < rt.attempts; i++ {
+		reqCopy := rt.cloneRequest(req)
+		res, err = rt.parent.RoundTrip(reqCopy)
+
+		if err != nil {
+			var sysErr *os.SyscallError
+
+			if os.IsTimeout(err) {
+				fmt.Println("Request timeout, retrying...\n", "attempt", i+1, "\n ")
+				time.Sleep(waitBeforeRetry)
+				waitBeforeRetry = waitBeforeRetry * 2
+				continue
+			}
+
+			if errors.As(err, &sysErr) {
+				if sysErr.Err == syscall.ECONNRESET {
+					fmt.Println("\n\n\nConn reset by peer! THIS IS A SERVER PROBLEM!!!\n\n\n", "attempt", i+1, "")
+					time.Sleep(waitBeforeRetry)
+					waitBeforeRetry = waitBeforeRetry * 2
+					continue
+				}
+			}
+			return res, err
+		}
+		if res.StatusCode >= 500 {
+			fmt.Println("\n\n\nServer responded with fail, retrying...\n\n\n", "attempt", i+1, "status code", res.StatusCode, "")
+			time.Sleep(waitBeforeRetry)
+			waitBeforeRetry = waitBeforeRetry * 2
+			continue
+		}
+
+		return res, err
+	}
+
+	return rt.parent.RoundTrip(req)
+}
+
+func (c *OAuthClient) AuthenticatedHttpClientFromContext(ctx context.Context) *http.Client {
+	auth := ctx.Value(cmdutils.CTX_AUTH_KEY).(Auth)
+
+	transport := c.httpClient.Transport
+
+	if transport == nil {
+		transport = http.DefaultTransport
+	}
+
+	transport = &authRoundTripper{parent: transport, auth: auth, attempts: 5}
+
+	return &http.Client{
+		Transport: transport,
+		Timeout:   c.httpClient.Timeout,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			// Don't follow redirects, return an error to use the last response.
+			return http.ErrUseLastResponse
+		}}
+}
+
+func (rt *authRoundTripper) cloneRequest(req *http.Request) *http.Request {
+	var body io.Reader
+	var err error
+
+	if req.Body != nil {
+		body, err = rt.cloneRequestBody(req)
+		if err != nil {
+			fmt.Println("Erro: %w", err)
+			return req
+		}
+	}
+	clonedRequest, err := http.NewRequestWithContext(req.Context(), req.Method, req.URL.String(), body)
+	if err != nil {
+		return req
+	}
+	clonedRequest.Header = req.Header
+	return clonedRequest
+}
+
+func (rt *authRoundTripper) cloneRequestBody(req *http.Request) (io.Reader, error) {
+	body, err := io.ReadAll(req.Body)
+	if err != nil {
+		return nil, fmt.Errorf("erro: %w", err)
+	}
+
+	req.Body = io.NopCloser(bytes.NewBuffer(body))
+	return bytes.NewReader(body), nil
+}