access: prevent login with username-password when using wrong keys #174

Draft: wants to merge 2 commits into base: main

Conversation

shwstppr
Contributor

@shwstppr shwstppr commented Aug 7, 2025

Fixes #168

Tested by setting wrong keys,

⇒  make run                                                                                      fix-wrongkeys-access| 
▶  Running gofmt…
▶  Building executable… 6bb4126
▶  Done!
./bin/cmk
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(lab) 🐱 > set apikey 
(lab) 🐱 > set secretkey 
(lab) 🐱 > sync
Discovered 814 APIs
(lab) 🐱 > set apikey PCybDr6zX69sOPaYDD583pJFW0pnM46J9CY-452LD5G_oxPp_UW_3GRnInh-vh-9mZXZR5QnGU4VuSG4B_Y-Iw
(lab) 🐱 > set secretkey ClXRTtg1OmA392zs3lg3nbW7iuxPh6wRuAoEJWCf5ZbAMJ8w2C_NvyDkYm8E0qzlyNoBKOj-azziR3lerg5K0w
(lab) 🐱 > sync
Discovered 369 APIs
(lab) 🐱 > set secretkey ClXRTtg1OmA392zs3lg3nbW7iuxPh6wRuAoEJWCf5ZbAMJ8w2C_NvyDkYm8E0qzlyNoBKOj-azziR3lerg5K0
(lab) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

@weizhouapache
Member

@shwstppr
If in .cmk/config the apikey and secretkey are wrong, but username and password are correct, will it work?

@shwstppr
Contributor Author

shwstppr commented Aug 7, 2025

@weizhouapache no. I think that is the issue @ingox was mentioning.
Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring to.

@weizhouapache
Member

@weizhouapache no. I think that is the issue @ingox was mentioning.

Yes, it is the issue that @ingox reported. It seems like @DaanHoogland and @ingox have agreed it is a bash issue.

Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/pass, which could be problematic for the use case Ingo was referring.

my understanding is a bit different.
If users use -s or -k or "set apikey" or "set secretkey", do not load any profiles in the config file, or clean the existing profile.
Otherwise, load the profile in config file. if apikey/secretkey are wrong in config file, then use username and password instead.

@shwstppr
Contributor Author

shwstppr commented Aug 8, 2025

Thanks @weizhouapache. I don't have a strong opinion either way, so I'm happy to close this if we have agreement, it should work as it is.

@shwstppr shwstppr closed this Aug 8, 2025
@shwstppr shwstppr reopened this Aug 8, 2025

github-actions bot commented Aug 8, 2025

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 22, 2025)

@rohityadavcloud rohityadavcloud added this to the 6.5.0 milestone Aug 11, 2025
@DaanHoogland
Contributor

DaanHoogland commented Aug 12, 2025

@shwstppr work kind of like expected. I have one functional concern though:

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey 
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey plplpl
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set secretkey plplpl
(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature
(randy) 🐱 > set secretkey
(randy) 🐱 > sync
Discovered 877 APIs

As you can see above, setting only a “wrong” APIkey does not stop me from logging in. Is that what we want? I think this does not address all of @ingox's concern. In this way we can still fool ourselves.

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k plpl
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <bad key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs

when not using a profile as the basis it works as expected btw:

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <good key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <bad key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

What do you think about my comment here? In short, I would expect any configured credentials to be ignored once the CLI contains any credentials.

@shwstppr
Contributor Author

@DaanHoogland I think this needs a bit more discussion. I agree that if valid credentials are available, any invalid ones should be ignored. However, the use case @ingox raised is also valid.

One option is to add a config flag—say, allowfallback—to toggle this behaviour. Alternatively, to keep cmk simple, we could avoid a new setting and address Ingo’s scenario with a few preparatory steps before setting keys (e.g., clear stale credentials, explicitly select the target profile, and validate with a quick API call).
cmk set profile user
cmk set username <USER_ACCOUNT_NAME>
cmk -s -k

I'm converting this to draft for now
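The credential-selection rule debated above (Wei's point that keys given via -k/-s or "set apikey"/"set secretkey" should replace the profile rather than fall back, and Ingo's concern that a failing key must not silently log in with the admin username/password from the config), sketched as an added Go example that is not CloudMonkey's own code. Credentials, Authenticate, fakeVerify and the "good-key"/"admin-pw" values are constructed for the illustration; a real client would replace verify with an API request.

```go
package main

import (
	"errors"
	"fmt"
)
// Credentials from a config-file profile or the CLI (-k/-s, "set apikey"/"set secretkey"). Constructed type.
type Credentials struct{ APIKey, SecretKey, Username, Password string }
// AuthMode records which mechanism a request ends up authenticated with.
type AuthMode string
const (
	AuthKeys     AuthMode = "keys"
	AuthPassword AuthMode = "password"
)
// ErrUnauthorized mirrors the HTTP 401 shown in the transcripts above.
var ErrUnauthorized = errors.New("HTTP 401: unable to verify user credentials and/or request signature")

// Authenticate applies the rule proposed in the thread: keys given explicitly replace the
// profile and never fall back to username/password (an incomplete pair is an error); only
// failing profile keys may fall back. verify stands in for the CloudStack API call (assumption).
func Authenticate(explicit, profile Credentials, verify func(Credentials, AuthMode) error) (AuthMode, error) {
	if explicit.APIKey != "" || explicit.SecretKey != "" {
		if explicit.APIKey == "" || explicit.SecretKey == "" {
			return "", ErrUnauthorized // one key only: never switch silently to a password login
		}
		if err := verify(explicit, AuthKeys); err != nil {
			return "", err
		}
		return AuthKeys, nil
	}
	if profile.APIKey != "" && profile.SecretKey != "" && verify(profile, AuthKeys) == nil {
		return AuthKeys, nil
	}
	if profile.Username != "" && profile.Password != "" && verify(profile, AuthPassword) == nil {
		return AuthPassword, nil
	}
	return "", ErrUnauthorized
}

// fakeVerify accepts one constructed key pair and one constructed admin password.
func fakeVerify(c Credentials, mode AuthMode) error {
	if (mode == AuthKeys && c.APIKey == "good-key" && c.SecretKey == "good-secret") ||
		(mode == AuthPassword && c.Username == "admin" && c.Password == "admin-pw") {
		return nil
	}
	return ErrUnauthorized
}
func main() {
	profile := Credentials{APIKey: "stale", SecretKey: "stale", Username: "admin", Password: "admin-pw"}
	fmt.Println(Authenticate(Credentials{APIKey: "plplpl"}, profile, fakeVerify)) // empty mode and the 401
}
```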

@shwstppr shwstppr marked this pull request as draft August 12, 2025 10:00
Successfully merging this pull request may close these issues.

Credential fall back