Respect BROWSER environment variable in "auth login" command (#3659)

## Changes

Respect the `BROWSER` environment variable for the OAuth login flow.
When set, the value is used as executable to launch the URL to
authenticate the user. When set to "none", the CLI prints a message with
the URL to open. When not set, it defers to the existing logic to open a
browser via the `pkg/browser` package.

## Why

Context in:
* #3464
* databricks/databricks-vscode#1764

Also refer to issues linked in the description of these issues for
broader context, and why `pkg/browser` doesn't respect `BROWSER` itself.
It boils down to it not being a ratified standard.

We choose to respect it to make the interactive login flow from VS Code
running in a dev container work.

## Tests

New acceptance test that goes through the login flow via the test
server.

Author: pietern

acceptance/bin/browser.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+"""
+This script fetches a URL.
+It follows redirects if applicable.
+
+Usage: browser.py <url>
+"""
+
+import urllib.request
+import sys
+
+if len(sys.argv) < 2:
+    sys.stderr.write("Usage: browser.py <url>\n")
+    sys.exit(1)
+
+url = sys.argv[1]
+try:
+    response = urllib.request.urlopen(url)
+    if response.status != 200:
+        sys.stderr.write(f"Failed to fetch URL: {url} (status {response.status})\n")
+        sys.exit(1)
+except Exception as e:
+    sys.stderr.write(f"Failed to fetch URL: {url} ({e})\n")
+    sys.exit(1)
+
+sys.exit(0)

acceptance/cmd/auth/login/out.databrickscfg

@@ -0,0 +1,6 @@
+; The profile defined in the DEFAULT section is to be used as a fallback when no profile is explicitly specified.
+[DEFAULT]
+
+[test]
+host      = [DATABRICKS_URL]
+auth_type = databricks-cli

acceptance/cmd/auth/login/out.test.toml

@@ -0,0 +1,7 @@
+
+>>> [CLI] auth login --host [DATABRICKS_URL] --profile test
+Profile test was successfully saved
+
+>>> [CLI] auth profiles
+Name  Host                    Valid
+test  [DATABRICKS_URL]  YES

acceptance/cmd/auth/login/output.txt

@@ -0,0 +1,11 @@
+sethome "./home"
+
+# Use a fake browser that performs a GET on the authorization URL
+# and follows the redirect back to localhost.
+export BROWSER="browser.py"
+
+trace $CLI auth login --host $DATABRICKS_HOST --profile test
+trace $CLI auth profiles
+
+# Track the .databrickscfg file that was created to surface changes.
+mv "./home/.databrickscfg" "./out.databrickscfg"

acceptance/cmd/auth/login/script

@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]

acceptance/cmd/auth/login/test.toml

@@ -97,3 +97,14 @@ envsubst() {
 print_telemetry_bool_values() {
     jq -r 'select(.path? == "/telemetry-ext") | (.body.protoLogs // [])[] | fromjson | ( (.entry // .) | (.databricks_cli_log.bundle_deploy_event.experimental.bool_values // []) ) | map("\(.key) \(.value)") | .[]' out.requests.txt | sort
 }
+
+sethome() {
+    local home="$1"
+    mkdir -p "$home"
+
+    # For macOS and Linux, use HOME.
+    export HOME="$home"
+
+    # For Windows, use USERPROFILE.
+    export USERPROFILE="$home"
+}

acceptance/script.prepare

@@ -14,9 +14,12 @@ import (
 	"github.com/databricks/cli/libs/databrickscfg"
 	"github.com/databricks/cli/libs/databrickscfg/cfgpickers"
 	"github.com/databricks/cli/libs/databrickscfg/profile"
+	"github.com/databricks/cli/libs/env"
+	"github.com/databricks/cli/libs/exec"
 	"github.com/databricks/databricks-sdk-go"
 	"github.com/databricks/databricks-sdk-go/config"
 	"github.com/databricks/databricks-sdk-go/credentials/u2m"
+	browserpkg "github.com/pkg/browser"
 	"github.com/spf13/cobra"
 )
 
@@ -136,7 +139,11 @@ depends on the existing profiles you have set in your configuration file
 		if err != nil {
 			return err
 		}
-		persistentAuth, err := u2m.NewPersistentAuth(ctx, u2m.WithOAuthArgument(oauthArgument))
+		persistentAuthOpts := []u2m.PersistentAuthOption{
+			u2m.WithOAuthArgument(oauthArgument),
+		}
+		persistentAuthOpts = append(persistentAuthOpts, u2m.WithBrowser(getBrowserFunc(cmd)))
+		persistentAuth, err := u2m.NewPersistentAuth(ctx, persistentAuthOpts...)
 		if err != nil {
 			return err
 		}
@@ -288,3 +295,38 @@ func loadProfileByName(ctx context.Context, profileName string, profiler profile
 	}
 	return nil, nil
 }
+
+// getBrowserFunc returns a function that opens the given URL in the browser.
+// It respects the BROWSER environment variable:
+// - empty string: uses the default browser
+// - "none": prints the URL to stdout without opening a browser
+// - custom command: executes the specified command with the URL as argument
+func getBrowserFunc(cmd *cobra.Command) func(url string) error {
+	browser := env.Get(cmd.Context(), "BROWSER")
+	switch browser {
+	case "":
+		return browserpkg.OpenURL
+	case "none":
+		return func(url string) error {
+			fmt.Fprintf(cmd.OutOrStdout(), "Please open %s in the browser to continue authentication\n", url)
+			return nil
+		}
+	default:
+		return func(url string) error {
+			// Run the browser command via a shell.
+			// It can be a script or a binary and scripts cannot be executed directly on Windows.
+			e, err := exec.NewCommandExecutor(".")
+			if err != nil {
+				return err
+			}
+
+			e.WithInheritOutput()
+			cmd, err := e.StartCommand(cmd.Context(), fmt.Sprintf("%q %q", browser, url))
+			if err != nil {
+				return err
+			}
+
+			return cmd.Wait()
+		}
+	}
+}

cmd/auth/login.go

@@ -0,0 +1,60 @@
+package testserver
+
+import (
+	"net/http"
+	"net/url"
+)
+
+// FakeOidc holds OAuth state for acceptance tests.
+type FakeOidc struct {
+	url string
+}
+
+func (s *FakeOidc) OidcEndpoints() Response {
+	return Response{
+		Body: map[string]string{
+			"authorization_endpoint": s.url + "/oidc/v1/authorize",
+			"token_endpoint":         s.url + "/oidc/v1/token",
+		},
+	}
+}
+
+func (s *FakeOidc) OidcAuthorize(req Request) Response {
+	redirectURI, err := url.Parse(req.URL.Query().Get("redirect_uri"))
+	if err != nil {
+		return Response{
+			StatusCode: http.StatusBadRequest,
+			Body:       err.Error(),
+		}
+	}
+
+	// Compile query parameters for the redirect URL.
+	q := make(url.Values)
+
+	// Include an opaque authorization code that will be used to exchange for a token.
+	q.Set("code", "oauth-code")
+
+	// Include the state parameter from the original request.
+	q.Set("state", req.URL.Query().Get("state"))
+
+	// Update the redirect URI with the new query parameters.
+	redirectURI.RawQuery = q.Encode()
+
+	return Response{
+		StatusCode: http.StatusMovedPermanently,
+		Headers: map[string][]string{
+			"Location": {redirectURI.String()},
+		},
+	}
+}
+
+func (s *FakeOidc) OidcToken(req Request) Response {
+	return Response{
+		Body: map[string]string{
+			"access_token": "oauth-token",
+			"expires_in":   "3600",
+			"scope":        "all-apis",
+			"token_type":   "Bearer",
+		},
+	}
+}

libs/testserver/fake_oidc.go

@@ -204,19 +204,15 @@ func AddDefaultHandlers(server *Server) {
 	})
 
 	server.Handle("GET", "/oidc/.well-known/oauth-authorization-server", func(_ Request) any {
-		return map[string]string{
-			"authorization_endpoint": server.URL + "oidc/v1/authorize",
-			"token_endpoint":         server.URL + "/oidc/v1/token",
-		}
+		return server.fakeOidc.OidcEndpoints()
 	})
 
-	server.Handle("POST", "/oidc/v1/token", func(_ Request) any {
-		return map[string]string{
-			"access_token": "oauth-token",
-			"expires_in":   "3600",
-			"scope":        "all-apis",
-			"token_type":   "Bearer",
-		}
+	server.Handle("GET", "/oidc/v1/authorize", func(req Request) any {
+		return server.fakeOidc.OidcAuthorize(req)
+	})
+
+	server.Handle("POST", "/oidc/v1/token", func(req Request) any {
+		return server.fakeOidc.OidcToken(req)
 	})
 
 	server.Handle("POST", "/telemetry-ext", func(_ Request) any {