supporting MFA and fixed some misc issues (#48)

apigee · Aug 20, 2020 · a0d08ef · a0d08ef
1 parent 5bd533d
commit a0d08ef
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 47 deletions.
diff --git a/apigee/app.go b/apigee/app.go
@@ -15,18 +15,16 @@
 package apigee
 
 type Application struct {
-	AppID          string          `json:"appId"`
-	Attributes     []interface{}   `json:"attributes,omitempty"`
-	APIProducts    []APIProductRef `json:"apiProducts,omitempty"`
-	CallBackURL    string          `json:"callbackUrl,omitempty"`
-	CreatedAt      string          `json:"createdAt,omitempty"`
-	Credentials    []Credential    `json:"credentials,omitempty"`
-	CompanyName    string          `json:"companyName,omitempty"`
-	DeveloperID    string          `json:"developerId,omitempty"`
-	LastModifiedAt string          `json:"lastModifiedAt,omitempty"`
-	Name           string          `json:"name"`
-	Scopes         []string        `json:"scopes,omitempty"`
-	Status         string          `json:"status,omitempty"`
+	AppID       string          `json:"appId"`
+	Attributes  interface{}     `json:"attributes,omitempty"`
+	APIProducts []APIProductRef `json:"apiProducts,omitempty"`
+	CallBackURL string          `json:"callbackUrl,omitempty"`
+	Credentials []Credential    `json:"credentials,omitempty"`
+	CompanyName string          `json:"companyName,omitempty"`
+	DeveloperID string          `json:"developerId,omitempty"`
+	Name        string          `json:"name"`
+	Scopes      []string        `json:"scopes,omitempty"`
+	Status      string          `json:"status,omitempty"`
 }
 
 type Credential struct {

diff --git a/apigee/edge_client.go b/apigee/edge_client.go
@@ -29,7 +29,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"strings"
 
 	"github.com/bgentry/go-netrc/netrc"
 )
@@ -161,6 +160,9 @@ type EdgeAuth struct {
 	// Optional. Used if you explicitly specify a Password.
 	Password string
 
+	// Optional. Required if MFA (multi-factor authorization) is enabled.
+	MFAToken string
+
 	// if set to true, no auth will be set
 	SkipAuth bool
 
@@ -241,12 +243,13 @@ func NewEdgeClient(o *EdgeClientOptions) (*EdgeClient, error) {
 				Username:    o.Auth.Username,
 				Password:    o.Auth.Password,
 				BearerToken: o.Auth.BearerToken,
+				MFAToken:    o.Auth.MFAToken,
 			}
 		}
 		if e != nil {
 			return nil, e
 		}
-		if o.MgmtURL == defaultBaseURL {
+		if o.MgmtURL == defaultBaseURL || c.auth.MFAToken != "" {
 			e = c.getOAuthToken()
 			if e != nil {
 				return nil, e
@@ -265,13 +268,19 @@ func NewEdgeClient(o *EdgeClientOptions) (*EdgeClient, error) {
 }
 
 func (c *EdgeClient) getOAuthToken() error {
-	oauthFormat := `username=%s&password=%s&grant_type=password`
-	oauthData := fmt.Sprintf(oauthFormat, c.auth.Username, c.auth.Password)
-	req, err := http.NewRequest(http.MethodPost, OAuthURL, strings.NewReader(oauthData))
+	req, err := http.NewRequest(http.MethodPost, OAuthURL, nil)
 	if err != nil {
 		return err
 	}
-	req.Header.Add("Content-type", "application/x-www-form-urlencoded;charset=utf-8")
+	q := req.URL.Query()
+	q.Set("username", c.auth.Username)
+	q.Set("password", c.auth.Password)
+	q.Set("grant_type", "password")
+	if c.auth.MFAToken != "" {
+		q.Set("mfa_token", c.auth.MFAToken)
+	}
+	req.URL.RawQuery = q.Encode()
+	req.Header.Add("Content-type", "application/x-www-form-urlencoded")
 	req.Header.Add("Authorization", basicAuthHeader)
 	res, err := c.client.Do(req)
 	if err != nil {

diff --git a/cmd/bindings/bindings.go b/cmd/bindings/bindings.go
@@ -65,6 +65,8 @@ func Cmd(rootArgs *shared.RootArgs, printf shared.FormatFn) *cobra.Command {
 		"Apigee username (legacy or OPDK only)")
 	c.PersistentFlags().StringVarP(&rootArgs.Password, "password", "p", "",
 		"Apigee password (legacy or OPDK only)")
+	c.PersistentFlags().StringVarP(&rootArgs.MFAToken, "mfa", "", "",
+		"Apigee password (legacy)")
 	c.PersistentFlags().StringVarP(&rootArgs.ManagementBase, "management", "m",
 		"", "Apigee management base URL")
 
@@ -342,15 +344,15 @@ func (b *bindings) verifyAll(appMap map[string][]App, printf shared.FormatFn) er
 
 func (b *bindings) verify(p *product.APIProduct, appMap map[string][]App, printf shared.FormatFn) error {
 	if p.GetBoundTargets() == nil {
-		printf("product %s is unbound to any target, no need to verify", p.Name)
+		printf("Product %s is unbound to any target, no need to verify.", p.Name)
 		return nil
 	}
 	apps, ok := appMap[p.Name]
 	if !ok {
-		printf("no app is found associated with product %s", p.Name)
+		printf("No app is found associated with product %s.", p.Name)
 		return nil
 	}
-	printf("verifying apps associated with product %s:", p.Name)
+	printf("Verifying apps associated with product %s:", p.Name)
 	for _, app := range apps {
 		if !app.hasRemoteService {
 			return fmt.Errorf("  app %s associated with product %s is not associated with remote-service product", app.name, p.Name)

diff --git a/cmd/bindings/bindings_test.go b/cmd/bindings/bindings_test.go
@@ -225,13 +225,13 @@ func TestBindingVerifyAll(t *testing.T) {
 		t.Errorf("want no error, got: %v", err)
 	}
 	wants = []string{
-		"product /product1/ is unbound to any target, no need to verify",
-		"product /product/ is unbound to any target, no need to verify",
-		"verifying apps associated with product /product2/:",
+		"Product /product1/ is unbound to any target, no need to verify.",
+		"Product /product/ is unbound to any target, no need to verify.",
+		"Verifying apps associated with product /product2/:",
 		"  app /app1/ associated with product /product2/ is verified",
-		"verifying apps associated with product /product0/:",
+		"Verifying apps associated with product /product0/:",
 		"  app /app0/ associated with product /product0/ is verified",
-		"no app is found associated with product /product4/",
+		"No app is found associated with product /product4/.",
 	}
 	print.Check(t, wants)
 }
@@ -256,7 +256,7 @@ func TestBindingVerifyOne(t *testing.T) {
 		t.Errorf("want no error, got: %v", err)
 	}
 	wants = []string{
-		"verifying apps associated with product /product2/:",
+		"Verifying apps associated with product /product2/:",
 		"  app /app1/ associated with product /product2/ is verified",
 	}
 	print.Check(t, wants)

diff --git a/cmd/provision/provision.go b/cmd/provision/provision.go
@@ -100,6 +100,8 @@ to your organization and environment.`,
 		"Apigee username (legacy or OPDK only)")
 	c.Flags().StringVarP(&rootArgs.Password, "password", "p", "",
 		"Apigee password (legacy or OPDK only)")
+	c.Flags().StringVarP(&rootArgs.MFAToken, "mfa", "", "",
+		"Apigee password (legacy)")
 
 	c.Flags().BoolVarP(&p.forceProxyInstall, "force-proxy-install", "f", false,
 		"force new proxy install (upgrades proxy)")

diff --git a/cmd/samples/samples.go b/cmd/samples/samples.go
@@ -99,7 +99,7 @@ files related to deployment of their target services.`,
 			}
 			printf("config files successfully generated.")
 			if s.template != "native" {
-				printf("please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.")
+				printf("Please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.")
 			}
 			return nil
 		},
@@ -151,11 +151,11 @@ func (s *samples) createSampleConfigs(printf shared.FormatFn) error {
 			return err
 		}
 	} else if s.overwrite {
-		printf("overwriting the existing directory...")
+		printf("Overwriting the existing directory!")
 	} else {
 		return fmt.Errorf("output directory already exists")
 	}
-	printf("generating %s configuration files...", s.template)
+	printf("Generating %s configuration files...", s.template)
 	return s.createConfig(s.template, printf)
 }
 
@@ -196,7 +196,7 @@ func (s *samples) createConfigYaml(dir string, name string, printf shared.Format
 	if err != nil {
 		return err
 	}
-	printf("generating %s...", name)
+	printf("  generating %s...", name)
 	return tmpl.Execute(f, s)
 }
 

diff --git a/cmd/samples/samples_test.go b/cmd/samples/samples_test.go
@@ -55,8 +55,8 @@ func TestCreateNativeConfigs(t *testing.T) {
 	}
 
 	want := []string{
-		"generating native configuration files...",
-		"generating envoy-config.yaml...",
+		"Generating native configuration files...",
+		"  generating envoy-config.yaml...",
 		"config files successfully generated.",
 	}
 
@@ -91,13 +91,13 @@ func TestCreateIstioConfigsWithHttpbin(t *testing.T) {
 	}
 
 	want := []string{
-		"generating istio-1.6 configuration files...",
-		"generating apigee-envoy-adapter.yaml...",
-		"generating envoyfilter-sidecar.yaml...",
-		"generating httpbin.yaml...",
-		"generating request-authentication.yaml...",
+		"Generating istio-1.6 configuration files...",
+		"  generating apigee-envoy-adapter.yaml...",
+		"  generating envoyfilter-sidecar.yaml...",
+		"  generating httpbin.yaml...",
+		"  generating request-authentication.yaml...",
 		"config files successfully generated.",
-		"please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.",
+		"Please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.",
 	}
 
 	print.CheckPrefix(t, want)
@@ -131,12 +131,12 @@ func TestCreateIstioConfigsWithoutHttpbin(t *testing.T) {
 	}
 
 	want := []string{
-		"generating istio-1.6 configuration files...",
-		"generating apigee-envoy-adapter.yaml...",
-		"generating envoyfilter-sidecar.yaml...",
-		"generating request-authentication.yaml...",
+		"Generating istio-1.6 configuration files...",
+		"  generating apigee-envoy-adapter.yaml...",
+		"  generating envoyfilter-sidecar.yaml...",
+		"  generating request-authentication.yaml...",
 		"config files successfully generated.",
-		"please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.",
+		"Please enable istio sidecar injection on the default namespace before running kubectl apply on the directory with config files.",
 	}
 
 	print.CheckPrefix(t, want)
@@ -204,9 +204,9 @@ func TestExistingDirectoryOverwrite(t *testing.T) {
 	}
 
 	want := []string{
-		"overwriting the existing directory...",
-		"generating native configuration files...",
-		"generating envoy-config.yaml...",
+		"Overwriting the existing directory!",
+		"Generating native configuration files...",
+		"  generating envoy-config.yaml...",
 		"config files successfully generated.",
 	}
 

diff --git a/shared/shared.go b/shared/shared.go
@@ -67,6 +67,7 @@ type RootArgs struct {
 	Env                string
 	Username           string
 	Password           string
+	MFAToken           string
 	Token              string
 	NetrcPath          string
 	IsOPDK             bool
@@ -179,6 +180,7 @@ func (r *RootArgs) Resolve(skipAuth, requireRuntime bool) error {
 			Username:    r.Username,
 			Password:    r.Password,
 			BearerToken: r.Token,
+			MFAToken:    r.MFAToken,
 			SkipAuth:    skipAuth,
 		},
 		GCPManaged:         r.IsGCPManaged,
@@ -196,6 +198,9 @@ func (r *RootArgs) Resolve(skipAuth, requireRuntime bool) error {
 			}
 			return fmt.Errorf("no auth: must have username and password or a ~/.netrc entry for %s", baseURL.Host)
 		}
+		if strings.Contains(err.Error(), "oauth") { // OAuth failure
+			return fmt.Errorf("error authorizing for OAuth token: %v", err)
+		}
 		return fmt.Errorf("error initializing Edge client: %v", err)
 	}