Commit Graph

36 Commits

Author SHA1 Message Date
Martin Atkins
e1fb26de94 svchost/disco: Disco.CredentialsSource
Previously we allowed access to the credentials store only indirectly
through the Disco object, and that's fine for callers that only need to
_read_ credentials, but more specialized callers like "terraform login"
and "terraform logout" need more information in order to be transparent
to the user about what they are going to do and where the credentials
are going to be stored.
2019-08-30 10:57:17 -07:00
Martin Atkins
bc9756882e svchost/disco: Tolerate unpopulated OAuth endpoints
A server is allowed to omit AuthorizationURL if it's using the "password"
grant type, and other future grant type implementations may have similar
accommodations.
2019-08-30 09:39:07 -07:00
Martin Atkins
1e2da4f776 command/cliconfig: New CredentialsSource implementation
This new implementation is not yet used, but should eventually replace the
technique of composing together various types from the svchost/auth
package, since our requirements are now complex enough that they're more
straightforward to express in direct code within a single type than as
a composition of the building blocks in the svchost/auth package.
2019-08-23 11:57:11 -07:00
Martin Atkins
ec8dadcfa9 svchost/auth: store and forget operations for helper programs
This introduces two new verbs to the credentials helper protocol to store
and forget credentials, and uses them to implement StoreForHost and
ForgetForHost.
2019-08-23 11:57:11 -07:00
Martin Atkins
821d0401bc svchost/auth: New API for storing and forgetting credentials
This new functionality will be used as part of implementing the
"terraform login" and "terraform logout" commands.

As of this commit, the storage codepaths are all just stubs. Subsequent
commits will implement these new methods for each of the different
physical credentials sources.
2019-08-23 11:57:11 -07:00
Martin Atkins
31a9790080 svchost/disco: Allow oauth client services to specify grant types
Previously we just assumed support for the authorization code grant type,
but now we'll allow the host to declare which grant types it supports
to allow for more flexibility in host login implementations. We may extend
the set of supported grant types in future.
2019-08-22 14:01:44 -07:00
Martin Atkins
5590efcd33 svchost/disco: Allow services that act as OAuth clients
The OAuth specification requires several distinct arguments to be provided
to configure a client, rather than just a URL. To accommodate this, we'll
add a new method to the service discovery API to retrieve OAuth client
information in a Terraform-specific form. (The OAuth specification itself
considers this out of scope, because most OAuth clients are configured
by just hard-coding these settings into them for a particular remote
service.)
2019-08-22 14:01:44 -07:00
Pam Selle
9631e4c73d Merge pull request #20571 from sergkondr/fix_misspelling
fix misspelling
2019-08-13 17:13:13 -04:00
Radek Simko
5b9f2fafc8 Standardise directory name for test data 2019-06-30 10:16:15 +02:00
Sergey Kondrashov
43e7a7b552 fix misspelling 2019-03-05 16:12:52 +03:00
Sander van Harmelen
47a00ea34b backend/remote: cleanup test connections
Cleanup test connection to prevent file descriptor issues when running the tests on a Mac.
2019-02-07 09:55:19 +01:00
Radek Simko
bd37eda076 disco: Set transport early (during initialization) 2019-01-28 11:04:56 +00:00
Sander van Harmelen
1e4c20686e backend/remote: make sure we show the correct error
Previously we would show two errors when there was a version constraint
error. But of course one is enough.
2019-01-23 15:09:42 +01:00
Sander van Harmelen
8f04e93739 backend/remote: return detailed incompatibility info 2018-12-14 21:11:41 +01:00
Sander van Harmelen
268c0f85ce Add a method to retrieve version constraints 2018-12-14 12:17:31 +01:00
Sander van Harmelen
a5a2156584 core: enhance service discovery
This PR improves the error handling so we can provide better feedback about any service discovery errors that occurred.

Additionally it adds logic to test for specific versions when discovering a service using `service.vN`. This will enable more informational errors which can indicate any version incompatibilities.
2018-12-10 20:52:05 +01:00
Outsider
a2cb579d1b svchost: test for hostname starting with a numeric character
Signed-off-by: Outsider <outsideris@gmail.com>
2018-10-25 09:02:28 -07:00
Sander van Harmelen
179b32d426 Add a CredentialsForHost method to disco.Disco
By adding this method you now only have to pass a `*disco.Disco` object around in order to do discovery and use any configured credentials for the discovered hosts.

Of course you can also still pass around both a `*disco.Disco` and a `auth.CredentialsSource` object if there is a need or a reason for that!
2018-08-03 11:29:11 +02:00
Sander van Harmelen
2c0c3771a9 Make sure to close the response body
And fix a few linter warnings while we're at it…
2018-06-29 16:14:54 +02:00
Paul Tyng
c868092d2d Standardize http.Client creation with User-Agent 2018-02-28 12:09:50 -05:00
Paul Tyng
344e8fca05 Relax typing to allow for http.RoundTripper 2018-02-28 11:40:17 -05:00
James Bardin
37ad172d0d extend disco timeout
Extend the discovery timeout from 4 seconds to 11 seconds. This gives a
little more time for a slow host to respond. The duration of 11s
keeps the delay reasonable, and puts it just after the default TLS
handshake timeout of 10s for easier differentiation of the error cases.
2018-01-25 17:16:28 -05:00
Masayuki Morita
f440dba137 Standardize on log level "WARN" rather than "WARNING" 2018-01-16 18:05:26 -08:00
Martin Atkins
74180229d0 svchost/disco: allow overriding discovery for a particular hostname
The default network-based discovery is not desirable for all situations,
so this mechanism allows callers to provide a services map for a given
hostname that was obtained some other way (caller-defined) which will then
cause network-based discovery to be skipped and the given map to be
returned verbatim.
2017-10-26 08:58:52 -07:00
James Bardin
e7ecec6860 add Transport field to Disco
For the same reason the disco tests need to override the http.Transport,
other test fixtures will need to as well. Provide a field to override
the default httpTransport.
2017-10-25 10:49:36 -04:00
James Bardin
36b8be43e8 use the new version package
Update all references to the version values to use the new package.
The VersionString function was left in the terraform package
specifically for the aws provider, which is vendored. We can remove that
last call once the provider is updated.
2017-10-19 21:48:08 -04:00
Martin Atkins
d5b0beac01 svchost/auth: static credentials source
This uses an in-memory table of credentials keyed on hostname. This is
the simplest possible credentials source that can actually return
credentials, and is suitable for representing statically-configured
credentials from configuration.
2017-10-19 11:18:43 -07:00
Martin Atkins
0db521a281 svchost/auth: expose a "NoCredentials" credentials source
For situations where no credentials are needed but where a working
CredentialsSource is still required, this variable provides a convenient
way to get a fully-functional-but-empty credentials source.
2017-10-19 11:18:43 -07:00
Martin Atkins
83b098344b svchost/disco: add credentials, if available, to disco requests
Although service discovery metadata is usually not sensitive, a service
host may wish to produce different results depending on the requesting
user, such as if users are migrating between two different implementations
that are both running concurrently for some period.
2017-10-19 11:18:43 -07:00
Martin Atkins
fcff4cbc95 svchost/auth: caching credentials source
This credentials source wraps another and caches its results in memory
in a map that is keyed on the request hostname.

This should ease the common case of many services operating on the same
hostname by allowing an initial set of credentials to be re-used for
subsequent requests.
2017-10-19 11:18:43 -07:00
Martin Atkins
981c95f699 svchost/auth: CredentialsSource that runs an external program
This CredentialsSource can serve as an extension point to pass credentials
from an arbitrary external system to Terraform. For example, an external
helper program could fetch limited-time credentials from HashiCorp Vault
and return them, thus avoiding the need for any static configuration to
be maintained locally (except a Vault token!).

So far there are no real programs implementing this protocol, though this
commit includes a basic implementation that we use for unit tests.
2017-10-19 11:18:43 -07:00
Martin Atkins
1b60e8fdb6 svchost/auth: HostCredentialsFromMap function
This function deals with turning a map derived from some user input
(e.g. in a config file) into a HostCredentials object, if possible. This
will be used as a standard way to specify credentials so we have a place
to add new credentials types in future and have support for those across
all of our map-based CredentialsSources.
2017-10-19 11:18:43 -07:00
Martin Atkins
43a3357473 svchost/auth: token-based HostCredentials
This is the only credentials type we support right now, which just sends
an opaque token via the "Bearer" HTTP auth scheme.
2017-10-19 11:18:43 -07:00
Martin Atkins
3c65b5dd61 svchost/auth: package for looking up credentials for service hosts
This commit establishes the primary types involved here. Subsequent
commits will add specific implementations of these interfaces.
2017-10-19 11:18:43 -07:00
Martin Atkins
6cd9a8f9c2 svchost/disco: lookup of service URLs within a discovered map
This package implements our Terraform-native Service discovery protocol,
which allows us to find the base URL for a particular service given a
hostname that was already validated and normalized by the svchost package.
2017-10-19 11:18:43 -07:00
Martin Atkins
db08ee4ac5 svchost: new package for wrangling service hostnames
We're starting to expose a number of so-called "Terraform-native services"
that can be offered under a friendly hostname. The first of these will
be module registry services, as they expand from the public
Terraform Registry to private registry services within Terraform
Enterprise and elsewhere.

This package is for wrangling these "friendly hostnames", which start
their lives as user-specified unicode strings, can be converted to
Punycode for storage and comparison, and can in turn be converted back
into normalized unicode for display to the user.
2017-10-19 11:18:43 -07:00