bosh_cli 1.2980.0 → 1.2981.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b746e2346f147c8bcb5ab4e32ffd42ee2068ba5e
-  data.tar.gz: e272f8007bfb9d325d11cbcc055ca082c9288a6b
+  metadata.gz: a8e1d3bf5c54dd7d88ea097bc989c0fee02b2481
+  data.tar.gz: 52c1003f0a7f996c73e66987953a4087e58ccca8
 SHA512:
-  metadata.gz: 9ceffbe0e4a7eae7b9cecd7db1a1813fd41c72506f38f459628d7b63782472e9e42ca30145fbc70093a3652320e9856e92c3e34802867aa7fef9558d18ca2a76
-  data.tar.gz: 4d2aeedcdaa87c14c0d48ea9422e184dda6872b506c4348e8f6eb8176fc241d838bd5fbf08344b52a337d9cc990890add37c5d3511fb3eff2e0430ef2a514c0b
+  metadata.gz: 9c16af5b713b12caa76ad0711b80905d9cfca32cb24fbf6f57a94bfd3588425b58c9aed8ef7b817ac91c466e6f5a04176fcc5a04ed61fb08527f1bd83b6af19f
+  data.tar.gz: 3cdbb9050100b5f0ee45ce0ac2c957f682072aca593fcbe08ac29ad337433a203392110760ba156447086915a53f6cd3a4ee0b66bffb9a2af3b5d372539ff3c4

data/lib/cli.rb

@@ -107,6 +107,9 @@ require 'cli/command_handler'
 require 'cli/runner'
 require 'cli/base_command'
 
+require 'cli/client/uaa/token_provider'
+require 'cli/client/uaa/auth_info'
+
 tmpdir = Dir.mktmpdir
 at_exit { FileUtils.rm_rf(tmpdir) }
 ENV['TMPDIR'] = tmpdir

data/lib/cli/base_command.rb

@@ -1,5 +1,3 @@
-# Copyright (c) 2009-2012 VMware, Inc.
-
 module Bosh::Cli
   module Command
     class Base
@@ -102,11 +100,15 @@ module Bosh::Cli
       end
 
       def credentials
-        auth_token = config.token(target)
-        return Bosh::Cli::Client::UaaCredentials.new(auth_token) if auth_token
+        director_client = Client::Director.new(target)
+        auth_info = Client::Uaa::AuthInfo.new(director_client, ENV, config.ca_cert(target))
+        token_decoder = Client::Uaa::TokenDecoder.new
+        uaa_token_provider = Client::Uaa::TokenProvider.new(auth_info, config, token_decoder, target)
+        auth_token = uaa_token_provider.token
+        return Client::UaaCredentials.new(auth_token) if auth_token
 
         if username && password
-          return Bosh::Cli::Client::BasicCredentials.new(username, password)
+          return Client::BasicCredentials.new(username, password)
         end
 
         nil

data/lib/cli/client/uaa/access_info.rb

@@ -2,7 +2,66 @@ module Bosh
   module Cli
     module Client
       module Uaa
-        class AccessInfo < Struct.new(:username, :token); end
+        class AccessInfo
+          EXPIRATION_DEADLINE_IN_SECONDS = 30
+
+          def self.from_config(config_access_token, refresh_token, token_decoder)
+            token_type, access_token = config_access_token.split(' ')
+            return nil unless token_type && access_token
+
+            token_info = CF::UAA::TokenInfo.new({
+              access_token: access_token,
+              refresh_token: refresh_token,
+              token_type: token_type,
+            })
+            new(token_info, token_decoder)
+          end
+
+          def initialize(token_info, token_decoder)
+            @token_info = token_info
+            @token_decoder = token_decoder
+          end
+
+          def auth_header
+            @token_info.auth_header
+          end
+
+          def refresh_token
+            @token_info.info[:refresh_token] || @token_info.info['refresh_token']
+          end
+
+          def was_issued_for?(other_username)
+            username == other_username
+          end
+
+          def expires_soon?
+            expiration = token_data[:exp] || token_data['exp']
+            (Time.at(expiration).to_i - Time.now.to_i) < EXPIRATION_DEADLINE_IN_SECONDS
+          end
+
+          def token_data
+            @token_data ||= @token_decoder.decode(@token_info)
+          end
+
+          def to_hash
+            {
+              'access_token' => auth_header,
+              'refresh_token' => refresh_token
+            }
+          end
+        end
+
+        class ClientAccessInfo < AccessInfo
+          def username
+            token_data['client_id']
+          end
+        end
+
+        class PasswordAccessInfo < AccessInfo
+          def username
+            token_data['user_name']
+          end
+        end
       end
     end
   end

data/lib/cli/client/uaa/auth_info.rb

@@ -0,0 +1,54 @@
+require 'cli/errors'
+
+module Bosh
+  module Cli
+    module Client
+      module Uaa
+        class AuthInfo
+          class ValidationError < Bosh::Cli::CliError; end
+
+          attr_reader :ssl_ca_file, :client_id, :client_secret
+
+          def initialize(director, env, ssl_ca_file)
+            @director = director
+            @client_id, @client_secret = env['BOSH_CLIENT'], env['BOSH_CLIENT_SECRET']
+            @ssl_ca_file = ssl_ca_file
+          end
+
+          def client_auth?
+            !@client_id.nil? && !@client_secret.nil?
+          end
+
+          def uaa?
+            auth_info['type'] == 'uaa'
+          end
+
+          def url
+            auth_info.fetch('options', {}).fetch('url', nil)
+          end
+
+          def validate!
+            return unless uaa?
+
+            unless URI.parse(url).instance_of?(URI::HTTPS)
+              raise ValidationError.new('HTTPS protocol is required')
+            end
+          end
+
+          private
+
+          def auth_info
+            director_info.fetch('user_authentication', {})
+          end
+
+          def director_info
+            @director_info ||= @director.get_status
+          rescue Bosh::Cli::AuthError
+            {}
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/cli/client/uaa/client.rb

@@ -0,0 +1,61 @@
+require 'uaa'
+require 'uri'
+require 'cli/client/uaa/client_token_issuer'
+require 'cli/client/uaa/password_token_issuer'
+require 'cli/client/uaa/token_decoder'
+
+module Bosh
+  module Cli
+    module Client
+      module Uaa
+        class Client
+          def initialize(target, auth_info, config)
+            @target = target
+            token_decoder = TokenDecoder.new
+            if auth_info.client_auth?
+              token_issuer = ClientTokenIssuer.new(auth_info, token_decoder)
+            else
+              token_issuer = PasswordTokenIssuer.new(auth_info, token_decoder)
+            end
+            @ssl_ca_file = auth_info.ssl_ca_file
+            @token_issuer = token_issuer
+            @config = config
+          end
+
+          def prompts
+            @token_issuer.prompts
+          rescue CF::UAA::SSLException => e
+            raise e unless @ssl_ca_file.nil?
+            err('Invalid SSL Cert. Use --ca-cert option when setting target to specify SSL certificate')
+          end
+
+          def access_info(prompt_responses)
+            with_save { @token_issuer.access_info(prompt_responses) }
+          rescue CF::UAA::TargetError => e
+            err("Failed to log in: #{e.info['error_description']}")
+          rescue CF::UAA::BadResponse
+            nil
+          end
+
+          def refresh(access_info)
+            with_save { @token_issuer.refresh(access_info) }
+          rescue CF::UAA::TargetError
+            nil
+          end
+
+          private
+
+          def with_save
+            access_info = yield
+            if access_info.auth_header
+              @config.set_credentials(@target, access_info.to_hash)
+              @config.save
+            end
+
+            access_info
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cli/client/uaa/client_token_issuer.rb

@@ -1,10 +1,12 @@
+require 'cli/client/uaa/access_info'
+
 module Bosh
   module Cli
     module Client
       module Uaa
         class ClientTokenIssuer
-          def initialize(options, token_decoder)
-            @token_issuer = CF::UAA::TokenIssuer.new(options.url, options.client_id, options.client_secret, {ssl_ca_file: options.ssl_ca_file})
+          def initialize(auth_info, token_decoder)
+            @auth_info = auth_info
             @token_decoder = token_decoder
           end
 
@@ -13,13 +15,26 @@ module Bosh
           end
 
           def access_info(_)
-            token = @token_issuer.client_credentials_grant
-            decoded = @token_decoder.decode(token)
+            @auth_info.validate!
+
+            token = token_issuer.client_credentials_grant
+            ClientAccessInfo.new(token, @token_decoder)
+          end
+
+          def refresh(_)
+            # For client credentials there is no refresh token, so obtain access token again
+            access_info(_)
+          end
 
-            username = decoded['client_id'] if decoded
+          private
 
-            access_token = "#{token.info['token_type']} #{token.info['access_token']}"
-            AccessInfo.new(username, access_token)
+          def token_issuer
+            @token_issuer ||= CF::UAA::TokenIssuer.new(
+              @auth_info.url,
+              @auth_info.client_id,
+              @auth_info.client_secret,
+              { ssl_ca_file: @auth_info.ssl_ca_file }
+            )
           end
         end
       end

data/lib/cli/client/uaa/password_token_issuer.rb

@@ -18,15 +18,15 @@ module Bosh
             end
           end
 
-          def access_info(credentials)
-            credentials = credentials.select { |_, c| !c.empty? }
+          def access_info(prompt_responses)
+            credentials = prompt_responses.select { |_, c| !c.empty? }
             token = @token_issuer.owner_password_credentials_grant(credentials)
-            decoded = @token_decoder.decode(token)
-
-            username = decoded['user_name'] if decoded
-            access_token = "#{token.info['token_type']} #{token.info['access_token']}"
+            PasswordAccessInfo.new(token, @token_decoder)
+          end
 
-            AccessInfo.new(username, access_token)
+          def refresh(access_info)
+            token = @token_issuer.refresh_token_grant(access_info.refresh_token)
+            PasswordAccessInfo.new(token, @token_decoder)
           end
         end
       end

data/lib/cli/client/uaa/token_decoder.rb

@@ -4,8 +4,9 @@ module Bosh
       module Uaa
         class TokenDecoder
           def decode(token)
+            access_token = token.info['access_token'] || token.info[:access_token]
             CF::UAA::TokenCoder.decode(
-              token.info['access_token'],
+              access_token,
               {verify: false}, # token signature not verified because CLI doesn't have the secret key
               nil, nil)
           end

data/lib/cli/client/uaa/token_provider.rb

@@ -0,0 +1,70 @@
+require 'cli/client/uaa/client'
+
+module Bosh
+  module Cli
+    module Client
+      module Uaa
+        class TokenProvider
+          def initialize(auth_info, config, token_decoder, target)
+            @auth_info = auth_info
+            @config = config
+            @token_decoder = token_decoder
+            @target = target
+          end
+
+          def token
+            config_access_token = @config.access_token(@target)
+
+            if @auth_info.client_auth?
+              access_info = client_access_info(config_access_token)
+            else
+              access_info = password_access_info(config_access_token)
+            end
+
+            access_info.auth_header if access_info
+          end
+
+          private
+
+          def uaa_client
+            @uaa_client ||= Bosh::Cli::Client::Uaa::Client.new(@target, @auth_info, @config)
+          end
+
+          def client_access_info(config_access_token)
+            unless config_access_token
+              return uaa_client.access_info({})
+            end
+
+            access_info = ClientAccessInfo.from_config(config_access_token, nil, @token_decoder)
+            return nil unless access_info
+
+            if access_info.was_issued_for?(@auth_info.client_id)
+              return refresh_if_needed(access_info)
+            end
+            uaa_client.access_info({})
+          end
+
+          def password_access_info(config_access_token)
+            return nil unless config_access_token
+
+            access_info = PasswordAccessInfo.from_config(config_access_token, @config.refresh_token(@target), @token_decoder)
+            return nil unless access_info
+
+            refresh_if_needed(access_info)
+          end
+
+          def refresh_if_needed(access_info)
+            if access_info.expires_soon?
+              uaa_client.refresh(access_info)
+            else
+              access_info
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+
+

data/lib/cli/commands/login.rb

@@ -1,7 +1,6 @@
 require 'cli/basic_login_strategy'
 require 'cli/uaa_login_strategy'
-require 'cli/client/uaa'
-require 'cli/client/uaa/options'
+require 'cli/client/uaa/client'
 require 'cli/terminal'
 
 module Bosh::Cli::Command
@@ -12,11 +11,10 @@ module Bosh::Cli::Command
         'The username and password can also be ' +
         'set in the BOSH_USER and BOSH_PASSWORD ' +
         'environment variables.'
-    option '--ca-cert FILE', String, 'Path to client certificate provided to UAA server'
     def login(username = nil, password = nil)
       target_required
 
-      login_strategy(director_info).login(target, username.to_s, password.to_s)
+      login_strategy(director).login(target, username.to_s, password.to_s)
     end
 
     # bosh logout
@@ -31,25 +29,18 @@ module Bosh::Cli::Command
 
     private
 
-    def director_info
-      director.get_status
-    rescue Bosh::Cli::AuthError
-      {}
-    end
-
-    def login_strategy(director_info)
+    def login_strategy(director)
       terminal = Bosh::Cli::Terminal.new(HighLine.new, BoshExtensions)
-      auth_info = director_info.fetch('user_authentication', {})
+      auth_info = Bosh::Cli::Client::Uaa::AuthInfo.new(director, ENV, config.ca_cert)
 
-      if auth_info['type'] == 'uaa'
-        client_options = Bosh::Cli::Client::Uaa::Options.parse(options, auth_info['options'], ENV)
-        uaa = Bosh::Cli::Client::Uaa::Client.new(client_options)
-        Bosh::Cli::UaaLoginStrategy.new(terminal, uaa, config, interactive?)
+      if auth_info.uaa?
+        uaa_client = Bosh::Cli::Client::Uaa::Client.new(target, auth_info, config)
+        Bosh::Cli::UaaLoginStrategy.new(terminal, uaa_client, interactive?)
       else
         Bosh::Cli::BasicLoginStrategy.new(terminal, director, config, interactive?)
       end
 
-      rescue Bosh::Cli::Client::Uaa::Options::ValidationError => e
+      rescue Bosh::Cli::Client::Uaa::AuthInfo::ValidationError => e
         err("Failed to connect to UAA: #{e.message}")
     end
   end

data/lib/cli/commands/misc.rb

@@ -83,11 +83,6 @@ module Bosh::Cli::Command
       end
 
       director_url = normalize_url(director_url)
-      if target && director_url == normalize_url(target)
-        say("Target already set to `#{target_name.make_green}'")
-        return
-      end
-
       director = Bosh::Cli::Client::Director.new(director_url)
 
       begin
@@ -104,6 +99,13 @@ module Bosh::Cli::Command
       config.target_version = status["version"]
       config.target_uuid = status["uuid"]
 
+      old_ca_cert_path = config.ca_cert
+      expanded_ca_cert_path = config.save_ca_cert_path(options[:ca_cert])
+      if old_ca_cert_path != expanded_ca_cert_path
+        say("Updating certificate file path to `#{expanded_ca_cert_path.to_s.make_green}'")
+        nl
+      end
+
       unless name.blank?
         config.set_alias(:target, name, director_url)
       end

data/lib/cli/config.rb

@@ -117,8 +117,14 @@ module Bosh::Cli
 
     # @param [String] target Target director url
     # @return [String] Token associated with target
-    def token(target)
-      credentials_for(target)["token"]
+    def access_token(target)
+      credentials_for(target)["access_token"]
+    end
+
+    # @param [String] target Target director url
+    # @return [String] Refresh token associated with target
+    def refresh_token(target)
+      credentials_for(target)["refresh_token"]
     end
 
     # Deployment used to be a string that was only stored for your
@@ -201,6 +207,25 @@ module Bosh::Cli
       write_global(:target_uuid, value)
     end
 
+    def ca_cert(for_target=nil)
+      if for_target
+        return @config_file.fetch('ca_cert', {}).fetch(for_target, nil)
+      end
+
+      return nil if target.nil?
+
+      @config_file.fetch('ca_cert', {}).fetch(target, nil)
+    end
+
+
+    def save_ca_cert_path(cert_path)
+      expanded_path = cert_path ? File.expand_path(cert_path) : nil
+      @config_file['ca_cert'] ||= {}
+      @config_file['ca_cert'][target] = expanded_path
+
+      expanded_path
+    end
+
     # Read the max parallel downloads configuration.
     #
     # @return [Integer] The maximum number of parallel downloads

data/lib/cli/uaa_login_strategy.rb

@@ -4,17 +4,16 @@ require 'cli/errors'
 module Bosh
   module Cli
     class UaaLoginStrategy
-      def initialize(terminal, uaa, config, interactive)
+      def initialize(terminal, uaa_client, interactive)
         @terminal = terminal
-        @uaa = uaa
-        @config = config
+        @uaa_client = uaa_client
         @interactive = interactive
       end
 
       def login(target, username = nil, password = nil)
         if @interactive
           credentials = {}
-          @uaa.prompts.map do |prompt|
+          @uaa_client.prompts.map do |prompt|
             if prompt.password?
               credentials[prompt.field] = @terminal.ask_password("#{prompt.display_text}: ")
             else
@@ -22,13 +21,8 @@ module Bosh
             end
           end
 
-          if access_info = @uaa.login(credentials)
+          if access_info = @uaa_client.access_info(credentials)
             @terminal.say_green("Logged in as `#{access_info.username}'")
-
-            if access_info.token
-              @config.set_credentials(target, { 'token' => access_info.token })
-              @config.save
-            end
           else
             err('Failed to log in')
           end

data/lib/cli/version.rb

@@ -1,5 +1,5 @@
 module Bosh
   module Cli
-    VERSION = '1.2980.0'
+    VERSION = '1.2981.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bosh_cli
 version: !ruby/object:Gem::Version
-  version: 1.2980.0
+  version: 1.2981.0
 platform: ruby
 authors:
 - VMware
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-02 00:00:00.000000000 Z
+date: 2015-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bosh_common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
 - !ruby/object:Gem::Dependency
   name: bosh-template
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
 - !ruby/object:Gem::Dependency
   name: cf-uaa-lib
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2980.0
+        version: 1.2981.0
 - !ruby/object:Gem::Dependency
   name: net-ssh
   requirement: !ruby/object:Gem::Requirement
@@ -306,7 +306,7 @@ dependencies:
         version: '0'
 description: |-
   BOSH CLI
-  cb6c5e
+  4246cc
 email: support@cloudfoundry.com
 executables:
 - bosh
@@ -328,13 +328,14 @@ files:
 - lib/cli/client/credentials.rb
 - lib/cli/client/director.rb
 - lib/cli/client/errands_client.rb
-- lib/cli/client/uaa.rb
 - lib/cli/client/uaa/access_info.rb
+- lib/cli/client/uaa/auth_info.rb
+- lib/cli/client/uaa/client.rb
 - lib/cli/client/uaa/client_token_issuer.rb
-- lib/cli/client/uaa/options.rb
 - lib/cli/client/uaa/password_token_issuer.rb
 - lib/cli/client/uaa/prompt.rb
 - lib/cli/client/uaa/token_decoder.rb
+- lib/cli/client/uaa/token_provider.rb
 - lib/cli/cloud_config.rb
 - lib/cli/command_discovery.rb
 - lib/cli/command_handler.rb

data/lib/cli/client/uaa.rb

@@ -1,41 +0,0 @@
-require 'uaa'
-require 'uri'
-require 'cli/client/uaa/client_token_issuer'
-require 'cli/client/uaa/password_token_issuer'
-require 'cli/client/uaa/token_decoder'
-
-module Bosh
-  module Cli
-    module Client
-      module Uaa
-        class Client
-          def initialize(options)
-            token_decoder = TokenDecoder.new
-            if options.client_auth?
-              token_issuer = ClientTokenIssuer.new(options, token_decoder)
-            else
-              token_issuer = PasswordTokenIssuer.new(options, token_decoder)
-            end
-            @ssl_ca_file = options.ssl_ca_file
-            @token_issuer = token_issuer
-          end
-
-          def prompts
-            @token_issuer.prompts
-          rescue CF::UAA::SSLException => e
-            raise e unless @ssl_ca_file.nil?
-            err('Invalid SSL Cert. Use --ca-cert to specify SSL certificate')
-          end
-
-          def login(credentials)
-            @token_issuer.access_info(credentials)
-          rescue CF::UAA::TargetError => e
-            err("Failed to log in: #{e.info['error_description']}")
-          rescue CF::UAA::BadResponse
-            nil
-          end
-        end
-      end
-    end
-  end
-end

data/lib/cli/client/uaa/options.rb

@@ -1,34 +0,0 @@
-require 'cli/errors'
-
-module Bosh
-  module Cli
-    module Client
-      module Uaa
-        class Options < Struct.new(:url, :ssl_ca_file, :client_id, :client_secret)
-          class ValidationError < Bosh::Cli::CliError; end
-
-          def self.parse(cli_options, auth_options, env)
-            url = auth_options.fetch('url')
-            ssl_ca_file = cli_options[:ca_cert]
-            client_id, client_secret = env['BOSH_CLIENT'], env['BOSH_CLIENT_SECRET']
-
-            options = new(url, ssl_ca_file, client_id, client_secret)
-            options.validate!
-            options
-          end
-
-          def client_auth?
-            !client_id.nil? && !client_secret.nil?
-          end
-
-          def validate!
-            unless URI.parse(url).instance_of?(URI::HTTPS)
-              raise ValidationError.new('HTTPS protocol is required')
-            end
-          end
-        end
-      end
-    end
-  end
-end
-