MB-68388 Support JWTs as an auth method

Change-Id: I6a6a636cff8437eab0a9dba32f75fcc8083613af
Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/236688
Tested-by: Build Bot <build@couchbase.com>
Reviewed-by: Safian Ali <safian.ali@couchbase.com>

Author: matthallcb

cbmgr.py

@@ -193,15 +193,15 @@ def rest_initialiser(cluster_init_check=False, version_check=False, enterprise_c
     """
     def inner(fn):
         def decorator(self, opts):
-            _exit_if_errors(validate_credential_flags(opts.cluster, opts.username, opts.password, opts.client_ca,
-                                                      opts.client_ca_password, opts.client_pk, opts.client_pk_password,
-                                                      credentials_required))
+            _exit_if_errors(validate_credential_flags(opts.cluster, opts.username, opts.password, opts.auth_token,
+                                                      opts.client_ca, opts.client_ca_password, opts.client_pk,
+                                                      opts.client_pk_password, credentials_required))
 
             try:
-                self.rest = ClusterManager(opts.cluster, opts.username, opts.password, opts.ssl, opts.ssl_verify,
-                                           opts.cacert, opts.debug, client_ca=opts.client_ca,
-                                           client_ca_password=opts.client_ca_password, client_pk=opts.client_pk,
-                                           client_pk_password=opts.client_pk_password)
+                self.rest = ClusterManager(opts.cluster, opts.username, opts.password, opts.auth_token,
+                                           opts.ssl, opts.ssl_verify, opts.cacert, opts.debug,
+                                           client_ca=opts.client_ca, client_ca_password=opts.client_ca_password,
+                                           client_pk=opts.client_pk, client_pk_password=opts.client_pk_password)
             except X509AdapterError as error:
                 _exit_if_errors([f"failed to setup client certificate encryption, {error}"])
 
@@ -230,7 +230,7 @@ def decorator(self, opts):
     return inner
 
 
-def validate_credential_flags(host, username, password, client_ca, client_ca_password,
+def validate_credential_flags(host, username, password, token, client_ca, client_ca_password,
                               client_pk, client_pk_password, credentials_required: bool = True):
     """ValidateCredentialFlags - Performs validation to ensure the user has provided the flags required to connect to
     their cluster.
@@ -245,29 +245,40 @@ def validate_credential_flags(host, username, password, client_ca, client_ca_pas
             host,
             username,
             password,
+            token,
             client_ca,
             client_ca_password,
             client_pk,
             client_pk_password)
 
-    if (username is None and password is None):
+    if (username is None and password is None and token is None):
         if credentials_required is False:
             return None
 
-        return ["cluster credentials required, expected --username/--password or --client-cert/--client-key"]
+        return ["cluster credentials required, expected --username/--password, --client-cert/--client-key or "
+                "--auth-token"]
+
+    if token:
+        if username is not None or password is not None:
+            return ["expected either --username and --password or --auth-token but not both"]
+        return None
 
     if (username is None or password is None):
         return ["the --username/--password flags must be supplied together"]
 
     return None
 
 
-def validate_certificate_flags(host, username, password, client_ca, client_ca_password, client_pk, client_pk_password):
+def validate_certificate_flags(host, username, password, token, client_ca, client_ca_password, client_pk,
+                               client_pk_password):
     """Validate that the user is correctly using certificate authentication.
     """
     if username is not None or password is not None:
         return ["expected either --username and --password or --client-cert and --client-key but not both"]
 
+    if token is not None:
+        return ["expected either --auth-token or --client-cert and --client-key but not both"]
+
     if not (host.startswith("https://") or host.startswith("couchbases://")):
         return ["certificate authentication requires a secure connection, use https:// or couchbases://"]
 
@@ -970,6 +981,10 @@ def __init__(self, deprecate_username=False, deprecate_password=False, cluster_d
                                action=CBNonEchoedAction, envvar='CB_REST_PASSWORD',
                                metavar="<password>", help="The password for the Couchbase cluster")
 
+        group.add_argument("--auth-token", dest="auth_token",
+                           action=CBNonEchoedAction, envvar="CB_REST_AUTH_TOKEN", metavar="<auth-token>",
+                           help="The JWT to authenticate with this Couchbase cluster")
+
         group.add_argument("-o", "--output", dest="output", default="standard", metavar="<output>",
                            choices=["json", "standard"], help="The output type (json or standard)")
         group.add_argument("-d", "--debug", dest="debug", action="store_true",
@@ -6342,8 +6357,8 @@ def execute(self, opts):
             opts.cluster = cluster
 
             # override rest client so it uses the node to be altered
-            self.rest = ClusterManager(opts.cluster, opts.username, opts.password, opts.ssl, opts.ssl_verify,
-                                       opts.cacert, opts.debug)
+            self.rest = ClusterManager(opts.cluster, opts.username, opts.password, opts.auth_token,
+                                       opts.ssl, opts.ssl_verify, opts.cacert, opts.debug)
 
         if opts.set:
             ports, error = self._parse_ports(opts.ports)

cluster_manager.py

@@ -40,6 +40,15 @@
     VERSION = '0.0.0-0000'
 
 
+class TokenAuth(requests.auth.AuthBase):
+    def __init__(self, token):
+        self.token = token
+
+    def __call__(self, r):
+        r.headers["Authorization"] = f"Bearer {self.token}"
+        return r
+
+
 def unexpected_403_err(message):
     return f"Unexpected response for error 403: {message}"
 
@@ -86,10 +95,21 @@ def __init__(self, service):
 class ClusterManager(object):
     """A set of REST API's for managing a Couchbase cluster"""
 
-    def __init__(self, hostname, username, password, ssl_flag=False, verify_cert=True, ca_cert=True, debug=False,
-                 timeout=DEFAULT_REQUEST_TIMEOUT, client_ca: Optional[Path] = None,
-                 client_ca_password: Optional[str] = None,
-                 client_pk: Optional[Path] = None, client_pk_password: Optional[str] = None):
+    def __init__(
+            self,
+            hostname,
+            username,
+            password,
+            token=None,
+            ssl_flag=False,
+            verify_cert=True,
+            ca_cert=True,
+            debug=False,
+            timeout=DEFAULT_REQUEST_TIMEOUT,
+            client_ca: Optional[Path] = None,
+            client_ca_password: Optional[str] = None,
+            client_pk: Optional[Path] = None,
+            client_pk_password: Optional[str] = None):
         hostname = hostname.replace("couchbase://", "http://", 1)
         hostname = hostname.replace("couchbases://", "https://", 1)
 
@@ -115,8 +135,13 @@ def __init__(self, hostname, username, password, ssl_flag=False, verify_cert=Tru
             self.verify_cert = False
             self.ca_cert = False
 
-        self.username = username.encode('utf-8').decode('latin1') if username is not None else ""
-        self.password = password.encode('utf-8').decode('latin1') if password is not None else ""
+        username = username.encode('utf-8').decode('latin1') if username is not None else ""
+        password = password.encode('utf-8').decode('latin1') if password is not None else ""
+        self.auth: Any = (username, password)
+
+        if token:
+            self.auth = TokenAuth(token)
+
         self.timeout = timeout
         self.ssl = self.hostname.startswith("https://")
         self.debug = debug
@@ -3002,7 +3027,7 @@ def _get(self, url, params=None):
         if self.debug:
             print(f'GET {url} {self._url_encode_params(params)}')
 
-        return self._handle_response(self.session.get(url, params=params, auth=(self.username, self.password),
+        return self._handle_response(self.session.get(url, params=params, auth=self.auth,
                                                       verify=self.ca_cert, timeout=self.timeout, headers=self.headers))
 
     @request
@@ -3013,15 +3038,15 @@ def _post_form_encoded(self, url, params):
             else:
                 print(f'POST {url} {self._url_encode_params(params)}')
 
-        return self._handle_response(self.session.post(url, auth=(self.username, self.password), data=params,
+        return self._handle_response(self.session.post(url, auth=self.auth, data=params,
                                                        verify=self.ca_cert, timeout=self.timeout, headers=self.headers))
 
     @request
     def _post_json(self, url, params):
         if self.debug:
             print(f'POST {url} {self._json_encode_params(params)}')
 
-        return self._handle_response(self.session.post(url, auth=(self.username, self.password), json=params,
+        return self._handle_response(self.session.post(url, auth=self.auth, json=params,
                                                        verify=self.ca_cert, timeout=self.timeout, headers=self.headers))
 
     @request
@@ -3031,9 +3056,7 @@ def _patch_form_encoded(self, url, params):
 
         return self._handle_response(
             self.session.patch(
-                url, auth=(
-                    self.username,
-                    self.password),
+                url, auth=self.auth,
                 data=params,
                 verify=self.ca_cert,
                 timeout=self.timeout,
@@ -3044,7 +3067,7 @@ def _patch_json(self, url, params):
         if self.debug:
             print(f'PATCH {url} {self._json_encode_params(params)}')
 
-        return self._handle_response(self.session.patch(url, auth=(self.username, self.password), json=params,
+        return self._handle_response(self.session.patch(url, auth=self.auth, json=params,
                                                         verify=self.ca_cert, timeout=self.timeout,
                                                         headers=self.headers))
 
@@ -3053,23 +3076,23 @@ def _put(self, url, params):
         if self.debug:
             print(f'PUT {url} {self._url_encode_params(params)}')
 
-        return self._handle_response(self.session.put(url, params, auth=(self.username, self.password),
+        return self._handle_response(self.session.put(url, params, auth=self.auth,
                                                       verify=self.ca_cert, timeout=self.timeout, headers=self.headers))
 
     @request
     def _put_json(self, url, params):
         if self.debug:
             print(f'PUT {url} {self._json_encode_params(params)}')
 
-        return self._handle_response(self.session.put(url, None, auth=(self.username, self.password), json=params,
+        return self._handle_response(self.session.put(url, None, auth=self.auth, json=params,
                                                       verify=self.ca_cert, timeout=self.timeout, headers=self.headers))
 
     @request
     def _delete(self, url, params):
         if self.debug:
             print(f'DELETE {url} {self._url_encode_params(params)}')
 
-        return self._handle_response(self.session.delete(url, auth=(self.username, self.password), data=params,
+        return self._handle_response(self.session.delete(url, auth=self.auth, data=params,
                                                          verify=self.ca_cert, timeout=self.timeout,
                                                          headers=self.headers))
 

docs/modules/cli/pages/_partials/cbcli/part-common-env.adoc

@@ -9,6 +9,12 @@ CB_REST_PASSWORD::
   argument on the command line. It also allows the user to ensure that their
   password are not cached in their command line history.
 
+CB_REST_AUTH_TOKEN::
+  Specifies the JWT to authenticate with. This environment variable allows you
+  to specify a default argument for the --auth-token argument on the command
+  line. It also allows the user to ensure that their tokens are not cached
+  in their command line history.
+
 CB_CLIENT_CERT::
   The path to a client certificate used to authenticate when connecting to a
   cluster. May be supplied with `CB_CLIENT_KEY` as an alternative to the

docs/modules/cli/pages/_partials/cbcli/part-common-options.adoc

@@ -15,6 +15,12 @@ include::part-common-cluster.adoc[]
   non-echoed stdin. You may also specify your password by using the
   environment variable CB_REST_PASSWORD.
 
+--auth-token <auth-token>::
+  Specifies the JWT to authenticate with. If you do not have a user account
+  with permission to execute the command then it will fail with an unauthorized
+  error. You may also specify your token by using the environment variable
+  CB_REST_AUTH_TOKEN.
+
 --client-cert <path>::
   The path to a client certificate used to authenticate when connecting to a
   cluster. May be supplied with `--client-key` as an alternative to the

jenkins/.aspell.en.pws

@@ -112,6 +112,7 @@ ipv
 iso
 JSON
 json
+JWT
 kek
 kmip
 kms

test/test_cli.py

@@ -37,6 +37,12 @@ def test_validate_credential_flags(self):
                 "username": "username",
                 "password": "password",
             },
+            "ValidAuthToken": {
+                "auth_token":
+                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
+                    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0." +
+                    "KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+            },
             "ValidCertAuthWithHTTPS": {
                 "host": "https://localhost:8091",
                 "client_ca": "/path/to/cert",
@@ -55,6 +61,22 @@ def test_validate_credential_flags(self):
                 "password": "password",
                 "errors": ["the --username/--password flags must be supplied together"],
             },
+            "AuthTokenWithUsername": {
+                "auth_token":
+                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
+                    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0." +
+                    "KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+                "username": "username",
+                "errors": ["expected either --username and --password or --auth-token but not both"],
+            },
+            "AuthTokenWithPassword": {
+                "auth_token":
+                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
+                    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0." +
+                    "KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+                "password": "password",
+                "errors": ["expected either --username and --password or --auth-token but not both"],
+            },
             "OnlyClientCert": {
                 "host": "https://localhost:8091",
                 "client_ca": "/path/to/cert",
@@ -79,6 +101,16 @@ def test_validate_credential_flags(self):
                 "client_pk": "/path/to/key",
                 "errors": ["expected either --username and --password or --client-cert and --client-key but not both"],
             },
+            "CertAuthWithToken": {
+                "host": "https://localhost:8091",
+                "auth_token":
+                    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
+                    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0." +
+                    "KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30",
+                "client_ca": "/path/to/cert",
+                "client_pk": "/path/to/key",
+                "errors": ["expected either --auth-token or --client-cert and --client-key but not both"],
+            },
             "InsecureConnectionEmpty": {
                 "host": "",
                 "client_ca": "/path/to/cert",
@@ -140,7 +172,8 @@ def test_validate_credential_flags(self):
             },
             "NoCredentials": {
                 "host": "https://localhost:8091",
-                "errors": ["cluster credentials required, expected --username/--password or --client-cert/--client-key"],
+                "errors": ["cluster credentials required, expected --username/--password, " +
+                           "--client-cert/--client-key or --auth-token"],
             },
             "NoCredentialsAndCredentialsNotRequired": {
                 "host": "https://localhost:8091",
@@ -157,6 +190,7 @@ def value(test, key):
                     value(test, "host"),
                     value(test, "username"),
                     value(test, "password"),
+                    value(test, "auth_token"),
                     value(test, "client_ca"),
                     value(test, "client_ca_password"),
                     value(test, "client_pk"),