Previously we allowed access to the credentials store only indirectly
through the Disco object, and that's fine for callers that only need to
_read_ credentials, but more specialized callers like "terraform login"
and "terraform logout" need more information in order to be transparent
to the user about what they are going to do and where the credentials
are going to be stored.
A server is allowed to omit AuthorizationURL if it's using the "password"
grant type, and other future grant type implementations may have similar
accommodations.
This new implementation is not yet used, but should eventually replace the
technique of composing together various types from the svchost/auth
package, since our requirements are now complex enough that they're more
straightforward to express in direct code within a single type than as
a composition of the building blocks in the svchost/auth package.
This introduces two new verbs to the credentials helper protocol to store
and forget credentials, and uses them to implement StoreForHost and
ForgetForHost.
This new functionality will be used as part of implementing the
"terraform login" and "terraform logout" commands.
As of this commit, the storage codepaths are all just stubs. Subsequent
commits will implement these new methods for each of the different
physical credentials sources.
Previously we just assumed support for the authorization code grant type,
but now we'll allow the host to declare which grant types it supports
to allow for more flexibility in host login implementations. We may extend
the set of supported grant types in future.
The OAuth specification requires several distinct arguments to be provided
to configure a client, rather than just a URL. To accommodate this, we'll
add a new method to the service discovery API to retrieve OAuth client
information in a Terraform-specific form. (The OAuth specification itself
considers this out of scope, because most OAuth clients are configured
by just hard-coding these settings into them for a particular remote
service.)
This PR improves the error handling so we can provide better feedback about any service discovery errors that occured.
Additionally it adds logic to test for specific versions when discovering a service using `service.vN`. This will enable more informational errors which can indicate any version incompatibilities.
By adding this method you now only have to pass a `*disco.Disco` object around in order to do discovery and use any configured credentials for the discovered hosts.
Of course you can also still pass around both a `*disco.Disco` and a `auth.CredentialsSource` object if there is a need or a reason for that!
Extend the discovery timeout from 4 seconds to 11 seconds. This gives a
little more time for a slow host to response. The duration of 11s
keeps the delay reasonable, and puts it just after the default TLS
handshake timeout of 10s for easier differentiation of the error cases.
The default network-based discovery is not desirable for all situations,
so this mechanism allows callers to provide a services map for a given
hostname that was obtained some other way (caller-defined) which will then
cause network-based discovery to be skipped and the given map to be
returned verbatim.
For the same reason the disco tests need to override the http.Transport,
other test fixtures will need to as well. Provide a field to override
the default httpTransport.
Update all references to the version values to use the new package.
The VersionString function was left in the terraform package
specifically for the aws provider, which is vendored. We can remove that
last call once the provider is updated.
This uses an in-memory table of credentials keyed on hostname. This is
the simplest possible credentials source that can actually return
credentials, and is suitable for representing statically-configured
credentials from configuration.
For situations where no credentials are needed but where a working
CredentialsSource is still required, this variable provides a convenient
way to get a fully-functional-but-empty credentials source.
Although service discovery metadata is usually not sensitive, a service
host may wish to produce different results depending on the requesting
user, such as if users are migrating between two different implementations
that are both running concurrently for some period.
This credentials source wraps another and caches its results in memory
in a map that is keyed on the request hostname.
This should ease the common case of many services operating on the same
hostname by allowing an initial set of credentials to be re-used for
subsequent requests.
This CredentialsSource can serve as an extension point to pass credentials
from an arbitrary external system to Terraform. For example, an external
helper program could fetch limited-time credentials from HashiCorp Vault
and return them, thus avoiding the need for any static configuration to
be maintained locally (except a Vault token!).
So far there are no real programs implementing this protocol, though this
commit includes a basic implementation that we use for unit tests.
This function deals with turning a map derived from some user input
(e.g. in a config file) into a HostCredentials object, if possible. This
will be used as a standard way to specify credentials so we have a place
to add new credentials types in future and have support for those across
all of our map-based CredentialsSources.
This package implements our Terraform-native Service discovery protocol,
which allows us to find the base URL for a particular service given a
hostname that was already validated and normalized by the svchost package.
We're starting to expose a number of so-called "Terraform-native services"
that can be offered under a friendly hostname. The first of these will
be module registry services, as they expand from the public
Terraform Registry to private registry services within Terraform
Enterprise and elsewhere.
This package is for wrangling these "friendly hostnames", which start
their lives as user-specified unicode strings, can be converted to
Punycode for storage and comparison, and can in turn be converted back
into normalized unicode for display to the user.
Martin Atkins