Revert "Add VMC Oauth app support (vmware#1080)"

This reverts commit 08dff9f.
GraysonWu · Jan 26, 2024 · 05cdb31 · 05cdb31
1 parent 08dff9f
commit 05cdb31
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 141 deletions.
diff --git a/nsxt/data_source_nsxt_policy_realization_info.go b/nsxt/data_source_nsxt_policy_realization_info.go
@@ -64,15 +64,6 @@ func dataSourceNsxtPolicyRealizationInfo() *schema.Resource {
 				Default:      1,
 				ValidateFunc: validation.IntAtLeast(0),
 			},
-			"router_link_ip": {
-				Type:        schema.TypeList,
-				Description: "IP addresses of RealizedLogicalRouterPort type entity",
-				Elem: &schema.Schema{
-					Type:         schema.TypeString,
-					ValidateFunc: validation.IsIPAddress,
-				},
-				Computed: true,
-			},
 		},
 	}
 }
@@ -135,19 +126,6 @@ func dataSourceNsxtPolicyRealizationInfoRead(d *schema.ResourceData, m interface
 						}
 						return realizationResult, state, nil
 					} else if (objInList.EntityType != nil) && (*objInList.EntityType == entityType) {
-						if entityType == "RealizedLogicalRouterPort" {
-							found := false
-							for _, extAtt := range objInList.ExtendedAttributes {
-								if extAtt.Key != nil && *extAtt.Key == "IpAddresses" {
-									d.Set("router_link_ip", extAtt.Values)
-									found = true
-									break
-								}
-							}
-							if !found {
-								continue
-							}
-						}
 						d.Set("state", state)
 						if objInList.RealizationSpecificIdentifier == nil {
 							d.Set("realized_id", "")

diff --git a/nsxt/provider.go b/nsxt/provider.go
@@ -158,30 +158,13 @@ func Provider() *schema.Provider {
 				Type:        schema.TypeString,
 				Optional:    true,
 				Description: "URL for VMC authorization service (CSP)",
-				DefaultFunc: schema.EnvDefaultFunc("NSXT_VMC_AUTH_HOST", nil),
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_VMC_AUTH_HOST", "console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"),
 			},
 			"vmc_token": {
-				Type:          schema.TypeString,
-				Optional:      true,
-				Description:   "Long-living API token for VMC authorization",
-				DefaultFunc:   schema.EnvDefaultFunc("NSXT_VMC_TOKEN", nil),
-				ConflictsWith: []string{"vmc_client_id", "vmc_client_secret"},
-			},
-			"vmc_client_id": {
-				Type:          schema.TypeString,
-				Optional:      true,
-				Description:   "ID of OAuth App associated with the VMC organization",
-				DefaultFunc:   schema.EnvDefaultFunc("NSXT_VMC_CLIENT_ID", nil),
-				ConflictsWith: []string{"vmc_token"},
-				RequiredWith:  []string{"vmc_client_secret"},
-			},
-			"vmc_client_secret": {
-				Type:          schema.TypeString,
-				Optional:      true,
-				Description:   "Secret of OAuth App associated with the VMC organization",
-				DefaultFunc:   schema.EnvDefaultFunc("NSXT_VMC_CLIENT_SECRET", nil),
-				ConflictsWith: []string{"vmc_token"},
-				RequiredWith:  []string{"vmc_client_id"},
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Long-living API token for VMC authorization",
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_VMC_TOKEN", nil),
 			},
 			"vmc_auth_mode": {
 				Type:         schema.TypeString,
@@ -206,7 +189,7 @@ func Provider() *schema.Provider {
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   "license keys",
-				ConflictsWith: []string{"vmc_token", "vmc_client_id", "vmc_client_secret"},
+				ConflictsWith: []string{"vmc_token"},
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
 					ValidateFunc: validation.StringMatch(
@@ -473,37 +456,21 @@ func Provider() *schema.Provider {
 	}
 }
 
-func isVMCCredentialSet(d *schema.ResourceData) bool {
-	// Refresh token
-	vmcToken := d.Get("vmc_token").(string)
-	if len(vmcToken) > 0 {
-		return true
-	}
-
-	// Oauth app
-	vmcClientID := d.Get("vmc_client_id").(string)
-	vmcClientSecret := d.Get("vmc_client_secret").(string)
-	if len(vmcClientSecret) > 0 && len(vmcClientID) > 0 {
-		return true
-	}
-
-	return false
-}
-
 func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 	onDemandConn := d.Get("on_demand_connection").(bool)
 	clientAuthCertFile := d.Get("client_auth_cert_file").(string)
 	clientAuthKeyFile := d.Get("client_auth_key_file").(string)
 	clientAuthCert := d.Get("client_auth_cert").(string)
 	clientAuthKey := d.Get("client_auth_key").(string)
+	vmcToken := d.Get("vmc_token").(string)
 	vmcAuthMode := d.Get("vmc_auth_mode").(string)
 
 	if onDemandConn {
 		// On demand connection option is not supported with old SDK
 		return nil
 	}
 
-	if (vmcAuthMode == "Basic") || isVMCCredentialSet(d) {
+	if (len(vmcToken) > 0) || (vmcAuthMode == "Basic") {
 		// VMC can operate without token with basic auth, however MP API is not
 		// available for cloud admin user
 		return nil
@@ -597,65 +564,21 @@ type jwtToken struct {
 	RefreshToken string `json:"refresh_token"`
 }
 
-type vmcAuthInfo struct {
-	authHost     string
-	authMode     string
-	accessToken  string
-	clientID     string
-	clientSecret string
-}
-
-func getVmcAuthInfo(d *schema.ResourceData) *vmcAuthInfo {
-	vmcInfo := vmcAuthInfo{
-		authHost:     d.Get("vmc_auth_host").(string),
-		authMode:     d.Get("vmc_auth_mode").(string),
-		accessToken:  d.Get("vmc_token").(string),
-		clientID:     d.Get("vmc_client_id").(string),
-		clientSecret: d.Get("vmc_client_secret").(string),
-	}
-	if len(vmcInfo.authHost) > 0 {
-		return &vmcInfo
-	}
-
-	// Fill in default auth host + url based on auth method
-	if len(vmcInfo.accessToken) > 0 {
-		vmcInfo.authHost = "console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"
-	} else if len(vmcInfo.clientSecret) > 0 && len(vmcInfo.clientID) > 0 {
-		vmcInfo.authHost = "console.cloud.vmware.com/csp/gateway/am/api/auth/authorize"
-	}
-	return &vmcInfo
-}
-
-func (v *vmcAuthInfo) IsZero() bool {
-	return len(v.accessToken) == 0 && len(v.clientID) == 0 && len(v.clientSecret) == 0
-}
-
-func (v *vmcAuthInfo) getAPIToken() (string, error) {
-	var req *http.Request
+func getAPIToken(vmcAuthHost string, vmcAccessToken string) (string, error) {
 
-	// Access token
-	if len(v.accessToken) > 0 {
-		payload := strings.NewReader("refresh_token=" + v.accessToken)
-		req, _ = http.NewRequest("POST", "https://"+v.authHost, payload)
-	}
-	// Oauth app
-	if len(v.clientSecret) > 0 && len(v.clientID) > 0 {
-		payload := strings.NewReader("grant_type=client_credentials")
-		req, _ = http.NewRequest("POST", "https://"+v.authHost, payload)
-		req.SetBasicAuth(v.clientID, v.clientSecret)
-	}
-	if req == nil {
-		return "", fmt.Errorf("invalid VMC auth input")
-	}
+	payload := strings.NewReader("refresh_token=" + vmcAccessToken)
+	req, _ := http.NewRequest("POST", "https://"+vmcAuthHost, payload)
 
 	req.Header.Add("content-type", "application/x-www-form-urlencoded")
 	res, err := http.DefaultClient.Do(req)
+
 	if err != nil {
 		return "", err
 	}
+
 	if res.StatusCode != 200 {
 		b, _ := ioutil.ReadAll(res.Body)
-		return "", fmt.Errorf("unexpected status code %d trying to get auth token. %s", res.StatusCode, string(b))
+		return "", fmt.Errorf("Unexpected status code %d trying to get auth token. %s", res.StatusCode, string(b))
 	}
 
 	defer res.Body.Close()
@@ -742,15 +665,17 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 	host := d.Get("host").(string)
 	username := d.Get("username").(string)
 	password := d.Get("password").(string)
+	vmcAccessToken := d.Get("vmc_token").(string)
+	vmcAuthHost := d.Get("vmc_auth_host").(string)
 	clientAuthCertFile := d.Get("client_auth_cert_file").(string)
 	clientAuthCert := d.Get("client_auth_cert").(string)
 	clientAuthDefined := (len(clientAuthCertFile) > 0) || (len(clientAuthCert) > 0)
 	policyEnforcementPoint := d.Get("enforcement_point").(string)
 	policyGlobalManager := d.Get("global_manager").(bool)
-	vmcInfo := getVmcAuthInfo(d)
+	vmcAuthMode := d.Get("vmc_auth_mode").(string)
 
 	isVMC := false
-	if (vmcInfo.authMode == "Basic") || isVMCCredentialSet(d) {
+	if (len(vmcAccessToken) > 0) || (vmcAuthMode == "Basic") {
 		isVMC = true
 		if onDemandConn {
 			return fmt.Errorf("on demand connection option is not supported with VMC")
@@ -770,7 +695,7 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 		securityContextNeeded = false
 	}
 	if securityContextNeeded {
-		securityCtx, err := getConfiguredSecurityContext(clients, vmcInfo, username, password)
+		securityCtx, err := getConfiguredSecurityContext(clients, vmcAccessToken, vmcAuthHost, vmcAuthMode, username, password)
 		if err != nil {
 			return err
 		}
@@ -815,33 +740,37 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 	return err
 }
 
-func getConfiguredSecurityContext(clients *nsxtClients, vmcInfo *vmcAuthInfo, username string, password string) (*core.SecurityContextImpl, error) {
+func getConfiguredSecurityContext(clients *nsxtClients, vmcAccessToken string, vmcAuthHost string, vmcAuthMode string, username string, password string) (*core.SecurityContextImpl, error) {
 	securityCtx := core.NewSecurityContextImpl()
-	if vmcInfo == nil || vmcInfo.IsZero() {
-		if username == "" {
-			return nil, fmt.Errorf("username must be provided")
+	if len(vmcAccessToken) > 0 {
+		if vmcAuthHost == "" {
+			return nil, fmt.Errorf("vmc auth host must be provided if auth token is provided")
 		}
 
-		if password == "" {
-			return nil, fmt.Errorf("password must be provided")
-		}
-
-		securityCtx.SetProperty(security.AUTHENTICATION_SCHEME_ID, security.USER_PASSWORD_SCHEME_ID)
-		securityCtx.SetProperty(security.USER_KEY, username)
-		securityCtx.SetProperty(security.PASSWORD_KEY, password)
-	} else {
-		apiToken, err := vmcInfo.getAPIToken()
+		apiToken, err := getAPIToken(vmcAuthHost, vmcAccessToken)
 		if err != nil {
 			return nil, err
 		}
 
 		// We'll be sending Bearer token anyway even with scp-auth-token auth
 		// For now, node API is not working on VMC without Bearer token present
 		clients.CommonConfig.BearerToken = apiToken
-		if vmcInfo.authMode != "Bearer" {
+		if vmcAuthMode != "Bearer" {
 			securityCtx.SetProperty(security.AUTHENTICATION_SCHEME_ID, security.OAUTH_SCHEME_ID)
 			securityCtx.SetProperty(security.ACCESS_TOKEN, apiToken)
 		}
+	} else {
+		if username == "" {
+			return nil, fmt.Errorf("username must be provided")
+		}
+
+		if password == "" {
+			return nil, fmt.Errorf("password must be provided")
+		}
+
+		securityCtx.SetProperty(security.AUTHENTICATION_SCHEME_ID, security.USER_PASSWORD_SCHEME_ID)
+		securityCtx.SetProperty(security.USER_KEY, username)
+		securityCtx.SetProperty(security.PASSWORD_KEY, password)
 	}
 	return securityCtx, nil
 }

diff --git a/nsxt/resource_nsxt_manager_cluster.go b/nsxt/resource_nsxt_manager_cluster.go
@@ -324,7 +324,7 @@ func getNewNsxtClient(node NsxClusterNode, d *schema.ResourceData, clients inter
 
 func configureNewClient(newClient *nsxtClients, oldClient *nsxtClients, host string, username string, password string) error {
 	newClient.Host = host
-	securityCtx, err := getConfiguredSecurityContext(newClient, &vmcAuthInfo{}, username, password)
+	securityCtx, err := getConfiguredSecurityContext(newClient, "", "", "", username, password)
 	if err != nil {
 		return fmt.Errorf("Failed to configure new client with host %s: %s", host, err)
 	}

diff --git a/website/docs/d/policy_realization_info.html.markdown b/website/docs/d/policy_realization_info.html.markdown
@@ -80,4 +80,3 @@ In addition to arguments listed above, the following attributes are exported:
 
 * `state` - The realization state of the resource: "REALIZED", "UNKNOWN", "UNREALIZED" or "ERROR".
 * `realized_id` - The id of the realized object.
-* `router_link_ip` - The IP addresses of `RealizedLogicalRouterPort` type entity. It could be used to fetch T0/1 gateway router links IP addresses. The attribute will only be exposed when entity_type is `RealizedLogicalRouterPort`.
diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown
@@ -221,15 +221,7 @@ The following arguments are used to configure the VMware NSX-T Provider:
   partially successful realization as valid state and not fail apply.
 * `vmc_token` - (Optional) Long-lived API token for authenticating with VMware
   Cloud Services APIs. This token will be used to short-lived token that is
-  needed to communicate with NSX Manager in VMC environment. Can not be specified 
-  together with `vmc_client_id` and `vmc_client_secret`.
-  Note that only subset of policy resources are supported with VMC environment.
-* `vmc_client_id`- (Optional) ID of OAuth App associated with the VMC organization. 
-  The combination with `vmc_client_secret` is used to authenticate when calling 
-  VMware Cloud Services APIs. Can not be specified together with `vmc_token`.
-* `vmc_client_secret` - (Optional) Secret of OAuth App associated with the VMC 
-  organization. The combination with `vmc_client_id` is used to authenticate when 
-  calling VMware Cloud Services APIs. Can not be specified together with `vmc_token`.
+  needed to communicate with NSX Manager in VMC environment.
   Note that only subset of policy resources are supported with VMC environment.
 * `vmc_auth_host` - (Optional) URL for VMC authorization service that is used
   to obtain short-lived token for NSX manager access. Defaults to VMC
Original file line number	Diff line number	Diff line change
Expand Up		@@ -80,4 +80,3 @@ In addition to arguments listed above, the following attributes are exported:

		* `state` - The realization state of the resource: "REALIZED", "UNKNOWN", "UNREALIZED" or "ERROR".
		* `realized_id` - The id of the realized object.
		* `router_link_ip` - The IP addresses of `RealizedLogicalRouterPort` type entity. It could be used to fetch T0/1 gateway router links IP addresses. The attribute will only be exposed when entity_type is `RealizedLogicalRouterPort`.