Support session auth for policy resources

In addition, support ability to disable session auth for both MP and policy resources on provider level. Signed-off-by: Anna Khmelnitsky <[email protected]>
vmware · Mar 1, 2023 · 0f020b0 · 0f020b0
1 parent d72f8fc
commit 0f020b0
Showing 1 changed file with 39 additions and 2 deletions.
diff --git a/nsxt/provider.go b/nsxt/provider.go
@@ -43,6 +43,8 @@ type nsxtClients struct {
 	CommonConfig commonProviderConfig
 	// NSX Manager client - based on go-vmware-nsxt SDK
 	NsxtClient *api.APIClient
+	// Config for the above client
+	NsxtClientConfig *api.Configuration
 	// Data for NSX Policy client - based on vsphere-automation-sdk-go SDK
 	// First offering of Policy SDK does not support concurrent
 	// operations in single connector. In order to avoid heavy locks,
@@ -83,6 +85,11 @@ func Provider() *schema.Provider {
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc("NSXT_REMOTE_AUTH", false),
 			},
+			"session_auth": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc("NSXT_SESSION_AUTH", true),
+			},
 			"host": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -439,6 +446,8 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 
 	caFile := d.Get("ca_file").(string)
 	caString := d.Get("ca").(string)
+	sessionAuth := d.Get("session_auth").(bool)
+	skipSessionAuth := !sessionAuth
 
 	retriesConfig := api.ClientRetriesConfiguration{
 		MaxRetries:      clients.CommonConfig.MaxRetries,
@@ -447,7 +456,7 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 		RetryOnStatuses: clients.CommonConfig.RetryStatusCodes,
 	}
 
-	cfg := api.Configuration{
+	clients.NsxtClientConfig = &api.Configuration{
 		BasePath:             "/api/v1",
 		Host:                 host,
 		Scheme:               "https",
@@ -463,9 +472,10 @@ func configureNsxtClient(d *schema.ResourceData, clients *nsxtClients) error {
 		CAString:             caString,
 		Insecure:             insecure,
 		RetriesConfiguration: retriesConfig,
+		SkipSessionAuth:      skipSessionAuth,
 	}
 
-	nsxClient, err := api.NewAPIClient(&cfg)
+	nsxClient, err := api.NewAPIClient(clients.NsxtClientConfig)
 	if err != nil {
 		return err
 	}
@@ -694,6 +704,24 @@ func (processor bearerAuthHeaderProcessor) Process(req *http.Request) error {
 	return nil
 }
 
+type sessionHeaderProcessor struct {
+	cookie string
+	xsrf   string
+}
+
+func newSessionHeaderProcessor(cookie string, xsrf string) *sessionHeaderProcessor {
+	return &sessionHeaderProcessor{
+		cookie: cookie,
+		xsrf:   xsrf,
+	}
+}
+
+func (processor sessionHeaderProcessor) Process(req *http.Request) error {
+	req.Header.Set("Cookie", processor.cookie)
+	req.Header.Set("X-XSRF-TOKEN", processor.xsrf)
+	return nil
+}
+
 func applyLicense(c *api.APIClient, licenseKey string) error {
 	if c == nil {
 		return fmt.Errorf("API client not configured")
@@ -817,6 +845,15 @@ func getPolicyConnector(clients interface{}) *client.RestConnector {
 	if len(c.CommonConfig.BearerToken) > 0 {
 		connector.AddRequestProcessor(newBearerAuthHeaderProcessor(c.CommonConfig.BearerToken))
 	}
+	if len(c.NsxtClientConfig.DefaultHeader["Cookie"]) > 0 {
+		cookie := c.NsxtClientConfig.DefaultHeader["Cookie"]
+		xsrf := ""
+		if len(c.NsxtClientConfig.DefaultHeader["X-XSRF-TOKEN"]) > 0 {
+			xsrf = c.NsxtClientConfig.DefaultHeader["X-XSRF-TOKEN"]
+		}
+		connector.AddRequestProcessor(newSessionHeaderProcessor(cookie, xsrf))
+		log.Printf("[INFO]: Session headers configured for policy objects")
+	}
 
 	return connector
 }