refactor: enhance validation for authenticating with console

Author: rsdmike

internal/cli/cli.go

@@ -6,6 +6,7 @@
 package cli
 
 import (
+	"os"
 	"strings"
 	"time"
 
@@ -23,6 +24,7 @@ import (
 const (
 	amtInitializeMaxAttempts = 4
 	amtInitializeBackoff     = 2 * time.Second
+	configFilePath           = "config.yaml"
 )
 
 var sleepForAMTRetry = time.Sleep
@@ -99,7 +101,7 @@ func Parse(args []string, amtCommand amt.Interface) (*kong.Context, *CLI, error)
 		kong.UsageOnError(),
 		kong.DefaultEnvars("RPC"),
 		kong.ConfigureHelp(helpOpts),
-		kong.Configuration(kongyaml.Loader, "config.yaml"),
+		kong.Configuration(kongyaml.Loader, configFilePath),
 		kong.BindToProvider(func() amt.Interface { return amtCommand }),
 	}
 
@@ -117,6 +119,12 @@ func Parse(args []string, amtCommand amt.Interface) (*kong.Context, *CLI, error)
 	}
 
 	ctx, perr := parser.Parse(parseArgs)
+
+	// Log config file presence after parsing (logging is configured by AfterApply at this point)
+	if _, statErr := os.Stat(configFilePath); statErr == nil {
+		log.Infof("Using configuration file: %s (flag values may originate from this file)", configFilePath)
+	}
+
 	if perr == nil {
 		return ctx, &cli, nil
 	}

internal/commands/activate/activate.go

@@ -307,7 +307,7 @@ func (cmd *ActivateCmd) runHttpProfileFullflow(ctx *commands.Context) error {
 
 	cfg, err := fetcher.FetchProfile()
 	if err != nil {
-		return fmt.Errorf("failed to fetch profile: %w", err)
+		return err
 	}
 
 	// Resolve AMT/MEBx/MPS passwords — generate random ones when the profile requests it.

internal/commands/auth.go

@@ -13,14 +13,32 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-// ServerAuthFlags provides common auth options for server communications
-// Either AuthToken (Bearer) OR both AuthUsername and AuthPassword (Basic) should be supplied.
+// ServerAuthFlags provides common auth options for server communications.
+// When AuthEndpoint is set, either AuthToken (Bearer) OR both AuthUsername
+// and AuthPassword (Basic) must be supplied.
 type ServerAuthFlags struct {
 	AuthToken    string `help:"Bearer token for server authentication" name:"auth-token" env:"AUTH_TOKEN"`
 	AuthUsername string `help:"Username for basic auth (used when no token)" name:"auth-username" env:"AUTH_USERNAME"`
 	AuthPassword string `help:"Password for basic auth (used when no token)" name:"auth-password" env:"AUTH_PASSWORD"`
-	// Optional endpoint for exchanging credentials for a token (primarily used when fetching HTTP profiles)
-	AuthEndpoint string `help:"The endpoint to call to fetch a token. Assumes the same host as the profile URL unless an absolute URL is provided; defaults to the Console path /api/v1/authorize." name:"auth-endpoint" default:"/api/v1/authorize"`
+	AuthEndpoint string `help:"Token exchange endpoint. Requires --auth-token or --auth-username/--auth-password. Resolved relative to the profile URL host unless absolute." name:"auth-endpoint" env:"AUTH_ENDPOINT"`
+}
+
+// Validate implements kong.Validatable. When auth-endpoint is set,
+// either auth-token or (auth-username + auth-password) is required.
+func (a *ServerAuthFlags) Validate() error {
+	if a.AuthEndpoint == "" {
+		return nil
+	}
+
+	if a.AuthToken != "" {
+		return nil
+	}
+
+	if a.AuthUsername != "" && a.AuthPassword != "" {
+		return nil
+	}
+
+	return fmt.Errorf("--auth-endpoint requires --auth-token or both --auth-username and --auth-password")
 }
 
 // ValidateRequired enforces that some form of auth is present when required.

internal/commands/auth_test.go

@@ -0,0 +1,172 @@
+/*********************************************************************
+ * Copyright (c) Intel Corporation 2024
+ * SPDX-License-Identifier: Apache-2.0
+ **********************************************************************/
+
+package commands
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestServerAuthFlags_Validate(t *testing.T) {
+	tests := []struct {
+		name    string
+		flags   ServerAuthFlags
+		wantErr string
+	}{
+		{
+			name:  "no endpoint — no validation",
+			flags: ServerAuthFlags{},
+		},
+		{
+			name: "endpoint with token — ok",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+				AuthToken:    "tok",
+			},
+		},
+		{
+			name: "endpoint with username and password — ok",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+				AuthUsername: "user",
+				AuthPassword: "pass",
+			},
+		},
+		{
+			name: "endpoint with no credentials — error",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+			},
+			wantErr: "--auth-endpoint requires --auth-token or both --auth-username and --auth-password",
+		},
+		{
+			name: "endpoint with username only — error",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+				AuthUsername: "user",
+			},
+			wantErr: "--auth-endpoint requires --auth-token or both --auth-username and --auth-password",
+		},
+		{
+			name: "endpoint with password only — error",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+				AuthPassword: "pass",
+			},
+			wantErr: "--auth-endpoint requires --auth-token or both --auth-username and --auth-password",
+		},
+		{
+			name: "endpoint with token and username/password — token wins, ok",
+			flags: ServerAuthFlags{
+				AuthEndpoint: "/api/v1/authorize",
+				AuthToken:    "tok",
+				AuthUsername: "user",
+				AuthPassword: "pass",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.flags.Validate()
+			if tt.wantErr != "" {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestServerAuthFlags_ValidateRequired(t *testing.T) {
+	tests := []struct {
+		name     string
+		flags    ServerAuthFlags
+		required bool
+		wantErr  bool
+	}{
+		{
+			name:     "not required — always ok",
+			flags:    ServerAuthFlags{},
+			required: false,
+		},
+		{
+			name:     "required with token",
+			flags:    ServerAuthFlags{AuthToken: "tok"},
+			required: true,
+		},
+		{
+			name:     "required with username and password",
+			flags:    ServerAuthFlags{AuthUsername: "user", AuthPassword: "pass"},
+			required: true,
+		},
+		{
+			name:     "required with nothing",
+			flags:    ServerAuthFlags{},
+			required: true,
+			wantErr:  true,
+		},
+		{
+			name:     "required with username only",
+			flags:    ServerAuthFlags{AuthUsername: "user"},
+			required: true,
+			wantErr:  true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := tt.flags.ValidateRequired(tt.required)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+func TestServerAuthFlags_ApplyToRequest(t *testing.T) {
+	tests := []struct {
+		name       string
+		flags      ServerAuthFlags
+		wantHeader string
+	}{
+		{
+			name:       "token sets bearer",
+			flags:      ServerAuthFlags{AuthToken: "my-token"},
+			wantHeader: "Bearer my-token",
+		},
+		{
+			name:       "username/password sets basic",
+			flags:      ServerAuthFlags{AuthUsername: "user", AuthPassword: "pass"},
+			wantHeader: "Basic dXNlcjpwYXNz",
+		},
+		{
+			name:       "token takes precedence over basic",
+			flags:      ServerAuthFlags{AuthToken: "tok", AuthUsername: "user", AuthPassword: "pass"},
+			wantHeader: "Bearer tok",
+		},
+		{
+			name:       "no credentials — no header",
+			flags:      ServerAuthFlags{},
+			wantHeader: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req, _ := http.NewRequest("GET", "http://example.com", nil)
+			tt.flags.ApplyToRequest(req)
+
+			assert.Equal(t, tt.wantHeader, req.Header.Get("Authorization"))
+		})
+	}
+}

internal/profile/fetcher.go

@@ -198,7 +198,11 @@ func (f *ProfileFetcher) fetchData(u, token string) ([]byte, error) {
 	defer resp.Body.Close()
 
 	if resp.StatusCode == http.StatusUnauthorized {
-		return nil, fmt.Errorf("unauthorized: authentication required or token invalid")
+		if token == "" {
+			return nil, fmt.Errorf("unauthorized: no credentials provided — use --auth-token or --auth-username/--auth-password")
+		}
+
+		return nil, fmt.Errorf("unauthorized: server rejected the bearer token")
 	}
 
 	if resp.StatusCode != http.StatusOK {