re-organize CLI config files

README.adoc

@@ -6,7 +6,7 @@ published to crates.io. All are derived from the Oxide API OpenAPI spec.
 
 ## Generation
 
-Generation of the CLI, SDK, and mocking library
+Generation of the CLI, SDK, and mocking library use
 https://github.com/oxidecomputer/progenitor[`progenitor`] for code generation
 from the OpenAPI description of the Oxide API. Typically `progenitor` is used
 via a macro or `build.rs`, here we use an
@@ -67,4 +67,4 @@ Use `cargo publish -p oxide` and `cargo publish -p oxide-httpmock`.
 
 Tag the repo with the version number (`vMAJOR.MINOR.PATCH+API_VERSION`) and
 push change and tags. This will kick off the `cargo-dist` workflow to generate
-a release with binaries.
+a release with binaries.

cli/Cargo.toml

@@ -45,6 +45,8 @@ serde = { workspace = true }
 serde_json = { workspace = true }
 tabwriter = { workspace = true }
 thouart = { workspace = true }
+toml = { workspace = true }
+toml_edit = { workspace = true }
 tokio = { workspace = true }
 url = { workspace = true }
 uuid = { workspace = true }

cli/README.md

@@ -2,12 +2,23 @@
 
 ## Installation
 
-Build with `cargo build --bin oxide` and add the executable in `target/debug` to your `PATH`.
+You can find pre-built binaries for various platforms
+[here](https://github.com/oxidecomputer/oxide.rs/releases). Look for the most
+recent release whose version suffix matches the version of Oxide software
+currently deployed. For example, if you're running the `20240502.0` release,
+use `0.5.0+20240502.0`.
+
+You can build the CLI yourself using `cargo build --bin oxide`; then add the
+executable in `target/debug` to your `PATH` or copy it to another location.
 
 ## Authentication
 
-There are two ways to authenticate against the Oxide rack using the CLI:
+To authenticate, use `oxide auth login --host my.oxide.host`. This will add a
+new profile to `$HOME/.config/oxide/credentials.toml` (and create the file if
+necessary). The profile will derive its name from the name of the Oxide Silo.
 
-- Environment variables: You can set the `OXIDE_HOST` and `OXIDE_TOKEN` environment variables. This method is useful for service accounts.
+The first time you authenticate, the `default-profile` will be set in
+`$HOME/.config/oxide/config.toml`. Edit that file to change the default later.
 
-- Configuration file: When running the `oxide auth login` command, a `$HOME/.config/oxide/hosts.toml` file is generated. This file contains sensitive information like your token and user ID.
+If you have a token value, you may set the `OXIDE_HOST` and `OXIDE_TOKEN`
+environment variables. This method can be useful for service accounts.

cli/docs/cli.json

@@ -1,6 +1,7 @@
 {
   "name": "oxide",
   "version": "0.5.0+20240502.0",
+  "about": "Control an Oxide environment",
   "args": [
     {
       "long": "cacert",
@@ -18,6 +19,10 @@
       "long": "insecure",
       "help": "Disable certificate validation and hostname verification"
     },
+    {
+      "long": "profile",
+      "help": "Configuration profile to use for commands"
+    },
     {
       "long": "resolve",
       "help": "Modify name resolution"
@@ -79,8 +84,8 @@
       "subcommands": [
         {
           "name": "login",
-          "about": "Authenticate with an Oxide host.",
-          "long_about": "Authenticate with an Oxide host.\n\nAlternatively, pass in a token on standard input by using `--with-token`.\n\n    # start interactive setup\n    $ oxide auth login\n\n    # authenticate against a specific Oxide instance by reading the token\n    # from a file\n    $ oxide auth login --with-token --host oxide.internal < mytoken.txt\n\n    # authenticate with a specific Oxide instance\n    $ oxide auth login --host oxide.internal\n\n    # authenticate with an insecure Oxide instance (not recommended)\n    $ oxide auth login --host http://oxide.internal",
+          "about": "Authenticate with an Oxide Silo",
+          "long_about": "Authenticate with an Oxide Silo\n\n    # authenticate with a specific Oxide silo\n    $ oxide auth login --host oxide.internal\n\n    # authenticate with an insecure Oxide silo (not recommended)\n    $ oxide auth login --host http://oxide.internal",
           "args": [
             {
               "long": "browser",
@@ -94,51 +99,30 @@
             {
               "long": "no-browser",
               "help": "Print the authentication URL rather than opening a browser window"
-            },
-            {
-              "long": "with-token",
-              "help": "Read token from standard input"
             }
           ]
         },
         {
           "name": "logout",
-          "about": "Removes saved authentication information.",
-          "long_about": "Removes saved authentication information.\n\nThis command does not invalidate any tokens from the hosts.",
+          "about": "Removes saved authentication information from profiles.",
+          "long_about": "Removes saved authentication information from profiles.\n\nThis command does not invalidate any tokens.",
           "args": [
             {
               "long": "all",
               "short": "a",
-              "help": "If set, all known hosts and authentication information will be deleted"
+              "help": "If set, authentication information from all profiles will be deleted"
             },
             {
               "long": "force",
               "short": "f",
               "help": "Skip confirmation prompt"
-            },
-            {
-              "long": "host",
-              "short": "H",
-              "help": "Remove authentication information for a single host"
             }
           ]
         },
         {
           "name": "status",
           "about": "Verifies and displays information about your authentication state.",
-          "long_about": "Verifies and displays information about your authentication state.\n\nThis command validates the authentication state for each Oxide environment\nin the current configuration. These hosts may be from your hosts.toml file\nand/or $OXIDE_HOST environment variable.",
-          "args": [
-            {
-              "long": "host",
-              "short": "H",
-              "help": "Specific hostname to validate"
-            },
-            {
-              "long": "show-token",
-              "short": "t",
-              "help": "Display the auth token"
-            }
-          ]
+          "long_about": "Verifies and displays information about your authentication state.\n\nThis command validates the authentication state for each profile in the\ncurrent configuration."
         }
       ]
     },

cli/src/cli_builder.rs

@@ -4,29 +4,32 @@
 
 // Copyright 2024 Oxide Computer Company
 
-use std::{collections::BTreeMap, marker::PhantomData, path::PathBuf};
+use std::{collections::BTreeMap, marker::PhantomData, net::IpAddr, path::PathBuf};
 
 use anyhow::{bail, Result};
 use async_trait::async_trait;
 use clap::{ArgMatches, Command, CommandFactory, FromArgMatches};
 use log::LevelFilter;
 
 use crate::{
+    context::Context,
     generated_cli::{Cli, CliCommand},
     OxideOverride, RunnableCmd,
 };
-use oxide::{
-    config::{Config, ResolveValue},
-    context::Context,
-};
+use oxide::ClientConfig;
 
+/// Control an Oxide environment
 #[derive(clap::Parser, Debug, Clone)]
-#[command(name = "oxide")]
+#[command(name = "oxide", verbatim_doc_comment)]
 struct OxideCli {
     /// Enable debug output
     #[clap(long)]
     pub debug: bool,
 
+    /// Configuration profile to use for commands
+    #[clap(long)]
+    pub profile: Option<String>,
+
     /// Directory to use for configuration
     #[clap(long, value_name = "DIR")]
     pub config_dir: Option<PathBuf>,
@@ -48,6 +51,41 @@ struct OxideCli {
     pub timeout: Option<u64>,
 }
 
+#[derive(Debug, Clone, PartialEq, Eq)]
+struct ResolveValue {
+    pub host: String,
+    pub port: u16,
+    pub addr: IpAddr,
+}
+
+impl std::str::FromStr for ResolveValue {
+    type Err = String;
+
+    fn from_str(s: &str) -> std::result::Result<Self, Self::Err> {
+        let values = s.splitn(3, ':').collect::<Vec<_>>();
+        let [host, port, addr] = values.as_slice() else {
+            return Err(r#"value must be "host:port:addr"#.to_string());
+        };
+
+        let host = host.to_string();
+        let port = port
+            .parse()
+            .map_err(|_| format!("error parsing port '{}'", port))?;
+
+        // `IpAddr::parse()` does not accept enclosing brackets on IPv6
+        // addresses; strip them off if they exist.
+        let addr = addr
+            .strip_prefix('[')
+            .and_then(|s| s.strip_suffix(']'))
+            .unwrap_or(addr);
+        let addr = addr
+            .parse()
+            .map_err(|_| format!("error parsing address '{}'", addr))?;
+
+        Ok(Self { host, port, addr })
+    }
+}
+
 #[async_trait]
 trait RunIt: Send + Sync {
     async fn run_cmd(&self, matches: &ArgMatches, ctx: &Context) -> Result<()>;
@@ -182,6 +220,7 @@ impl<'a> NewCli<'a> {
         let matches = parser.get_matches();
 
         let OxideCli {
+            profile,
             debug,
             config_dir,
             resolve,
@@ -194,42 +233,36 @@ impl<'a> NewCli<'a> {
             env_logger::builder().filter_level(LevelFilter::Debug);
         }
 
-        let mut config = if let Some(dir) = config_dir {
-            Config::new_with_config_dir(dir)
-        } else {
-            Config::default()
-        };
+        let mut client_config = ClientConfig::default();
+
+        if let Some(profile_name) = profile {
+            client_config = client_config.with_profile(profile_name);
+        }
+        if let Some(config_dir) = config_dir {
+            client_config = client_config.with_config_dir(config_dir);
+        }
         if let Some(resolve) = resolve {
-            config = config.with_resolve(resolve);
+            client_config = client_config.with_resolve(resolve.host, resolve.addr);
         }
         if let Some(cacert_path) = cacert {
-            enum CertType {
-                Pem,
-                Der,
-            }
-
             let extension = cacert_path
                 .extension()
                 .map(std::ffi::OsStr::to_ascii_lowercase);
-            let ct = match extension.as_ref().and_then(|ex| ex.to_str()) {
-                Some("pem") => CertType::Pem,
-                Some("der") => CertType::Der,
-                _ => bail!("--cacert path must be a 'pem' or 'der' file".to_string()),
-            };
-
             let contents = std::fs::read(cacert_path)?;
-
-            let cert = match ct {
-                CertType::Pem => reqwest::tls::Certificate::from_pem(&contents),
-                CertType::Der => reqwest::tls::Certificate::from_der(&contents),
+            let cert = match extension.as_ref().and_then(|ex| ex.to_str()) {
+                Some("pem") => reqwest::tls::Certificate::from_pem(&contents),
+                Some("der") => reqwest::tls::Certificate::from_der(&contents),
+                _ => bail!("--cacert path must be a 'pem' or 'der' file".to_string()),
             }?;
-            config = config.with_cert(cert);
+
+            client_config = client_config.with_cert(cert);
         }
-        config = config.with_insecure(insecure);
+        client_config = client_config.with_insecure(insecure);
         if let Some(timeout) = timeout {
-            config = config.with_timeout(timeout);
+            client_config = client_config.with_timeout(timeout);
         }
-        let ctx = Context::new(config)?;
+
+        let ctx = Context::new(client_config)?;
 
         let mut node = &runner;
         let mut sm = &matches;
@@ -267,7 +300,8 @@ struct GeneratedCmd(CliCommand);
 #[async_trait]
 impl RunIt for GeneratedCmd {
     async fn run_cmd(&self, matches: &ArgMatches, ctx: &Context) -> Result<()> {
-        let cli = Cli::new(ctx.client()?.clone(), OxideOverride::default());
+        let client = oxide::Client::new_authenticated_config(ctx.client_config())?;
+        let cli = Cli::new(client, OxideOverride::default());
         cli.execute(self.0, matches).await
     }
 

cli/src/cmd_api.rs

@@ -13,10 +13,9 @@ use anyhow::{anyhow, Result};
 use async_trait::async_trait;
 use clap::Parser;
 use futures::{StreamExt, TryStreamExt};
+use oxide::Client;
 use serde::Deserialize;
 
-use crate::RunnableCmd;
-
 /// Makes an authenticated HTTP request to the Oxide API and prints the response.
 ///
 /// The endpoint argument should be a path of a Oxide API endpoint.
@@ -97,8 +96,8 @@ pub struct PaginatedResponse {
 }
 
 #[async_trait]
-impl RunnableCmd for CmdApi {
-    async fn run(&self, ctx: &oxide::context::Context) -> Result<()> {
+impl crate::AuthenticatedCmd for CmdApi {
+    async fn run(&self, client: &Client) -> Result<()> {
         // Make sure the endpoint starts with a slash.
         let endpoint = if self.endpoint.starts_with('/') {
             self.endpoint.clone()
@@ -107,7 +106,7 @@ impl RunnableCmd for CmdApi {
         };
 
         // Parse the fields.
-        let params = self.parse_fields(ctx)?;
+        let params = self.parse_fields()?;
 
         // Set them as our body if they exist.
         let mut b = String::new();
@@ -164,7 +163,6 @@ impl RunnableCmd for CmdApi {
             }
         }
 
-        let client = ctx.client()?;
         let rclient = client.client();
         let uri = format!("{}{}", client.baseurl(), endpoint_with_query);
 
@@ -197,7 +195,7 @@ impl RunnableCmd for CmdApi {
         // Print the response headers if requested.
         if self.include {
             println!("{:?} {}", resp.version(), resp.status());
-            print_headers(ctx, resp.headers())?;
+            print_headers(resp.headers())?;
         }
 
         if resp.status() == reqwest::StatusCode::NO_CONTENT {
@@ -292,10 +290,7 @@ impl CmdApi {
         Ok(headers)
     }
 
-    fn parse_fields(
-        &self,
-        _ctx: &oxide::context::Context,
-    ) -> Result<HashMap<String, serde_json::Value>> {
+    fn parse_fields(&self) -> Result<HashMap<String, serde_json::Value>> {
         let mut params: HashMap<String, serde_json::Value> = HashMap::new();
 
         // Parse the raw fields.
@@ -371,10 +366,7 @@ impl CmdApi {
     }
 }
 
-fn print_headers(
-    _ctx: &oxide::context::Context,
-    headers: &reqwest::header::HeaderMap,
-) -> Result<()> {
+fn print_headers(headers: &reqwest::header::HeaderMap) -> Result<()> {
     let mut names: Vec<String> = headers.keys().map(|k| k.as_str().to_string()).collect();
     names.sort_by_key(|a| a.to_lowercase());