From db21f1988d9cfd61a2bea38c934004b9f94e83e3 Mon Sep 17 00:00:00 2001
From: Anna Khmelnitsky
Date: Tue, 28 Apr 2020 11:34:58 -0700
Subject: [PATCH 1/2] Support remote auth for policy resources

This is needed for vIDM use case with NSX version < 3.0.0
---
 nsxt/provider.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/nsxt/provider.go b/nsxt/provider.go
index 0404b8cd9..5f9949a72 100644
--- a/nsxt/provider.go
+++ b/nsxt/provider.go
@@ -23,6 +23,7 @@ var defaultRetryOnStatusCodes = []int{429, 503}
 var toleratePartialSuccess = false
 var policyEnforcementPoint = "default"
 var policySite = "default"
+var policyRemoteAuth = false

 type nsxtClients struct {
 // NSX Manager client - based on go-vmware-nsxt SDK
@@ -439,6 +440,7 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 clientAuthKeyFile := d.Get("client_auth_key_file").(string)
 caFile := d.Get("ca_file").(string)
 policyEnforcementPoint = d.Get("enforcement_point").(string)
+ policyRemoteAuth = d.Get("remote_auth").(bool)

 if hostIP == "" {
 return fmt.Errorf("host must be provided")
@@ -499,6 +501,20 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 return nil
 }

+type remoteBasicAuthHeaderProcessor struct {
+}
+
+func newRemoteBasicAuthHeaderProcessor() *remoteBasicAuthHeaderProcessor {
+ return &remoteBasicAuthHeaderProcessor{}
+}
+
+func (processor remoteBasicAuthHeaderProcessor) Process(req *http.Request) error {
+ oldAuthHeader := req.Header.Get("Authorization")
+ newAuthHeader := strings.Replace(oldAuthHeader, "Basic", "Remote", 1)
+ req.Header.Set("Authorization", newAuthHeader)
+ return nil
+}
+
 func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 nsxtClient, err := configureNsxtClient(d)
 if err != nil {
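Review bot: `policyRemoteAuth` is package-level mutable state, so the authentication scheme chosen by one provider configuration applies to every policy connector built in the process. It is declared in the first hunk, assigned in `configurePolicyConnectorData` (the `@@ -439,6 +440,7 @@` hunk) and read in `getPolicyConnector` (the `@@ -523,5 +539,9 @@` hunk), following the pattern of the neighbouring `policyEnforcementPoint` global. If two provider instances or aliases set different `remote_auth` values, the one configured last presumably decides for both. Both functions already receive the clients object, so the flag could travel with it: a `PolicyRemoteAuth bool` field on `nsxtClients`, set with `clients.PolicyRemoteAuth = d.Get("remote_auth").(bool)` and checked as `if c.PolicyRemoteAuth {`. The struct and both function bodies extend outside the hunks, so this needs confirming against the full file.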
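Review bot: In `Process` (the `@@ -499,6 +501,20 @@` hunk), `strings.Replace(oldAuthHeader, "Basic", "Remote", 1)` is not anchored to the scheme prefix, and the method returns nil whether or not anything was rewritten. When the Authorization header is empty or carries a different scheme, the request leaves unchanged, or with the first "Basic" substring inside a token altered, while the provider is configured as if remote auth were in effect. Checking for the `Basic ` prefix and returning an error otherwise makes that misconfiguration visible instead of silent. This assumes the processor runs after the security context has set the header, which the current code already relies on, and that the connector surfaces processor errors. A doc comment on the type saying it turns `Authorization: Basic …` into `Authorization: Remote …` for the vIDM case would also help the next reader.

```go
func (processor remoteBasicAuthHeaderProcessor) Process(req *http.Request) error {
	const basicPrefix = "Basic "
	authHeader := req.Header.Get("Authorization")
	if !strings.HasPrefix(authHeader, basicPrefix) {
		// Fail closed: remote auth was requested but there is no Basic header to convert.
		return fmt.Errorf("remote auth requires a Basic Authorization header")
	}
	req.Header.Set("Authorization", "Remote "+strings.TrimPrefix(authHeader, basicPrefix))
	return nil
}
```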
@@ -523,5 +539,9 @@ func getPolicyConnector(clients interface{}) *client.RestConnector {
 if c.PolicySecurityContext != nil {
 connector.SetSecurityContext(c.PolicySecurityContext)
 }
+ if policyRemoteAuth {
+ connector.AddRequestProcessor(newRemoteBasicAuthHeaderProcessor())
+ }
+
 return connector
 }

From f5548eb3d7f1252cd5e29fc01c69326dbccd2e27 Mon Sep 17 00:00:00 2001
From: Anna Khmelnitsky
Date: Tue, 28 Apr 2020 13:57:19 -0700
Subject: [PATCH 2/2] Verify username and pwd are set with remote auth

Provider should error out if remote auth is on, but no credentials specified.
---
 nsxt/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nsxt/provider.go b/nsxt/provider.go
index 5f9949a72..2cedf0bef 100644
--- a/nsxt/provider.go
+++ b/nsxt/provider.go
@@ -449,7 +449,7 @@ func configurePolicyConnectorData(d *schema.ResourceData, clients *nsxtClients)
 host := fmt.Sprintf("https://%s", hostIP)
 securityCtx := core.NewSecurityContextImpl()
 securityContextNeeded := true
- if len(clientAuthCertFile) > 0 {
+ if len(clientAuthCertFile) > 0 && !policyRemoteAuth {
 securityContextNeeded = false
 }
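Review bot: The condition `len(clientAuthCertFile) > 0 && !policyRemoteAuth` in the `@@ -449,7 +449,7 @@` hunk gives no hint why remote auth cancels the client-certificate shortcut, and it depends on `policyRemoteAuth` having been assigned earlier in the same function. A comment above it would record the intent, for example `// Remote auth rewrites the Basic header, so credentials are required even when a client certificate is configured.` The check that actually reports a missing username or password lies outside the hunk, so whether its message mentions `remote_auth` cannot be confirmed from here.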