feat(account): support API token operations (#363)

Co-authored-by: riku salkia <riku.salkia@upcloud.com>
Co-authored-by: Ville Skyttä <ville.skytta@upcloud.com>

Author: 3 people

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for Valkey properties
 - Add termination_protection to upctl database show output
 - Experimental support for token authentication by defining token in `UPCLOUD_TOKEN` environment variable.
+- Experimental support for managing tokens with `account token` commands.
 
 ### Changed
 

internal/commands/account/token/create.go

@@ -0,0 +1,125 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/output"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/ui"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/spf13/pflag"
+)
+
+// CreateCommand creates the "token create" command
+func CreateCommand() commands.Command {
+	return &createCommand{
+		BaseCommand: commands.New(
+			"create",
+			"Create an API token",
+			`upctl account token create --name test --expires-in 1h`,
+			`upctl account token create --name test --expires-in 1h --allow-ip-range "0.0.0.0/0" --allow-ip-range "::/0"`,
+		),
+	}
+}
+
+var defaultCreateParams = &createParams{
+	CreateTokenRequest: request.CreateTokenRequest{},
+	name:               "",
+	expiresIn:          0,
+	allowedIPRanges:    []string{}, // TODO: should we default to empty or "0.0.0.0/0", "::/0"?
+	canCreateTokens:    false,
+}
+
+func newCreateParams() createParams {
+	return createParams{
+		CreateTokenRequest: request.CreateTokenRequest{},
+	}
+}
+
+type createParams struct {
+	request.CreateTokenRequest
+	name            string
+	expiresIn       time.Duration
+	expiresAt       string
+	canCreateTokens bool
+	allowedIPRanges []string
+}
+
+func (s *createParams) processParams() error {
+	if s.expiresIn == 0 && s.expiresAt == "" {
+		return fmt.Errorf("either expires-in or expires-at must be set")
+	}
+	if s.expiresAt != "" {
+		var err error
+		s.ExpiresAt, err = time.Parse(time.RFC3339, s.expiresAt)
+		if err != nil {
+			return fmt.Errorf("invalid expires-at: %w", err)
+		}
+	} else {
+		s.ExpiresAt = time.Now().Add(s.expiresIn)
+	}
+	s.Name = s.name
+	s.CanCreateSubTokens = s.canCreateTokens
+	s.AllowedIPRanges = s.allowedIPRanges
+	return nil
+}
+
+type createCommand struct {
+	*commands.BaseCommand
+	params  createParams
+	flagSet *pflag.FlagSet
+}
+
+func applyCreateFlags(fs *pflag.FlagSet, dst, def *createParams) {
+	fs.StringVar(&dst.name, "name", def.name, "Name for the token.")
+	fs.StringVar(&dst.expiresAt, "expires-at", def.expiresAt, "Exact time when the token expires in RFC3339 format. e.g. 2025-01-01T00:00:00Z")
+	fs.DurationVar(&dst.expiresIn, "expires-in", def.expiresIn, "Duration until the token expires. e.g. 24h")
+	fs.BoolVar(&dst.canCreateTokens, "can-create-tokens", def.canCreateTokens, "Allow token to be used to create further tokens.")
+	fs.StringArrayVar(&dst.allowedIPRanges, "allow-ip-range", def.allowedIPRanges, "Allowed IP ranges for the token. If not defined, the token can not be used from any IP. To allow access from all IPs, use `0.0.0.0/0` as the value.")
+
+	commands.Must(fs.SetAnnotation("name", commands.FlagAnnotationNoFileCompletions, nil))
+	commands.Must(fs.SetAnnotation("expires-at", commands.FlagAnnotationNoFileCompletions, nil))
+	commands.Must(fs.SetAnnotation("expires-in", commands.FlagAnnotationNoFileCompletions, nil))
+	commands.Must(fs.SetAnnotation("allow-ip-range", commands.FlagAnnotationNoFileCompletions, nil))
+}
+
+// InitCommand implements Command.InitCommand
+func (s *createCommand) InitCommand() {
+	s.flagSet = &pflag.FlagSet{}
+	s.params = newCreateParams()
+	applyCreateFlags(s.flagSet, &s.params, defaultCreateParams)
+
+	s.AddFlags(s.flagSet)
+	commands.Must(s.Cobra().MarkFlagRequired("name"))
+}
+
+// ExecuteWithoutArguments implements commands.NoArgumentCommand
+func (s *createCommand) ExecuteWithoutArguments(exec commands.Executor) (output.Output, error) {
+	svc := exec.Token()
+
+	if err := s.params.processParams(); err != nil {
+		return nil, err
+	}
+
+	msg := fmt.Sprintf("Creating token %s", s.params.Name)
+	exec.PushProgressStarted(msg)
+
+	res, err := svc.CreateToken(exec.Context(), &s.params.CreateTokenRequest)
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	exec.PushProgressSuccess(msg)
+
+	return output.MarshaledWithHumanDetails{Value: res, Details: []output.DetailRow{
+		{Title: "API Token", Value: res.APIToken, Colour: ui.DefaultNoteColours},
+		{Title: "Name", Value: res.Name},
+		{Title: "ID", Value: res.ID, Colour: ui.DefaultUUUIDColours},
+		{Title: "Type", Value: res.Type},
+		{Title: "Created At", Value: res.CreatedAt.Format(time.RFC3339)},
+		{Title: "Expires At", Value: res.ExpiresAt.Format(time.RFC3339)},
+		{Title: "Allowed IP Ranges", Value: res.AllowedIPRanges},
+		{Title: "Can Create Sub Tokens", Value: res.CanCreateSubTokens},
+	}}, nil
+}

internal/commands/account/token/create_test.go

@@ -0,0 +1,115 @@
+package token
+
+import (
+	"testing"
+	"time"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/config"
+	smock "github.com/UpCloudLtd/upcloud-cli/v3/internal/mock"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/mockexecute"
+
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+)
+
+func TestCreateToken(t *testing.T) {
+	created := time.Now()
+
+	for _, test := range []struct {
+		name  string
+		resp  *upcloud.Token
+		args  []string
+		req   request.CreateTokenRequest
+		errFn assert.ErrorAssertionFunc
+	}{
+		{
+			name: "defaults",
+			args: []string{
+				"--name", "test",
+				"--expires-in", "1h",
+			},
+			req: request.CreateTokenRequest{
+				Name:               "test",
+				ExpiresAt:          created.Add(1 * time.Hour),
+				CanCreateSubTokens: false,
+				AllowedIPRanges:    nil,
+			},
+			resp: &upcloud.Token{
+				APIToken:           "ucat_01JH5D3ZZJVZS6JC713FA11CB8",
+				ID:                 "0cd8eab4-ecb7-445b-a457-6019b0a00496",
+				Name:               "test",
+				Type:               "workspace",
+				CreatedAt:          created,
+				ExpiresAt:          created.Add(1 * time.Hour),
+				LastUsed:           nil,
+				CanCreateSubTokens: false,
+				AllowedIPRanges:    []string{"0.0.0.0/0", "::/0"},
+			},
+			errFn: assert.NoError,
+		},
+		{
+			name: "missing name",
+			args: []string{
+				"--expires-in", "1h",
+			},
+			errFn: func(t assert.TestingT, err error, _ ...interface{}) bool {
+				return assert.ErrorContains(t, err, `required flag(s) "name" not set`)
+			},
+		},
+		{
+			name: "invalid expires-in",
+			args: []string{
+				"--name", "test",
+				"--expires-in", "seppo",
+			},
+			errFn: func(t assert.TestingT, err error, _ ...interface{}) bool {
+				return assert.ErrorContains(t, err, `invalid argument "seppo" for "--expires-in"`)
+			},
+		},
+		{
+			name: "invalid expires-at",
+			args: []string{
+				"--name", "test",
+				"--expires-at", "seppo",
+			},
+			errFn: func(t assert.TestingT, err error, _ ...interface{}) bool {
+				return assert.ErrorContains(t, err, `invalid expires-at: `)
+			},
+		},
+		{
+			name: "missing expiry",
+			args: []string{
+				"--name", "test",
+			},
+			errFn: func(t assert.TestingT, err error, _ ...interface{}) bool {
+				return assert.ErrorContains(t, err, `either expires-in or expires-at must be set`)
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			conf := config.New()
+			testCmd := CreateCommand()
+			mService := new(smock.Service)
+
+			if test.resp != nil {
+				mService.On("CreateToken", mock.MatchedBy(func(req *request.CreateTokenRequest) bool {
+					// service uses time.Now() with "expires-in" added to it to set ExpiresAt, so we can't set a mock to any
+					// static value. Instead, we'll just check that the request has the correct name and that the ExpiresAt
+					// is within 1 second of "now".
+					return assert.Equal(t, test.req.Name, req.Name) && assert.InDelta(t, test.req.ExpiresAt.UnixMilli(), req.ExpiresAt.UnixMilli(), 1000)
+				})).Once().Return(test.resp, nil)
+			}
+
+			c := commands.BuildCommand(testCmd, nil, conf)
+			c.Cobra().SetArgs(test.args)
+			_, err := mockexecute.MockExecute(c, mService, conf)
+
+			if test.errFn(t, err) {
+				mService.AssertExpectations(t)
+			}
+		})
+	}
+}

internal/commands/account/token/delete.go

@@ -0,0 +1,47 @@
+package token
+
+import (
+	"fmt"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/completion"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/resolver"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/output"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+)
+
+// DeleteCommand creates the "token delete" command
+func DeleteCommand() commands.Command {
+	return &deleteCommand{
+		BaseCommand: commands.New(
+			"delete",
+			"Delete an API token",
+			"upctl account token delete 0c0e2abf-cd89-490b-abdb-d06db6e8d816",
+		),
+	}
+}
+
+type deleteCommand struct {
+	*commands.BaseCommand
+	resolver.CachingToken
+	completion.Token
+}
+
+// Execute implements commands.MultipleArgumentCommand
+func (c *deleteCommand) Execute(exec commands.Executor, arg string) (output.Output, error) {
+	svc := exec.Token()
+	msg := fmt.Sprintf("Deleting API token %v", arg)
+	exec.PushProgressStarted(msg)
+
+	err := svc.DeleteToken(exec.Context(), &request.DeleteTokenRequest{
+		ID: arg,
+	})
+	if err != nil {
+		return commands.HandleError(exec, msg, err)
+	}
+
+	exec.PushProgressSuccess(msg)
+
+	return output.None{}, nil
+}

internal/commands/account/token/delete_test.go

@@ -0,0 +1,26 @@
+package token
+
+import (
+	"testing"
+
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/config"
+	smock "github.com/UpCloudLtd/upcloud-cli/v3/internal/mock"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+	"github.com/gemalto/flume"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDeleteCommand(t *testing.T) {
+	svc := &smock.Service{}
+	conf := config.New()
+	dr := &request.DeleteTokenRequest{ID: "0cdabbf9-090b-4fc5-a6ae-3f76801ed171"}
+
+	svc.On("DeleteToken", dr).Once().Return(nil)
+
+	command := commands.BuildCommand(DeleteCommand(), nil, conf)
+	_, err := command.(commands.MultipleArgumentCommand).Execute(commands.NewExecutor(conf, svc, flume.New("test")), dr.ID)
+	assert.NoError(t, err)
+
+	svc.AssertExpectations(t)
+}

internal/commands/account/token/list.go

@@ -0,0 +1,63 @@
+package token
+
+import (
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/commands"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/output"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/paging"
+	"github.com/UpCloudLtd/upcloud-cli/v3/internal/ui"
+	"github.com/UpCloudLtd/upcloud-go-api/v8/upcloud/request"
+
+	"github.com/spf13/pflag"
+)
+
+// ListCommand creates the 'token list' command
+func ListCommand() commands.Command {
+	return &listCommand{
+		BaseCommand: commands.New("list", "List API tokens", "upctl account token list"),
+	}
+}
+
+func (l *listCommand) InitCommand() {
+	fs := &pflag.FlagSet{}
+	l.ConfigureFlags(fs)
+	l.AddFlags(fs)
+}
+
+type listCommand struct {
+	*commands.BaseCommand
+	paging.PageParameters
+}
+
+func (l *listCommand) ExecuteWithoutArguments(exec commands.Executor) (output.Output, error) {
+	svc := exec.All()
+	tokens, err := svc.GetTokens(exec.Context(), &request.GetTokensRequest{
+		Page: l.Page(),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var rows []output.TableRow
+	for _, token := range *tokens {
+		rows = append(rows, output.TableRow{
+			token.Name,
+			token.ID,
+			token.Type,
+			token.LastUsed,
+			token.ExpiresAt,
+		})
+	}
+	return output.MarshaledWithHumanOutput{
+		Value: tokens,
+		Output: output.Table{
+			Columns: []output.TableColumn{
+				{Key: "id", Header: "UUID", Colour: ui.DefaultUUUIDColours},
+				{Key: "name", Header: "Name"},
+				{Key: "type", Header: "Type"},
+				{Key: "last_used", Header: "Last Used"},
+				{Key: "expires_at", Header: "Expires At"},
+			},
+			Rows: rows,
+		},
+	}, nil
+}