[CLI-2360] Revoking Auth0 refresh token on cloud logout

[kevin-wu24]

Release Notes

Bug Fixes

• confluent logout revokes the refresh token when logging out of Confluent Cloud

Checklist

1. [CRUCIAL] Is the change for features that are already live in prod?
   • yes: ok

What

Running confluent logout for cloud users now makes a request to DELETE /api/sessions.

References

https://confluentinc.atlassian.net/browse/CLI-2360
confluentinc/ccloud-sdk-go-v1-public#24

Test & Review

Unit and integration tests still pass
Request returns a reply with code 200 OK.

[brianstrauch]

Why can't we just use the default c.Client in login/command.go?

[kevin-wu24]

I mentioned this in slack, but that was the reason I was getting Error 401. I was using the AnonHTTPClientFactory before, which I assume is what you mean by default client. However, the backend handler expects to have a userId in the header, so using the JwtHTTPClient worked.

[brianstrauch]

Hmm, seems like this is due to confluent logout being an unauthenticated command. Maybe we should switch it to an authenticated command (we should be able to assume that the user is logged in before using it)

[MuweiHe]

where else is this var being used?

[kevin-wu24]

In a logout unit test.

[MuweiHe]

Suggested change

	context = "Confluent Cloud"
	context = "Confluent Cloud"
	AuthenticatedCLICommand: pcmd.NewAuthenticatedCLICommand(cmd, prerunner),

move it down for readibility

[kevin-wu24]

If we're not logged in, we still want to have this struct field set. I originally had the code this way, but it resulted in a panic rather than an error when the user was not logged in.

[MuweiHe]

Have you manually tested, that IsSSO field in get ccloud credentials is always correct?

[kevin-wu24]

Have you manually tested, that IsSSO field in get ccloud credentials is always correct?

yup! It's the same code that used to exist in login/command.go, but I just moved it to pkg since it is shared.

EDIT: did some refactoring and it turns out we don't even need to call the getCCloudCredentials function, since logout an authenticated command now.

[brianstrauch]

Suggested change

	logoutCmd, cfg1 := newLogoutCmd(auth, userInterface, s.isCloud, req, mockNetrcHandler, AuthTokenHandler, mockLoginCredentialsManager, LoginOrganizationManager, ctx.Name)
	logoutCmd, cfg := newLogoutCmd(auth, userInterface, s.isCloud, req, mockNetrcHandler, AuthTokenHandler, mockLoginCredentialsManager, LoginOrganizationManager, ctx.Name)

[kevin-wu24]

This needs to be changed so that the newLogoutCmd doesn't generate a new config, but use the same config as above.

[brianstrauch]

Package names should always be lowercase.

Suggested change

	mdsClient.TokensAndAuthenticationApi = &mdsMock.TokensAndAuthenticationApi{
	mdsClient.TokensAndAuthenticationApi = &mdsmock.TokensAndAuthenticationApi{

[brianstrauch]

This is a crazy number of arguments. Do we really need all of them?

[kevin-wu24]

Yeah I forgot to remove some of these, as they aren't used anymore.

[brianstrauch]

Suggested change

	GetTokenFunc: func(ctx context.Context) (mdsv1.AuthenticationResponse, *http.Response, error) {
	GetTokenFunc: func(_ context.Context) (mdsv1.AuthenticationResponse, *http.Response, error) {

[brianstrauch]

Suggested change

	return mdsv1.AuthenticationResponse{
	AuthToken: testToken1,
	TokenType: "JWT",
	ExpiresIn: 100,
	}, nil, nil
	res := mdsv1.AuthenticationResponse{
	AuthToken: testToken1,
	TokenType: "JWT",
	ExpiresIn: 100,
	}
	return res, nil, nil

[brianstrauch]

Does this function need to be inside AuthTokenHandlerImpl? (I don't see a being used anywhere here) It looks like you're introducing a dependency for no reason.

[brianstrauch]

Seems like this should only run when isCloud is true?

[kevin-wu24]

It looks like the NewPreRunnerMock function that takes in this variable runs whether or not isCloud is true.

[brianstrauch]

Sounds like we should change that too?

[brianstrauch]

Suggested change

	return &ccloudv1.Client{Params: &ccloudv1.Params{HttpClient: new(http.Client)}, Auth: auth, User: userInterface}
	return &ccloudv1.Client{
	Params: &ccloudv1.Params{HttpClient: new(http.Client)},
	Auth: auth,
	User: userInterface,
	}

[brianstrauch]

Do you know why we need to do this? It looks wrong- can it be shortened?

[kevin-wu24]

Yeah we can just pass ctx into the function.

[brianstrauch]

Can we get the URL from the configuration instead? This seems hacky

[brianstrauch]

This looks like duplicate code. Can we de-duplicate?

[kevin-wu24]

Is there a place in the code base where shared unit test helpers already exist? Looks like the ccloudClientFactory and mdsClient are used in both the login and logout unit tests.

[brianstrauch]

Not yet, but since these tests span two packages, I'd expect it to go somewhere in pkg/

[kevin-wu24]

I tried putting this in existing packages that made sense in pkg/ (auth and mock) but both result in circular imports, so I had to create a new directory unfortunately.

[brianstrauch]

Suggested change

	testhelp "github.com/confluentinc/cli/v3/pkg/test-helpers"
	testhelpers "github.com/confluentinc/cli/v3/pkg/test-helpers"

[brianstrauch]

Suggested change

	return mdsv1.AuthenticationResponse{
	AuthToken: token,
	TokenType: "JWT",
	ExpiresIn: 100,
	}, nil, nil
	res := mdsv1.AuthenticationResponse{
	AuthToken: token,
	TokenType: "JWT",
	ExpiresIn: 100,
	}
	return res, nil, nil

[brianstrauch]

Suggested change

	var mdsClient *mdsv1.APIClient
	mdsConfig := mdsv1.NewConfiguration()
	mdsClient = mdsv1.NewAPIClient(mdsConfig)
	mdsConfig := mdsv1.NewConfiguration()
	mdsClient := mdsv1.NewAPIClient(mdsConfig)

[brianstrauch]

test_helpers is a really generic name and has the potential to get really big the more things we move into here. Why not put this in pkg/mock?

[kevin-wu24]

I get a circular import unfortunately.

[brianstrauch]

try to fix it another way?

[kevin-wu24]

I can move it to mock, just not pkg/mock.

[brianstrauch]

Likewise, this looks like it should only be declared inside the if

[brianstrauch]

Suggested change

	logoutCmd := logout.New(cfg, prerunner, netrcHandler, authTokenHandler)
	return logoutCmd
	return logout.New(cfg, prerunner, netrcHandler, authTokenHandler)

[brianstrauch]

Suggested change

	if isCCloud := ccloudv2.IsCCloudURL(ctx.Platform.Server, c.cfg.IsTest); isCCloud {
	if ccloudv2.IsCCloudURL(ctx.Platform.Server, c.cfg.IsTest) {

[brianstrauch]

This comment seems wrong

[brianstrauch]

Are there any other errors that could surface and cause a breaking change? We may want to re-evaluate this approach. If not, let's keep as is, but definitely write a comment here explaining why (and open a ticket to remove this hack in v4)

[kevin-wu24]

I tried some other scenarios and it looks like other errors can surface. If the login token expires, logout throws an expired token error, and if you try logging out again after that you get the not logged in error again (which is because although our current context exists, but we're no longer considered logged into it). These errors result from the fact that we're trying to have logout work exactly the same as before when the user is not logged in, despite it now being an authenticatedCLICommand.

I think we should probably just wait until v4 to add this since it doesn't look like all the possible breaking changes from errors can be avoided without putting several of these hacky exceptions for the logout command in the prerunner.

[brianstrauch]

I think we should probably just wait until v4 to add this since it doesn't look like all the possible breaking changes from errors can be avoided without putting several of these hacky exceptions for the logout command in the prerunner.

Labeling as v4!

[kevin-wu24]

Going to revert the last two commits since we want the breaking changes to be visible.