ccm,ocm: eliminate legacy mode, convert to multi-credential at init

Author: nekohasekai

service/ccm/credential_builder.go

@@ -159,16 +159,18 @@ func validateCCMOptions(options option.CCMServiceOptions) error {
 func credentialForUser(
 	userConfigMap map[string]*option.CCMUser,
 	providers map[string]credentialProvider,
-	legacyProvider credentialProvider,
 	username string,
 ) (credentialProvider, error) {
-	if legacyProvider != nil {
-		return legacyProvider, nil
-	}
 	userConfig, exists := userConfigMap[username]
 	if !exists {
 		return nil, E.New("no credential mapping for user: ", username)
 	}
+	if userConfig.Credential == "" {
+		for _, provider := range providers {
+			return provider, nil
+		}
+		return nil, E.New("no credential available")
+	}
 	provider, exists := providers[userConfig.Credential]
 	if !exists {
 		return nil, E.New("unknown credential: ", userConfig.Credential)
@@ -178,15 +180,14 @@ func credentialForUser(
 
 func noUserCredentialProvider(
 	providers map[string]credentialProvider,
-	legacyProvider credentialProvider,
 	options option.CCMServiceOptions,
 ) credentialProvider {
-	if legacyProvider != nil {
-		return legacyProvider
-	}
 	if len(options.Credentials) > 0 {
 		tag := options.Credentials[0].Tag
 		return providers[tag]
 	}
+	for _, provider := range providers {
+		return provider
+	}
 	return nil
 }

service/ccm/service.go

@@ -161,11 +161,6 @@ type Service struct {
 	trackingGroup sync.WaitGroup
 	shuttingDown  bool
 
-	// Legacy mode (single credential)
-	legacyCredential *defaultCredential
-	legacyProvider   credentialProvider
-
-	// Multi-credential mode
 	providers      map[string]credentialProvider
 	allCredentials []Credential
 	userConfigMap  map[string]*option.CCMUser
@@ -220,9 +215,17 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		if err != nil {
 			return nil, err
 		}
-		service.legacyCredential = credential
-		service.legacyProvider = &singleCredentialProvider{credential: credential}
+		service.providers = map[string]credentialProvider{
+			"default": &singleCredentialProvider{credential: credential},
+		}
 		service.allCredentials = []Credential{credential}
+		if len(options.Users) > 0 {
+			userConfigMap := make(map[string]*option.CCMUser)
+			for i := range options.Users {
+				userConfigMap[options.Users[i].Name] = &options.Users[i]
+			}
+			service.userConfigMap = userConfigMap
+		}
 	}
 
 	if options.TLS != nil {

service/ccm/service_handler.go

@@ -168,14 +168,14 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if len(s.options.Users) > 0 {
 		userConfig = s.userConfigMap[username]
 		var err error
-		provider, err = credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+		provider, err = credentialForUser(s.userConfigMap, s.providers, username)
 		if err != nil {
 			s.logger.ErrorContext(ctx, "resolve credential: ", err)
 			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
 			return
 		}
 	} else {
-		provider = noUserCredentialProvider(s.providers, s.legacyProvider, s.options)
+		provider = noUserCredentialProvider(s.providers, s.options)
 	}
 	if provider == nil {
 		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")

service/ccm/service_status.go

@@ -15,42 +15,43 @@ func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if len(s.options.Users) == 0 {
-		writeJSONError(w, r, http.StatusForbidden, "authentication_error", "status endpoint requires user authentication")
-		return
-	}
-
-	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
-		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
-			"API key authentication is not supported; use Authorization: Bearer with a CCM user token")
-		return
-	}
+	var provider credentialProvider
+	var userConfig *option.CCMUser
+	if len(s.options.Users) > 0 {
+		if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+			writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+				"API key authentication is not supported; use Authorization: Bearer with a CCM user token")
+			return
+		}
 
-	authHeader := r.Header.Get("Authorization")
-	if authHeader == "" {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
-		return
-	}
-	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
-	if clientToken == authHeader {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
-		return
-	}
-	username, ok := s.userManager.Authenticate(clientToken)
-	if !ok {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
-		return
-	}
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+			return
+		}
+		clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+		if clientToken == authHeader {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+			return
+		}
+		username, ok := s.userManager.Authenticate(clientToken)
+		if !ok {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
+			return
+		}
 
-	userConfig := s.userConfigMap[username]
-	if userConfig == nil {
-		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "user config not found")
-		return
+		userConfig = s.userConfigMap[username]
+		var err error
+		provider, err = credentialForUser(s.userConfigMap, s.providers, username)
+		if err != nil {
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+			return
+		}
+	} else {
+		provider = noUserCredentialProvider(s.providers, s.options)
 	}
-
-	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
-	if err != nil {
-		writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+	if provider == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")
 		return
 	}
 
@@ -72,10 +73,10 @@ func (s *Service) computeAggregatedUtilization(provider credentialProvider, user
 		if !credential.isAvailable() {
 			continue
 		}
-		if userConfig.ExternalCredential != "" && credential.tagName() == userConfig.ExternalCredential {
+		if userConfig != nil && userConfig.ExternalCredential != "" && credential.tagName() == userConfig.ExternalCredential {
 			continue
 		}
-		if !userConfig.AllowExternalUsage && credential.isExternal() {
+		if userConfig != nil && !userConfig.AllowExternalUsage && credential.isExternal() {
 			continue
 		}
 		weight := credential.planWeight()
@@ -100,7 +101,7 @@ func (s *Service) computeAggregatedUtilization(provider credentialProvider, user
 }
 
 func (s *Service) rewriteResponseHeadersForExternalUser(headers http.Header, userConfig *option.CCMUser) {
-	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, userConfig.Name)
+	provider, err := credentialForUser(s.userConfigMap, s.providers, userConfig.Name)
 	if err != nil {
 		return
 	}

service/ocm/credential_builder.go

@@ -190,16 +190,18 @@ func validateOCMCompositeCredentialModes(
 func credentialForUser(
 	userConfigMap map[string]*option.OCMUser,
 	providers map[string]credentialProvider,
-	legacyProvider credentialProvider,
 	username string,
 ) (credentialProvider, error) {
-	if legacyProvider != nil {
-		return legacyProvider, nil
-	}
 	userConfig, exists := userConfigMap[username]
 	if !exists {
 		return nil, E.New("no credential mapping for user: ", username)
 	}
+	if userConfig.Credential == "" {
+		for _, provider := range providers {
+			return provider, nil
+		}
+		return nil, E.New("no credential available")
+	}
 	provider, exists := providers[userConfig.Credential]
 	if !exists {
 		return nil, E.New("unknown credential: ", userConfig.Credential)
@@ -209,15 +211,14 @@ func credentialForUser(
 
 func noUserCredentialProvider(
 	providers map[string]credentialProvider,
-	legacyProvider credentialProvider,
 	options option.OCMServiceOptions,
 ) credentialProvider {
-	if legacyProvider != nil {
-		return legacyProvider
-	}
 	if len(options.Credentials) > 0 {
 		tag := options.Credentials[0].Tag
 		return providers[tag]
 	}
+	for _, provider := range providers {
+		return provider
+	}
 	return nil
 }

service/ocm/service.go

@@ -176,11 +176,6 @@ type Service struct {
 	webSocketConns  map[*webSocketSession]struct{}
 	shuttingDown    bool
 
-	// Legacy mode
-	legacyCredential *defaultCredential
-	legacyProvider   credentialProvider
-
-	// Multi-credential mode
 	providers      map[string]credentialProvider
 	allCredentials []Credential
 	userConfigMap  map[string]*option.OCMUser
@@ -234,9 +229,17 @@ func NewService(ctx context.Context, logger log.ContextLogger, tag string, optio
 		if err != nil {
 			return nil, err
 		}
-		service.legacyCredential = credential
-		service.legacyProvider = &singleCredentialProvider{credential: credential}
+		service.providers = map[string]credentialProvider{
+			"default": &singleCredentialProvider{credential: credential},
+		}
 		service.allCredentials = []Credential{credential}
+		if len(options.Users) > 0 {
+			userConfigMap := make(map[string]*option.OCMUser)
+			for i := range options.Users {
+				userConfigMap[options.Users[i].Name] = &options.Users[i]
+			}
+			service.userConfigMap = userConfigMap
+		}
 	}
 
 	if options.TLS != nil {

service/ocm/service_handler.go

@@ -53,9 +53,9 @@ func extractWeeklyCycleHint(headers http.Header) *WeeklyCycleHint {
 
 func (s *Service) resolveCredentialProvider(username string) (credentialProvider, error) {
 	if len(s.options.Users) > 0 {
-		return credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+		return credentialForUser(s.userConfigMap, s.providers, username)
 	}
-	provider := noUserCredentialProvider(s.providers, s.legacyProvider, s.options)
+	provider := noUserCredentialProvider(s.providers, s.options)
 	if provider == nil {
 		return nil, E.New("no credential available")
 	}
@@ -117,14 +117,14 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if len(s.options.Users) > 0 {
 		userConfig = s.userConfigMap[username]
 		var err error
-		provider, err = credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
+		provider, err = credentialForUser(s.userConfigMap, s.providers, username)
 		if err != nil {
 			s.logger.ErrorContext(ctx, "resolve credential: ", err)
 			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
 			return
 		}
 	} else {
-		provider = noUserCredentialProvider(s.providers, s.legacyProvider, s.options)
+		provider = noUserCredentialProvider(s.providers, s.options)
 	}
 	if provider == nil {
 		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")

service/ocm/service_status.go

@@ -15,42 +15,43 @@ func (s *Service) handleStatusEndpoint(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if len(s.options.Users) == 0 {
-		writeJSONError(w, r, http.StatusForbidden, "authentication_error", "status endpoint requires user authentication")
-		return
-	}
-
-	if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
-		writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
-			"API key authentication is not supported; use Authorization: Bearer with an OCM user token")
-		return
-	}
+	var provider credentialProvider
+	var userConfig *option.OCMUser
+	if len(s.options.Users) > 0 {
+		if r.Header.Get("X-Api-Key") != "" || r.Header.Get("Api-Key") != "" {
+			writeJSONError(w, r, http.StatusBadRequest, "invalid_request_error",
+				"API key authentication is not supported; use Authorization: Bearer with an OCM user token")
+			return
+		}
 
-	authHeader := r.Header.Get("Authorization")
-	if authHeader == "" {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
-		return
-	}
-	clientToken := strings.TrimPrefix(authHeader, "Bearer ")
-	if clientToken == authHeader {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
-		return
-	}
-	username, ok := s.userManager.Authenticate(clientToken)
-	if !ok {
-		writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
-		return
-	}
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "missing api key")
+			return
+		}
+		clientToken := strings.TrimPrefix(authHeader, "Bearer ")
+		if clientToken == authHeader {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key format")
+			return
+		}
+		username, ok := s.userManager.Authenticate(clientToken)
+		if !ok {
+			writeJSONError(w, r, http.StatusUnauthorized, "authentication_error", "invalid api key")
+			return
+		}
 
-	userConfig := s.userConfigMap[username]
-	if userConfig == nil {
-		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "user config not found")
-		return
+		userConfig = s.userConfigMap[username]
+		var err error
+		provider, err = credentialForUser(s.userConfigMap, s.providers, username)
+		if err != nil {
+			writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+			return
+		}
+	} else {
+		provider = noUserCredentialProvider(s.providers, s.options)
 	}
-
-	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, username)
-	if err != nil {
-		writeJSONError(w, r, http.StatusInternalServerError, "api_error", err.Error())
+	if provider == nil {
+		writeJSONError(w, r, http.StatusInternalServerError, "api_error", "no credential available")
 		return
 	}
 
@@ -72,10 +73,10 @@ func (s *Service) computeAggregatedUtilization(provider credentialProvider, user
 		if !credential.isAvailable() {
 			continue
 		}
-		if userConfig.ExternalCredential != "" && credential.tagName() == userConfig.ExternalCredential {
+		if userConfig != nil && userConfig.ExternalCredential != "" && credential.tagName() == userConfig.ExternalCredential {
 			continue
 		}
-		if !userConfig.AllowExternalUsage && credential.isExternal() {
+		if userConfig != nil && !userConfig.AllowExternalUsage && credential.isExternal() {
 			continue
 		}
 		weight := credential.planWeight()
@@ -100,7 +101,7 @@ func (s *Service) computeAggregatedUtilization(provider credentialProvider, user
 }
 
 func (s *Service) rewriteResponseHeadersForExternalUser(headers http.Header, userConfig *option.OCMUser) {
-	provider, err := credentialForUser(s.userConfigMap, s.providers, s.legacyProvider, userConfig.Name)
+	provider, err := credentialForUser(s.userConfigMap, s.providers, userConfig.Name)
 	if err != nil {
 		return
 	}