make the Gateway Service domain name configurable

qrkourier · qrkourier · commit 1683c3b18905 · 2022-07-27T10:58:08.000-04:00
diff --git a/netfoundry/ctl.py b/netfoundry/ctl.py
@@ -94,6 +94,7 @@ def __call__(self, parser, namespace, values, option_string=None):
 @cli.argument('-Y', '--yes', action='store_true', arg_only=True, help='answer yes to potentially-destructive operations')
 @cli.argument('-W', '--wait', help='seconds to wait for long-running processes to finish', default=900)
 @cli.argument('--proxy', help=argparse.SUPPRESS)
+@cli.argument('--gateway', default="gateway", help=argparse.SUPPRESS)
 @cli.entrypoint('configure the CLI to manage a network')
 def main(cli):
     """Configure the CLI to manage a network."""
@@ -1153,7 +1154,7 @@ def use_organization(cli, spinner: object = None, prompt: bool = True):
                 expiry_minimum=0,
                 proxy=cli.config.general.proxy,
                 logger=cli.log,
-                gateway="gatewayv2",
+                gateway=cli.config.general.gateway,
             )
     except NFAPINoCredentials:
         if prompt:
@@ -1178,7 +1179,7 @@ def use_organization(cli, spinner: object = None, prompt: bool = True):
                         expiry_minimum=0,
                         proxy=cli.config.general.proxy,
                         logger=cli.log,
-                        gateway="gatewayv2",
+                        gateway=cli.config.general.gateway,
                     )
             except PyJWTError:
                 spinner.fail("Not a valid token")
diff --git a/netfoundry/organization.py b/netfoundry/organization.py
@@ -46,7 +46,6 @@ def __init__(self,
                  proxy: str = None,
                  gateway: str = "gateway"):
         """Initialize an instance of organization."""
-        self.gateway = gateway
         # set debug and file if specified and let the calling application dictate logging handlers
         self.log_file = log_file
         self.debug = debug
@@ -81,6 +80,9 @@ def __init__(self,
             else:
                 self.verify = False
 
+        self.gateway = gateway
+        self.logger.debug(f"got 'gateway' param {self.gateway}")
+
         epoch = round(time.time())
         self.expiry_seconds = 0  # initialize a placeholder for remaining seconds until expiry
         client_id = None
@@ -258,6 +260,8 @@ def __init__(self,
             if not re.search(self.environment, self.audience):
                 self.logger.error(f"mismatched audience URL '{self.audience}' and environment '{self.environment}'")
                 exit(1)
+            else:
+                self.logger.debug(f"found audience already computed '{self.audience}' and matching environment '{self.environment}'")
 
         # the purpose of this try-except block is to soft-fail all attempts
         # to parse the JWT, which is intended for the API, not this
@@ -290,12 +294,15 @@ def __init__(self,
                 self.logger.debug(f"using environment parsed from authenticationUrl: {self.environment}")
             # re: scope: we're not using scopes with Cognito, but a non-empty value is required;
             #  hence "/ignore-scope"
-            scope = f"https://{self.gateway}.{self.environment}.netfoundry.io//ignore-scope"
-            self.logger.debug(f"computed scope URL from gateway and environment: {scope}")
+            scope = f"https://gateway.{self.environment}.netfoundry.io//ignore-scope"
+            self.logger.debug(f"computed scope URL from 'gateway' and environment: {scope}")
             # we can gather the URL of the API from the first part of the scope string by
             #  dropping the scope suffix
             self.audience = scope.replace(r'/ignore-scope', '')
-            self.logger.debug(f"using audience parsed from authenticationUrl: {self.audience}")
+            self.logger.debug(f"computed audience from authenticationUrl sans the trailing '/ignore-scope': {self.audience}")
+            audience_parts = self.audience.split('.')
+            self.audience = '.'.join([f"https://{self.gateway}"]+audience_parts[1:])
+            self.logger.debug(f"computed audience with substituted param 'gateway': {self.audience}")
             assertion = {
                 "scope": scope,
                 "grant_type": "client_credentials"
diff --git a/netfoundry/utility.py b/netfoundry/utility.py
@@ -185,7 +185,7 @@ def jwt_environment(setup: object):
 
     else:
         if re.match(r'https://cognito-', iss):
-            environment = re.sub(f'https://{setup.gateway}\.([^.]+)\.netfoundry\.io.*', r'\1', claim['scope'])
+            environment = re.sub(r'https://gateway\.([^.]+)\.netfoundry\.io.*', r'\1', claim['scope'])
             setup.logger.debug(f"matched Cognito issuer URL convention, found environment '{environment}'")
         elif re.match(r'.*\.auth0\.com', iss):
             environment = re.sub(r'https://netfoundry-([^.]+)\.auth0\.com.*', r'\1', claim['iss'])
@@ -319,6 +319,8 @@ def create_generic_resource(setup: object, url: str, body: dict, headers: dict =
         proxies=setup.proxies,
         verify=setup.verify,
     )
+    if response.status_code in range(400, 600):
+        setup.logger.debug(response.request)
     response.raise_for_status()
     resource = response.json()
 
