Add ability to authorize using a Service Account

.changes/v2.20.0/562-improvements.md

@@ -0,0 +1,2 @@
+* Add `SetServiceAccountApiToken` method of `*VCDClient` that allows 
+  authenticating using a service account token file and handles the refresh token rotation [GH-562]

README.md

@@ -114,7 +114,7 @@ func main() {
 
 ## Authentication
 
-You can authenticate to the vCD in four ways:
+You can authenticate to the vCD in five ways:
 
 * With a System Administration user and password (`administrator@system`)
 * With an Organization user and password (`tenant-admin@org-name`)
@@ -133,6 +133,11 @@ For the above two methods, you use:
 The file `scripts/get_token.sh` provides a handy method of extracting the token
 (`x-vcloud-authorization` value) for future use.
 
+* With a service account token (the file needs to have `r+w` rights)
+```go
+	err := vcdClient.SetServiceAccountApiToken(Org, "tokenfile.json")
+```
+
 * SAML user and password (works with ADFS as IdP using WS-TRUST endpoint
   "/adfs/services/trust/13/usernamemixed"). One must pass `govcd.WithSamlAdfs(true,customAdfsRptId)`
   and username must be formatted so that ADFS understands it ('user@contoso.com' or

govcd/api_token.go

@@ -11,6 +11,8 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/vmware/go-vcloud-director/v2/types/v56"
@@ -31,6 +33,51 @@ func (vcdClient *VCDClient) SetApiToken(org, apiToken string) (*types.ApiTokenRe
 	return tokenRefresh, nil
 }
 
+// SetServiceAccountApiToken reads the current Service Account API token,
+// sets the client's bearer token and fetches a new API token for next
+// authentication request using SetApiToken and overwrites the old file.
+func (vcdClient *VCDClient) SetServiceAccountApiToken(org, apiTokenFile string) error {
+	if vcdClient.Client.APIVCDMaxVersionIs("< 37.0") {
+		version, err := vcdClient.Client.GetVcdFullVersion()
+		if err == nil {
+			return fmt.Errorf("minimum version for Service Account authentication is 10.4 - Version detected: %s", version.Version)
+		}
+		// If we can't get the VCD version, we return API version info
+		return fmt.Errorf("minimum API version for Service Account authentication is 37.0 - Version detected: %s", vcdClient.Client.APIVersion)
+	}
+
+	apiTokenFile = filepath.Clean(apiTokenFile)
+	data, err := os.ReadFile(apiTokenFile)
+	if err != nil {
+		return fmt.Errorf("failed to read tokenfile: %s", err)
+	}
+
+	saApiToken := &types.ApiTokenRefresh{}
+	err = json.Unmarshal(data, &saApiToken)
+	if err != nil {
+		return fmt.Errorf("failed to unmarshal tokenfile, check if your JSON file is valid: %s", err)
+	}
+
+	saApiToken, err = vcdClient.SetApiToken(org, saApiToken.RefreshToken)
+	if err != nil {
+		return err
+	}
+
+	data, err = json.Marshal(&types.ApiTokenRefresh{
+		RefreshToken: saApiToken.RefreshToken,
+	})
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(apiTokenFile, data, 0600)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // GetBearerTokenFromApiToken uses an API token to retrieve a bearer token
 // using the refresh token operation.
 func (vcdClient *VCDClient) GetBearerTokenFromApiToken(org, token string) (*types.ApiTokenRefresh, error) {

types/v56/types.go

@@ -3257,10 +3257,10 @@ type UpdateVdcStorageProfiles struct {
 
 // ApiTokenRefresh contains the access token resulting from a refresh_token operation
 type ApiTokenRefresh struct {
-	AccessToken  string      `json:"access_token"`
-	TokenType    string      `json:"token_type"`
-	ExpiresIn    int         `json:"expires_in"`
-	RefreshToken interface{} `json:"refresh_token"`
+	AccessToken  string `json:"access_token,omitempty"`
+	TokenType    string `json:"token_type,omitempty"`
+	ExpiresIn    int    `json:"expires_in,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
 }
 
 /**/