fix(middleware): added client credential login to middleware

[alesstimec]

Description

Enables client credential login to http endpoints we proxy.

Engineering checklist

• Documentation updated
• Covered by unit tests
• Covered by integration tests

Test instructions

1. apply the plan below
2. change resource revision to 2 and reapply the plan

terraform {
	required_providers {
		juju = {
			source  = "juju/juju"
			version = "1.2.0"
		}
	}
	required_version = ">= 1.5.0"
}


provider "juju" {
	client_id     = "test-client-id"
	client_secret = "2M2blFbO4GX4zfggQpivQSxwWX1XGgNf"
	controller_addresses = "jimm.localhost:443"
}

# Pull existing cloud credential for LXD from local Juju file store
resource "juju_credential" "lxd" {
	name   = "lxd-credential"

    cloud {
      name = "lxd"
    }

	auth_type = "certificate"

	attributes = {
		client-cert = <<-EOT
<REDACTED>
		EOT
		client-key  = <<-EOK
<REDACTED>
		EOK
		server-cert = <<-EOS
<REDACTED>
		EOS
	}
}


resource "juju_model" "test-model" {
	name        = "test-model"

	credential = juju_credential.lxd.name

    cloud {
      name = "lxd"
    }
}

resource "juju_application" "test" {
	name 	 = "test-app"
	model_uuid = juju_model.test-model.uuid

	charm {
		name = "juju-qa-test"
		revision = 26
		channel = "latest/stable"
	}

	resources = {
		"foo-file" = "1"
	}
}

[SimoneDutto]

rip: JIMMAuthner

[luci1900]

That's nice.

[ale8k]

I'd prefer an explicit method for client creds, I wouldn't consider them basic auth as that implies it is a person. It also doesn't read well as the method is called AuthenticateWithSessionTokenViaBasicAuth, so oyou could call it AuthenticateWithSessionTokenViaBasicAuthOrClientCredentials or just make a new method.

[kian99]

Agreed with Alex that we are overloading things here. It would make more sense to parse the Authorization header. If it's basic auth, i.e. Basic <base64value> we treat it as a client-id/secret, and if it's Bearer <token> we treat it as a session token. The auth schemes are covered here. Unfortunately we can't change the handling for tokens since that would break backwards compatibility.

We could change the format for the ClientCredentials login provider since only JIMM parses it and clearly that doesn't work yet. I.e. on the Juju client side use a different scheme rather than Basic. There aren't any good schemes that cover this though. And it also takes me back to the idea that JIMM "technically" shouldn't receive a client-id/secret, the client should exchange those with the identity server for a token, then it's always bearer auth.

A long term option would be to change the Juju client's SessionTokenLoginProvider to send a Bearer <token> header and support both for a time. A bunch of effort for not much gain though.

In the end, what you've done is fine. To avoid the try option 1 then try option 2, you could choose to check if username != "" and do the client-credentials login else do SessionToken login but that's a nit imo.

[kian99]

I'd expand the docstring to explain why we have to try one option then another.