
access: prevent login with username-password when command-line credentials given #174


Open · wants to merge 1 commit into base: main

Conversation

@shwstppr (Contributor) commented Aug 7, 2025

Fixes #168

Prevents falling back to username-password login when credentials are passed as command-line arguments and authentication fails.

⇒  bin/cmk -d -s anc -k bnm listzones id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64                   
[debug] UpdateConfig key:apikey value:bnm update:false
[debug] UpdateConfig key:secretkey value:anc update:false
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
[debug] cmdline args:bin/cmk, -d, -s, anc, -k, bnm, listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] ExecCmd args: listzones, id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=bnm&command=listZones&expires=2025-08-13T10%3A24%3A03Z&id=b37b6f25-3c68-4fd1-8945-ed1852ca7e64&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Credentials supplied on command-line, not falling back to login
[debug] NewAPIRequest response body:{"listzonesresponse":{"uuidList":[],"errorcode":401,"errortext":"unable to verify user credentials and/or request signature"}}
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

When using cmk shell, fallback will work as before,

⇒  make run
▶  Running gofmt…
▶  Building executable… ec3d185
▶  Done!
./bin/cmk
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(lab) 🐱 > set apikey abc
(lab) 🐱 > set secretkey xyz
(lab) 🐱 > set debug true
[debug] UpdateConfig key:debug value:true update:true
[debug] Trying to read API cache from:/home/shwstppr/.cmk/profiles/lab.cache
(lab) 🐱 > listZones
[debug] ExecLine line:listZones
[debug] ExecCmd args: listZones
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&signatureversion=3
[debug] NewAPIRequest response status code:401
[debug] Login POST URL:http://10.1.34.104:8080/client/apimap[command:[login] domain:[] password:[password] response:[json] username:[admin]]
[debug] Login POST response status code:200
[debug] Login response body:{"loginresponse":{"username":"admin","userid":"74d47f65-775b-11f0-8165-1e00b8000b26","domainid":"23aedd87-775b-11f0-8165-1e00b8000b26","timeout":1800,"account":"admin","firstname":"admin","lastname":"cloud","type":"1","timezone":"UTC","timezoneoffset":"0.0","registered":"false","sessionkey":"rEAzq-E0b2YkARTO423lX0rxH2k","is2faenabled":"false","is2faverified":"true","issuerfor2fa":"CloudStack"}}
[debug] Login sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k
[debug] Checking if 2FA is enabled and verified for the user map[account:admin domainid:23aedd87-775b-11f0-8165-1e00b8000b26 firstname:admin is2faenabled:false is2faverified:true issuerfor2fa:CloudStack lastname:cloud registered:false sessionkey:rEAzq-E0b2YkARTO423lX0rxH2k timeout:1800 timezone:UTC timezoneoffset:0.0 type:1 userid:74d47f65-775b-11f0-8165-1e00b8000b26 username:admin]
[debug] 2FA is not enabled for the user, skipping 2FA validation
[debug] NewAPIRequest API request URL:http://10.1.34.104:8080/client/api?apiKey=abc&command=listZones&expires=2025-08-13T10%3A25%3A21Z&response=json&sessionkey=rEAzq-E0b2YkARTO423lX0rxH2k&signature=fFYoHcaaDtrv93FPX7hjiRwia4E%3D&signatureversion=3
[debug] NewAPIRequest response body:{"listzonesresponse":{"count":1,"zone":[{"id":"b37b6f25-3c68-4fd1-8945-ed1852ca7e64","name":"ref-trl-5997-k-Mr9-abhishek-kumar","dns1":"10.1.32.1","dns2":"8.8.8.8","internaldns1":"10.1.32.1","internaldns2":"8.8.4.4","guestcidraddress":"10.1.1.0/24","networktype":"Advanced","securitygroupsenabled":false,"allocationstate":"Enabled","zonetoken":"c759dd00-13f1-3a2d-897f-c2f917a23e39","dhcpprovider":"VirtualRouter","localstorageenabled":false,"tags":[],"allowuserspecifyvrmtu":false,"routerprivateinterfacemaxmtu":1500,"routerpublicinterfacemaxmtu":1500,"type":"Core","isnsxenabled":false,"ismultiarch":false,"asnrange":"","routedmodeenabled":true,"hasannotations":false}]}}
{
  "count": 1,
  "zone": [
    {
      "allocationstate": "Enabled",
      "allowuserspecifyvrmtu": false,
      "asnrange": "",
      "dhcpprovider": "VirtualRouter",
      "dns1": "10.1.32.1",
      "dns2": "8.8.8.8",
      "guestcidraddress": "10.1.1.0/24",
      "hasannotations": false,
      "id": "b37b6f25-3c68-4fd1-8945-ed1852ca7e64",
      "internaldns1": "10.1.32.1",
      "internaldns2": "8.8.4.4",
      "ismultiarch": false,
      "isnsxenabled": false,
      "localstorageenabled": false,
      "name": "ref-trl-5997-k-Mr9-abhishek-kumar",
      "networktype": "Advanced",
      "routedmodeenabled": true,
      "routerprivateinterfacemaxmtu": 1500,
      "routerpublicinterfacemaxmtu": 1500,
      "securitygroupsenabled": false,
      "tags": [],
      "type": "Core",
      "zonetoken": "c759dd00-13f1-3a2d-897f-c2f917a23e39"
    }
  ]
}

@weizhouapache (Member) commented:
@shwstppr
if in .cmk/config the apikey and secretkey are wrong but the username and password are correct, will it work?

@shwstppr (Contributor, Author) commented Aug 7, 2025

@weizhouapache no. I think that is the issue @ingox was mentioning.
Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/password, which could be problematic for the use case Ingo was referring to.

@weizhouapache (Member) commented:

> @weizhouapache no. I think that is the issue @ingox was mentioning.

Yes, it is the issue that @ingox reported. It seems like @DaanHoogland and @ingox have agreed it is a bash issue.

> Currently, you can set username/password for the admin and apikey/secretkey for any user. If the API call fails with keys, it logs in with username/password, which could be problematic for the use case Ingo was referring to.

My understanding is a bit different.
If users use -s or -k or "set apikey" or "set secretkey", do not load any profiles from the config file, or clear the existing profile.
Otherwise, load the profile from the config file; if the apikey/secretkey in the config file are wrong, then use username and password instead.

@shwstppr (Contributor, Author) commented Aug 8, 2025

Thanks @weizhouapache. I don't have a strong opinion either way, so I'm happy to close this if we agree it should work as it is.

@shwstppr shwstppr closed this Aug 8, 2025
@shwstppr shwstppr reopened this Aug 8, 2025

github-actions bot commented Aug 8, 2025

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

@rohityadavcloud rohityadavcloud added this to the 6.5.0 milestone Aug 11, 2025
@DaanHoogland DaanHoogland reopened this Aug 12, 2025
@DaanHoogland (Contributor) commented Aug 12, 2025

@shwstppr works kind of like expected. I have one functional concern though:

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey 
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set apikey plplpl
(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > set secretkey plplpl
(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature
(randy) 🐱 > set secretkey
(randy) 🐱 > sync
Discovered 877 APIs

as you can see above, setting only a “wrong” APIkey does not stop me from logging in. Is that what we want? I think this does not address all of @ingox's concern. In this way we can still fool ourselves.

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k plpl
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <good key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -p randy -k <good key> -s <bad key>
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs

when not using a profile as the basis it works as expected btw:

~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <good key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
Discovered 877 APIs
(randy) 🐱 > exit
~/Downloads/cmk-binaries.pr174/cmk.darwin.arm64 -k <good key> -s <bad key> -u http://10.0.34.242:8080/client/api
Apache CloudStack 🐵 CloudMonkey 6.4.0
Report issues: https://github.com/apache/cloudstack-cloudmonkey/issues

(randy) 🐱 > sync
🙈 Error: (HTTP 401, error code <nil>) unable to verify user credentials and/or request signature

What do you think about my comment here? In short, I would expect any configured credentials to be ignored once the CLI contains any credentials.
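
The three credential-resolution behaviours argued over in this thread, written up as an added model for this page (example code, not CloudMonkey's own source): the pre-PR "always fall back to username/password" behaviour, this PR's "no fallback when any credential came from the command line", and weizhou's proposal that any command-line credential means the profile is not loaded at all. Assumed for the model: the policy names, the constructed server data (one key pair owned by an ordinary user, one username/password for admin), and that a lone apikey without a secretkey never reaches key authentication because requests are signed with the secret key, which is what makes a "wrong" apikey on its own unable to block the login Daan observed.

```go
package main

import (
	"errors"
	"fmt"
)

// Credentials is what cmk can take from a ~/.cmk/config profile or from command-line flags; "" means not set.
type Credentials struct {
	APIKey, SecretKey  string
	Username, Password string
}

// HasKeys is true only for a complete key pair: requests are signed with the
// secret key, so a lone apikey never reaches key authentication (model assumption).
func (c Credentials) HasKeys() bool { return c.APIKey != "" && c.SecretKey != "" }

func (c Credentials) HasLogin() bool { return c.Username != "" && c.Password != "" }

// Any reports whether at least one credential field was supplied.
func (c Credentials) Any() bool { return c != (Credentials{}) }

// Policy enumerates the three behaviours discussed in the thread.
type Policy int

const (
	AlwaysFallback     Policy = iota // before this PR: a 401 on keys is retried as a username/password login
	NoFallbackIfCLI                  // this PR: no retry when any credential came from the command line
	CLIReplacesProfile               // weizhou's proposal: any command-line credential means the profile is not loaded
)

// Constructed stand-in for the CloudStack API: one key pair owned by an ordinary user, one login for admin.
var (
	errUnauthorized = errors.New("HTTP 401: unable to verify user credentials and/or request signature")
	secretFor       = map[string]string{"userkey": "usersecret"} // apikey -> secretkey
	accountFor      = map[string]string{"userkey": "user"}       // apikey -> account name
	passwordFor     = map[string]string{"admin": "password"}     // username -> password
)

// signedRequest models an API call signed with the key pair.
func signedRequest(c Credentials) (string, error) {
	if sk, ok := secretFor[c.APIKey]; ok && sk == c.SecretKey {
		return accountFor[c.APIKey], nil
	}
	return "", errUnauthorized
}

// login models the command=login POST with username/password.
func login(c Credentials) (string, error) {
	if pw, ok := passwordFor[c.Username]; ok && pw == c.Password {
		return c.Username, nil
	}
	return "", errUnauthorized
}

// pick prefers the command-line value for a single field, as `set apikey` or -k does.
func pick(profileValue, cliValue string) string {
	if cliValue != "" {
		return cliValue
	}
	return profileValue
}

// effective merges profile and command-line credentials. Under the first two policies a flag
// overrides only its own field; under CLIReplacesProfile the profile is dropped once any flag is set.
func effective(policy Policy, profile, cli Credentials) Credentials {
	if policy == CLIReplacesProfile && cli.Any() {
		return cli
	}
	return Credentials{
		APIKey:    pick(profile.APIKey, cli.APIKey),
		SecretKey: pick(profile.SecretKey, cli.SecretKey),
		Username:  pick(profile.Username, cli.Username),
		Password:  pick(profile.Password, cli.Password),
	}
}

// Run makes one API call the way the thread describes cmk doing it and returns the account it ran as.
func Run(policy Policy, profile, cli Credentials) (string, error) {
	creds := effective(policy, profile, cli)
	if creds.HasKeys() {
		account, err := signedRequest(creds)
		if err == nil {
			return account, nil
		}
		if policy == NoFallbackIfCLI && cli.Any() {
			return "", err // "[debug] Credentials supplied on command-line, not falling back to login"
		}
	}
	if creds.HasLogin() {
		return login(creds)
	}
	return "", errUnauthorized
}

func main() {
	profile := Credentials{Username: "admin", Password: "password"} // login-only profile, as in Ingo's test
	account, err := Run(NoFallbackIfCLI, profile, Credentials{APIKey: "wrong", SecretKey: "wrong"})
	fmt.Printf("account=%q err=%v\n", account, err)
}
```

The model only covers the non-interactive path (`cmk -k ... -s ... command`); `set apikey` inside the shell is modelled as editing the profile, which is why a wrong apikey with no secretkey still ends up as an admin login under every policy except CLIReplacesProfile, where the dropped profile leaves nothing to fall back to.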

@shwstppr (Contributor, Author) commented:

@DaanHoogland I think this needs a bit more discussion. I agree that if valid credentials are available, any invalid ones should be ignored. However, the use case @ingox raised is also valid.

One option is to add a config flag—say, allowfallback—to toggle this behaviour. Alternatively, to keep cmk simple, we could avoid a new setting and address Ingo’s scenario with a few preparatory steps before setting keys (e.g., clear stale credentials, explicitly select the target profile, and validate with a quick API call).
cmk set profile user
cmk set username <USER_ACCOUNT_NAME>
cmk -s -k

I'm converting this to draft for now

@shwstppr shwstppr marked this pull request as draft August 12, 2025 10:00
@DaanHoogland (Contributor) commented:

@ingox can you read #174 (comment) and #174 (comment) and give your opinion, please?

@shwstppr shwstppr force-pushed the fix-wrongkeys-access branch from a6b815c to ec3d185 Compare August 13, 2025 10:06
@shwstppr shwstppr changed the title access: prevent login with username-password when using wrong keys access: prevent login with username-password when command-line credentials given Aug 13, 2025
@shwstppr (Contributor, Author) commented:

@ingox @DaanHoogland @weizhouapache can you please check now

(PR description updated)

@shwstppr shwstppr marked this pull request as ready for review August 13, 2025 10:14
@DaanHoogland (Contributor) commented:

✅ Build complete for PR #174.

🔗 Download the cmk binaries (expires on August 23, 2025)

@ingox can you download these files and do a test with the version for your platform, please?

@DaanHoogland (Contributor) left a review comment:

clgtm

@ingox commented Aug 14, 2025

Hello all,
here are my test results using CloudMonkey 6.4.0 (build: ec3d185, 2025-08-13T10:07:02+0000)
./cmk.linux.x86-64 -k right -s right #once logged in: list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong #once logged in: list users --> I'm admin
./cmk.linux.x86-64 -k right -s right list users --> I'm a user
./cmk.linux.x86-64 -k wrong -s wrong list users --> Error: (HTTP 401, error code ) unable to verify user credentials and/or request signature

So there is a different behavior between passing the command directly and logging into cmk and running the command from there.

Successfully merging this pull request may close these issues: Credential fall back