fix(cli): revert addition of support for credentials check, #1783 (#1784)

Author: pranav-new-relic

internal/changeTracking/command_create_test.go

@@ -3,9 +3,8 @@ package changeTracking
 import (
 	"testing"
 
-	"github.com/stretchr/testify/assert"
-
 	"github.com/newrelic/newrelic-cli/internal/testcobra"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestChangeTrackingCommand(t *testing.T) {

internal/install/command.go

@@ -15,7 +15,6 @@ import (
 	configAPI "github.com/newrelic/newrelic-cli/internal/config/api"
 	"github.com/newrelic/newrelic-cli/internal/install/types"
 	"github.com/newrelic/newrelic-cli/internal/utils"
-	"github.com/newrelic/newrelic-client-go/v2/pkg/apiaccess"
 	nrErrors "github.com/newrelic/newrelic-client-go/v2/pkg/errors"
 	nrRegion "github.com/newrelic/newrelic-client-go/v2/pkg/region"
 )
@@ -212,10 +211,10 @@ func checkNetwork() error {
 }
 
 // Attempt to fetch and set a license key through 3 methods:
-// 1. NEW_RELIC_LICENSE_KEY environment variable (validates it belongs to the account),
-// 2. Active profile config.LicenseKey (validates it belongs to the account),
-// 3. API call (fetches a valid key for the account),
-// returns an error if all methods fail or if a provided key doesn't match the account.
+// 1. NEW_RELIC_LICENSE_KEY environment variable,
+// 2. Active profile config.LicenseKey,
+// 3. API call,
+// returns an error if all methods fail.
 func fetchLicenseKey() *types.DetailError {
 	var licenseKey string
 
@@ -229,43 +228,27 @@ func fetchLicenseKey() *types.DetailError {
 		log.Debug("using license key: ", utils.Obfuscate(licenseKey))
 	}
 
-	// Validate profile early since we'll need it for validation
-	detailErr := validateProfile()
-	if detailErr != nil {
-		return detailErr
-	}
-
-	accountID := configAPI.GetActiveProfileAccountID()
-
-	// Try environment variable first
 	licenseKey = fetchLicenseKeyFromEnvironment()
 
 	if licenseKey != "" {
-		log.Debug("validating that license key from environment belongs to account: ", accountID)
-		// Validate that the environment license key belongs to the configured account
-		if detailErr := validateLicenseKeyForAccount(licenseKey, accountID); detailErr != nil {
-			return detailErr
-		}
-		log.Debug("license key from environment validated: belongs to account ", accountID)
 		setLicenseKey(licenseKey)
 		return nil
 	}
 
-	// Try profile configuration
 	licenseKey = fetchLicenseKeyFromProfile()
 
 	if licenseKey != "" {
-		log.Debug("validating that license key from profile belongs to account: ", accountID)
-		// Validate that the profile license key belongs to the configured account
-		if detailErr := validateLicenseKeyForAccount(licenseKey, accountID); detailErr != nil {
-			return detailErr
-		}
-		log.Debug("license key from profile validated: belongs to account ", accountID)
 		setLicenseKey(licenseKey)
 		return nil
 	}
 
-	// Fetch licenseKey via API - this is already validated by definition since it comes from the account
+	// fetch licenseKey via API
+	detailErr := validateProfile()
+	if detailErr != nil {
+		log.Fatal(detailErr)
+	}
+
+	accountID := configAPI.GetActiveProfileAccountID()
 	maxTimeoutSeconds := config.DefaultMaxTimeoutSeconds
 
 	licenseKey, err := client.FetchLicenseKey(accountID, config.FlagProfileName, &maxTimeoutSeconds)
@@ -314,43 +297,3 @@ func fetchLicenseKeyFromProfile() string {
 
 	return ""
 }
-
-// validateLicenseKeyForAccount verifies that a license key belongs to the specified account
-// to prevent installation validation failures where data is sent to one account but validated against another.
-func validateLicenseKeyForAccount(licenseKey string, accountID int) *types.DetailError {
-	if client.NRClient == nil {
-		return nil
-	}
-
-	// Search for all ingest keys (including license keys) associated with the account
-	params := apiaccess.APIAccessKeySearchQuery{
-		Scope: apiaccess.APIAccessKeySearchScope{
-			AccountIDs: []int{accountID},
-		},
-		Types: []apiaccess.APIAccessKeyType{
-			apiaccess.APIAccessKeyTypeTypes.INGEST,
-		},
-	}
-
-	keys, err := client.NRClient.APIAccess.SearchAPIAccessKeysWithContext(utils.SignalCtx, params)
-
-	if err != nil {
-		// If we can't verify, log a warning but don't fail the installation
-		log.Warnf("unable to verify credential account match: %s", err)
-		return nil
-	}
-
-	// Check if the license key belongs to this account
-	for _, k := range keys {
-		if k.Key == licenseKey {
-			return nil
-		}
-	}
-
-	// License key does not belong to this account
-	log.Error("credential mismatch detected: license key does not belong to the configured account")
-	return types.NewDetailError(
-		types.EventTypes.CredentialAccountMismatch,
-		fmt.Sprintf(types.ErrCredentialMismatch, utils.Obfuscate(licenseKey), accountID),
-	)
-}

internal/install/command_test.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/newrelic/newrelic-cli/internal/install/types"
 	"github.com/newrelic/newrelic-cli/internal/testcobra"
-	"github.com/newrelic/newrelic-cli/internal/utils"
 )
 
 func TestInstallCommand(t *testing.T) {
@@ -72,86 +71,22 @@ func TestValidateProfile(t *testing.T) {
 }
 
 func TestFetchLicenseKey(t *testing.T) {
+	okCase := func() *types.DetailError { return nil }()
 	// TODO: Error case
+
 	// TODO: From API (mock?)
+
 	// TODO: From profile
 
-	// Save original environment to restore later
-	origAccountID := os.Getenv("NEW_RELIC_ACCOUNT_ID")
-	origAPIKey := os.Getenv("NEW_RELIC_API_KEY")
-	origRegion := os.Getenv("NEW_RELIC_REGION")
-	origLicenseKey := os.Getenv("NEW_RELIC_LICENSE_KEY")
-
-	// Restore environment after test
-	defer func() {
-		os.Setenv("NEW_RELIC_ACCOUNT_ID", origAccountID)
-		os.Setenv("NEW_RELIC_API_KEY", origAPIKey)
-		os.Setenv("NEW_RELIC_REGION", origRegion)
-		os.Setenv("NEW_RELIC_LICENSE_KEY", origLicenseKey)
-	}()
-
-	// ==================================================================================
-	// TEST 1: License key matches account - NEW validation accepts it
-	// ==================================================================================
-	t.Run("LicenseKeyProvided_MatchingAccount", func(t *testing.T) {
-		if origAccountID == "" || origAPIKey == "" || origRegion == "" || origLicenseKey == "" {
-			t.Skip("Skipping: requires NEW_RELIC_ACCOUNT_ID, NEW_RELIC_API_KEY, NEW_RELIC_REGION, NEW_RELIC_LICENSE_KEY")
-		}
-
-		os.Setenv("NEW_RELIC_ACCOUNT_ID", origAccountID)
-		os.Setenv("NEW_RELIC_API_KEY", origAPIKey)
-		os.Setenv("NEW_RELIC_REGION", origRegion)
-		os.Setenv("NEW_RELIC_LICENSE_KEY", origLicenseKey)
-
-		err := fetchLicenseKey()
-
-		assert.Nil(t, err, "License key belonging to account should be accepted. Account: %s, Key: %s",
-			origAccountID, utils.Obfuscate(origLicenseKey))
-		assert.Equal(t, origLicenseKey, os.Getenv("NEW_RELIC_LICENSE_KEY"))
-	})
-
-	// ==================================================================================
-	// TEST 2: License key doesn't match account - NEW validation rejects it
-	// ==================================================================================
-	t.Run("LicenseKeyProvided_NonMatchingAccount", func(t *testing.T) {
-		if origAccountID == "" || origAPIKey == "" || origRegion == "" || origLicenseKey == "" {
-			t.Skip("Skipping: requires NEW_RELIC_ACCOUNT_ID, NEW_RELIC_API_KEY, NEW_RELIC_REGION, NEW_RELIC_LICENSE_KEY")
-		}
-
-		wrongAccountID := "9999999"
-		os.Setenv("NEW_RELIC_ACCOUNT_ID", wrongAccountID)
-		os.Setenv("NEW_RELIC_API_KEY", origAPIKey)
-		os.Setenv("NEW_RELIC_REGION", origRegion)
-		os.Setenv("NEW_RELIC_LICENSE_KEY", origLicenseKey)
-
-		err := fetchLicenseKey()
-
-		assert.NotNil(t, err, "License key not belonging to account should be rejected")
-		assert.Equal(t, types.EventTypes.CredentialAccountMismatch, err.EventName,
-			"Expected CredentialAccountMismatch. Account: %s, Key: %s", wrongAccountID, utils.Obfuscate(origLicenseKey))
-		assert.Contains(t, err.Error(), "credential mismatch detected")
-		assert.Contains(t, err.Error(), wrongAccountID)
-	})
-
-	// ==================================================================================
-	// TEST 3: No license key provided - API fetch should succeed
-	// ==================================================================================
-	t.Run("NoLicenseKeyProvided_FetchesFromAPI", func(t *testing.T) {
-		if origAccountID == "" || origAPIKey == "" || origRegion == "" {
-			t.Skip("Skipping: requires NEW_RELIC_ACCOUNT_ID, NEW_RELIC_API_KEY, NEW_RELIC_REGION")
-		}
-
-		os.Setenv("NEW_RELIC_ACCOUNT_ID", origAccountID)
-		os.Setenv("NEW_RELIC_API_KEY", origAPIKey)
-		os.Setenv("NEW_RELIC_REGION", origRegion)
-		os.Unsetenv("NEW_RELIC_LICENSE_KEY")
-
-		err := fetchLicenseKey()
-
-		assert.Nil(t, err, "API fetch should succeed. Account: %s, API Key: %s",
-			origAccountID, utils.Obfuscate(origAPIKey))
-		assert.NotEmpty(t, os.Getenv("NEW_RELIC_LICENSE_KEY"), "License key should be fetched and set")
-	})
+	// From environment variable
+	expect := "0123456789abcdefABCDEF0123456789abcdNRAL"
+	os.Setenv("NEW_RELIC_LICENSE_KEY", expect)
+
+	err := fetchLicenseKey()
+	assert.Equal(t, okCase, err)
+
+	actual := os.Getenv("NEW_RELIC_LICENSE_KEY")
+	assert.Equal(t, expect, actual)
 }
 
 func initSegmentMockServer() *httptest.Server {

internal/install/types/errors.go

@@ -17,7 +17,6 @@ var (
 	ErrPostEvent              = errors.New("there was a failure posting data to New Relic. Please try again later or contact New Relic support. For real-time platform status info visit https://status.newrelic.com/")
 	ErrLicenseKey             = errors.New("the configured license key is invalid for the configured account. Please set a valid license key with the `newrelic profile` command. For more details visit https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#ingest-license-key")
 	ErrAgentControl           = errors.New("agent control is installed, preventing the installation of this recipe")
-	ErrCredentialMismatch     = "credential mismatch detected: the license key %s does not belong to the configured account %d. This will cause installation validation to fail because data will be sent to one account but validated against another. Please ensure your API key, account ID, and license key are all from the same New Relic account. For more details about API keys visit https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/"
 )
 
 type EventType string
@@ -41,7 +40,6 @@ var EventTypes = struct {
 	UnableToLocatePostedData   EventType
 	InvalidUserAPIKeyFormat    EventType
 	InvalidRegion              EventType
-	CredentialAccountMismatch  EventType
 }{
 	InstallStarted:             "InstallStarted",
 	AccountIDMissing:           "AccountIDMissing",
@@ -61,7 +59,6 @@ var EventTypes = struct {
 	OtherError:                 "OtherError",
 	InvalidUserAPIKeyFormat:    "InvalidUserAPIKeyFormat",
 	InvalidRegion:              "InvalidRegion",
-	CredentialAccountMismatch:  "CredentialAccountMismatch",
 }
 
 func TryParseEventType(e string) (EventType, bool) {
@@ -96,8 +93,6 @@ func TryParseEventType(e string) (EventType, bool) {
 		return EventTypes.InvalidUserAPIKeyFormat, true
 	case "InvalidRegion":
 		return EventTypes.InvalidRegion, true
-	case "CredentialAccountMismatch":
-		return EventTypes.CredentialAccountMismatch, true
 	}
 
 	return "", false