From cf3f3c1fd621f7a23387318abaed628659c0243c Mon Sep 17 00:00:00 2001
From: Michael Quigley <michael@quigley.com>
Date: Wed, 26 Feb 2025 13:06:05 -0500
Subject: [PATCH] env_core.Environment.Token ->
 env_core.Environment.AccountToken (#820); new 'zrok rebase' tree with 'zrok
 rebase apiEndpoint' and 'zrok rebase accountToken' (#897)

---
 CHANGELOG.md                                 |  2 +-
 cmd/zrok/accessPrivate.go                    |  2 +-
 cmd/zrok/disable.go                          |  2 +-
 cmd/zrok/enable.go                           |  2 +-
 cmd/zrok/main.go                             |  6 ++
 cmd/zrok/modifyShare.go                      |  2 +-
 cmd/zrok/orgAdminList.go                     |  2 +-
 cmd/zrok/orgAdminOverview.go                 |  2 +-
 cmd/zrok/orgMemberships.go                   |  2 +-
 cmd/zrok/rebaseAccountToken.go               | 66 ++++++++++++++++++++
 cmd/zrok/{rebase.go => rebaseApiEndpoint.go} | 14 ++---
 cmd/zrok/release.go                          |  2 +-
 cmd/zrok/shareReserved.go                    |  2 +-
 cmd/zrok/status.go                           |  6 +-
 environment/env_core/model.go                |  2 +-
 environment/env_v0_3/root.go                 | 14 ++---
 environment/env_v0_4/root.go                 | 14 ++---
 sdk/golang/sdk/access.go                     |  4 +-
 sdk/golang/sdk/overview.go                   |  2 +-
 sdk/golang/sdk/share.go                      |  4 +-
 20 files changed, 112 insertions(+), 40 deletions(-)
 create mode 100644 cmd/zrok/rebaseAccountToken.go
 rename cmd/zrok/{rebase.go => rebaseApiEndpoint.go} (79%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5fc990f9..db821582 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,7 @@ FEATURE: `zrok share [public|private|reserved]` and `zrok access private` now au
 
 FEATURE: `zrok access private` supports a new `--auto` mode, which can automatically find an available open address/port to bind the frontend listener on. Also includes `--auto-address`, `--auto-start-port`, and `--auto-end-port` features with sensible defaults. Supported by both the agent and local operating modes (https://github.com/openziti/zrok/issues/780)
 
-FEATURE: `zrok rebase` command allows "rebasing" an enabled environment onto a different API endpoint. This is useful for migrating already-enabled environments between endpoints supporting different zrok versions (https://github.com/openziti/zrok/issues/869)
+FEATURE: `zrok rebase` commands (`zrok rebase apiEndpoint` and `zrok rebase accountToken`) allows "rebasing" an enabled environment onto a different API endpoint or a different account token. This is useful for migrating already-enabled environments between endpoints supporting different zrok versions, and is also useful when regenerating an account token (https://github.com/openziti/zrok/issues/869, https://github.com/openziti/zrok/issues/897)
 
 FEATURE: `zrok test canary` CLI tree replaces the old `zrok test loop` tree; new `zrok test canary public-proxy` and `zrok test canary private-proxy` provide modernized, updated versions of what the `zrok test loop` commands used to do. This new approach will serve as the foundation for all future zrok testing infrastructure (https://github.com/openziti/zrok/issues/771)
 
diff --git a/cmd/zrok/accessPrivate.go b/cmd/zrok/accessPrivate.go
index 249e0918..c06e2a2f 100644
--- a/cmd/zrok/accessPrivate.go
+++ b/cmd/zrok/accessPrivate.go
@@ -116,7 +116,7 @@ func (cmd *accessPrivateCommand) accessLocal(args []string, root env_core.Root)
 		cmd.error(err)
 	}
 
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 	req := share.NewAccessParams()
 	req.Body.ShareToken = shrToken
 	req.Body.EnvZID = root.Environment().ZitiIdentity
diff --git a/cmd/zrok/disable.go b/cmd/zrok/disable.go
index 8ffb4273..6a5a6115 100644
--- a/cmd/zrok/disable.go
+++ b/cmd/zrok/disable.go
@@ -49,7 +49,7 @@ func (cmd *disableCommand) run(_ *cobra.Command, _ []string) {
 		}
 		panic(err)
 	}
-	auth := httpTransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
+	auth := httpTransport.APIKeyAuth("X-TOKEN", "header", env.Environment().AccountToken)
 	req := restEnvironment.NewDisableParams()
 	req.Body.Identity = env.Environment().ZitiIdentity
 
diff --git a/cmd/zrok/enable.go b/cmd/zrok/enable.go
index 0a2a4942..3a0de186 100644
--- a/cmd/zrok/enable.go
+++ b/cmd/zrok/enable.go
@@ -120,7 +120,7 @@ func (cmd *enableCommand) run(_ *cobra.Command, args []string) {
 		prg.Send("writing the environment details...")
 	}
 	apiEndpoint, _ := env.ApiEndpoint()
-	if err := env.SetEnvironment(&env_core.Environment{Token: token, ZitiIdentity: resp.Payload.Identity, ApiEndpoint: apiEndpoint}); err != nil {
+	if err := env.SetEnvironment(&env_core.Environment{AccountToken: token, ZitiIdentity: resp.Payload.Identity, ApiEndpoint: apiEndpoint}); err != nil {
 		if !cmd.headless && prg != nil {
 			prg.Send(fmt.Sprintf("there was an error saving the new environment: %v", err))
 			prg.Quit()
diff --git a/cmd/zrok/main.go b/cmd/zrok/main.go
index 32a46f42..8c45a3bc 100644
--- a/cmd/zrok/main.go
+++ b/cmd/zrok/main.go
@@ -33,6 +33,7 @@ func init() {
 	rootCmd.AddCommand(modifyCmd)
 	organizationCmd.AddCommand(organizationAdminCmd)
 	rootCmd.AddCommand(organizationCmd)
+	rootCmd.AddCommand(rebaseCmd)
 	rootCmd.AddCommand(shareCmd)
 	rootCmd.AddCommand(testCmd)
 	testCmd.AddCommand(testCanaryCmd)
@@ -126,6 +127,11 @@ var organizationCmd = &cobra.Command{
 	Short:   "Organization commands",
 }
 
+var rebaseCmd = &cobra.Command{
+	Use:   "rebase",
+	Short: "Rebase enabled zrok environment",
+}
+
 var shareCmd = &cobra.Command{
 	Use:   "share",
 	Short: "Create backend access for shares",
diff --git a/cmd/zrok/modifyShare.go b/cmd/zrok/modifyShare.go
index db62d219..a2f80f8f 100644
--- a/cmd/zrok/modifyShare.go
+++ b/cmd/zrok/modifyShare.go
@@ -54,7 +54,7 @@ func (cmd *modifyShareCommand) run(_ *cobra.Command, args []string) {
 		}
 		panic(err)
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	if len(cmd.addAccessGrants) > 0 || len(cmd.removeAccessGrants) > 0 {
 		req := share.NewUpdateShareParams()
diff --git a/cmd/zrok/orgAdminList.go b/cmd/zrok/orgAdminList.go
index 543fbbbd..459d3162 100644
--- a/cmd/zrok/orgAdminList.go
+++ b/cmd/zrok/orgAdminList.go
@@ -50,7 +50,7 @@ func (c *orgAdminListCommand) run(_ *cobra.Command, args []string) {
 		}
 		panic(err)
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	req := metadata.NewListOrgMembersParams()
 	req.OrganizationToken = args[0]
diff --git a/cmd/zrok/orgAdminOverview.go b/cmd/zrok/orgAdminOverview.go
index a082b622..d26f155d 100644
--- a/cmd/zrok/orgAdminOverview.go
+++ b/cmd/zrok/orgAdminOverview.go
@@ -51,7 +51,7 @@ func (cmd *orgAdminOverviewCommand) run(_ *cobra.Command, args []string) {
 		}
 		panic(err)
 	}
-	req.Header.Add("X-TOKEN", root.Environment().Token)
+	req.Header.Add("X-TOKEN", root.Environment().AccountToken)
 	resp, err := client.Do(req)
 	if err != nil {
 		if !panicInstead {
diff --git a/cmd/zrok/orgMemberships.go b/cmd/zrok/orgMemberships.go
index bd1be377..8dd04128 100644
--- a/cmd/zrok/orgMemberships.go
+++ b/cmd/zrok/orgMemberships.go
@@ -49,7 +49,7 @@ func (c *orgMembershipsCommand) run(_ *cobra.Command, _ []string) {
 		}
 		panic(err)
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	in, err := zrok.Metadata.ListMemberships(nil, auth)
 	if err != nil {
diff --git a/cmd/zrok/rebaseAccountToken.go b/cmd/zrok/rebaseAccountToken.go
new file mode 100644
index 00000000..e7b4d61b
--- /dev/null
+++ b/cmd/zrok/rebaseAccountToken.go
@@ -0,0 +1,66 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"github.com/openziti/zrok/environment"
+	"github.com/openziti/zrok/tui"
+	"github.com/spf13/cobra"
+	"os"
+)
+
+func init() {
+	rebaseCmd.AddCommand(newRebaseAccountTokenCommand().cmd)
+}
+
+type rebaseAccountTokenCommand struct {
+	cmd *cobra.Command
+}
+
+func newRebaseAccountTokenCommand() *rebaseAccountTokenCommand {
+	cmd := &cobra.Command{
+		Use:   "accountToken <accountToken>",
+		Short: "Rebase an enabled environment onto a different account token",
+		Args:  cobra.ExactArgs(1),
+	}
+	command := &rebaseAccountTokenCommand{cmd: cmd}
+	cmd.Run = command.run
+	return command
+}
+
+func (cmd *rebaseAccountTokenCommand) run(_ *cobra.Command, args []string) {
+	root, err := environment.LoadRoot()
+	if err != nil {
+		tui.Error("error loading root", err)
+	}
+
+	if !root.IsEnabled() {
+		tui.Error("environment not enabled; 'zrok enable' your environment instead", nil)
+	}
+
+	env := root.Environment()
+	if args[0] != env.AccountToken {
+		fmt.Printf("this action will rebase your enabled environment to use the account token '%v'\n", args[0])
+		fmt.Println()
+		fmt.Println("you should only proceed if you understand why you're doing this!")
+		fmt.Println()
+		fmt.Print("to proceed, type 'yes': ")
+		scanner := bufio.NewScanner(os.Stdin)
+		if scanner.Scan() {
+			text := scanner.Text()
+			if text != "yes" {
+				tui.Error("rebase aborted!", nil)
+			}
+		}
+		fmt.Println()
+
+		env.AccountToken = args[0]
+		if err := root.SetEnvironment(env); err != nil {
+			tui.Error("error rebasing environment", err)
+		}
+
+		fmt.Printf("environment rebased to account token '%v'\n", env.AccountToken)
+	} else {
+		fmt.Printf("environment already configured to use the account token '%v'\n", env.AccountToken)
+	}
+}
diff --git a/cmd/zrok/rebase.go b/cmd/zrok/rebaseApiEndpoint.go
similarity index 79%
rename from cmd/zrok/rebase.go
rename to cmd/zrok/rebaseApiEndpoint.go
index 7d21843b..ebfa8876 100644
--- a/cmd/zrok/rebase.go
+++ b/cmd/zrok/rebaseApiEndpoint.go
@@ -10,25 +10,25 @@ import (
 )
 
 func init() {
-	rootCmd.AddCommand(newRebaseCommand().cmd)
+	rebaseCmd.AddCommand(newRebaseApiEndpointCommand().cmd)
 }
 
-type rebaseCommand struct {
+type rebaseApiEndpointCommand struct {
 	cmd *cobra.Command
 }
 
-func newRebaseCommand() *rebaseCommand {
+func newRebaseApiEndpointCommand() *rebaseApiEndpointCommand {
 	cmd := &cobra.Command{
-		Use:   "rebase <apiEndpoint>",
+		Use:   "apiEndpoint <apiEndpoint>",
 		Short: "Rebase an enabled environment onto a different API endpoint URL",
 		Args:  cobra.ExactArgs(1),
 	}
-	command := &rebaseCommand{cmd: cmd}
+	command := &rebaseApiEndpointCommand{cmd: cmd}
 	cmd.Run = command.run
 	return command
 }
 
-func (cmd *rebaseCommand) run(_ *cobra.Command, args []string) {
+func (cmd *rebaseApiEndpointCommand) run(_ *cobra.Command, args []string) {
 	root, err := environment.LoadRoot()
 	if err != nil {
 		tui.Error("error loading root", err)
@@ -40,7 +40,7 @@ func (cmd *rebaseCommand) run(_ *cobra.Command, args []string) {
 
 	currentEndpoint, _ := root.ApiEndpoint()
 	if args[0] != currentEndpoint {
-		fmt.Printf("this action will rebase your enabled environment to use the zrok API at: %v\n", currentEndpoint)
+		fmt.Printf("this action will rebase your enabled environment to use the zrok API at: %v\n", args[0])
 		fmt.Println()
 		fmt.Println("you should only proceed if you understand why you're doing this!")
 		fmt.Println()
diff --git a/cmd/zrok/release.go b/cmd/zrok/release.go
index 238ec468..a96c89ba 100644
--- a/cmd/zrok/release.go
+++ b/cmd/zrok/release.go
@@ -50,7 +50,7 @@ func (cmd *releaseCommand) run(_ *cobra.Command, args []string) {
 		panic(err)
 	}
 
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", env.Environment().AccountToken)
 	req := share.NewUnshareParams()
 	req.Body.EnvZID = env.Environment().ZitiIdentity
 	req.Body.ShareToken = shrToken
diff --git a/cmd/zrok/shareReserved.go b/cmd/zrok/shareReserved.go
index b02641cd..92c8bfae 100644
--- a/cmd/zrok/shareReserved.go
+++ b/cmd/zrok/shareReserved.go
@@ -105,7 +105,7 @@ func (cmd *shareReservedCommand) shareLocal(args []string, root env_core.Root) {
 	if err != nil {
 		cmd.error("unable to create zrok client", err)
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 	req := metadata.NewGetShareDetailParams()
 	req.ShareToken = shrToken
 	resp, err := zrok.Metadata.GetShareDetail(req, auth)
diff --git a/cmd/zrok/status.go b/cmd/zrok/status.go
index 304b7dca..8fbea225 100644
--- a/cmd/zrok/status.go
+++ b/cmd/zrok/status.go
@@ -67,14 +67,14 @@ func (cmd *statusCommand) run(_ *cobra.Command, _ []string) {
 		t.SetStyle(table.StyleColoredDark)
 		t.AppendHeader(table.Row{"Property", "Value"})
 		if cmd.secrets {
-			t.AppendRow(table.Row{"Secret Token", env.Environment().Token})
+			t.AppendRow(table.Row{"Account Token", env.Environment().AccountToken})
 			t.AppendRow(table.Row{"Ziti Identity", env.Environment().ZitiIdentity})
 		} else {
 			secretToken := "<<SET>>"
-			if env.Environment().Token == "" {
+			if env.Environment().AccountToken == "" {
 				secretToken = "<<UNSET>>"
 			}
-			t.AppendRow(table.Row{"Secret Token", secretToken})
+			t.AppendRow(table.Row{"Account Token", secretToken})
 
 			zId := "<<SET>>"
 			if env.Environment().ZitiIdentity == "" {
diff --git a/environment/env_core/model.go b/environment/env_core/model.go
index 39624774..84a1d98a 100644
--- a/environment/env_core/model.go
+++ b/environment/env_core/model.go
@@ -32,7 +32,7 @@ type Root interface {
 }
 
 type Environment struct {
-	Token        string
+	AccountToken string
 	ZitiIdentity string
 	ApiEndpoint  string
 }
diff --git a/environment/env_v0_3/root.go b/environment/env_v0_3/root.go
index f8034593..2fa97582 100644
--- a/environment/env_v0_3/root.go
+++ b/environment/env_v0_3/root.go
@@ -205,7 +205,7 @@ func loadEnvironment() (*env_core.Environment, error) {
 		return nil, errors.Wrapf(err, "error unmarshaling environment file '%v'", ef)
 	}
 	out := &env_core.Environment{
-		Token:        env.Token,
+		AccountToken: env.AccountToken,
 		ZitiIdentity: env.ZId,
 		ApiEndpoint:  env.ApiEndpoint,
 	}
@@ -214,9 +214,9 @@ func loadEnvironment() (*env_core.Environment, error) {
 
 func saveEnvironment(env *env_core.Environment) error {
 	in := &environment{
-		Token:       env.Token,
-		ZId:         env.ZitiIdentity,
-		ApiEndpoint: env.ApiEndpoint,
+		AccountToken: env.AccountToken,
+		ZId:          env.ZitiIdentity,
+		ApiEndpoint:  env.ApiEndpoint,
 	}
 	data, err := json.MarshalIndent(in, "", "  ")
 	if err != nil {
@@ -256,7 +256,7 @@ type config struct {
 }
 
 type environment struct {
-	Token       string `json:"zrok_token"`
-	ZId         string `json:"ziti_identity"`
-	ApiEndpoint string `json:"api_endpoint"`
+	AccountToken string `json:"zrok_token"`
+	ZId          string `json:"ziti_identity"`
+	ApiEndpoint  string `json:"api_endpoint"`
 }
diff --git a/environment/env_v0_4/root.go b/environment/env_v0_4/root.go
index 329c7fd1..e87b8c2b 100644
--- a/environment/env_v0_4/root.go
+++ b/environment/env_v0_4/root.go
@@ -282,7 +282,7 @@ func loadEnvironment() (*env_core.Environment, error) {
 		return nil, errors.Wrapf(err, "error unmarshaling environment file '%v'", ef)
 	}
 	out := &env_core.Environment{
-		Token:        env.Token,
+		AccountToken: env.AccountToken,
 		ZitiIdentity: env.ZId,
 		ApiEndpoint:  env.ApiEndpoint,
 	}
@@ -291,9 +291,9 @@ func loadEnvironment() (*env_core.Environment, error) {
 
 func saveEnvironment(env *env_core.Environment) error {
 	in := &environment{
-		Token:       env.Token,
-		ZId:         env.ZitiIdentity,
-		ApiEndpoint: env.ApiEndpoint,
+		AccountToken: env.AccountToken,
+		ZId:          env.ZitiIdentity,
+		ApiEndpoint:  env.ApiEndpoint,
 	}
 	data, err := json.MarshalIndent(in, "", "  ")
 	if err != nil {
@@ -335,7 +335,7 @@ type config struct {
 }
 
 type environment struct {
-	Token       string `json:"zrok_token"`
-	ZId         string `json:"ziti_identity"`
-	ApiEndpoint string `json:"api_endpoint"`
+	AccountToken string `json:"zrok_token"`
+	ZId          string `json:"ziti_identity"`
+	ApiEndpoint  string `json:"api_endpoint"`
 }
diff --git a/sdk/golang/sdk/access.go b/sdk/golang/sdk/access.go
index 56c1c2df..fd7068c9 100644
--- a/sdk/golang/sdk/access.go
+++ b/sdk/golang/sdk/access.go
@@ -20,7 +20,7 @@ func CreateAccess(root env_core.Root, request *AccessRequest) (*Access, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error getting zrok client")
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	in, err := zrok.Share.Access(out, auth)
 	if err != nil {
@@ -40,7 +40,7 @@ func DeleteAccess(root env_core.Root, acc *Access) error {
 	if err != nil {
 		return errors.Wrap(err, "error getting zrok client")
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	_, err = zrok.Share.Unaccess(out, auth)
 	if err != nil {
diff --git a/sdk/golang/sdk/overview.go b/sdk/golang/sdk/overview.go
index cff5d5d3..9154935e 100644
--- a/sdk/golang/sdk/overview.go
+++ b/sdk/golang/sdk/overview.go
@@ -19,7 +19,7 @@ func Overview(root env_core.Root) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	req.Header.Add("X-TOKEN", root.Environment().Token)
+	req.Header.Add("X-TOKEN", root.Environment().AccountToken)
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", err
diff --git a/sdk/golang/sdk/share.go b/sdk/golang/sdk/share.go
index 4184c413..eaaa3375 100644
--- a/sdk/golang/sdk/share.go
+++ b/sdk/golang/sdk/share.go
@@ -50,7 +50,7 @@ func CreateShare(root env_core.Root, request *ShareRequest) (*Share, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error getting zrok client")
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	in, err := zrok.Share.Share(out, auth)
 	if err != nil {
@@ -104,7 +104,7 @@ func DeleteShare(root env_core.Root, shr *Share) error {
 	if err != nil {
 		return errors.Wrap(err, "error getting zrok client")
 	}
-	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().AccountToken)
 
 	_, err = zrok.Share.Unshare(req, auth)
 	if err != nil {