vmware · dataclouder · Nov 11, 2020 · Nov 9, 2020 · Nov 9, 2020 · Nov 9, 2020
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,11 +2,13 @@
 
 * Added functions to retrieve and use VCD version `client.GetVcdVersion`, `client.GetVcdShortVersion`, `client.GetVcdFullVersion`, `client.VersionEqualOrGreater` [#339](https://github.com/vmware/go-vcloud-director/pull/339)
 * Added methods `VM.UpdateStorageProfile`, `VM.UpdateStorageProfileAsync` [#338](https://github.com/vmware/go-vcloud-director/pull/338)
+* Added support for bearer tokens [#341](https://github.com/vmware/go-vcloud-director/pull/341)
 * Added methods `adminVdc.UpdateStorageProfile` [#340](https://github.com/vmware/go-vcloud-director/pull/340)
 
 BREAKING CHANGES:
 
 * type.VdcConfiguration (used for creation) changed the type for storage profile from `[]*VdcStorageProfile` to `[]*VdcStorageProfileConfiguration`
+>>>>>>> master
 
 ## 2.9.0 (October 15, 2020)
 

diff --git a/govcd/api.go b/govcd/api.go
@@ -57,6 +57,9 @@ type Client struct {
 // AuthorizationHeader header key used by default to set the authorization token.
 const AuthorizationHeader = "X-Vcloud-Authorization"
 
+// BearerTokenHeader is the header key containing a bearer token
+const BearerTokenHeader = "X-Vmware-Vcloud-Access-Token"
+
 // General purpose error to be used whenever an entity is not found from a "GET" request
 // Allows a simpler checking of the call result
 // such as
@@ -206,6 +209,12 @@ func (cli *Client) newRequest(params map[string]string, notEncodedParams map[str
 		// Add the Accept header for VCD
 		req.Header.Add("Accept", "application/*+xml;version="+apiVersion)
 	}
+	// The deprecated authorization token is 32 characters long
+	// The bearer token is 612 characters long
+	if len(cli.VCDToken) > 32 {
+		req.Header.Add("X-Vmware-Vcloud-Token-Type", "Bearer")
+		req.Header.Add("Authorization", "bearer "+cli.VCDToken)
+	}
 
 	// Merge in additional headers before logging if any where specified in additionalHeader
 	// parameter

diff --git a/govcd/api_vcd.go b/govcd/api_vcd.go
@@ -74,8 +74,8 @@ func (vcdCli *VCDClient) vcdAuthorize(user, pass, org string) (*http.Response, e
 	}
 	defer resp.Body.Close()
 	// Store the authorization header
-	vcdCli.Client.VCDToken = resp.Header.Get(AuthorizationHeader)
-	vcdCli.Client.VCDAuthHeader = AuthorizationHeader
+	vcdCli.Client.VCDToken = resp.Header.Get(BearerTokenHeader)
+	vcdCli.Client.VCDAuthHeader = BearerTokenHeader
 	vcdCli.Client.IsSysAdmin = strings.EqualFold(org, "system")
 	// Get query href
 	vcdCli.QueryHREF = vcdCli.Client.VCDHREF
@@ -160,7 +160,6 @@ func (vcdCli *VCDClient) GetAuthResponse(username, password, org string) (*http.
 // Up to version 29, token authorization uses the the header key x-vcloud-authorization
 // In version 30+ it also uses X-Vmware-Vcloud-Access-Token:TOKEN coupled with
 // X-Vmware-Vcloud-Token-Type:"bearer"
-// TODO: when enabling version 30+ for SDK, add ability of using bearer token
 func (vcdCli *VCDClient) SetToken(org, authHeader, token string) error {
 	vcdCli.Client.VCDAuthHeader = authHeader
 	vcdCli.Client.VCDToken = token

diff --git a/govcd/openapi.go b/govcd/openapi.go
@@ -604,6 +604,12 @@ func (client *Client) newOpenApiRequest(apiVersion string, params url.Values, me
 	if client.VCDAuthHeader != "" && client.VCDToken != "" {
 		// Add the authorization header
 		req.Header.Add(client.VCDAuthHeader, client.VCDToken)
+		// The deprecated authorization token is 32 characters long
+		// The bearer token is 612 characters long
+		if len(client.VCDToken) > 32 {
+			req.Header.Add("Authorization", "bearer "+client.VCDToken)
+			req.Header.Add("X-Vmware-Vcloud-Token-Type", "Bearer")
+		}
 		// Add the Accept header for VCD
 		acceptMime := types.JSONMime + ";version=" + apiVersion
 		req.Header.Add("Accept", acceptMime)

diff --git a/scripts/get_token.sh b/scripts/get_token.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 # This script will connect to the vCD using username and password,
-# and show the header that contains an authorization token.
+# and show the headers that contain a bearer or authorization token.
 #
 user=$1
 password=$2
@@ -15,11 +15,28 @@ fi
 
 auth=$(echo -n "$user@$org:$password" |base64)
 
-curl -I -k --header "Accept: application/*;version=29.0" \
+curl -I -k --header "Accept: application/*;version=32.0" \
     --header "Authorization: Basic $auth" \
     --request POST https://$IP/api/sessions
 
-# If successful, the output of this command will include a line like the following
-# x-vcloud-authorization: 08a321735de84f1d9ec80c3b3e18fa8b
+# If successful, the output of this command will include lines like the following
+# X-VCLOUD-AUTHORIZATION: 08a321735de84f1d9ec80c3b3e18fa8b
+# X-VMWARE-VCLOUD-ACCESS-TOKEN: eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbmlzdHJhdG9yI[562 more characters]
 #
-# The string after `x-vcloud-authorization:` is the token.
+# The string after `X-VCLOUD-AUTHORIZATION:` is the old (deprecated) token.
+# The 612-character string after `X-VMWARE-VCLOUD-ACCESS-TOKEN` is the bearer token
+
+# For VCD version 10.0+, you can use one of the following commands instead.
+
+# PROVIDER:
+# curl -I -k --header "Accept: application/*;version=33.0" \
+#    --header "Authorization: Basic $auth" \
+#    --request POST https://$IP/cloudapi/1.0.0/sessions/provider
+
+# TENANT
+# curl -I -k --header "Accept: application/*;version=33.0" \
+#    --header "Authorization: Basic $auth" \
+#    --request POST https://$IP/cloudapi/1.0.0/sessions
+#
+# The cloudapi requests will only return the bearer token
+
diff --git a/util/logging.go b/util/logging.go
@@ -79,7 +79,7 @@ var (
 	LogHttpResponse bool = true
 
 	// List of tags to be excluded from logging
-	skipTags = []string{"SupportedVersions", "ovf:License"}
+	skipTags = []string{"ovf:License"}
 
 	// List of functions included in logging
 	// If this variable is filled, only operations from matching function names will be logged