From a1ac877260b5c0e3fd956d56deca6b0ea490c0e7 Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 9 Sep 2024 13:40:55 -0400 Subject: [PATCH 1/2] pylxd/models/certificate: re-add password arg for backward compat Fixes https://github.com/canonical/charm-lxd/issues/168 where charm-lxd is calling certificates.create(): ```python config: Dict[str, Union[str, bytes, List[str], bool]] = { "name": name, "password": "", "cert_data": cert.encode(), } client.certificates.create(**config) ``` causing: ``` File "./src/charm.py", line 1139, in _on_https_relation_changed if self.lxd_trust_add(cert=cert, name=cert_name, projects=projects): File "./src/charm.py", line 2294, in lxd_trust_add client.certificates.create(**config) TypeError: create() got an unexpected keyword argument 'password' ``` Signed-off-by: Simon Deziel --- pylxd/models/certificate.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/pylxd/models/certificate.py b/pylxd/models/certificate.py index eb616cf3..0b635c73 100644 --- a/pylxd/models/certificate.py +++ b/pylxd/models/certificate.py @@ -53,12 +53,13 @@ def all(cls, client): def create( cls, client, - secret, + password, cert_data, cert_type="client", name="", projects=None, restricted=False, + secret="", ): """Create a new certificate.""" cert = x509.load_pem_x509_certificate(cert_data, default_backend()) @@ -68,14 +69,18 @@ def create( data = { "type": cert_type, "certificate": base64_cert, + "password": password, "name": name, "restricted": restricted, "projects": projects, } - if client.has_api_extension("explicit_trust_token"): + + # secret/trust_token are safer than password but support for password is kept for + # backward compatibility + if client.has_api_extension("explicit_trust_token") and secret: data["trust_token"] = secret - else: - data["password"] = secret + del data["password"] + response = client.api.certificates.post(json=data) location = response.headers["Location"] fingerprint = location.split("/")[-1] 
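Review bot: The one-line docstring of `create()` no longer tells a caller which of the two credentials to use, and the new parameter order makes that matter. `password` now sits in the positional slot that `secret` used to occupy, so a caller that still passes a trust token positionally will have it placed in the `password` field of the request (the second hunk fills `trust_token` only from the `secret` keyword). I would expand the docstring to say that `password` is the legacy trust password kept for backward compatibility, that `secret` is the trust token and is used only when the server advertises `explicit_trust_token`, and that the token wins when both are given. A signature comment such as `# password stays positional for old callers; pass tokens as secret=` would also help. The body of `create()` continues outside this hunk.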
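Review bot: When `secret` is supplied but the server does not advertise `explicit_trust_token`, the new `if` is false and the token is dropped without any error. The request then goes out with whatever `password` holds, which is `""` for a caller that intended token-only enrolment. I would make that case explicit before building the request, for example `if secret and not client.has_api_extension("explicit_trust_token"):` followed by a raise, so the caller learns the token was not used instead of seeing an opaque server rejection. Separately, `"password": password` is now always placed in `data`, so an empty password is sent whenever no token is used; adding the key only when it is non-empty (`if password: data["password"] = password`) would avoid that, assuming the server treats an absent field the same as an empty one. `create()` starts before this hunk and continues after it.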
From d131c013087c8ff2826395c9e5cd5c23ec1f451a Mon Sep 17 00:00:00 2001 From: Simon Deziel Date: Mon, 9 Sep 2024 17:17:05 -0400 Subject: [PATCH 2/2] pylxd/client: fix auth without password support Signed-off-by: Simon Deziel --- pylxd/client.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pylxd/client.py b/pylxd/client.py index c5c5c1eb..b8b37dd8 100644 --- a/pylxd/client.py +++ b/pylxd/client.py @@ -478,11 +478,15 @@ def assert_has_api_extension(self, name): if not self.has_api_extension(name): raise exceptions.LXDAPIExtensionNotAvailable(name) - def authenticate(self, secret): + def authenticate(self, secret, use_token_auth=True): if self.trusted: return cert = open(self.api.session.cert[0]).read().encode("utf-8") - self.certificates.create(secret, cert) + + if self.has_api_extension("explicit_trust_token") and use_token_auth: + self.certificates.create(password="", cert_data=cert, secret=secret) + else: + self.certificates.create(password=secret, cert_data=cert) # Refresh the host info response = self.api.get()
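Review bot: `authenticate()` gains a `use_token_auth` flag that decides whether `secret` is sent as a trust token or as a trust password, but the method has no docstring, so nothing tells a caller that the default sends `secret` as a token whenever the server advertises `explicit_trust_token`. A caller holding a trust password for such a server has to pass `use_token_auth=False`, otherwise the password is submitted in the `trust_token` field. I would add a docstring stating that `secret` is treated as a trust token by default, that `use_token_auth=False` forces the legacy password path, and that the password path is also taken automatically when the extension is missing. The method body continues past the end of this hunk.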