Make cloud authentication more intuitive (#738)

The prior behavior with cloud authentication was a bit confusing
when authenticating against anything but https://pulumi.com/.  This
change fixes a few aspects of this:

* Improve error messages to differentiate between "authentication
  failed" and "you haven't logged into the target cloud URL."

* Default to the cloud you're currently authenticated with, rather
  than unconditionally selecting https://pulumi.com/.  This ensures

      $ pulumi login -c https://api.moolumi.io
      $ pulumi stack ls

  works, versus what was currently required

      $ pulumi login -c https://api.moolumi.io
      $ pulumi stack ls -c https://api.moolumi.io

  with confusing error messages if you forgot the second -c.

* To do this, our default cloud logic changes to

    1) Prefer the explicit -c if supplied;

    2) Otherwise, pick the "currently authenticated" cloud; this is
       the last cloud to have been targeted with pulumi login, or
       otherwise the single cloud in the list if there is only one;

    3) https://pulumi.com/ otherwise.

cmd/logout.go

@@ -22,7 +22,7 @@ func newLogoutCmd() *cobra.Command {
 		Run: cmdutil.RunFunc(func(cmd *cobra.Command, args []string) error {
 			// If --all is passed, log out of all clouds.
 			if all {
-				bes, err := cloud.CurrentBackends(cmdutil.Diag())
+				bes, _, err := cloud.CurrentBackends(cmdutil.Diag())
 				if err != nil {
 					return errors.Wrap(err, "could not read list of current clouds")
 				}

cmd/pulumi.go

@@ -50,13 +50,17 @@ func NewPulumiCmd() *cobra.Command {
 	cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
 		defaultHelp(cmd, args)
 
-		loggedInto, logErr := cloud.CurrentBackends(cmdutil.Diag())
+		loggedInto, current, logErr := cloud.CurrentBackends(cmdutil.Diag())
 		contract.IgnoreError(logErr) // we want to make progress anyway.
 		if len(loggedInto) > 0 {
 			fmt.Printf("\n")
 			fmt.Printf("Currently logged into the Pulumi Cloud ☁️\n")
 			for _, be := range loggedInto {
-				fmt.Printf("    %s\n", be.Name())
+				var marker string
+				if be.Name() == current {
+					marker = "*"
+				}
+				fmt.Printf("    %s%s\n", be.Name(), marker)
 			}
 		}
 	})

cmd/util.go

@@ -29,7 +29,7 @@ func allBackends() ([]backend.Backend, bool) {
 	// in addition to all of those cloud backends we are currently logged into.
 	d := cmdutil.Diag()
 	backends := []backend.Backend{local.New(d)}
-	cloudBackends, err := cloud.CurrentBackends(d)
+	cloudBackends, _, err := cloud.CurrentBackends(d)
 	if err != nil {
 		// Print the error, but keep going so that the local operations still occur.
 		_, fmterr := fmt.Fprintf(os.Stderr, "error: could not obtain current cloud backends: %v", err)

pkg/backend/cloud/api.go

@@ -30,18 +30,38 @@ const (
 )
 
 // DefaultURL returns the default cloud URL.  This may be overridden using the PULUMI_API environment
-// variable.  If no override is found, the default is the pulumi.com cloud.
+// variable.  If no override is found, and we are authenticated with only one cloud, choose that.  Otherwise,
+// we will default to the https://api.pulumi.com/ endpoint.
 func DefaultURL() string {
-	cloudURL := os.Getenv(defaultURLEnvVar)
-	return ValueOrDefaultURL(cloudURL)
+	return ValueOrDefaultURL("")
 }
 
 // ValueOrDefaultURL returns the value if specified, or the default cloud URL otherwise.
 func ValueOrDefaultURL(cloudURL string) string {
-	if cloudURL == "" {
-		cloudURL = defaultURL
+	// If we have a cloud URL, just return it.
+	if cloudURL != "" {
+		return cloudURL
 	}
-	return cloudURL
+
+	// Otherwise, respect the PULUMI_API override.
+	if cloudURL := os.Getenv(defaultURLEnvVar); cloudURL != "" {
+		return cloudURL
+	}
+
+	// If that didn't work, see if we're authenticated with any clouds.
+	urls, current, err := CurrentBackendURLs()
+	if err == nil {
+		if current != "" {
+			// If there's a current cloud selected, return that.
+			return current
+		} else if len(urls) == 1 {
+			// Else, if we're authenticated with a single cloud, use that.
+			return urls[0]
+		}
+	}
+
+	// If none of those led to a cloud URL, simply return the default.
+	return defaultURL
 }
 
 // cloudProjectIdentifier is the set of data needed to identify a Pulumi Cloud project. This the
@@ -93,6 +113,8 @@ func pulumiRESTCall(cloudAPI, method, path string, reqObj interface{}, respObj i
 	token, err := workspace.GetAccessToken(cloudAPI)
 	if err != nil {
 		return fmt.Errorf("getting stored credentials: %v", err)
+	} else if token == "" {
+		return fmt.Errorf("not yet authenticated with %s; please 'pulumi login' first", cloudAPI)
 	}
 	return pulumiRESTCallWithAccessToken(cloudAPI, method, path, reqObj, respObj, token)
 }

pkg/backend/cloud/backend.go

@@ -484,7 +484,7 @@ func Login(cloudURL string) error {
 	}
 
 	// Save them.
-	return workspace.StoreAccessToken(cloudURL, accessToken)
+	return workspace.StoreAccessToken(cloudURL, accessToken, true)
 }
 
 // isValidAccessToken tries to use the provided Pulumi access token and returns if it is accepted
@@ -507,25 +507,37 @@ func Logout(cloudURL string) error {
 }
 
 // CurrentBackends returns a list of the cloud backends the user is currently logged into.
-func CurrentBackends(d diag.Sink) ([]Backend, error) {
-	creds, err := workspace.GetStoredCredentials()
+func CurrentBackends(d diag.Sink) ([]Backend, string, error) {
+	urls, current, err := CurrentBackendURLs()
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 
 	var backends []Backend
+	for _, url := range urls {
+		backends = append(backends, New(d, url))
+	}
+	return backends, current, nil
+}
+
+// CurrentBackendURLs returns a list of the cloud backend URLS the user is currently logged into.
+func CurrentBackendURLs() ([]string, string, error) {
+	creds, err := workspace.GetStoredCredentials()
+	if err != nil {
+		return nil, "", err
+	}
+
+	var current string
+	var cloudURLs []string
 	if creds.AccessTokens != nil {
+		current = creds.Current
+
 		// Sort the URLs so that we return them in a deterministic order.
-		var cloudURLs []string
 		for url := range creds.AccessTokens {
 			cloudURLs = append(cloudURLs, url)
 		}
 		sort.Strings(cloudURLs)
-
-		for _, url := range cloudURLs {
-			backends = append(backends, New(d, url))
-		}
 	}
 
-	return backends, nil
+	return cloudURLs, current, nil
 }

pkg/workspace/creds.go

@@ -39,11 +39,14 @@ func DeleteAccessToken(key string) error {
 	if creds.AccessTokens != nil {
 		delete(creds.AccessTokens, key)
 	}
+	if creds.Current == key {
+		creds.Current = ""
+	}
 	return StoreCredentials(creds)
 }
 
 // StoreAccessToken saves the given access token underneath the given key.
-func StoreAccessToken(key string, token string) error {
+func StoreAccessToken(key string, token string, current bool) error {
 	creds, err := GetStoredCredentials()
 	if err != nil && !os.IsNotExist(err) {
 		return err
@@ -52,13 +55,17 @@ func StoreAccessToken(key string, token string) error {
 		creds.AccessTokens = make(map[string]string)
 	}
 	creds.AccessTokens[key] = token
+	if current {
+		creds.Current = key
+	}
 	return StoreCredentials(creds)
 }
 
 // Credentials hold the information necessary for authenticating Pulumi Cloud API requests.  It contains
 // a map from the cloud API URL to the associated access token.
 type Credentials struct {
-	AccessTokens map[string]string `json:"accessTokens"`
+	Current      string            `json:"current,omitempty"`      // the currently selected key.
+	AccessTokens map[string]string `json:"accessTokens,omitempty"` // a map of arbitrary key strings to tokens.
 }
 
 // getCredsFilePath returns the path to the Pulumi credentials file on disk, regardless of