diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c0ba04..78a7cca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,16 @@ Changes yet to be released are documented here. +## v0.1.3 + +- Improve `status` for server use by detecting service-account mode from config +- Detect whether the current token is a service-account token and validate it matches configured `client_id` +- Add explicit `status` health states for service-account mode (`OK`, `WARNING`, `EXPIRED`) +- Make `status` exit non-zero for `WARNING` and `EXPIRED` states +- Add unit tests for status mode/token detection helpers + +## v0.1.2 + - Fix path expansion when running in systemd - Fix bug in netrc writing - Add nixos, home-manager, and darwin-nix modules diff --git a/cmd/status.go b/cmd/status.go index c4d7412..30d13c7 100644 --- a/cmd/status.go +++ b/cmd/status.go @@ -3,6 +3,7 @@ package cmd import ( "fmt" "os" + "strings" "time" "github.com/spf13/cobra" @@ -24,6 +25,16 @@ func init() { } func runStatus(cmd *cobra.Command, args []string) error { + exitNonZero := false + + configuredServiceAccountMode := isConfiguredServiceAccountMode(cfg) + if configuredServiceAccountMode { + fmt.Fprintln(os.Stdout, "Mode: service-account") + fmt.Fprintf(os.Stdout, "Client ID: %s\n", cfg.ClientID) + } else { + fmt.Fprintln(os.Stdout, "Mode: user") + } + // Read token from netrc pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost) if err != nil { @@ -31,7 +42,7 @@ func runStatus(cmd *cobra.Command, args []string) error { } if pw == "" { - fmt.Fprintln(os.Stderr, "No token found.") + fmt.Fprintln(os.Stdout, "Status: NOT AUTHENTICATED (no token found in netrc)") return nil } @@ -51,24 +62,99 @@ func runStatus(cmd *cobra.Command, args []string) error { if name, ok := claims["preferred_username"].(string); ok { fmt.Fprintf(os.Stdout, "User: %s\n", name) } + tokenServiceAccountMode := isServiceAccountToken(claims) + serviceAccountMismatch := false + if configuredServiceAccountMode { + if tokenServiceAccountMode { + fmt.Fprintln(os.Stdout, "Token mode: service-account") + } else { + fmt.Fprintln(os.Stdout, "Token mode: user") + fmt.Fprintln(os.Stdout, "Warning: config expects a service-account token, but netrc token looks like a user token") + serviceAccountMismatch = true + } + if claimedClientID := tokenClientID(claims); claimedClientID != "" { + fmt.Fprintf(os.Stdout, "Token client: %s\n", claimedClientID) + if claimedClientID != cfg.ClientID { + fmt.Fprintf(os.Stdout, "Warning: token client_id/azp (%s) does not match configured client_id (%s)\n", claimedClientID, cfg.ClientID) + serviceAccountMismatch = true + } + } + } exp, remaining := token.ExpiryInfo(claims) if !exp.IsZero() { fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123)) if remaining > 0 { fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second)) + if configuredServiceAccountMode && serviceAccountMismatch { + fmt.Fprintln(os.Stdout, "Status: WARNING (token is valid but does not match configured service-account client)") + exitNonZero = true + } else if configuredServiceAccountMode && tokenServiceAccountMode { + fmt.Fprintln(os.Stdout, "Status: OK (service-account token valid)") + } else { + fmt.Fprintln(os.Stdout, "Status: OK") + } } else { fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second)) + exitNonZero = true } + } else { + fmt.Fprintln(os.Stdout, "Status: UNKNOWN (token has no exp claim)") } // Check refresh token rtPath := config.RefreshTokenPath() - if _, err := os.Stat(rtPath); err == nil { - fmt.Fprintf(os.Stdout, "Refresh token: present\n") + _, rtErr := os.Stat(rtPath) + if configuredServiceAccountMode { + if rtErr == nil { + fmt.Fprintf(os.Stdout, "Refresh token: present (not used in service-account mode)\n") + } else { + fmt.Fprintf(os.Stdout, "Refresh token: not used in service-account mode\n") + } } else { - fmt.Fprintf(os.Stdout, "Refresh token: not found\n") + if rtErr == nil { + fmt.Fprintf(os.Stdout, "Refresh token: present\n") + } else { + fmt.Fprintf(os.Stdout, "Refresh token: not found\n") + } + } + + if exitNonZero { + os.Exit(1) } return nil } + +func isConfiguredServiceAccountMode(cfg *config.Config) bool { + return cfg != nil && strings.TrimSpace(cfg.ClientSecretFile) != "" +} + +func isServiceAccountToken(claims map[string]interface{}) bool { + if claims == nil { + return false + } + if grantType, ok := claims["gty"].(string); ok && (grantType == "client_credentials" || grantType == "client-credentials") { + return true + } + if username, ok := claims["preferred_username"].(string); ok && strings.HasPrefix(username, "service-account-") { + return true + } + if subject, ok := claims["sub"].(string); ok && strings.HasPrefix(subject, "service-account-") { + return true + } + return false +} + +func tokenClientID(claims map[string]interface{}) string { + if claims == nil { + return "" + } + if azp, ok := claims["azp"].(string); ok { + return azp + } + if clientID, ok := claims["client_id"].(string); ok { + return clientID + } + return "" +} diff --git a/cmd/status_test.go b/cmd/status_test.go new file mode 100644 index 0000000..f26963a --- /dev/null +++ b/cmd/status_test.go @@ -0,0 +1,148 @@ +package cmd + +import ( + "testing" + + "guardianproject.dev/ops/nix-cache-login/internal/config" +) + +func TestIsConfiguredServiceAccountMode(t *testing.T) { + tests := []struct { + name string + cfg *config.Config + want bool + }{ + { + name: "nil config", + cfg: nil, + want: false, + }, + { + name: "user mode", + cfg: &config.Config{}, + want: false, + }, + { + name: "service account mode", + cfg: &config.Config{ + ClientSecretFile: "/run/secrets/nix-cache-client-secret", + }, + want: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := isConfiguredServiceAccountMode(tt.cfg); got != tt.want { + t.Fatalf("isConfiguredServiceAccountMode() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestIsServiceAccountToken(t *testing.T) { + tests := []struct { + name string + claims map[string]interface{} + want bool + }{ + { + name: "grant type client_credentials", + claims: map[string]interface{}{ + "gty": "client_credentials", + }, + want: true, + }, + { + name: "grant type client-credentials", + claims: map[string]interface{}{ + "gty": "client-credentials", + }, + want: true, + }, + { + name: "service-account preferred_username", + claims: map[string]interface{}{ + "preferred_username": "service-account-nix-cache-server", + }, + want: true, + }, + { + name: "service-account subject", + claims: map[string]interface{}{ + "sub": "service-account-nix-cache-server", + }, + want: true, + }, + { + name: "normal user token", + claims: map[string]interface{}{ + "preferred_username": "alice", + "sub": "9f788180-5f78-4ce4-8126-8f9406de5628", + }, + want: false, + }, + { + name: "nil claims", + claims: nil, + want: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := isServiceAccountToken(tt.claims); got != tt.want { + t.Fatalf("isServiceAccountToken() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestTokenClientID(t *testing.T) { + tests := []struct { + name string + claims map[string]interface{} + want string + }{ + { + name: "from azp", + claims: map[string]interface{}{ + "azp": "nix-cache-server", + }, + want: "nix-cache-server", + }, + { + name: "from client_id", + claims: map[string]interface{}{ + "client_id": "nix-cache-server", + }, + want: "nix-cache-server", + }, + { + name: "prefer azp over client_id", + claims: map[string]interface{}{ + "azp": "nix-cache-server", + "client_id": "other", + }, + want: "nix-cache-server", + }, + { + name: "not present", + claims: map[string]interface{}{}, + want: "", + }, + { + name: "nil claims", + claims: nil, + want: "", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := tokenClientID(tt.claims); got != tt.want { + t.Fatalf("tokenClientID() = %q, want %q", got, tt.want) + } + }) + } +} diff --git a/package.nix b/package.nix index e85a434..8a1d18f 100644 --- a/package.nix +++ b/package.nix @@ -6,7 +6,7 @@ buildGoModule { pname = "nix-cache-login"; - version = "0.1.2"; + version = "0.1.3"; src = ./.; # src = fetchgit { # url = "https://guardianproject.dev/ops/nix-cache-login.git";