Release v0.1.3

2026-02-28 20:12:46 +01:00 · 2026-02-28 20:12:46 +01:00 · f0e29d38a4
commit f0e29d38a4
parent b6309a9e12
4 changed files with 249 additions and 5 deletions
--- a/cmd/status.go
+++ b/cmd/status.go
@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"strings"
 	"time"

 	"github.com/spf13/cobra"
@ -24,6 +25,16 @@ func init() {
 }

 func runStatus(cmd *cobra.Command, args []string) error {
+	exitNonZero := false
+
+	configuredServiceAccountMode := isConfiguredServiceAccountMode(cfg)
+	if configuredServiceAccountMode {
+		fmt.Fprintln(os.Stdout, "Mode: service-account")
+		fmt.Fprintf(os.Stdout, "Client ID: %s\n", cfg.ClientID)
+	} else {
+		fmt.Fprintln(os.Stdout, "Mode: user")
+	}
+
 	// Read token from netrc
 	pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost)
 	if err != nil {
@ -31,7 +42,7 @@ func runStatus(cmd *cobra.Command, args []string) error {
 	}

 	if pw == "" {
-		fmt.Fprintln(os.Stderr, "No token found.")
+		fmt.Fprintln(os.Stdout, "Status: NOT AUTHENTICATED (no token found in netrc)")
 		return nil
 	}

@ -51,24 +62,99 @@ func runStatus(cmd *cobra.Command, args []string) error {
 	if name, ok := claims["preferred_username"].(string); ok {
 		fmt.Fprintf(os.Stdout, "User:    %s\n", name)
 	}
+	tokenServiceAccountMode := isServiceAccountToken(claims)
+	serviceAccountMismatch := false
+	if configuredServiceAccountMode {
+		if tokenServiceAccountMode {
+			fmt.Fprintln(os.Stdout, "Token mode: service-account")
+		} else {
+			fmt.Fprintln(os.Stdout, "Token mode: user")
+			fmt.Fprintln(os.Stdout, "Warning: config expects a service-account token, but netrc token looks like a user token")
+			serviceAccountMismatch = true
+		}
+		if claimedClientID := tokenClientID(claims); claimedClientID != "" {
+			fmt.Fprintf(os.Stdout, "Token client: %s\n", claimedClientID)
+			if claimedClientID != cfg.ClientID {
+				fmt.Fprintf(os.Stdout, "Warning: token client_id/azp (%s) does not match configured client_id (%s)\n", claimedClientID, cfg.ClientID)
+				serviceAccountMismatch = true
+			}
+		}
+	}

 	exp, remaining := token.ExpiryInfo(claims)
 	if !exp.IsZero() {
 		fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123))
 		if remaining > 0 {
 			fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second))
+			if configuredServiceAccountMode && serviceAccountMismatch {
+				fmt.Fprintln(os.Stdout, "Status: WARNING (token is valid but does not match configured service-account client)")
+				exitNonZero = true
+			} else if configuredServiceAccountMode && tokenServiceAccountMode {
+				fmt.Fprintln(os.Stdout, "Status: OK (service-account token valid)")
+			} else {
+				fmt.Fprintln(os.Stdout, "Status: OK")
+			}
 		} else {
 			fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second))
+			exitNonZero = true
 		}
+	} else {
+		fmt.Fprintln(os.Stdout, "Status: UNKNOWN (token has no exp claim)")
 	}

 	// Check refresh token
 	rtPath := config.RefreshTokenPath()
-	if _, err := os.Stat(rtPath); err == nil {
-		fmt.Fprintf(os.Stdout, "Refresh token: present\n")
+	_, rtErr := os.Stat(rtPath)
+	if configuredServiceAccountMode {
+		if rtErr == nil {
+			fmt.Fprintf(os.Stdout, "Refresh token: present (not used in service-account mode)\n")
+		} else {
+			fmt.Fprintf(os.Stdout, "Refresh token: not used in service-account mode\n")
+		}
 	} else {
-		fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
+		if rtErr == nil {
+			fmt.Fprintf(os.Stdout, "Refresh token: present\n")
+		} else {
+			fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
+		}
+	}
+
+	if exitNonZero {
+		os.Exit(1)
 	}

 	return nil
 }
+
+func isConfiguredServiceAccountMode(cfg *config.Config) bool {
+	return cfg != nil && strings.TrimSpace(cfg.ClientSecretFile) != ""
+}
+
+func isServiceAccountToken(claims map[string]interface{}) bool {
+	if claims == nil {
+		return false
+	}
+	if grantType, ok := claims["gty"].(string); ok && (grantType == "client_credentials" || grantType == "client-credentials") {
+		return true
+	}
+	if username, ok := claims["preferred_username"].(string); ok && strings.HasPrefix(username, "service-account-") {
+		return true
+	}
+	if subject, ok := claims["sub"].(string); ok && strings.HasPrefix(subject, "service-account-") {
+		return true
+	}
+	return false
+}
+
+func tokenClientID(claims map[string]interface{}) string {
+	if claims == nil {
+		return ""
+	}
+	if azp, ok := claims["azp"].(string); ok {
+		return azp
+	}
+	if clientID, ok := claims["client_id"].(string); ok {
+		return clientID
+	}
+	return ""
+}
--- a/cmd/status_test.go
+++ b/cmd/status_test.go
@ -0,0 +1,148 @@
+package cmd
+
+import (
+	"testing"
+
+	"guardianproject.dev/ops/nix-cache-login/internal/config"
+)
+
+func TestIsConfiguredServiceAccountMode(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  *config.Config
+		want bool
+	}{
+		{
+			name: "nil config",
+			cfg:  nil,
+			want: false,
+		},
+		{
+			name: "user mode",
+			cfg:  &config.Config{},
+			want: false,
+		},
+		{
+			name: "service account mode",
+			cfg: &config.Config{
+				ClientSecretFile: "/run/secrets/nix-cache-client-secret",
+			},
+			want: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isConfiguredServiceAccountMode(tt.cfg); got != tt.want {
+				t.Fatalf("isConfiguredServiceAccountMode() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestIsServiceAccountToken(t *testing.T) {
+	tests := []struct {
+		name   string
+		claims map[string]interface{}
+		want   bool
+	}{
+		{
+			name: "grant type client_credentials",
+			claims: map[string]interface{}{
+				"gty": "client_credentials",
+			},
+			want: true,
+		},
+		{
+			name: "grant type client-credentials",
+			claims: map[string]interface{}{
+				"gty": "client-credentials",
+			},
+			want: true,
+		},
+		{
+			name: "service-account preferred_username",
+			claims: map[string]interface{}{
+				"preferred_username": "service-account-nix-cache-server",
+			},
+			want: true,
+		},
+		{
+			name: "service-account subject",
+			claims: map[string]interface{}{
+				"sub": "service-account-nix-cache-server",
+			},
+			want: true,
+		},
+		{
+			name: "normal user token",
+			claims: map[string]interface{}{
+				"preferred_username": "alice",
+				"sub":                "9f788180-5f78-4ce4-8126-8f9406de5628",
+			},
+			want: false,
+		},
+		{
+			name:   "nil claims",
+			claims: nil,
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := isServiceAccountToken(tt.claims); got != tt.want {
+				t.Fatalf("isServiceAccountToken() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestTokenClientID(t *testing.T) {
+	tests := []struct {
+		name   string
+		claims map[string]interface{}
+		want   string
+	}{
+		{
+			name: "from azp",
+			claims: map[string]interface{}{
+				"azp": "nix-cache-server",
+			},
+			want: "nix-cache-server",
+		},
+		{
+			name: "from client_id",
+			claims: map[string]interface{}{
+				"client_id": "nix-cache-server",
+			},
+			want: "nix-cache-server",
+		},
+		{
+			name: "prefer azp over client_id",
+			claims: map[string]interface{}{
+				"azp":       "nix-cache-server",
+				"client_id": "other",
+			},
+			want: "nix-cache-server",
+		},
+		{
+			name:   "not present",
+			claims: map[string]interface{}{},
+			want:   "",
+		},
+		{
+			name:   "nil claims",
+			claims: nil,
+			want:   "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tokenClientID(tt.claims); got != tt.want {
+				t.Fatalf("tokenClientID() = %q, want %q", got, tt.want)
+			}
+		})
+	}
+}