Release v0.1.3
This commit is contained in:
parent
b6309a9e12
commit
f0e29d38a4
4 changed files with 249 additions and 5 deletions
10
CHANGELOG.md
10
CHANGELOG.md
|
|
@ -4,6 +4,16 @@
|
||||||
|
|
||||||
Changes yet to be released are documented here.
|
Changes yet to be released are documented here.
|
||||||
|
|
||||||
|
## v0.1.3
|
||||||
|
|
||||||
|
- Improve `status` for server use by detecting service-account mode from config
|
||||||
|
- Detect whether the current token is a service-account token and validate it matches configured `client_id`
|
||||||
|
- Add explicit `status` health states for service-account mode (`OK`, `WARNING`, `EXPIRED`)
|
||||||
|
- Make `status` exit non-zero for `WARNING` and `EXPIRED` states
|
||||||
|
- Add unit tests for status mode/token detection helpers
|
||||||
|
|
||||||
|
## v0.1.2
|
||||||
|
|
||||||
- Fix path expansion when running in systemd
|
- Fix path expansion when running in systemd
|
||||||
- Fix bug in netrc writing
|
- Fix bug in netrc writing
|
||||||
- Add nixos, home-manager, and darwin-nix modules
|
- Add nixos, home-manager, and darwin-nix modules
|
||||||
|
|
|
||||||
|
|
@ -3,6 +3,7 @@ package cmd
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
|
|
@ -24,6 +25,16 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func runStatus(cmd *cobra.Command, args []string) error {
|
func runStatus(cmd *cobra.Command, args []string) error {
|
||||||
|
exitNonZero := false
|
||||||
|
|
||||||
|
configuredServiceAccountMode := isConfiguredServiceAccountMode(cfg)
|
||||||
|
if configuredServiceAccountMode {
|
||||||
|
fmt.Fprintln(os.Stdout, "Mode: service-account")
|
||||||
|
fmt.Fprintf(os.Stdout, "Client ID: %s\n", cfg.ClientID)
|
||||||
|
} else {
|
||||||
|
fmt.Fprintln(os.Stdout, "Mode: user")
|
||||||
|
}
|
||||||
|
|
||||||
// Read token from netrc
|
// Read token from netrc
|
||||||
pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost)
|
pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -31,7 +42,7 @@ func runStatus(cmd *cobra.Command, args []string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if pw == "" {
|
if pw == "" {
|
||||||
fmt.Fprintln(os.Stderr, "No token found.")
|
fmt.Fprintln(os.Stdout, "Status: NOT AUTHENTICATED (no token found in netrc)")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -51,24 +62,99 @@ func runStatus(cmd *cobra.Command, args []string) error {
|
||||||
if name, ok := claims["preferred_username"].(string); ok {
|
if name, ok := claims["preferred_username"].(string); ok {
|
||||||
fmt.Fprintf(os.Stdout, "User: %s\n", name)
|
fmt.Fprintf(os.Stdout, "User: %s\n", name)
|
||||||
}
|
}
|
||||||
|
tokenServiceAccountMode := isServiceAccountToken(claims)
|
||||||
|
serviceAccountMismatch := false
|
||||||
|
if configuredServiceAccountMode {
|
||||||
|
if tokenServiceAccountMode {
|
||||||
|
fmt.Fprintln(os.Stdout, "Token mode: service-account")
|
||||||
|
} else {
|
||||||
|
fmt.Fprintln(os.Stdout, "Token mode: user")
|
||||||
|
fmt.Fprintln(os.Stdout, "Warning: config expects a service-account token, but netrc token looks like a user token")
|
||||||
|
serviceAccountMismatch = true
|
||||||
|
}
|
||||||
|
if claimedClientID := tokenClientID(claims); claimedClientID != "" {
|
||||||
|
fmt.Fprintf(os.Stdout, "Token client: %s\n", claimedClientID)
|
||||||
|
if claimedClientID != cfg.ClientID {
|
||||||
|
fmt.Fprintf(os.Stdout, "Warning: token client_id/azp (%s) does not match configured client_id (%s)\n", claimedClientID, cfg.ClientID)
|
||||||
|
serviceAccountMismatch = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
exp, remaining := token.ExpiryInfo(claims)
|
exp, remaining := token.ExpiryInfo(claims)
|
||||||
if !exp.IsZero() {
|
if !exp.IsZero() {
|
||||||
fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123))
|
fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123))
|
||||||
if remaining > 0 {
|
if remaining > 0 {
|
||||||
fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second))
|
fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second))
|
||||||
|
if configuredServiceAccountMode && serviceAccountMismatch {
|
||||||
|
fmt.Fprintln(os.Stdout, "Status: WARNING (token is valid but does not match configured service-account client)")
|
||||||
|
exitNonZero = true
|
||||||
|
} else if configuredServiceAccountMode && tokenServiceAccountMode {
|
||||||
|
fmt.Fprintln(os.Stdout, "Status: OK (service-account token valid)")
|
||||||
|
} else {
|
||||||
|
fmt.Fprintln(os.Stdout, "Status: OK")
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second))
|
fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second))
|
||||||
|
exitNonZero = true
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
fmt.Fprintln(os.Stdout, "Status: UNKNOWN (token has no exp claim)")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check refresh token
|
// Check refresh token
|
||||||
rtPath := config.RefreshTokenPath()
|
rtPath := config.RefreshTokenPath()
|
||||||
if _, err := os.Stat(rtPath); err == nil {
|
_, rtErr := os.Stat(rtPath)
|
||||||
fmt.Fprintf(os.Stdout, "Refresh token: present\n")
|
if configuredServiceAccountMode {
|
||||||
|
if rtErr == nil {
|
||||||
|
fmt.Fprintf(os.Stdout, "Refresh token: present (not used in service-account mode)\n")
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(os.Stdout, "Refresh token: not used in service-account mode\n")
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
|
if rtErr == nil {
|
||||||
|
fmt.Fprintf(os.Stdout, "Refresh token: present\n")
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if exitNonZero {
|
||||||
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func isConfiguredServiceAccountMode(cfg *config.Config) bool {
|
||||||
|
return cfg != nil && strings.TrimSpace(cfg.ClientSecretFile) != ""
|
||||||
|
}
|
||||||
|
|
||||||
|
func isServiceAccountToken(claims map[string]interface{}) bool {
|
||||||
|
if claims == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if grantType, ok := claims["gty"].(string); ok && (grantType == "client_credentials" || grantType == "client-credentials") {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if username, ok := claims["preferred_username"].(string); ok && strings.HasPrefix(username, "service-account-") {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if subject, ok := claims["sub"].(string); ok && strings.HasPrefix(subject, "service-account-") {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
func tokenClientID(claims map[string]interface{}) string {
|
||||||
|
if claims == nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
if azp, ok := claims["azp"].(string); ok {
|
||||||
|
return azp
|
||||||
|
}
|
||||||
|
if clientID, ok := claims["client_id"].(string); ok {
|
||||||
|
return clientID
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
|
||||||
148
cmd/status_test.go
Normal file
148
cmd/status_test.go
Normal file
|
|
@ -0,0 +1,148 @@
|
||||||
|
package cmd
|
||||||
|
|
||||||
|
import (
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"guardianproject.dev/ops/nix-cache-login/internal/config"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestIsConfiguredServiceAccountMode(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
cfg *config.Config
|
||||||
|
want bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "nil config",
|
||||||
|
cfg: nil,
|
||||||
|
want: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "user mode",
|
||||||
|
cfg: &config.Config{},
|
||||||
|
want: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "service account mode",
|
||||||
|
cfg: &config.Config{
|
||||||
|
ClientSecretFile: "/run/secrets/nix-cache-client-secret",
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
if got := isConfiguredServiceAccountMode(tt.cfg); got != tt.want {
|
||||||
|
t.Fatalf("isConfiguredServiceAccountMode() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestIsServiceAccountToken(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
claims map[string]interface{}
|
||||||
|
want bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "grant type client_credentials",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"gty": "client_credentials",
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "grant type client-credentials",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"gty": "client-credentials",
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "service-account preferred_username",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"preferred_username": "service-account-nix-cache-server",
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "service-account subject",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"sub": "service-account-nix-cache-server",
|
||||||
|
},
|
||||||
|
want: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "normal user token",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"preferred_username": "alice",
|
||||||
|
"sub": "9f788180-5f78-4ce4-8126-8f9406de5628",
|
||||||
|
},
|
||||||
|
want: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "nil claims",
|
||||||
|
claims: nil,
|
||||||
|
want: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
if got := isServiceAccountToken(tt.claims); got != tt.want {
|
||||||
|
t.Fatalf("isServiceAccountToken() = %v, want %v", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestTokenClientID(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
claims map[string]interface{}
|
||||||
|
want string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "from azp",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"azp": "nix-cache-server",
|
||||||
|
},
|
||||||
|
want: "nix-cache-server",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "from client_id",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"client_id": "nix-cache-server",
|
||||||
|
},
|
||||||
|
want: "nix-cache-server",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "prefer azp over client_id",
|
||||||
|
claims: map[string]interface{}{
|
||||||
|
"azp": "nix-cache-server",
|
||||||
|
"client_id": "other",
|
||||||
|
},
|
||||||
|
want: "nix-cache-server",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "not present",
|
||||||
|
claims: map[string]interface{}{},
|
||||||
|
want: "",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "nil claims",
|
||||||
|
claims: nil,
|
||||||
|
want: "",
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
if got := tokenClientID(tt.claims); got != tt.want {
|
||||||
|
t.Fatalf("tokenClientID() = %q, want %q", got, tt.want)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
buildGoModule {
|
buildGoModule {
|
||||||
pname = "nix-cache-login";
|
pname = "nix-cache-login";
|
||||||
version = "0.1.2";
|
version = "0.1.3";
|
||||||
src = ./.;
|
src = ./.;
|
||||||
# src = fetchgit {
|
# src = fetchgit {
|
||||||
# url = "https://guardianproject.dev/ops/nix-cache-login.git";
|
# url = "https://guardianproject.dev/ops/nix-cache-login.git";
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue