160 lines
4.5 KiB
Go
160 lines
4.5 KiB
Go
package cmd
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/spf13/cobra"
|
|
|
|
"guardianproject.dev/ops/nix-cache-login/internal/config"
|
|
"guardianproject.dev/ops/nix-cache-login/internal/netrc"
|
|
"guardianproject.dev/ops/nix-cache-login/internal/token"
|
|
)
|
|
|
|
var statusCmd = &cobra.Command{
|
|
Use: "status",
|
|
Short: "Show current token status",
|
|
Long: `Decodes the JWT from the netrc file (without verification) and shows expiry information.`,
|
|
RunE: runStatus,
|
|
}
|
|
|
|
func init() {
|
|
rootCmd.AddCommand(statusCmd)
|
|
}
|
|
|
|
func runStatus(cmd *cobra.Command, args []string) error {
|
|
exitNonZero := false
|
|
|
|
configuredServiceAccountMode := isConfiguredServiceAccountMode(cfg)
|
|
if configuredServiceAccountMode {
|
|
fmt.Fprintln(os.Stdout, "Mode: service-account")
|
|
fmt.Fprintf(os.Stdout, "Client ID: %s\n", cfg.ClientID)
|
|
} else {
|
|
fmt.Fprintln(os.Stdout, "Mode: user")
|
|
}
|
|
|
|
// Read token from netrc
|
|
pw, err := netrc.GetPassword(cfg.NetrcPath, cfg.CacheHost)
|
|
if err != nil {
|
|
return fmt.Errorf("reading netrc: %w", err)
|
|
}
|
|
|
|
if pw == "" {
|
|
fmt.Fprintln(os.Stdout, "Status: NOT AUTHENTICATED (no token found in netrc)")
|
|
return nil
|
|
}
|
|
|
|
// Decode JWT payload
|
|
claims, err := token.DecodePayload(pw)
|
|
if err != nil {
|
|
return fmt.Errorf("decoding token: %w", err)
|
|
}
|
|
|
|
// Show claims
|
|
if iss, ok := claims["iss"].(string); ok {
|
|
fmt.Fprintf(os.Stdout, "Issuer: %s\n", iss)
|
|
}
|
|
if sub, ok := claims["sub"].(string); ok {
|
|
fmt.Fprintf(os.Stdout, "Subject: %s\n", sub)
|
|
}
|
|
if name, ok := claims["preferred_username"].(string); ok {
|
|
fmt.Fprintf(os.Stdout, "User: %s\n", name)
|
|
}
|
|
tokenServiceAccountMode := isServiceAccountToken(claims)
|
|
serviceAccountMismatch := false
|
|
if configuredServiceAccountMode {
|
|
if tokenServiceAccountMode {
|
|
fmt.Fprintln(os.Stdout, "Token mode: service-account")
|
|
} else {
|
|
fmt.Fprintln(os.Stdout, "Token mode: user")
|
|
fmt.Fprintln(os.Stdout, "Warning: config expects a service-account token, but netrc token looks like a user token")
|
|
serviceAccountMismatch = true
|
|
}
|
|
if claimedClientID := tokenClientID(claims); claimedClientID != "" {
|
|
fmt.Fprintf(os.Stdout, "Token client: %s\n", claimedClientID)
|
|
if claimedClientID != cfg.ClientID {
|
|
fmt.Fprintf(os.Stdout, "Warning: token client_id/azp (%s) does not match configured client_id (%s)\n", claimedClientID, cfg.ClientID)
|
|
serviceAccountMismatch = true
|
|
}
|
|
}
|
|
}
|
|
|
|
exp, remaining := token.ExpiryInfo(claims)
|
|
if !exp.IsZero() {
|
|
fmt.Fprintf(os.Stdout, "Expires: %s\n", exp.Local().Format(time.RFC1123))
|
|
if remaining > 0 {
|
|
fmt.Fprintf(os.Stdout, "Remaining: %s\n", remaining.Round(time.Second))
|
|
if configuredServiceAccountMode && serviceAccountMismatch {
|
|
fmt.Fprintln(os.Stdout, "Status: WARNING (token is valid but does not match configured service-account client)")
|
|
exitNonZero = true
|
|
} else if configuredServiceAccountMode && tokenServiceAccountMode {
|
|
fmt.Fprintln(os.Stdout, "Status: OK (service-account token valid)")
|
|
} else {
|
|
fmt.Fprintln(os.Stdout, "Status: OK")
|
|
}
|
|
} else {
|
|
fmt.Fprintf(os.Stdout, "Status: EXPIRED (%s ago)\n", (-remaining).Round(time.Second))
|
|
exitNonZero = true
|
|
}
|
|
} else {
|
|
fmt.Fprintln(os.Stdout, "Status: UNKNOWN (token has no exp claim)")
|
|
}
|
|
|
|
// Check refresh token
|
|
rtPath := config.RefreshTokenPath()
|
|
_, rtErr := os.Stat(rtPath)
|
|
if configuredServiceAccountMode {
|
|
if rtErr == nil {
|
|
fmt.Fprintf(os.Stdout, "Refresh token: present (not used in service-account mode)\n")
|
|
} else {
|
|
fmt.Fprintf(os.Stdout, "Refresh token: not used in service-account mode\n")
|
|
}
|
|
} else {
|
|
if rtErr == nil {
|
|
fmt.Fprintf(os.Stdout, "Refresh token: present\n")
|
|
} else {
|
|
fmt.Fprintf(os.Stdout, "Refresh token: not found\n")
|
|
}
|
|
}
|
|
|
|
if exitNonZero {
|
|
os.Exit(1)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isConfiguredServiceAccountMode(cfg *config.Config) bool {
|
|
return cfg != nil && strings.TrimSpace(cfg.ClientSecretFile) != ""
|
|
}
|
|
|
|
func isServiceAccountToken(claims map[string]interface{}) bool {
|
|
if claims == nil {
|
|
return false
|
|
}
|
|
if grantType, ok := claims["gty"].(string); ok && (grantType == "client_credentials" || grantType == "client-credentials") {
|
|
return true
|
|
}
|
|
if username, ok := claims["preferred_username"].(string); ok && strings.HasPrefix(username, "service-account-") {
|
|
return true
|
|
}
|
|
if subject, ok := claims["sub"].(string); ok && strings.HasPrefix(subject, "service-account-") {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
func tokenClientID(claims map[string]interface{}) string {
|
|
if claims == nil {
|
|
return ""
|
|
}
|
|
if azp, ok := claims["azp"].(string); ok {
|
|
return azp
|
|
}
|
|
if clientID, ok := claims["client_id"].(string); ok {
|
|
return clientID
|
|
}
|
|
return ""
|
|
}
|