package vault
import (
"encoding/json"
"fmt"
"log"
"time"
"github.com/99designs/keyring"
"github.com/aws/aws-sdk-go/service/ssooidc"
)
// OIDCTokenKeyring persists SSO OIDC tokens in a keyring, one entry per
// start URL (see key), alongside the absolute time at which each expires.
type OIDCTokenKeyring struct {
	// Keyring is the backing store; every Get/Set/Remove is delegated to it.
	Keyring keyring.Keyring
}
// OIDCTokenData is the JSON-encoded value stored in the keyring for a start
// URL: the token as returned by the OIDC service plus the absolute expiry
// computed when it was stored.
type OIDCTokenData struct {
	Token ssooidc.CreateTokenOutput
	// Expiration is the wall-clock time after which Get treats the token as
	// expired and removes it.
	Expiration time.Time
}
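// key returns the keyring key under which the token for startURL is stored.
// The "oidc:" prefix is prepended verbatim, so two start URLs never collide.
//
// A value receiver is used so that the receiver kind is consistent with
// Get, Set and Remove; pointer callers continue to work unchanged.
func (o OIDCTokenKeyring) key(startURL string) string {
	return "oidc:" + startURL
}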
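// Get returns the cached OIDC token for startURL.
//
// It returns an error if the keyring has no entry, if the stored data cannot
// be decoded, or if the stored expiry has been reached. An expired entry is
// removed from the keyring before the error is returned so that a stale
// credential does not linger in the store. On success the returned token's
// ExpiresIn is overwritten with the whole seconds remaining until the stored
// expiry, so callers see a countdown from now rather than the value the
// provider issued at creation time.
func (o OIDCTokenKeyring) Get(startURL string) (*ssooidc.CreateTokenOutput, error) {
	item, err := o.Keyring.Get(o.key(startURL))
	if err != nil {
		return nil, err
	}

	var val OIDCTokenData
	if err := json.Unmarshal(item.Data, &val); err != nil {
		return nil, fmt.Errorf("Invalid data in keyring: %w", err)
	}

	// Compute the remaining lifetime once; it is used both for the expiry
	// decision and for the ExpiresIn reported to the caller. A token with no
	// time left is treated as expired rather than handed back with ExpiresIn 0.
	remaining := time.Until(val.Expiration)
	if remaining <= 0 {
		log.Printf("OIDC token for '%s' expired, removing", startURL)
		// Best-effort cleanup: the caller receives the expiry error whether or
		// not the stale entry could be deleted.
		_ = o.Remove(startURL)
		return nil, fmt.Errorf("Token expired")
	}

	secondsLeft := int64(remaining / time.Second)
	val.Token.ExpiresIn = &secondsLeft
	return &val.Token, nil
}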
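// Set stores token in the keyring under startURL.
//
// The token's relative ExpiresIn is converted into an absolute Expiration
// measured from now, which is what Get later checks. NOTE(review): this
// assumes the token was issued just before Set is called; if it was obtained
// earlier, the stored expiry may be slightly later than the provider's.
//
// It returns an error if token or token.ExpiresIn is nil (previously this
// dereferenced a nil pointer), if the entry cannot be JSON-encoded, or if
// the keyring rejects the write.
func (o OIDCTokenKeyring) Set(startURL string, token *ssooidc.CreateTokenOutput) error {
	if token == nil || token.ExpiresIn == nil {
		return fmt.Errorf("cannot store OIDC token for %s: token has no expiry", startURL)
	}

	val := OIDCTokenData{
		Token:      *token,
		Expiration: time.Now().Add(time.Duration(*token.ExpiresIn) * time.Second),
	}

	valJSON, err := json.Marshal(val)
	if err != nil {
		return err
	}

	// The label is human-readable metadata shown by the OS keyring UI; the
	// token itself lives only in Data.
	return o.Keyring.Set(keyring.Item{
		Key:         o.key(startURL),
		Data:        valJSON,
		Label:       fmt.Sprintf("aws-vault oidc token for %s (expires %s)", startURL, val.Expiration.Format(time.RFC3339)),
		Description: "aws-vault oidc token",
	})
}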
// Remove deletes the stored token for startURL from the keyring. Any error
// from the underlying keyring is returned unchanged.
func (o OIDCTokenKeyring) Remove(startURL string) error {
	k := o.key(startURL)
	return o.Keyring.Remove(k)
}