-
Notifications
You must be signed in to change notification settings - Fork 4.4k
/
token_read.go
155 lines (131 loc) · 3.65 KB
/
token_read.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
package tokenread
import (
"flag"
"fmt"
"strings"
"github.com/mitchellh/cli"
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/acl"
"github.com/hashicorp/consul/command/acl/token"
"github.com/hashicorp/consul/command/flags"
)
func New(ui cli.Ui) *cmd {
c := &cmd{UI: ui}
c.init()
return c
}
type cmd struct {
UI cli.Ui
flags *flag.FlagSet
http *flags.HTTPFlags
help string
tokenID string
self bool
showMeta bool
format string
expanded bool
}
func (c *cmd) init() {
c.flags = flag.NewFlagSet("", flag.ContinueOnError)
c.flags.BoolVar(&c.showMeta, "meta", false, "Indicates that token metadata such "+
"as the content hash and Raft indices should be shown for each entry")
c.flags.BoolVar(&c.self, "self", false, "Indicates that the current HTTP token "+
"should be read by secret ID instead of expecting a -id option")
c.flags.BoolVar(&c.expanded, "expanded", false, "Indicates that the contents of the "+
" policies and roles affecting the token should also be shown.")
c.flags.StringVar(&c.tokenID, "id", "", "The Accessor ID of the token to read. "+
"It may be specified as a unique ID prefix but will error if the prefix "+
"matches multiple token Accessor IDs")
c.flags.StringVar(
&c.format,
"format",
token.PrettyFormat,
fmt.Sprintf("Output format {%s}", strings.Join(token.GetSupportedFormats(), "|")),
)
c.http = &flags.HTTPFlags{}
flags.Merge(c.flags, c.http.ClientFlags())
flags.Merge(c.flags, c.http.ServerFlags())
flags.Merge(c.flags, c.http.MultiTenancyFlags())
c.help = flags.Usage(help, c.flags)
}
func (c *cmd) Run(args []string) int {
if err := c.flags.Parse(args); err != nil {
return 1
}
if c.tokenID == "" && !c.self {
c.UI.Error(fmt.Sprintf("Must specify the -id parameter"))
return 1
}
client, err := c.http.APIClient()
if err != nil {
c.UI.Error(fmt.Sprintf("Error connecting to Consul agent: %s", err))
return 1
}
var t *api.ACLToken
var expanded *api.ACLTokenExpanded
if !c.self {
tokenID, err := acl.GetTokenIDFromPartial(client, c.tokenID)
if err != nil {
c.UI.Error(fmt.Sprintf("Error determining token ID: %v", err))
return 1
}
if !c.expanded {
t, _, err = client.ACL().TokenRead(tokenID, nil)
} else {
expanded, _, err = client.ACL().TokenReadExpanded(tokenID, nil)
}
if err != nil {
c.UI.Error(fmt.Sprintf("Error reading token %q: %v", tokenID, err))
return 1
}
} else {
// TODO: consider updating this CLI command and underlying HTTP API endpoint
// to support expanded read of a "self" token, which is a much better user workflow.
if c.expanded {
c.UI.Error("Cannot use both -expanded and -self. Instead, use -expanded and -id=<accessor id>.")
return 1
}
t, _, err = client.ACL().TokenReadSelf(nil)
if err != nil {
c.UI.Error(fmt.Sprintf("Error reading token: %v", err))
return 1
}
}
formatter, err := token.NewFormatter(c.format, c.showMeta)
if err != nil {
c.UI.Error(err.Error())
return 1
}
var out string
if !c.expanded {
out, err = formatter.FormatToken(t)
} else {
out, err = formatter.FormatTokenExpanded(expanded)
}
if err != nil {
c.UI.Error(err.Error())
return 1
}
if out != "" {
c.UI.Info(out)
}
return 0
}
func (c *cmd) Synopsis() string {
return synopsis
}
func (c *cmd) Help() string {
return flags.Usage(c.help, nil)
}
const (
synopsis = "Read an ACL token"
help = `
Usage: consul acl token read [options] -id TOKENID
This command will retrieve and print out the details of
a single token.
Using a partial ID:
$ consul acl token read -id 4be56c77-82
Using the full ID:
$ consul acl token read -id 4be56c77-8244-4c7d-b08c-667b8c71baed
`
)