package cmd
import (
"context"
"fmt"
"os"
"time"
"github.com/manifoldco/promptui"
"github.com/spf13/cobra"
"github.com/pydio/cells/common"
"github.com/pydio/cells/common/log"
"github.com/pydio/cells/common/proto/auth"
"github.com/pydio/cells/common/proto/idm"
"github.com/pydio/cells/common/registry"
"github.com/pydio/cells/common/utils/permissions"
)
// Flag storage for the "user token" sub-command; the values are bound to the
// command's flags in init().
var tokUserLogin string  // -u: login of the user the token is issued for
var tokExpireTime string // -e: hard expiry, as a Go duration string
var tokAutoRefresh int   // -a: sliding expiry window, in seconds
var tokScopes []string   // -s: optional "node:NODE_UUID:PERMISSION" scopes
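// pTokCmd implements "user token": it issues a personal access token for one
// user, with either a hard expiry (-e, Go duration) or a sliding auto-refresh
// window (-a, seconds), optionally restricted to node scopes (-s).
//
// The command refuses to run without a user login and without at least one
// expiration mechanism, and aborts on an unparsable duration, so that a token
// is never requested with an expiry derived from the zero time.Time.
var pTokCmd = &cobra.Command{
	Use:   "token",
	Short: "Generate a personal token for a given user",
	Long: `
DESCRIPTION
This command generates an authentication token for a specific user.
Expiration can be either a "hard" limit, by using the -e flag and a golang duration, or a "sliding window"
defined in seconds using the -a flag.
EXAMPLES
Generate a token that lasts 24 hours for user admin
$ ` + os.Args[0] + ` user token -u admin -e 24h
Generate a token that lasts by default 10mn, but which expiration is refreshed to the next 10mn each time
token is used.
$ ` + os.Args[0] + ` user token -u admin -a 600
TOKEN USAGE
These token can be used in replacement of an OAuth2-based access token : they can replace the "Bearer" access
token when calling any REST API. They can also be used as the password (in conjunction with username) for all
basic-auth based APIs (e.g. webDAV).
TOKEN SCOPE
By default, generated tokens grant the same level of access as a standard login operation. To improve security,
it is possible to restrict these accesses to a specific file or folder (given it is accessible by the user in
first place) with a "scope" in the format "node:NODE_UUID:PERMISSION" where PERMISSION string contains either "r"
(read) or "w" (write) or both.
`,
	Run: func(cmd *cobra.Command, args []string) {
		// The login is mandatory (see the -u flag help): without it there is
		// nobody to issue a token for, so print the usage instead of looking
		// up an empty login.
		if tokUserLogin == "" {
			cmd.Help()
			return
		}

		// At least one expiration mechanism must be given; otherwise the
		// request below would carry ExpiresAt computed from time.Time{}.
		if tokExpireTime == "" && tokAutoRefresh == 0 {
			cmd.Println(promptui.IconBad + " Provide an expiration with -e (golang duration) or an auto-refresh window with -a (seconds)")
			return
		}

		var expire time.Time
		if tokExpireTime != "" {
			d, e := time.ParseDuration(tokExpireTime)
			if e != nil {
				// Abort rather than fall through: the original code kept going
				// with a zero expiry after reporting the parse error.
				cmd.Println(promptui.IconBad + " Cannot parse expire duration. Use golang format like 30s, 30m, 24h")
				return
			}
			expire = time.Now().Add(d)
		}

		u, e := permissions.SearchUniqueUser(context.Background(), tokUserLogin, "")
		if e != nil {
			cmd.Println("Cannot find user")
			return
		}

		cli := auth.NewPersonalAccessTokenServiceClient(registry.GetClient(common.ServiceToken))
		resp, e := cli.Generate(context.Background(), &auth.PatGenerateRequest{
			Type:      auth.PatType_PERSONAL,
			UserUuid:  u.Uuid,
			UserLogin: tokUserLogin,
			Label:     "Command generated token",
			// NOTE(review): when only -a is given, expire is the zero time and
			// this is time.Time{}.Unix(); kept as the original sent it. Confirm
			// how the token service interprets ExpiresAt together with
			// AutoRefreshWindow.
			ExpiresAt:         expire.Unix(),
			AutoRefreshWindow: int32(tokAutoRefresh),
			Scopes:            tokScopes,
		})
		if e != nil {
			log.Fatal(e.Error())
			return
		}

		// Prefer the display name attribute when the user has one.
		uDisplay := u.Login
		if u.Attributes != nil && u.Attributes[idm.UserAttrDisplayName] != "" {
			uDisplay = u.Attributes[idm.UserAttrDisplayName]
		}

		// Only report a calendar expiry when a hard limit was requested; with
		// -a alone the zero time would be printed as year 0001.
		if expire.IsZero() {
			cmd.Println(promptui.IconGood + fmt.Sprintf(" This token for %s auto-refreshes its expiration by %d seconds on each use.", uDisplay, tokAutoRefresh))
		} else {
			cmd.Println(promptui.IconGood + fmt.Sprintf(" This token for %s will expire on %s.", uDisplay, expire))
		}
		cmd.Println(promptui.IconGood + " " + resp.AccessToken)
		cmd.Println("")
		cmd.Println(promptui.IconWarn + " Make sure to secure it as it grants access to the user resources!")
	},
}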
// init attaches the "token" sub-command to UserCmd and declares its flags,
// binding each one to the package-level tok* variables.
func init() {
	UserCmd.AddCommand(pTokCmd)

	flags := pTokCmd.Flags()
	flags.StringVarP(&tokUserLogin, "user", "u", "", "User login (mandatory)")
	flags.StringVarP(&tokExpireTime, "expire", "e", "", "Expire after (golang duration format)...")
	flags.IntVarP(&tokAutoRefresh, "auto", "a", 0, "Auto-refresh (number of seconds, see help)")
	flags.StringSliceVarP(&tokScopes, "scope", "s", []string{}, "Optional scopes")
}