Merge pull request #82 from DrDaveD/add-httokensh

DrDaveD · web-flow · commit 664f2e6e4527 · 2023-07-27T17:28:55.000-05:00
Add httokensh, update to 1.19
diff --git a/htgettoken b/htgettoken
@@ -17,7 +17,7 @@
 from __future__ import print_function
 
 prog = "htgettoken"
-version = "1.18"
+version = "1.19"
 
 import os
 import sys
diff --git a/htgettoken.spec b/htgettoken.spec
@@ -2,7 +2,7 @@
 
 Summary: Get OIDC bearer tokens by interacting with Hashicorp vault
 Name: htgettoken
-Version: 1.18
+Version: 1.19
 Release: 1%{?dist}
 License: BSD
 Group: Applications/System
@@ -108,6 +108,7 @@ exec %{_libexecdir}/%{name}/%{name} "$@"
 cp htdestroytoken $RPM_BUILD_ROOT%{_bindir}
 cp httokendecode $RPM_BUILD_ROOT%{_bindir}
 ln -s httokendecode $RPM_BUILD_ROOT%{_bindir}/htdecodetoken
+cp httokensh $RPM_BUILD_ROOT%{_bindir}
 chmod +x $RPM_BUILD_ROOT%{_bindir}/*
 gzip -c %{name}.1 >$RPM_BUILD_ROOT%{_datadir}/man/man1/%{name}.1.gz
 
@@ -125,6 +126,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Thu Jul 27 2023 Dave Dykstra <dwd@fnal.gov> 1.19-1
+- Add httokensh command.
+
 * Wed May 24 2023 Dave Dykstra <dwd@fnal.gov> 1.18-1
 - Fix crash introduced in 1.17 when using --nobearertoken while the
   credkey is not known.
diff --git a/httokensh b/httokensh
@@ -0,0 +1,166 @@
+#!/bin/bash
+#
+# Run htgettoken and then start a shell command and keep the access
+# token updated for as long as the command runs.  If there is no 
+# -o/--outfile htgettoken option and BEARER_TOKEN_FILE is not already
+# set, choose a unique location and set BEARER_TOKEN_FILE to point
+# to the token.  If there is no --vaulttokenfile option, the vault token
+# will be stored in a file name based on a hash of the arguments given,
+# so that multiple httokensh commands run by the same user on the same
+# machine with the same options will share a vault token and otherwise
+# will get a different vault token.  The access token will be renewed
+# just under --minsecs seconds (default 60) before it is set to expire.
+# Output from the background htgettoken goes to $BEARER_TOKEN_FILE.log.
+
+usage()
+{
+    echo "Usage: httokensh [-h] [htgettokenoptions] -- [command]"
+    echo 
+    echo "Runs htgettoken with given options, starts the command, and runs"
+    echo "htgettoken again in the background as needed to renew the token"
+    echo "until the command exits."
+    echo
+    echo "Options:"
+    echo "  -h, --help     show this help message and exit"
+    echo
+    echo "command defaults to \$SHELL"
+    exit 1
+} >&2
+
+if [ $# = 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+    usage
+fi
+
+HTGETOKENARGS=()
+COMMANDARGS=()
+GOTSEP=false
+MINSECS=60
+GOTVERBOSE=false
+GOTOUTFILE=false
+GOTVTFILE=false
+for ARG; do
+    if $GOTSEP; then
+        COMMANDARGS+=("$ARG")
+    elif [ "$ARG" = "--" ]; then
+        GOTSEP=true
+    else
+        HTGETTOKENARGS+=("$ARG")
+        case "$ARG" in
+            --minsecs=*)
+                MINSECS="${ARG/--minsecs=/}"
+                ;;
+            -v|--verbose)
+                GOTVERBOSE=true
+                ;;
+            -o|--outfile=*)
+                GOTOUTFILE=true
+                ;;
+            --vaulttokenfile=*)
+                GOTVTFILE=true
+                ;;
+        esac
+    fi
+done
+
+if ! $GOTSEP; then
+    echo "No -- separator given" >&2
+    usage
+fi
+
+if [ ${#HTGETTOKENARGS[@]} = 0 ]; then
+    echo "No htgettoken options given" >&2
+    usage
+fi
+
+if [ ${#COMMANDARGS[@]} = 0 ]; then
+    COMMANDARGS=("$SHELL")
+fi
+
+if [ -z "$BEARER_TOKEN_FILE" ] && ! $GOTOUTFILE; then
+    BTFILE="bt_u$(id -u).sh-$$"
+    if [ -n "$XDG_RUNTIME_DIR" ]; then
+        BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE
+    else
+        BEARER_TOKEN_FILE=/tmp/$BTFILE
+    fi
+    export BEARER_TOKEN_FILE
+fi
+
+if ! $GOTVTFILE; then
+    ARGHASH="$(echo "${HTGETTOKENARGS[@]}"|md5sum -)"
+    ARGHASH="${ARGHASH%% *}"
+    VTFILE="/tmp/vt_u$(id -u).sh-$ARGHASH"
+    HTGETTOKENARGS+=("--vaulttokenfile=$VTFILE")
+fi
+
+gettoken()
+{
+    htgettoken "${HTGETTOKENARGS[@]}"
+    RETVAL="$?"
+    if [ $RETVAL != 0 ]; then
+        echo "htgettoken failed, $1" >&2
+        exit $RETVAL
+    fi
+
+    TOKENJSON="$(htdecodetoken)"
+    RETVAL="$?"
+    if [ $RETVAL != 0 ]; then
+        echo "htdecodetoken failed, $1" >&2
+        exit $RETVAL
+    fi
+
+    EXP="$(echo $TOKENJSON|jq .exp)"
+    NOW="$(date +%s)"
+    let SLEEPSECS="$EXP - $MINSECS - $NOW + 2"
+    if [ "$SLEEPSECS" -lt $2 ]; then
+        echo "Calculated renewal time of $SLEEPSECS seconds is less than $2, $1"
+        exit 1
+    fi
+}
+
+# The first time it is possible to get a cached token that is barely
+# beyond the minsecs, so reduce the minimum to just 1 second
+gettoken "not running command" 1
+
+# make sure the logged info is verbose for easier diagnosis
+if ! $GOTVERBOSE; then
+    HTGETTOKENARGS+=("-v")
+fi
+
+# enable job control so background processes get their own process group
+set -m
+
+echo "Renewal log is at \$BEARER_TOKEN_FILE.log"
+{
+    echo htgettoken args are "${HTGETTOKENARGS[@]}"
+    while true; do
+        date
+        echo "Renewal scheduled in $SLEEPSECS seconds"
+        sleep $SLEEPSECS
+        date
+        if kill -0 $PPID; then
+            gettoken "exiting" 60
+        else
+            echo "Parent process $PPID not running, exiting"
+            exit 0
+        fi
+    done
+} >$BEARER_TOKEN_FILE.log 2>&1 &
+
+BACKGROUND_PID=$!
+
+cleanup()
+{
+    if kill -- -$BACKGROUND_PID 2>/dev/null; then
+        wait 2>/dev/null
+        rm -f $BEARER_TOKEN_FILE $BEARER_TOKEN_FILE.log
+    else
+        echo >&2
+        echo "Renewal background process failed, see $BEARER_TOKEN_FILE.log" >&2
+        exit 1
+    fi
+}
+
+trap cleanup 0
+
+"${COMMANDARGS[@]}"
