From b040df5155b3d02c79af1283ba20ea1b8e97378d Mon Sep 17 00:00:00 2001
From: Alex Hung
Date: Mon, 9 Dec 2024 10:33:03 -0800
Subject: [PATCH] Switch to use get token API to check expiration
---
 artifactory.go | 18 ++++++++++--------
 test/expired.sh | 7 ++++++-
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/artifactory.go b/artifactory.go
index 3bfaee7..a493270 100644
--- a/artifactory.go
+++ b/artifactory.go
@@ -347,8 +347,8 @@ func (b *backend) refreshExpiredAccessToken(ctx context.Context, req *logical.Re
 // check if user access token is expired or not
 // if so, refresh it with new tokens
- logger.Debug("check if access token is expired by getting Viewer role")
- err := b.getRole(*config)
+ logger.Debug("check if access token is expired by getting token itself")
+ err := b.getTokenByID(*config)
 if err != nil {
 logger.Debug("failed to get Viewer role", "err", err)
@@ -414,14 +414,16 @@ func (b *backend) getVersion(config baseConfiguration) (version string, err erro
 return systemVersion.Version, nil
 }
-func (b *backend) getRole(config baseConfiguration) error {
- logger := b.Logger().With("func", "getRole")
+func (b *backend) getTokenByID(config baseConfiguration) error {
+ logger := b.Logger().With("func", "getTokenByID")
 logger.Debug("fetching Viewer role")
- resp, err := b.performArtifactoryGet(config, "/access/api/v1/roles/Viewer")
+ // '/me' is special value to get info about token itself
+ // https://jfrog.com/help/r/jfrog-rest-apis/get-token-by-id
+ resp, err := b.performArtifactoryGet(config, "/access/api/v1/tokens/me")
 if err != nil {
- logger.Error("error making get role request", "response", resp, "err", err)
+ logger.Error("error making get token request", "response", resp, "err", err)
 return err
 }
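Review bot: The Debug line right after the new `err := b.getTokenByID(*config)` call, `logger.Debug("failed to get Viewer role", "err", err)`, still names the Viewer role even though the probe now goes to the token endpoint, and the same stale wording survives in the next hunk at `logger.Debug("fetching Viewer role")` inside the renamed getTokenByID. Anyone correlating these messages with the `/access/api/v1/tokens/me` request will be misled about which call failed. Change them to `logger.Debug("failed to get token", "err", err)` and `logger.Debug("fetching token")`. refreshExpiredAccessToken starts and ends outside this hunk.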
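Review bot: getTokenByID is introduced without a doc comment, and because its only job is to act as an expiry probe, a reader has to follow the next hunk to learn that expiry is reported through a typed error rather than through the return value. Add above the signature: `// getTokenByID issues GET /access/api/v1/tokens/me with the configured token and returns *TokenExpiredError when Artifactory answers 401 with an invalid-token message; any other failure is returned as a plain error.` Presumably the switch from the Viewer-role lookup also means the probe no longer needs role-read permission, only the token being checked, which is consistent with the test change to a user-scoped token in the same commit; that is worth a sentence in the comment if confirmed. The 401/regex check that justifies this wording is in the following hunk, and the function's closing brace is outside both.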
@@ -434,14 +436,14 @@ func (b *backend) getRole(config baseConfiguration) error {
 err := json.NewDecoder(resp.Body).Decode(&errResp)
 if err != nil {
 logger.Error("could not parse error response", "response", resp, "err", err)
- return fmt.Errorf("could not get role. Err: %w", err)
+ return fmt.Errorf("could not get token. Err: %w", err)
 }
 if resp.StatusCode == http.StatusUnauthorized && invalidTokenRegex.MatchString(errResp.String()) {
 return &TokenExpiredError{}
 }
- return fmt.Errorf("could not get the role: HTTP response %v", errResp.String())
+ return fmt.Errorf("could not get the token: HTTP response %v", errResp.String())
 }
 return nil
diff --git a/test/expired.sh b/test/expired.sh
index 0ed42b7..ec9ee86 100755
--- a/test/expired.sh
+++ b/test/expired.sh
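Review bot: The two error strings this hunk rewrites are inconsistent with each other and with Go convention: `could not get token. Err: %w` carries a capitalised, full-stop-terminated fragment while the sibling return says `could not get the token: HTTP response %v` for the same operation. Since both are wrapped further up the call chain, use one lowercase colon-separated form, e.g. `fmt.Errorf("getting token: %w", err)` and `fmt.Errorf("getting token: HTTP response %v", errResp.String())`. The http.StatusUnauthorized plus invalidTokenRegex branch is untouched and remains the only path that yields *TokenExpiredError, so callers that rely on errors.As for it are unaffected by the message change. The closing brace of getTokenByID lies outside the hunk.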
@@ -2,7 +2,12 @@ vault write artifactory/config/admin url=$JFROG_URL use_expiring_tokens=true max_ttl=14400 default_ttl=3600
-USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"admin","scope":"applied-permissions/user applied-permissions/admin","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
+# create non-admin token
+# ensure there's a non-admin user named `test` in Artifactory first
+USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"test","scope":"applied-permissions/user","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
+
+# create admin token
+# USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"admin","scope":"applied-permissions/admin","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
 USER_ACCESS_TOKEN=$(echo ${USER_TOKEN} | jq -r ".access_token")
 echo "USER_ACCESS_TOKEN: ${USER_ACCESS_TOKEN}"
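Review bot: The new comment says a non-admin user named `test` must exist first, but nothing checks that the token request succeeded; if the user is missing, `jq -r ".access_token"` prints the string `null` and the rest of the script runs with that as the bearer value, failing somewhere downstream with no hint why. Right after the `USER_ACCESS_TOKEN=` line add `[ -n "$USER_ACCESS_TOKEN" ] && [ "$USER_ACCESS_TOKEN" != "null" ] || { echo "token request failed: ${USER_TOKEN}" >&2; exit 1; }`. The unquoted `echo ${USER_TOKEN}` on the same line also exposes the JSON (which contains `*@*`) to word splitting and glob expansion; `printf '%s' "${USER_TOKEN}" | jq -r ".access_token"` avoids that. The script continues past the end of this hunk.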