#!/bin/bash
# Program name used as the prefix of the usage text and of every diagnostic.
ME="htdestroytoken"
#######################################
# Print the help text and terminate the script.
# Globals:   ME (read)
# Arguments: none
# Outputs:   help text on stderr, nothing on stdout
# Returns:   never returns; exits with status 2
#######################################
usage() {
  # Unquoted delimiter so $ME expands; \$ keeps the variable names literal.
  cat >&2 <<EOF
Usage: $ME [-h] [-q] [-f [htgettoken options]]
Removes bearer and vault tokens if present
 -h prints this help message and exits
 -q do removals silently
 -f first force removal of refresh token from vault, if vault token is valid.
 Runs htgettoken to find the vault path so requires sufficient htgettoken
 options on command line or in \$HTGETTOKENOPTS.
The location of the bearer token can be set by \$BEARER_TOKEN_FILE
 and the location of the vault token can be set by \$VAULT_TOKEN_FILE.
EOF
  exit 2
}
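#######################################
# Parse the command line, optionally delete the refresh token stored in
# vault, then remove the local bearer and vault token files.
#
# Changes from the string-based version:
#   * htgettoken and curl options are kept in arrays, so values containing
#     whitespace or glob characters (--cafile=, --capath=, token paths)
#     reach the child process as single arguments.
#   * "-q -f" with no htgettoken options is now rejected. The old test
#     compared against "-q" while the accumulated string was " -q", so the
#     check never fired when -q was given.
#   * Token file paths are quoted when read and removed, and rm gets "--".
#
# Globals:   ME, X509_CERT_DIR, VAULT_TOKEN_FILE, HTGETTOKENOPTS,
#            BEARER_TOKEN_FILE, XDG_RUNTIME_DIR, UID (all read)
# Arguments: the script's command line ("$@")
# Outputs:   progress messages on stdout unless -q; diagnostics on stderr
# Returns:   exits 2 on usage errors and 3 when the refresh token cannot
#            be located or deleted
#######################################
main() {
  local verbose=true
  local rm_refresh=false
  local -a htget_opts=()
  local cafile=""
  local capath="${X509_CERT_DIR:-/etc/grid-security/certificates}"
  local arg

  for arg; do
    case "$arg" in
      -h) usage ;;
      -q)
        verbose=false
        htget_opts+=(-q)
        ;;
      -f) rm_refresh=true ;;
      *)
        # Any other word is an htgettoken option, legal only after -f.
        if [[ $rm_refresh != true ]]; then
          usage
        fi
        htget_opts+=("$arg")
        # Reuse the caller's CA settings for the curl request below.
        case "$arg" in
          --cafile=*) cafile="${arg#--cafile=}" ;;
          --capath=*) capath="${arg#--capath=}" ;;
        esac
        ;;
    esac
  done

  # UID is a standard bash variable.
  # NOTE(review): the default is a predictable name in shared /tmp; this
  # script only reads and unlinks the file, it never creates it.
  local vtfile="/tmp/vt_u$UID"
  if [[ -n "${VAULT_TOKEN_FILE:-}" ]]; then
    vtfile="$VAULT_TOKEN_FILE"
    htget_opts+=("--vaulttokenfile=$vtfile")
  fi

  if [[ $rm_refresh == true && -f "$vtfile" ]]; then
    # htgettoken needs more than -q to locate the vault path.
    local opt
    local have_opts=false
    for opt in "${htget_opts[@]}"; do
      if [[ $opt != "-q" ]]; then
        have_opts=true
        break
      fi
    done
    if [[ $have_opts != true && -z "${HTGETTOKENOPTS:-}" ]]; then
      echo "$ME: no htgettoken options were given" >&2
      usage
    fi

    local bearer_url
    bearer_url="$(htgettoken "${htget_opts[@]}" --novaulttoken --nobearertoken --showbearerurl)"
    if [[ -z "$bearer_url" ]]; then
      echo "$ME: Unable to obtain vault URL to remove refresh token" >&2
      exit 3
    fi
    if [[ $verbose == true ]]; then
      echo "Deleting refresh token"
      echo " at path $bearer_url"
    fi

    # be careful to not let the vault token show up in a ps list; send to stdin
    # -q has to stay first so curl skips its config file.
    local -a curl_opts=(-q -f -m 5)
    if [[ -n "$cafile" ]]; then
      curl_opts+=(--cacert "$cafile")
    fi
    if [[ -n "$capath" ]]; then
      curl_opts+=(--capath "$capath")
    fi
    if ! { printf 'X-Vault-Token: '; cat -- "$vtfile"; } |
      curl "${curl_opts[@]}" -H @- -X DELETE "$bearer_url"; then
      echo "$ME: Unable to delete refresh token" >&2
      exit 3
    fi
  fi

  local token_file="${BEARER_TOKEN_FILE:-${XDG_RUNTIME_DIR:-/tmp}/bt_u$UID}"
  local file
  for file in "$token_file" "$vtfile"; do
    if [[ -f "$file" ]]; then
      if [[ $verbose == true ]]; then
        echo "Removing $file"
      fi
      # Quoted and after "--": the path comes from the environment and must
      # not be word-split, globbed or parsed as an option.
      rm -f -- "$file"
    fi
  done
}

main "$@"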