shush/client_token.go at main · tiangong-dev/shush · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package shush

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// RegisterToken registers a one-time-use secret token in the agent.
// Returns the token string and a cleanup function.
func RegisterToken(socketPath, secret string, ttl time.Duration, maxUses int) (string, func(), error) {
	return RegisterTokenWithCapability(socketPath, ResolveCapability(nil), secret, ttl, maxUses)
}

// RegisterTokenWithCapability registers a one-time-use secret token with capability.
func RegisterTokenWithCapability(socketPath, capability, secret string, ttl time.Duration, maxUses int) (string, func(), error) {
	if strings.TrimSpace(secret) == "" {
		return "", nil, errors.New("secret must not be empty")
	}
	if ttl <= 0 {
		ttl = defaultTokenTTL
	}
	if maxUses <= 0 {
		maxUses = defaultTokenMaxUses
	}

	if err := startProcess(socketPath, nil, capability); err != nil {
		return "", nil, err
	}

	token, err := generateToken()
	if err != nil {
		return "", nil, err
	}
	client := &Client{SocketPath: socketPath, Capability: capability}
	_, err = client.do(request{
		Action:    actionSetToken,
		Token:     token,
		SecretB64: base64.StdEncoding.EncodeToString([]byte(secret)),
		ExpiresAt: time.Now().Add(ttl).Unix(),
		MaxUses:   maxUses,
	})
	if err != nil {
		return "", nil, err
	}

	cleanup := func() {
		_, _ = client.do(request{
			Action: actionClearToken,
			Token:  token,
		})
	}
	return token, cleanup, nil
}

// ResolveToken retrieves and consumes a one-time token.
func ResolveToken(socketPath, token string) (string, error) {
	return ResolveTokenWithCapability(socketPath, ResolveCapability(nil), token)
}

// ResolveTokenWithCapability retrieves and consumes a token with capability.
func ResolveTokenWithCapability(socketPath, capability, token string) (string, error) {
	client := &Client{SocketPath: socketPath, Capability: capability}
	resp, err := client.do(request{
		Action: actionGetToken,
		Token:  token,
	})
	if err != nil {
		return "", err
	}
	if !resp.Found {
		return "", errors.New("token not found or expired")
	}
	secret, err := base64.StdEncoding.DecodeString(resp.SecretB64)
	if err != nil || len(secret) == 0 {
		return "", errors.New("invalid token secret payload")
	}
	return string(secret), nil
}

func generateToken() (string, error) {
	buf := make([]byte, tokenBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("generate token: %w", err)
	}
	return hex.EncodeToString(buf), nil
}