open-nomad/command/acl_bootstrap.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package command

import (
	"fmt"
	"io"
	"os"
	"strings"
	"time"

	"github.com/hashicorp/nomad/api"
	"github.com/mitchellh/cli"
	"github.com/posener/complete"
)

type ACLBootstrapCommand struct {
	Meta
}

func (c *ACLBootstrapCommand) Help() string {
	helpText := `
Usage: nomad acl bootstrap [options]

  Bootstrap is used to bootstrap the ACL system and get an initial token.

General Options:

  ` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `

Bootstrap Options:

  -json
    Output the bootstrap response in JSON format.

  -t
    Format and display the bootstrap response using a Go template.

`
	return strings.TrimSpace(helpText)
}

func (c *ACLBootstrapCommand) AutocompleteFlags() complete.Flags {
	return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
		complete.Flags{
			"-json": complete.PredictNothing,
			"-t":    complete.PredictAnything,
		})
}

func (c *ACLBootstrapCommand) AutocompleteArgs() complete.Predictor {
	return complete.PredictNothing
}

func (c *ACLBootstrapCommand) Synopsis() string {
	return "Bootstrap the ACL system for initial token"
}

func (c *ACLBootstrapCommand) Name() string { return "acl bootstrap" }

func (c *ACLBootstrapCommand) Run(args []string) int {

	var (
		json bool
		tmpl string
		file string
	)

	flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
	flags.Usage = func() { c.Ui.Output(c.Help()) }
	flags.BoolVar(&json, "json", false, "")
	flags.StringVar(&tmpl, "t", "", "")
	if err := flags.Parse(args); err != nil {
		return 1
	}

	// Check that we got no arguments
	args = flags.Args()
	if l := len(args); l < 0 || l > 1 {
		c.Ui.Error("This command takes up to one argument")
		c.Ui.Error(commandErrorText(c))
		return 1
	}

	var terminalToken []byte
	var err error

	if len(args) == 1 {
		switch args[0] {
		case "":
			terminalToken = []byte{}
		case "-":
			terminalToken, err = io.ReadAll(os.Stdin)
		default:
			file = args[0]
			terminalToken, err = os.ReadFile(file)
		}
		if err != nil {
			c.Ui.Error(fmt.Sprintf("Error reading provided token: %v", err))
			return 1
		}
	}

	// Remove newline from the token if it was passed by stdin
	boottoken := strings.TrimSuffix(string(terminalToken), "\n")

	// Get the HTTP client
	client, err := c.Meta.Client()
	if err != nil {
		c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err))
		return 1
	}

	// Get the bootstrap token
	token, _, err := client.ACLTokens().BootstrapOpts(boottoken, nil)
	if err != nil {
		c.Ui.Error(fmt.Sprintf("Error bootstrapping: %s", err))
		return 1
	}

	if json || len(tmpl) > 0 {
		out, err := Format(json, tmpl, token)
		if err != nil {
			c.Ui.Error(err.Error())
			return 1
		}

		c.Ui.Output(out)
		return 0
	}

	// Format the output
	outputACLToken(c.Ui, token)
	return 0
}

// formatACLPolicy returns formatted policy
func formatACLPolicy(policy *api.ACLPolicy) string {
	output := []string{
		fmt.Sprintf("Name|%s", policy.Name),
		fmt.Sprintf("Description|%s", policy.Description),
		fmt.Sprintf("CreateIndex|%v", policy.CreateIndex),
		fmt.Sprintf("ModifyIndex|%v", policy.ModifyIndex),
	}

	formattedOut := formatKV(output)

	if policy.JobACL != nil {
		output := []string{
			fmt.Sprintf("Namespace|%v", policy.JobACL.Namespace),
			fmt.Sprintf("JobID|%v", policy.JobACL.JobID),
			fmt.Sprintf("Group|%v", policy.JobACL.Group),
			fmt.Sprintf("Task|%v", policy.JobACL.Task),
		}
		formattedOut += "\n\n[bold]Associated Workload[reset]\n"
		formattedOut += formatKV(output)
	}

	// these are potentially large blobs so leave till the end
	formattedOut += "\n\n[bold]Rules[reset]\n\n"
	formattedOut += policy.Rules

	return formattedOut
}

// outputACLToken formats and outputs the ACL token via the UI in the correct
// format.
func outputACLToken(ui cli.Ui, token *api.ACLToken) {

	// Build the initial KV output which is always the same not matter whether
	// the token is a management or client type.
	kvOutput := []string{
		fmt.Sprintf("Accessor ID|%s", token.AccessorID),
		fmt.Sprintf("Secret ID|%s", token.SecretID),
		fmt.Sprintf("Name|%s", token.Name),
		fmt.Sprintf("Type|%s", token.Type),
		fmt.Sprintf("Global|%v", token.Global),
		fmt.Sprintf("Create Time|%v", token.CreateTime),
		fmt.Sprintf("Expiry Time |%s", expiryTimeString(token.ExpirationTime)),
		fmt.Sprintf("Create Index|%d", token.CreateIndex),
		fmt.Sprintf("Modify Index|%d", token.ModifyIndex),
	}

	// If the token is a management type, make it obvious that it is not
	// possible to have policies or roles assigned to it and just output the
	// KV data.
	if token.Type == "management" {
		kvOutput = append(kvOutput, "Policies|n/a", "Roles|n/a")
		ui.Output(formatKV(kvOutput))
	} else {

		// Policies are only currently referenced by name, so keep the previous
		// format. When/if policies gain an ID alongside name like roles, this
		// output should follow that of the roles.
		kvOutput = append(kvOutput, fmt.Sprintf("Policies|%v", token.Policies))

		var roleOutput []string

		// If we have linked roles, add the ID and name in a list format to the
		// output. Otherwise, make it clear there are no linked roles.
		if len(token.Roles) > 0 {
			roleOutput = append(roleOutput, "ID|Name")
			for _, roleLink := range token.Roles {
				roleOutput = append(roleOutput, roleLink.ID+"|"+roleLink.Name)
			}
		} else {
			roleOutput = append(roleOutput, "<none>")
		}

		// Output the mixed formats of data, ensuring there is a space between
		// the KV and list data.
		ui.Output(formatKV(kvOutput))
		ui.Output("")
		ui.Output(fmt.Sprintf("Roles\n%s", formatList(roleOutput)))
	}
}

func expiryTimeString(t *time.Time) string {
	if t == nil || t.IsZero() {
		return "<none>"
	}
	return t.String()
}