open-nomad/command/acl_token_create.go
2023-04-10 15:36:59 +00:00

196 lines
5.3 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package command
import (
"fmt"
"strings"
"time"
"github.com/hashicorp/go-set"
"github.com/hashicorp/nomad/api"
"github.com/hashicorp/nomad/helper"
"github.com/posener/complete"
)
type ACLTokenCreateCommand struct {
Meta
roleNames []string
roleIDs []string
}
func (c *ACLTokenCreateCommand) Help() string {
helpText := `
Usage: nomad acl token create [options]
Create is used to issue new ACL tokens. Requires a management token.
General Options:
` + generalOptionsUsage(usageOptsDefault|usageOptsNoNamespace) + `
Create Options:
-name=""
Sets the human readable name for the ACL token.
-type="client"
Sets the type of token. Must be one of "client" (default), or "management".
-global=false
Toggles the global mode of the token. Global tokens are replicated to all regions.
-policy=""
Specifies a policy to associate with the token. Can be specified multiple times,
but only with client type tokens.
-role-id
ID of a role to use for this token. May be specified multiple times.
-role-name
Name of a role to use for this token. May be specified multiple times.
-ttl
Specifies the time-to-live of the created ACL token. This takes the form of
a time duration such as "5m" and "1h". By default, tokens will be created
without a TTL and therefore never expire.
-json
Output the ACL token information in JSON format.
-t
Format and display the ACL token information using a Go template.
`
return strings.TrimSpace(helpText)
}
func (c *ACLTokenCreateCommand) AutocompleteFlags() complete.Flags {
return mergeAutocompleteFlags(c.Meta.AutocompleteFlags(FlagSetClient),
complete.Flags{
"name": complete.PredictAnything,
"type": complete.PredictAnything,
"global": complete.PredictNothing,
"policy": complete.PredictAnything,
"role-id": complete.PredictAnything,
"role-name": complete.PredictAnything,
"ttl": complete.PredictAnything,
"-json": complete.PredictNothing,
"-t": complete.PredictAnything,
})
}
func (c *ACLTokenCreateCommand) AutocompleteArgs() complete.Predictor {
return complete.PredictNothing
}
func (c *ACLTokenCreateCommand) Synopsis() string {
return "Create a new ACL token"
}
func (c *ACLTokenCreateCommand) Name() string { return "acl token create" }
func (c *ACLTokenCreateCommand) Run(args []string) int {
var name, tokenType, ttl, tmpl string
var global, json bool
var policies []string
flags := c.Meta.FlagSet(c.Name(), FlagSetClient)
flags.Usage = func() { c.Ui.Output(c.Help()) }
flags.StringVar(&name, "name", "", "")
flags.StringVar(&tokenType, "type", "client", "")
flags.BoolVar(&global, "global", false, "")
flags.StringVar(&ttl, "ttl", "", "")
flags.BoolVar(&json, "json", false, "")
flags.StringVar(&tmpl, "t", "", "")
flags.Var((funcVar)(func(s string) error {
policies = append(policies, s)
return nil
}), "policy", "")
flags.Var((funcVar)(func(s string) error {
c.roleNames = append(c.roleNames, s)
return nil
}), "role-name", "")
flags.Var((funcVar)(func(s string) error {
c.roleIDs = append(c.roleIDs, s)
return nil
}), "role-id", "")
if err := flags.Parse(args); err != nil {
return 1
}
// Check that we got no arguments
args = flags.Args()
if l := len(args); l != 0 {
c.Ui.Error("This command takes no arguments")
c.Ui.Error(commandErrorText(c))
return 1
}
// Set up the token.
tk := &api.ACLToken{
Name: name,
Type: tokenType,
Policies: policies,
Roles: generateACLTokenRoleLinks(c.roleNames, c.roleIDs),
Global: global,
}
// If the user set a TTL flag value, convert this to a time duration and
// add it to our token request object.
if ttl != "" {
ttlDuration, err := time.ParseDuration(ttl)
if err != nil {
c.Ui.Error(fmt.Sprintf("Failed to parse TTL as time duration: %s", err))
return 1
}
tk.ExpirationTTL = ttlDuration
}
// Get the HTTP client
client, err := c.Meta.Client()
if err != nil {
c.Ui.Error(fmt.Sprintf("Error initializing client: %s", err))
return 1
}
// Create the bootstrap token
token, _, err := client.ACLTokens().Create(tk, nil)
if err != nil {
c.Ui.Error(fmt.Sprintf("Error creating token: %s", err))
return 1
}
if json || len(tmpl) > 0 {
out, err := Format(json, tmpl, token)
if err != nil {
c.Ui.Error(err.Error())
return 1
}
c.Ui.Output(out)
return 0
}
// Format the output
outputACLToken(c.Ui, token)
return 0
}
// generateACLTokenRoleLinks takes the command input role links by ID and name
// and coverts this to the relevant API object. It handles de-duplicating
// entries to the best effort, so this doesn't need to be done on the leader.
func generateACLTokenRoleLinks(roleNames, roleIDs []string) []*api.ACLTokenRoleLink {
var tokenLinks []*api.ACLTokenRoleLink
roleNameSet := set.From[string](roleNames).List()
roleNameFn := func(name string) *api.ACLTokenRoleLink { return &api.ACLTokenRoleLink{Name: name} }
roleIDsSet := set.From[string](roleIDs).List()
roleIDFn := func(id string) *api.ACLTokenRoleLink { return &api.ACLTokenRoleLink{ID: id} }
tokenLinks = append(tokenLinks, helper.ConvertSlice(roleNameSet, roleNameFn)...)
tokenLinks = append(tokenLinks, helper.ConvertSlice(roleIDsSet, roleIDFn)...)
return tokenLinks
}