mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-16 07:16:38 +00:00
186 lines
5.3 KiB
Go
186 lines
5.3 KiB
Go
// Package tokencmd provides reusable cobra commands for managing proxy access tokens.
|
|
// Both the management and combined binaries use these commands, each providing
|
|
// their own StoreOpener to handle config loading and store initialization.
|
|
package tokencmd
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"strconv"
|
|
"text/tabwriter"
|
|
"time"
|
|
|
|
"github.com/spf13/cobra"
|
|
|
|
"github.com/netbirdio/netbird/management/server/store"
|
|
"github.com/netbirdio/netbird/management/server/types"
|
|
)
|
|
|
|
// StoreOpener initializes a store from the command context and calls fn.
|
|
type StoreOpener func(cmd *cobra.Command, fn func(ctx context.Context, s store.Store) error) error
|
|
|
|
// NewCommands creates the token command tree with the given store opener.
|
|
// Returns the parent "token" command with create, list, and revoke subcommands.
|
|
func NewCommands(opener StoreOpener) *cobra.Command {
|
|
var (
|
|
tokenName string
|
|
tokenExpireIn string
|
|
)
|
|
|
|
tokenCmd := &cobra.Command{
|
|
Use: "token",
|
|
Short: "Manage proxy access tokens",
|
|
Long: "Commands for creating, listing, and revoking proxy access tokens used by reverse proxy instances to authenticate with the management server.",
|
|
}
|
|
|
|
createCmd := &cobra.Command{
|
|
Use: "create",
|
|
Short: "Create a new proxy access token",
|
|
Long: "Creates a new proxy access token. The plain text token is displayed only once at creation time.",
|
|
RunE: func(cmd *cobra.Command, _ []string) error {
|
|
return opener(cmd, func(ctx context.Context, s store.Store) error {
|
|
return runCreate(ctx, s, cmd.OutOrStdout(), tokenName, tokenExpireIn)
|
|
})
|
|
},
|
|
}
|
|
createCmd.Flags().StringVar(&tokenName, "name", "", "Name for the token (required)")
|
|
createCmd.Flags().StringVar(&tokenExpireIn, "expires-in", "", "Token expiration duration (e.g., 365d, 24h, 30d). Empty means no expiration")
|
|
if err := createCmd.MarkFlagRequired("name"); err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
listCmd := &cobra.Command{
|
|
Use: "list",
|
|
Aliases: []string{"ls"},
|
|
Short: "List all proxy access tokens",
|
|
Long: "Lists all proxy access tokens with their IDs, names, creation dates, expiration, and revocation status.",
|
|
RunE: func(cmd *cobra.Command, _ []string) error {
|
|
return opener(cmd, func(ctx context.Context, s store.Store) error {
|
|
return runList(ctx, s, cmd.OutOrStdout())
|
|
})
|
|
},
|
|
}
|
|
|
|
revokeCmd := &cobra.Command{
|
|
Use: "revoke [token-id]",
|
|
Short: "Revoke a proxy access token",
|
|
Long: "Revokes a proxy access token by its ID. Revoked tokens can no longer be used for authentication.",
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
return opener(cmd, func(ctx context.Context, s store.Store) error {
|
|
return runRevoke(ctx, s, cmd.OutOrStdout(), args[0])
|
|
})
|
|
},
|
|
}
|
|
|
|
tokenCmd.AddCommand(createCmd, listCmd, revokeCmd)
|
|
return tokenCmd
|
|
}
|
|
|
|
func runCreate(ctx context.Context, s store.Store, w io.Writer, name string, expireIn string) error {
|
|
expiresIn, err := ParseDuration(expireIn)
|
|
if err != nil {
|
|
return fmt.Errorf("parse expiration: %w", err)
|
|
}
|
|
|
|
generated, err := types.CreateNewProxyAccessToken(name, expiresIn, nil, "CLI")
|
|
if err != nil {
|
|
return fmt.Errorf("generate token: %w", err)
|
|
}
|
|
|
|
if err := s.SaveProxyAccessToken(ctx, &generated.ProxyAccessToken); err != nil {
|
|
return fmt.Errorf("save token: %w", err)
|
|
}
|
|
|
|
fmt.Fprintln(w, "Token created successfully!")
|
|
fmt.Fprintf(w, "Token: %s\n", generated.PlainToken)
|
|
fmt.Fprintln(w)
|
|
fmt.Fprintln(w, "IMPORTANT: Save this token now. It will not be shown again.")
|
|
fmt.Fprintf(w, "Token ID: %s\n", generated.ID)
|
|
return nil
|
|
}
|
|
|
|
func runList(ctx context.Context, s store.Store, out io.Writer) error {
|
|
tokens, err := s.GetAllProxyAccessTokens(ctx, store.LockingStrengthNone)
|
|
if err != nil {
|
|
return fmt.Errorf("list tokens: %w", err)
|
|
}
|
|
|
|
if len(tokens) == 0 {
|
|
fmt.Fprintln(out, "No proxy access tokens found.")
|
|
return nil
|
|
}
|
|
|
|
w := tabwriter.NewWriter(out, 0, 0, 2, ' ', 0)
|
|
fmt.Fprintln(w, "ID\tNAME\tCREATED\tEXPIRES\tLAST USED\tREVOKED")
|
|
fmt.Fprintln(w, "--\t----\t-------\t-------\t---------\t-------")
|
|
|
|
for _, t := range tokens {
|
|
expires := "never"
|
|
if t.ExpiresAt != nil {
|
|
expires = t.ExpiresAt.Format("2006-01-02")
|
|
}
|
|
|
|
lastUsed := "never"
|
|
if t.LastUsed != nil {
|
|
lastUsed = t.LastUsed.Format("2006-01-02 15:04")
|
|
}
|
|
|
|
revoked := "no"
|
|
if t.Revoked {
|
|
revoked = "yes"
|
|
}
|
|
|
|
fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
|
|
t.ID,
|
|
t.Name,
|
|
t.CreatedAt.Format("2006-01-02"),
|
|
expires,
|
|
lastUsed,
|
|
revoked,
|
|
)
|
|
}
|
|
|
|
w.Flush()
|
|
|
|
return nil
|
|
}
|
|
|
|
func runRevoke(ctx context.Context, s store.Store, w io.Writer, tokenID string) error {
|
|
if err := s.RevokeProxyAccessToken(ctx, tokenID); err != nil {
|
|
return fmt.Errorf("revoke token: %w", err)
|
|
}
|
|
|
|
fmt.Fprintf(w, "Token %s revoked successfully.\n", tokenID)
|
|
return nil
|
|
}
|
|
|
|
// ParseDuration parses a duration string with support for days (e.g., "30d", "365d").
|
|
// An empty string returns zero duration (no expiration).
|
|
func ParseDuration(s string) (time.Duration, error) {
|
|
if len(s) == 0 {
|
|
return 0, nil
|
|
}
|
|
|
|
if s[len(s)-1] == 'd' {
|
|
d, err := strconv.Atoi(s[:len(s)-1])
|
|
if err != nil {
|
|
return 0, fmt.Errorf("invalid day format: %s", s)
|
|
}
|
|
if d <= 0 {
|
|
return 0, fmt.Errorf("duration must be positive: %s", s)
|
|
}
|
|
return time.Duration(d) * 24 * time.Hour, nil
|
|
}
|
|
|
|
d, err := time.ParseDuration(s)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
if d <= 0 {
|
|
return 0, fmt.Errorf("duration must be positive: %s", s)
|
|
}
|
|
return d, nil
|
|
}
|