From 4322da90d8bee15b099508956cceb64f43b1ef3f Mon Sep 17 00:00:00 2001 From: Denis Kirillov Date: Wed, 30 Mar 2022 15:23:00 +0300 Subject: [PATCH] [#387] authmate: fix parsing session rules Signed-off-by: Denis Kirillov --- authmate/authmate.go | 3 ++- cmd/authmate/main.go | 13 +++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/authmate/authmate.go b/authmate/authmate.go index d6e712192..13fcc455e 100644 --- a/authmate/authmate.go +++ b/authmate/authmate.go @@ -98,6 +98,7 @@ type ( GatesPublicKeys []*keys.PublicKey EACLRules []byte SessionTokenRules []byte + SkipSessionRules bool Lifetime time.Duration AwsCliCredentialsFile string ContainerPolicies ContainerPolicies @@ -439,7 +440,7 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions) ([]*acc gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i]) } - if options.SessionTokenRules != nil { + if !options.SkipSessionRules { sessionRules, err := buildContext(options.SessionTokenRules) if err != nil { return nil, fmt.Errorf("failed to build context for session token: %w", err) diff --git a/cmd/authmate/main.go b/cmd/authmate/main.go index c5592c07a..983727c77 100644 --- a/cmd/authmate/main.go +++ b/cmd/authmate/main.go @@ -276,7 +276,7 @@ It will be ceil rounded to the nearest amount of epoch.`, return cli.Exit(fmt.Sprintf("couldn't parse 'bearer-rules' flag: %s", err.Error()), 7) } - sessionRules, err := getSessionRules(sessionTokenFlag) + sessionRules, skipSessionRules, err := getSessionRules(sessionTokenFlag) if err != nil { return cli.Exit(fmt.Sprintf("couldn't parse 'session-token' flag: %s", err.Error()), 8) } @@ -291,6 +291,7 @@ It will be ceil rounded to the nearest amount of epoch.`, GatesPublicKeys: gatesPublicKeys, EACLRules: bearerRules, SessionTokenRules: sessionRules, + SkipSessionRules: skipSessionRules, ContainerPolicies: policies, Lifetime: lifetimeFlag, AwsCliCredentialsFile: awcCliCredFile, @@ -343,11 +344,15 @@ func getJSONRules(val string) ([]byte, error) { return nil, fmt.Errorf("coudln't read json file or its content is invalid") } -func getSessionRules(r string) ([]byte, error) { +// getSessionRules reads json session rules. +// Returns true if rules must be skipped. +func getSessionRules(r string) ([]byte, bool, error) { if r == "none" { - return nil, nil + return nil, true, nil } - return getJSONRules(r) + + data, err := getJSONRules(r) + return data, false, err } func obtainSecret() *cli.Command {