[#387] authmate: fix parsing session rules

Signed-off-by: Denis Kirillov <denis@nspcc.ru>
2022-03-30 15:23:00 +03:00 · 2022-03-30 15:23:00 +03:00 · 4322da90d8
commit 4322da90d8
parent 83bb6fc020
2 changed files with 11 additions and 5 deletions
--- a/authmate/authmate.go
+++ b/authmate/authmate.go
@ -98,6 +98,7 @@ type (
 		GatesPublicKeys       []*keys.PublicKey
 		EACLRules             []byte
 		SessionTokenRules     []byte
+		SkipSessionRules      bool
 		Lifetime              time.Duration
 		AwsCliCredentialsFile string
 		ContainerPolicies     ContainerPolicies
@ -439,7 +440,7 @@ func createTokens(options *IssueSecretOptions, lifetime lifetimeOptions) ([]*acc
 		gates[i] = accessbox.NewGateData(gateKey, bearerTokens[i])
 	}

-	if options.SessionTokenRules != nil {
+	if !options.SkipSessionRules {
 		sessionRules, err := buildContext(options.SessionTokenRules)
 		if err != nil {
 			return nil, fmt.Errorf("failed to build context for session token: %w", err)
--- a/cmd/authmate/main.go
+++ b/cmd/authmate/main.go
@ -276,7 +276,7 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				return cli.Exit(fmt.Sprintf("couldn't parse 'bearer-rules' flag: %s", err.Error()), 7)
 			}

-			sessionRules, err := getSessionRules(sessionTokenFlag)
+			sessionRules, skipSessionRules, err := getSessionRules(sessionTokenFlag)
 			if err != nil {
 				return cli.Exit(fmt.Sprintf("couldn't parse 'session-token' flag: %s", err.Error()), 8)
 			}
@ -291,6 +291,7 @@ It will be ceil rounded to the nearest amount of epoch.`,
 				GatesPublicKeys:       gatesPublicKeys,
 				EACLRules:             bearerRules,
 				SessionTokenRules:     sessionRules,
+				SkipSessionRules:      skipSessionRules,
 				ContainerPolicies:     policies,
 				Lifetime:              lifetimeFlag,
 				AwsCliCredentialsFile: awcCliCredFile,
@ -343,11 +344,15 @@ func getJSONRules(val string) ([]byte, error) {
 	return nil, fmt.Errorf("coudln't read json file or its content is invalid")
 }

-func getSessionRules(r string) ([]byte, error) {
+// getSessionRules reads json session rules.
+// Returns true if rules must be skipped.
+func getSessionRules(r string) ([]byte, bool, error) {
 	if r == "none" {
-		return nil, nil
+		return nil, true, nil
 	}
-	return getJSONRules(r)
+
+	data, err := getJSONRules(r)
+	return data, false, err
 }

 func obtainSecret() *cli.Command {