2023-03-28 19:12:30 +00:00
// Copyright (c) HashiCorp, Inc.
2023-08-11 13:12:13 +00:00
// SPDX-License-Identifier: BUSL-1.1
2023-03-28 19:12:30 +00:00
2018-10-19 16:04:07 +00:00
package tokencreate
import (
"flag"
"fmt"
2020-02-15 15:06:05 +00:00
"strings"
2019-04-08 17:05:51 +00:00
"time"
2018-10-19 16:04:07 +00:00
2022-04-05 21:10:06 +00:00
"github.com/mitchellh/cli"
2018-10-19 16:04:07 +00:00
"github.com/hashicorp/consul/api"
"github.com/hashicorp/consul/command/acl"
2020-02-15 15:06:05 +00:00
"github.com/hashicorp/consul/command/acl/token"
2018-10-19 16:04:07 +00:00
"github.com/hashicorp/consul/command/flags"
)
func New ( ui cli . Ui ) * cmd {
c := & cmd { UI : ui }
c . init ( )
return c
}
type cmd struct {
UI cli . Ui
flags * flag . FlagSet
http * flags . HTTPFlags
help string
2023-09-08 12:45:24 +00:00
accessor string
secret string
policyIDs [ ] string
policyNames [ ] string
description string
roleIDs [ ] string
roleNames [ ] string
serviceIdents [ ] string
nodeIdents [ ] string
templatedPolicy string
templatedPolicyFile string
templatedPolicyVariables [ ] string
expirationTTL time . Duration
local bool
showMeta bool
format string
2018-10-19 16:04:07 +00:00
}
func ( c * cmd ) init ( ) {
c . flags = flag . NewFlagSet ( "" , flag . ContinueOnError )
2019-04-30 15:45:36 +00:00
c . flags . StringVar ( & c . accessor , "accessor" , "" , "Create the token with this Accessor ID. " +
"It must be a UUID. If not specified one will be auto-generated" )
c . flags . StringVar ( & c . secret , "secret" , "" , "Create the token with this Secret ID. " +
"It must be a UUID. If not specified one will be auto-generated" )
2018-10-24 14:24:29 +00:00
c . flags . BoolVar ( & c . showMeta , "meta" , false , "Indicates that token metadata such " +
"as the content hash and raft indices should be shown for each entry" )
2018-10-19 16:04:07 +00:00
c . flags . BoolVar ( & c . local , "local" , false , "Create this as a datacenter local token" )
c . flags . StringVar ( & c . description , "description" , "" , "A description of the token" )
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . policyIDs ) , "policy-id" , "ID of a " +
"policy to use for this token. May be specified multiple times" )
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . policyNames ) , "policy-name" , "Name of a " +
"policy to use for this token. May be specified multiple times" )
2019-04-15 20:43:19 +00:00
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . roleIDs ) , "role-id" , "ID of a " +
"role to use for this token. May be specified multiple times" )
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . roleNames ) , "role-name" , "Name of a " +
"role to use for this token. May be specified multiple times" )
2019-04-08 18:19:09 +00:00
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . serviceIdents ) , "service-identity" , "Name of a " +
"service identity to use for this token. May be specified multiple times. Format is " +
"the SERVICENAME or SERVICENAME:DATACENTER1,DATACENTER2,..." )
2020-06-16 16:54:27 +00:00
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . nodeIdents ) , "node-identity" , "Name of a " +
"node identity to use for this token. May be specified multiple times. Format is " +
"NODENAME:DATACENTER" )
2019-04-08 17:05:51 +00:00
c . flags . DurationVar ( & c . expirationTTL , "expires-ttl" , 0 , "Duration of time this " +
"token should be valid for" )
2020-02-15 15:06:05 +00:00
c . flags . StringVar (
& c . format ,
"format" ,
token . PrettyFormat ,
fmt . Sprintf ( "Output format {%s}" , strings . Join ( token . GetSupportedFormats ( ) , "|" ) ) ,
)
2023-09-08 12:45:24 +00:00
c . flags . Var ( ( * flags . AppendSliceValue ) ( & c . templatedPolicyVariables ) , "var" , "Templated policy variables." +
" Must be used in combination with -templated-policy flag to specify required variables." +
" May be specified multiple times with different variables." +
" Format is VariableName:Value" )
c . flags . StringVar ( & c . templatedPolicy , "templated-policy" , "" , "The templated policy name. Use -var flag to specify variables when required." )
c . flags . StringVar ( & c . templatedPolicyFile , "templated-policy-file" , "" , "Path to a file containing templated policies and variables." )
2018-10-19 16:04:07 +00:00
c . http = & flags . HTTPFlags { }
flags . Merge ( c . flags , c . http . ClientFlags ( ) )
flags . Merge ( c . flags , c . http . ServerFlags ( ) )
2021-07-21 19:45:24 +00:00
flags . Merge ( c . flags , c . http . MultiTenancyFlags ( ) )
2018-10-19 16:04:07 +00:00
c . help = flags . Usage ( help , c . flags )
}
func ( c * cmd ) Run ( args [ ] string ) int {
if err := c . flags . Parse ( args ) ; err != nil {
return 1
}
2019-04-08 18:19:09 +00:00
if len ( c . policyNames ) == 0 && len ( c . policyIDs ) == 0 &&
2019-04-15 20:43:19 +00:00
len ( c . roleNames ) == 0 && len ( c . roleIDs ) == 0 &&
2023-09-08 12:45:24 +00:00
len ( c . serviceIdents ) == 0 && len ( c . nodeIdents ) == 0 &&
len ( c . templatedPolicy ) == 0 && len ( c . templatedPolicyFile ) == 0 {
c . UI . Error ( "Cannot create a token without specifying -policy-name, -policy-id, -role-name, -role-id, -service-identity, -node-identity, -templated-policy, or -templated-policy-file at least once" )
2018-10-19 16:04:07 +00:00
return 1
}
2023-10-26 18:15:12 +00:00
if len ( c . templatedPolicyFile ) != 0 && len ( c . templatedPolicy ) != 0 {
c . UI . Error ( "Cannot combine the use of templated-policy flag with templated-policy-file. " +
"To create a token with a single templated policy and simple use case, use -templated-policy. " +
"For multiple templated policies and more complicated use cases, use -templated-policy-file" )
return 1
}
2018-10-19 16:04:07 +00:00
client , err := c . http . APIClient ( )
if err != nil {
c . UI . Error ( fmt . Sprintf ( "Error connecting to Consul agent: %s" , err ) )
return 1
}
newToken := & api . ACLToken {
Description : c . description ,
Local : c . local ,
2019-04-30 15:45:36 +00:00
AccessorID : c . accessor ,
SecretID : c . secret ,
2018-10-19 16:04:07 +00:00
}
2019-04-08 17:05:51 +00:00
if c . expirationTTL > 0 {
newToken . ExpirationTTL = c . expirationTTL
}
2018-10-19 16:04:07 +00:00
2019-04-08 18:19:09 +00:00
parsedServiceIdents , err := acl . ExtractServiceIdentities ( c . serviceIdents )
if err != nil {
c . UI . Error ( err . Error ( ) )
return 1
}
newToken . ServiceIdentities = parsedServiceIdents
2020-06-16 16:54:27 +00:00
parsedNodeIdents , err := acl . ExtractNodeIdentities ( c . nodeIdents )
if err != nil {
c . UI . Error ( err . Error ( ) )
return 1
}
newToken . NodeIdentities = parsedNodeIdents
2023-09-08 12:45:24 +00:00
parsedTemplatedPolicies , err := acl . ExtractTemplatedPolicies ( c . templatedPolicy , c . templatedPolicyFile , c . templatedPolicyVariables )
if err != nil {
c . UI . Error ( err . Error ( ) )
return 1
}
newToken . TemplatedPolicies = parsedTemplatedPolicies
2018-10-19 16:04:07 +00:00
for _ , policyName := range c . policyNames {
// We could resolve names to IDs here but there isn't any reason why its would be better
// than allowing the agent to do it.
newToken . Policies = append ( newToken . Policies , & api . ACLTokenPolicyLink { Name : policyName } )
}
for _ , policyID := range c . policyIDs {
policyID , err := acl . GetPolicyIDFromPartial ( client , policyID )
if err != nil {
c . UI . Error ( fmt . Sprintf ( "Error resolving policy ID %s: %v" , policyID , err ) )
return 1
}
newToken . Policies = append ( newToken . Policies , & api . ACLTokenPolicyLink { ID : policyID } )
}
2019-04-15 20:43:19 +00:00
for _ , roleName := range c . roleNames {
// We could resolve names to IDs here but there isn't any reason why its would be better
// than allowing the agent to do it.
newToken . Roles = append ( newToken . Roles , & api . ACLTokenRoleLink { Name : roleName } )
}
for _ , roleID := range c . roleIDs {
roleID , err := acl . GetRoleIDFromPartial ( client , roleID )
if err != nil {
c . UI . Error ( fmt . Sprintf ( "Error resolving role ID %s: %v" , roleID , err ) )
return 1
}
newToken . Roles = append ( newToken . Roles , & api . ACLTokenRoleLink { ID : roleID } )
}
2020-02-15 15:06:05 +00:00
t , _ , err := client . ACL ( ) . TokenCreate ( newToken , nil )
2018-10-19 16:04:07 +00:00
if err != nil {
c . UI . Error ( fmt . Sprintf ( "Failed to create new token: %v" , err ) )
return 1
}
2020-02-15 15:06:05 +00:00
formatter , err := token . NewFormatter ( c . format , c . showMeta )
if err != nil {
c . UI . Error ( err . Error ( ) )
return 1
}
out , err := formatter . FormatToken ( t )
if err != nil {
c . UI . Error ( err . Error ( ) )
2020-03-26 15:24:21 +00:00
return 1
2020-02-15 15:06:05 +00:00
}
if out != "" {
c . UI . Info ( out )
}
2018-10-19 16:04:07 +00:00
return 0
}
func ( c * cmd ) Synopsis ( ) string {
return synopsis
}
func ( c * cmd ) Help ( ) string {
return flags . Usage ( c . help , nil )
}
2021-07-21 19:45:24 +00:00
const (
synopsis = "Create an ACL token"
help = `
2018-10-19 16:04:07 +00:00
Usage : consul acl token create [ options ]
When creating a new token policies may be linked using either the - policy - id
or the - policy - name options . When specifying policies by IDs you may use a
unique prefix of the UUID as a shortcut for specifying the entire UUID .
Create a new token :
2019-04-08 17:05:51 +00:00
$ consul acl token create - description "Replication token" \
- policy - id b52fc3de - 5 \
2019-04-08 18:19:09 +00:00
- policy - name "acl-replication" \
2019-04-15 20:43:19 +00:00
- role - id c630d4ef - 6 \
- role - name "db-updater" \
2019-04-08 18:19:09 +00:00
- service - identity "web" \
2023-09-08 12:45:24 +00:00
- service - identity "db:east,west" \
- templated - policy "builtin/service" \
- var "name:web"
2018-10-19 16:04:07 +00:00
`
2021-07-21 19:45:24 +00:00
)