From 4b7005471c8dc8a22307fadacd24bf587982d335 Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Thu, 3 May 2018 20:48:00 +0000
Subject: [PATCH] Add a script to help generate OIDC tokens.
Signed-off-by: Randy Barlow
---
scripts/generate-oidc-token | 72 +++++++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100755 scripts/generate-oidc-token
diff --git a/scripts/generate-oidc-token b/scripts/generate-oidc-token
new file mode 100755
index 0000000000..dc692507bc
--- /dev/null
+++ b/scripts/generate-oidc-token
@@ -0,0 +1,72 @@
+#!/usr/bin/python2
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+"""
+This script will accept some parameters and will print out some SQL you can run against the Ipsilon
+database, and a token you can give to an application to authenticate against a service.
+"""
+import base64
+import json
+import os
+import uuid
+
+import click
+
+
+secret = base64.urlsafe_b64encode(os.urandom(64))[:64]
+
+
+template = """BEGIN;
+insert into token values ('{uuid}','username','{service_name}@service');
+insert into token values ('{uuid}','security_check','{secret}');
+insert into token values ('{uuid}','client_id','{service_name}');
+insert into token values ('{uuid}','expires_at','time.time()+{expiration}');
+insert into token values ('{uuid}','type','Bearer');
+insert into token values ('{uuid}','issued_at','time.time()');
+insert into token values ('{uuid}','scope','{scope}');
+COMMIT;
+"""
+
+
+@click.command()
+@click.argument('service_name')
+@click.option('--expiration', '-e', prompt='Number of days until expiration', type=int,
+ help='The number of days from now until this token expires.')
+@click.option('--scope', '-s', multiple=True,
+ help='A scope to include for this token. 
May be supplied multiple times.')
+@click.option('--no-openid', is_flag=True, help='Do not use "openid" as the first item in scope.')
+def generate_token(service_name, expiration, scope, no_openid):
+ """
+ Print out SQL to insert a token in the Ipsilon database, and the token itself.
+
+ SERVICE_NAME is the name of the service that the token will be used by, (e.g., bodhi).
+ """
+ identifier = uuid.uuid4()
+
+ expiration = expiration * 24 * 3600
+
+ scope = list(scope)
+ if not no_openid:
+ scope.insert(0, 'openid')
+ scope = json.dumps(scope)
+
+ print template.format(uuid=identifier, service_name=service_name, secret=secret,
+ expiration=expiration, scope=scope)
+
+ print "Token: {}_{}".format(identifier, secret)
+
+
+if __name__ == '__main__':
+ generate_token()
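Review bot: The `expires_at` and `issued_at` rows in `template` end up storing the literal strings `time.time()+<seconds>` and `time.time()`, because `.format` only substitutes `{expiration}` and SQL does not evaluate Python; unless Ipsilon's token store evaluates that text (which I would not expect), the inserted token either fails expiry parsing or, worse, is never expired. Compute the timestamps in the script (`import time`, `issued_at = int(time.time())`, `expires_at = issued_at + expiration * 24 * 3600`) and change the two rows to `'expires_at','{expires_at}'` and `'issued_at','{issued_at}'`, confirming against Ipsilon's token store whether it expects an int or float string. `service_name`, and the `scope` values that `json.dumps` encodes but does not quote for SQL, are interpolated into the statements unquoted, so a `'` in either breaks or alters the SQL; even for an operator-run script a whitelist check such as `if not re.match(r'^[A-Za-z0-9_.-]+$', service_name): raise click.BadParameter(...)` (plus `import re`) is cheap insurance. Note also that both the printed SQL and the `Token:` line carry the bearer secret, so the output should be handled as a credential rather than pasted into tickets or logs, and generating `secret` at import time means it is drawn even for `--help`; moving it into `generate_token` is tidier.
```python
def generate_token(service_name, expiration, scope, no_openid):
    # … unchanged: docstring …
    if not re.match(r'^[A-Za-z0-9_.-]+$', service_name):
        raise click.BadParameter('use only letters, digits, "_", "." or "-"',
                                 param_hint='SERVICE_NAME')
    if any("'" in s for s in scope):
        raise click.BadParameter("scope values must not contain \"'\"", param_hint='--scope')
    identifier = uuid.uuid4()
    secret = base64.urlsafe_b64encode(os.urandom(64))[:64]

    # Real timestamps: SQL will not evaluate "time.time()".
    issued_at = int(time.time())
    expires_at = issued_at + expiration * 24 * 3600

    # … unchanged: scope list / json.dumps handling …

    print template.format(uuid=identifier, service_name=service_name, secret=secret,
                          issued_at=issued_at, expires_at=expires_at, scope=scope)

    print "Token: {}_{}".format(identifier, secret)
```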