Allow specifying audiences in jvsctl (#178)

Fixes GH-171
abcxyz · Jan 25, 2023 · 6bb6a36 · 6bb6a36
1 parent 0584bea
commit 6bb6a36
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 6 deletions.
diff --git a/pkg/cli/token.go b/pkg/cli/token.go
@@ -41,6 +41,7 @@ import (
 type tokenCmdOptions struct {
 	config *config.CLIConfig
 
+	audiences    []string
 	explanation  string
 	breakglass   bool
 	ttl          time.Duration
@@ -66,6 +67,9 @@ For example:
     # Generate a token with a 30min ttl
     jvsctl token --explanation "issues/12345" --ttl 30m
 
+    # Generate a token with custom audiences
+    jvsctl token --explanation "access production" --audiences "my.service.dev"
+
     # Generate a breakglass token
     jvsctl token --explanation "everything is broken" --breakglass
 `, "\n"),
@@ -79,6 +83,8 @@ For example:
 	flags.StringVarP(&opts.explanation, "explanation", "e", "",
 		"The explanation for the action")
 	cmd.MarkFlagRequired("explanation") //nolint // not expect err
+	flags.StringSliceVar(&opts.audiences, "audiences", []string{justification.DefaultAudience},
+		"The list of audiences for the token")
 	flags.BoolVar(&opts.breakglass, "breakglass", false,
 		"Whether it will be a breakglass action")
 	flags.DurationVar(&opts.ttl, "ttl", 15*time.Minute,
@@ -181,7 +187,7 @@ func breakglassToken(ctx context.Context, opts *tokenCmdOptions) (string, error)
 	exp := now.Add(opts.ttl)
 
 	token, err := jwt.NewBuilder().
-		Audience([]string{justification.DefaultAudience}).
+		Audience(opts.audiences).
 		Expiration(exp).
 		IssuedAt(now).
 		Issuer(Issuer).

diff --git a/pkg/cli/token_test.go b/pkg/cli/token_test.go
@@ -47,6 +47,7 @@ func TestNewTokenCmd(t *testing.T) {
 		name              string
 		config            *config.CLIConfig
 		args              []string
+		expAudiences      []string
 		expJustifications []*jvspb.Justification
 		expErr            string
 	}{
@@ -75,7 +76,8 @@ func TestNewTokenCmd(t *testing.T) {
 				Server:   goodJVS,
 				Insecure: true,
 			},
-			args: []string{"-e=for testing purposes", "--disable-authn"},
+			args:         []string{"-e=for testing purposes", "--disable-authn"},
+			expAudiences: []string{justification.DefaultAudience},
 			expJustifications: []*jvspb.Justification{
 				{
 					Category: "explanation",
@@ -84,9 +86,22 @@ func TestNewTokenCmd(t *testing.T) {
 			},
 		},
 		{
-			name:   "breakglass",
-			config: &config.CLIConfig{},
-			args:   []string{"-e=prod is down", "--breakglass", "--iat=0"},
+			name:         "breakglass",
+			config:       &config.CLIConfig{},
+			args:         []string{"-e=prod is down", "--breakglass", "--iat=0"},
+			expAudiences: []string{justification.DefaultAudience},
+			expJustifications: []*jvspb.Justification{
+				{
+					Category: "breakglass",
+					Value:    "prod is down",
+				},
+			},
+		},
+		{
+			name:         "audiences",
+			config:       &config.CLIConfig{},
+			args:         []string{"-e=prod is down", "--breakglass", "--audiences=foo,bar"},
+			expAudiences: []string{"foo", "bar"},
 			expJustifications: []*jvspb.Justification{
 				{
 					Category: "breakglass",
@@ -123,7 +138,7 @@ func TestNewTokenCmd(t *testing.T) {
 			}
 
 			// Validate standard claims.
-			if got, want := token.Audience(), []string{justification.DefaultAudience}; !reflect.DeepEqual(got, want) {
+			if got, want := token.Audience(), tc.expAudiences; !reflect.DeepEqual(got, want) {
 				t.Errorf("aud: expected %q to be %q", got, want)
 			}
 			if got := token.Expiration(); !got.After(now) {