

createToken.py: Allow specification of the JWT key file and output file
Current version of the script assumes that jwt key file is located in
the same directory as the script itself and token is written into the
same directory as the json specification. This is not convenient for binary
distribution with key files placed under /etc and script under bin or
libexec dirs.
Allowing specification of key file and output files location fixes this
and application token can be generated with [1] while keeping backward
compatibility and existing behaviour (single argument to specify json
policy definition)
Error out if both output option and multiple input files have been
specified

[1]
/usr/libexec/kuksa-createToken.py /usr/share/kuksa-val/jwt/all-read-write.json --key /etc/pki/kuksa/jwt.key --output /etc/xdg/AGL/%i/%i.token
landgraf authored and erikbosch committed Mar 1, 2024
1 parent 0ac8ecf commit 4077045
Showing 1 changed file with 25 additions and 9 deletions.
34 changes: 25 additions & 9 deletions kuksa_certificates/jwt/createToken.py
Expand Up @@ -16,22 +16,30 @@
# SPDX-License-Identifier: Apache-2.0
########################################################################


import argparse
import sys
from os import path

import json
import jwt

from os import path

def error_exit(msg):
print(msg, file=sys.stderr)
sys.exit(1)

def createJWTToken(input_filename, priv_key):

def createJWTToken(input_filename, priv_key, output_filename=None):
print("Reading JWT payload from {}".format(input_filename))
with open(input_filename, "r") as file:
payload = json.load(file)

encoded = jwt.encode(payload, priv_key, algorithm="RS256")

output_filename = input_filename[:-5] if input_filename.endswith(".json") else input_filename
output_filename += ".token"
if output_filename is None:
output_filename = input_filename[:-5] if input_filename.endswith(".json") else input_filename
output_filename += ".token"

print("Writing signed access token to {}".format(output_filename))
with open(output_filename, "w") as output:
Expand All @@ -41,17 +49,25 @@ def createJWTToken(input_filename, priv_key):
def main():
parser = argparse.ArgumentParser()
parser.add_argument("files", help="Read JWT payload from these files", nargs="+")
script_dir = path.abspath(path.dirname(__file__))
default_key_filename = path.join(script_dir, "jwt.key")

parser.add_argument("--key", help="Private key location", dest="priv_key_filename", default=default_key_filename)
parser.add_argument("--output", help="Name of the output file to store token to", dest="output")
args = parser.parse_args()

script_dir = path.abspath(path.dirname(__file__))
priv_key_filename = path.join(script_dir, "jwt.key")
if args.output is not None and len(args.files) > 1:
error_exit("""
Both --output option and multiple files have been specified.
Output filename can be specified for single input file only!
""")

print("Reading private key from {}".format("jwt.key"))
with open(priv_key_filename, "r") as file:
with open(args.priv_key_filename, "r") as file:
priv_key = file.read()

for input in args.files:
createJWTToken(input, priv_key)
for input_file in args.files:
createJWTToken(input_file, priv_key, args.output)


if __name__ == "__main__":
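Review bot: The log line `print("Reading private key from {}".format("jwt.key"))` in main() still hardcodes the name, so after this change it reports `jwt.key` even when `--key` points somewhere else; change it to `print("Reading private key from {}".format(args.priv_key_filename))` so the message matches the file actually opened on the following line. The signed token is written through a plain `open(output_filename, "w")` in createJWTToken, so its permissions follow the process umask; now that `--output` is intended to place the token under system directories (per the commit message), consider creating it with a restrictive mode (e.g. `os.open(...)` with `0o600`) or documenting that the caller must set the umask. The `--key` help text could also name the default, e.g. `help="Private key location (default: jwt.key next to this script)"`.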
