tools: Allow external program for --print to stop callback

Use for external validation programs.

Signed-off-by: Ben Collins <bcollins@ubuntu.com>

Author: benmcollins

tools/TODO.md

@@ -0,0 +1,12 @@
+= TODO
+
+== jwt-generate
+
+- if we pass file:xxxx to -j, assume it is a file to read in the json from
+
+== Common
+
+=== JWK handling
+
+- CLI option to select key the JWKS by index
+- CLI option to select key by ``kid``

tools/jwt-generate.1

@@ -29,10 +29,18 @@ which is \f[B]Issued At\f[R] and is the time in seconds since the
 When using the \f[B]\-\-verbose\f[R] option, \f[B]jwt\-generate\f[R]
 will print the JSON \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] to
 \f[B]stdout\f[R].
+.PP
 If used in conjuction with \f[B]\-\-print\f[R], the JSON will be piped
 to the command\[cq]s \f[B]stdin\f[R].
-One use for this is to pass it through \f[B]jq \-C\f[R] for indenting
-and colorization.
+It will be called twice: once for \f[I]HEAD\f[R] and once for
+\f[I]PAYLOAD\f[R].
+.PP
+One use is to pass it through \f[B]jq \-C\f[R] for indenting and
+colorization.
+Another would be to use an external program to inspect the
+\f[I]PAYLOAD\f[R] contents.
+A non\-0 exit status from the program will cause generating the token to
+fail.
 .SS Options
 .TP
 \f[B]\-h\f[R], \f[B]\-\-help\f[R]

tools/jwt-generate.1.md

@@ -26,9 +26,15 @@ One token will be generated for each call. You can specify claims using the
 is **Issued At** and is the time in seconds since the *Unix Epcoch*.
 
 When using the **\-\-verbose** option, **jwt-generate** will print the JSON
-_HEADER_ and _PAYLOAD_ to **stdout**. If used in conjuction with **\-\-print**,
-the JSON will be piped to the command's **stdin**. One use for this is to pass
-it through **jq -C** for indenting and colorization.
+_HEADER_ and _PAYLOAD_ to **stdout**.
+
+If used in conjuction with **\-\-print**, the JSON will be piped to the
+command's **stdin**. It will be called twice: once for _HEAD_ and once for
+_PAYLOAD_.
+
+One use is to pass it through **jq -C** for indenting and colorization. Another
+would be to use an external program to inspect the _PAYLOAD_ contents. A non-0
+exit status from the program will cause generating the token to fail.
 
 ## Options
 

tools/jwt-generate.c

@@ -42,7 +42,7 @@ Generate and (optionally) sign a JSON Web Token\n\
       v                 The value of the claim. For integer, must be parsable\n\
                         by strtol(). For boolean, if the value starts with 'f',\n\
                         'F', or '0' it is taken as false. Anything else is true.\n\
-  -j, --json=STRING     JSON string to be used as the body of the token\n\
+  -j, --json=STRING     JSON string to be used as the body of the token.\n\
   -q, --quiet           No output other than the generated token\n\
   -v, --verbose         Show encoded header and payload while verifying. Note that\n\
                         the header will not who the 'tpy' and 'alg' attributes\n\
@@ -51,7 +51,8 @@ Generate and (optionally) sign a JSON Web Token\n\
 This program will encode and sign a token in JWT format.\n\
 \n\
 For the --print option, output will be piped to the command's stdin. This\n\
-is useful if you wanted to use something like `jq -C`.\n\
+is useful if you wanted to use something like `jq -C` to colorize it. A\n\
+non-0 exit status will stop the token from getting generated.\n\
 \n\
 If you need to convert a key to JWT (e.g. from PEM or DER format) see\n\
 key2jwk(1).\n", __progname);
@@ -135,18 +136,23 @@ int main(int argc, char *argv[])
 
 		case 'c':
 			t = strtok(optarg, ":");
-			if (t == NULL)
-				usage("Invalid --claim format",
-						EXIT_FAILURE);
+			if (t == NULL) {
+				fprintf(stderr, "Invalid claim format [%s]\n",
+					optarg);
+				exit(EXIT_FAILURE);
+			}
 			k = strtok(NULL, "=");
-			if (k == NULL)
-				usage("Invalid --claim format",
-						EXIT_FAILURE);
-
+			if (k == NULL) {
+				fprintf(stderr, "Invalid claim format [%s]\n",
+					optarg);
+				exit(EXIT_FAILURE);
+			}
 			v = strtok(NULL, "=");
-			if (v == NULL)
-				usage("Invalid --claim format",
-						EXIT_FAILURE);
+			if (v == NULL) {
+				fprintf(stderr, "Invalid claim format [%s]\n",
+					optarg);
+				exit(EXIT_FAILURE);
+			}
 
 			switch (t[0]) {
 			case 's':
@@ -230,7 +236,8 @@ int main(int argc, char *argv[])
 	if (json) {
 		jwt_set_ADD_JSON(&jval, NULL, json);
 		if (jwt_builder_claim_add(builder, &jval)) {
-			fprintf(stderr, "Error adding json\n");
+			fprintf(stderr, "Error adding JSON (%d)\n",
+				jval.error);
 			exit(EXIT_FAILURE);
 		}
 	}

tools/jwt-util.h

@@ -9,7 +9,7 @@ static char *pipe_cmd;
 
 static FILE *json_fp;
 
-static void write_json(const char *title, const char *str)
+static int write_json(const char *title, const char *str)
 {
 	char *argv[4] = { "/bin/sh", "-c", NULL, NULL };
 	int pipe_fd[2];
@@ -53,15 +53,18 @@ static void write_json(const char *title, const char *str)
 	}
 
 	if (myfd) {
-                close(myfd);
-                waitpid(pid, &status, 0);
-        }
+		close(myfd);
+		waitpid(pid, &status, 0);
+		return WEXITSTATUS(status);
+	}
+
+	return 0;
 }
 
 static int __jwt_wcb(jwt_t *jwt, jwt_config_t *config)
 {
 	jwt_value_t jval;
-	int ret;
+	int ret = 0, result = 0;
 
 	if (config == NULL)
 		return 1;
@@ -70,17 +73,17 @@ static int __jwt_wcb(jwt_t *jwt, jwt_config_t *config)
 	jval.pretty = 1;
 	ret = jwt_header_get(jwt, &jval);
 	if (!ret) {
-		write_json("HEADER", jval.json_val);
+		result |= write_json("HEADER", jval.json_val);
 		free(jval.json_val);
 	}
 
 	jwt_set_GET_JSON(&jval, NULL);
 	jval.pretty = 1;
 	ret = jwt_grant_get(jwt, &jval);
 	if (!ret) {
-		write_json("PAYLOAD", jval.json_val);
+		result |= write_json("PAYLOAD", jval.json_val);
 		free(jval.json_val);
 	}
 
-	return 0;
+	return result;
 }

tools/jwt-verify.1

@@ -33,10 +33,17 @@ argument after any options.
 When using the \f[B]\-\-verbose\f[R] option, \f[B]jwt\-verify\f[R] will
 print the JSON \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] to
 \f[B]stdout\f[R].
+.PP
 If used in conjuction with \f[B]\-\-print\f[R], the JSON will be piped
 to the command\[cq]s \f[B]stdin\f[R].
-One use for this is to pass it through \f[B]jq \-C\f[R] for indenting
-and colorization.
+It will be called twice: once for \f[I]HEAD\f[R] and once for
+\f[I]PAYLOAD\f[R].
+.PP
+One use is to pass it through \f[B]jq \-C\f[R] for indenting and
+colorization.
+Another would be to use an external program to validate the
+\f[I]PAYLOAD\f[R] contents.
+A non\-0 exit status from the program will cause verification to fail.
 .SS Options
 .TP
 \f[B]\-h\f[R], \f[B]\-\-help\f[R]

tools/jwt-verify.1.md

@@ -29,9 +29,15 @@ by spaces, or passed via **stdin**, one per line. To use **stdin**, you
 must pass **-** as the last and only argument after any options.
 
 When using the **\-\-verbose** option, **jwt-verify** will print the JSON
-_HEADER_ and _PAYLOAD_ to **stdout**. If used in conjuction with **\-\-print**,
-the JSON will be piped to the command's **stdin**. One use for this is to pass
-it through **jq -C** for indenting and colorization.
+_HEADER_ and _PAYLOAD_ to **stdout**.
+
+If used in conjuction with **\-\-print**, the JSON will be piped to the
+command's **stdin**. It will be called twice: once for _HEAD_ and once for
+_PAYLOAD_.
+
+One use is to pass it through **jq -C** for indenting and colorization. Another
+would be to use an external program to validate the _PAYLOAD_ contents. A non-0
+exit status from the program will cause verification to fail.
 
 ## Options
 

tools/jwt-verify.c

@@ -43,7 +43,10 @@ If - is given as the only argument to token, then tokens will be read\n\
 from stdin, one per line.\n\
 \n\
 For the --print option, output will be piped to the command's stdin. This\n\
-is useful if you wanted to use something like `jq -C`.\n\
+is useful if you wanted to use something like `jq -C` to colorize it or\n\
+another program to validate it. The program will be called twice; once\n\
+for the HEAD, and once for the PAYLOAD. A non-0 exit status will cause\n\
+the verification to fail.\n\
 \n\
 If you need to convert a key to JWK (e.g. from PEM or DER format) see\n\
 key2jwk(1).\n", __progname);
@@ -155,8 +158,10 @@ int main(int argc, char *argv[])
 		case 'a':
 			alg = jwt_str_alg(optarg);
 			if (alg >= JWT_ALG_INVAL) {
-				usage("Unknown algorithm (use -l to see a list of "
-				      "supported algorithms)\n", EXIT_FAILURE);
+				fprintf(stderr, "Unknown algorithm [%s]\nUse "
+					"-l to see a list of supported "
+					"algorithms)\n", optarg);
+				exit(EXIT_FAILURE);
 			}
 			break;