
Commit 15e6760

tools: Allow external program for --print to stop callback
Use for external validation programs. Signed-off-by: Ben Collins <bcollins@ubuntu.com>
1 parent 797d10d commit 15e6760


8 files changed

+88
-34
lines changed


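--- a/tools/TODO.md
+++ b/tools/TODO.md
@@ -0,0 +1,12 @@
+= TODO
+
+== jwt-generate
+
+- if we pass file:xxxx to -j, assume it is a file to read in the json from
+
+== Common
+
+=== JWK handling
+
+- CLI option to select key the JWKS by index
+- CLI option to select key by ``kid``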

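--- a/tools/jwt-generate.1
+++ b/tools/jwt-generate.1
@@ -29,10 +29,18 @@ which is \f[B]Issued At\f[R] and is the time in seconds since the
 When using the \f[B]\-\-verbose\f[R] option, \f[B]jwt\-generate\f[R]
 will print the JSON \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] to
 \f[B]stdout\f[R].
+.PP
 If used in conjuction with \f[B]\-\-print\f[R], the JSON will be piped
 to the command\[cq]s \f[B]stdin\f[R].
-One use for this is to pass it through \f[B]jq \-C\f[R] for indenting
-and colorization.
+It will be called twice: once for \f[I]HEAD\f[R] and once for
+\f[I]PAYLOAD\f[R].
+.PP
+One use is to pass it through \f[B]jq \-C\f[R] for indenting and
+colorization.
+Another would be to use an external program to inspect the
+\f[I]PAYLOAD\f[R] contents.
+A non\-0 exit status from the program will cause generating the token to
+fail.
 .SS Options
 .TP
 \f[B]\-h\f[R], \f[B]\-\-help\f[R]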

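--- a/tools/jwt-generate.1.md
+++ b/tools/jwt-generate.1.md
@@ -26,9 +26,15 @@ One token will be generated for each call. You can specify claims using the
 is **Issued At** and is the time in seconds since the *Unix Epcoch*.
 
 When using the **\-\-verbose** option, **jwt-generate** will print the JSON
-_HEADER_ and _PAYLOAD_ to **stdout**. If used in conjuction with **\-\-print**,
-the JSON will be piped to the command's **stdin**. One use for this is to pass
-it through **jq -C** for indenting and colorization.
+_HEADER_ and _PAYLOAD_ to **stdout**.
+
+If used in conjuction with **\-\-print**, the JSON will be piped to the
+command's **stdin**. It will be called twice: once for _HEAD_ and once for
+_PAYLOAD_.
+
+One use is to pass it through **jq -C** for indenting and colorization. Another
+would be to use an external program to inspect the _PAYLOAD_ contents. A non-0
+exit status from the program will cause generating the token to fail.
 
 ## Options
 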

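--- a/tools/jwt-generate.c
+++ b/tools/jwt-generate.c
@@ -42,7 +42,7 @@ Generate and (optionally) sign a JSON Web Token\n\
 v The value of the claim. For integer, must be parsable\n\
 by strtol(). For boolean, if the value starts with 'f',\n\
 'F', or '0' it is taken as false. Anything else is true.\n\
--j, --json=STRING JSON string to be used as the body of the token\n\
+-j, --json=STRING JSON string to be used as the body of the token.\n\
 -q, --quiet No output other than the generated token\n\
 -v, --verbose Show encoded header and payload while verifying. Note that\n\
 the header will not who the 'tpy' and 'alg' attributes\n\
@@ -51,7 +51,8 @@ Generate and (optionally) sign a JSON Web Token\n\
 This program will encode and sign a token in JWT format.\n\
 \n\
 For the --print option, output will be piped to the command's stdin. This\n\
-is useful if you wanted to use something like `jq -C`.\n\
+is useful if you wanted to use something like `jq -C` to colorize it. A\n\
+non-0 exit status will stop the token from getting generated.\n\
 \n\
 If you need to convert a key to JWT (e.g. from PEM or DER format) see\n\
 key2jwk(1).\n", __progname);
@@ -135,18 +136,23 @@ int main(int argc, char *argv[])
 
 case 'c':
 t = strtok(optarg, ":");
-if (t == NULL)
-usage("Invalid --claim format",
-EXIT_FAILURE);
+if (t == NULL) {
+fprintf(stderr, "Invalid claim format [%s]\n",
+optarg);
+exit(EXIT_FAILURE);
+}
 k = strtok(NULL, "=");
-if (k == NULL)
-usage("Invalid --claim format",
-EXIT_FAILURE);
-
+if (k == NULL) {
+fprintf(stderr, "Invalid claim format [%s]\n",
+optarg);
+exit(EXIT_FAILURE);
+}
 v = strtok(NULL, "=");
-if (v == NULL)
-usage("Invalid --claim format",
-EXIT_FAILURE);
+if (v == NULL) {
+fprintf(stderr, "Invalid claim format [%s]\n",
+optarg);
+exit(EXIT_FAILURE);
+}
 
 switch (t[0]) {
 case 's':
@@ -230,7 +236,8 @@ int main(int argc, char *argv[])
 if (json) {
 jwt_set_ADD_JSON(&jval, NULL, json);
 if (jwt_builder_claim_add(builder, &jval)) {
-fprintf(stderr, "Error adding json\n");
+fprintf(stderr, "Error adding JSON (%d)\n",
+jval.error);
 exit(EXIT_FAILURE);
 }
 }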
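Review bot: The new `Invalid claim format [%s]` messages for the `k == NULL` and `v == NULL` cases print `optarg` after `strtok(optarg, ":")` has already run; strtok() overwrites the delimiter it finds with a NUL, so whenever the argument contained a `:` those two messages show only the text before it rather than what the user typed. Keeping an untouched copy taken before tokenizing, e.g. `char *claim = strdup(optarg);`, and printing `claim` in all three messages would report the real input. The --help text in this file also leaves out that the --print command is run twice (header, then payload), which the jwt-verify.c help text in this commit does state. main() starts and ends outside these hunks.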

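--- a/tools/jwt-util.h
+++ b/tools/jwt-util.h
@@ -9,7 +9,7 @@ static char *pipe_cmd;
 
 static FILE *json_fp;
 
-static void write_json(const char *title, const char *str)
+static int write_json(const char *title, const char *str)
 {
 char *argv[4] = { "/bin/sh", "-c", NULL, NULL };
 int pipe_fd[2];
@@ -53,15 +53,18 @@ static void write_json(const char *title, const char *str)
 }
 
 if (myfd) {
-close(myfd);
-waitpid(pid, &status, 0);
-}
+close(myfd);
+waitpid(pid, &status, 0);
+return WEXITSTATUS(status);
+}
+
+return 0;
 }
 
 static int __jwt_wcb(jwt_t *jwt, jwt_config_t *config)
 {
 jwt_value_t jval;
-int ret;
+int ret = 0, result = 0;
 
 if (config == NULL)
 return 1;
@@ -70,17 +73,17 @@ static int __jwt_wcb(jwt_t *jwt, jwt_config_t *config)
 jval.pretty = 1;
 ret = jwt_header_get(jwt, &jval);
 if (!ret) {
-write_json("HEADER", jval.json_val);
+result |= write_json("HEADER", jval.json_val);
 free(jval.json_val);
 }
 
 jwt_set_GET_JSON(&jval, NULL);
 jval.pretty = 1;
 ret = jwt_grant_get(jwt, &jval);
 if (!ret) {
-write_json("PAYLOAD", jval.json_val);
+result |= write_json("PAYLOAD", jval.json_val);
 free(jval.json_val);
 }
 
-return 0;
+return result;
 }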
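Review bot: `return WEXITSTATUS(status);` in write_json() is reached without checking waitpid()'s return value or `WIFEXITED(status)`, so a --print program that is killed by a signal gives a value POSIX leaves unspecified (typically 0) and is treated as having accepted the JSON. For a hook that is now documented as a validation gate this should fail closed, e.g. `if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 1;` ahead of the existing return. The pipe/fork/exec part of write_json() lies between the hunks and is not visible here, so it is worth confirming that a failure there does not fall through to the new `return 0;`. In __jwt_wcb(), a failing `jwt_header_get()` or `jwt_grant_get()` skips the write_json() call and leaves `result` at 0, so the callback reports success although the external program never saw that part; returning non-zero from those branches would close that gap.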

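--- a/tools/jwt-verify.1
+++ b/tools/jwt-verify.1
@@ -33,10 +33,17 @@ argument after any options.
 When using the \f[B]\-\-verbose\f[R] option, \f[B]jwt\-verify\f[R] will
 print the JSON \f[I]HEADER\f[R] and \f[I]PAYLOAD\f[R] to
 \f[B]stdout\f[R].
+.PP
 If used in conjuction with \f[B]\-\-print\f[R], the JSON will be piped
 to the command\[cq]s \f[B]stdin\f[R].
-One use for this is to pass it through \f[B]jq \-C\f[R] for indenting
-and colorization.
+It will be called twice: once for \f[I]HEAD\f[R] and once for
+\f[I]PAYLOAD\f[R].
+.PP
+One use is to pass it through \f[B]jq \-C\f[R] for indenting and
+colorization.
+Another would be to use an external program to validate the
+\f[I]PAYLOAD\f[R] contents.
+A non\-0 exit status from the program will cause verification to fail.
 .SS Options
 .TP
 \f[B]\-h\f[R], \f[B]\-\-help\f[R]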

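--- a/tools/jwt-verify.1.md
+++ b/tools/jwt-verify.1.md
@@ -29,9 +29,15 @@ by spaces, or passed via **stdin**, one per line. To use **stdin**, you
 must pass **-** as the last and only argument after any options.
 
 When using the **\-\-verbose** option, **jwt-verify** will print the JSON
-_HEADER_ and _PAYLOAD_ to **stdout**. If used in conjuction with **\-\-print**,
-the JSON will be piped to the command's **stdin**. One use for this is to pass
-it through **jq -C** for indenting and colorization.
+_HEADER_ and _PAYLOAD_ to **stdout**.
+
+If used in conjuction with **\-\-print**, the JSON will be piped to the
+command's **stdin**. It will be called twice: once for _HEAD_ and once for
+_PAYLOAD_.
+
+One use is to pass it through **jq -C** for indenting and colorization. Another
+would be to use an external program to validate the _PAYLOAD_ contents. A non-0
+exit status from the program will cause verification to fail.
 
 ## Options
 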

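--- a/tools/jwt-verify.c
+++ b/tools/jwt-verify.c
@@ -43,7 +43,10 @@ If - is given as the only argument to token, then tokens will be read\n\
 from stdin, one per line.\n\
 \n\
 For the --print option, output will be piped to the command's stdin. This\n\
-is useful if you wanted to use something like `jq -C`.\n\
+is useful if you wanted to use something like `jq -C` to colorize it or\n\
+another program to validate it. The program will be called twice; once\n\
+for the HEAD, and once for the PAYLOAD. A non-0 exit status will cause\n\
+the verification to fail.\n\
 \n\
 If you need to convert a key to JWK (e.g. from PEM or DER format) see\n\
 key2jwk(1).\n", __progname);
@@ -155,8 +158,10 @@ int main(int argc, char *argv[])
 case 'a':
 alg = jwt_str_alg(optarg);
 if (alg >= JWT_ALG_INVAL) {
-usage("Unknown algorithm (use -l to see a list of "
-"supported algorithms)\n", EXIT_FAILURE);
+fprintf(stderr, "Unknown algorithm [%s]\nUse "
+"-l to see a list of supported "
+"algorithms)\n", optarg);
+exit(EXIT_FAILURE);
 }
 break;
 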
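Review bot: The rewritten `Unknown algorithm` message keeps the closing parenthesis of the old text without its opening one, so it prints `Use -l to see a list of supported algorithms)`; drop the `)` or restore the `(`. The new help text calls the first part the HEAD, while the title passed to write_json() in tools/jwt-util.h is `"HEADER"`; one name used throughout would be clearer. Since a non-0 exit now fails verification, the help text could add a sentence that the --print string is executed through `/bin/sh -c` (per the argv shown in tools/jwt-util.h), so it should come only from a trusted caller, and that the program should treat the JSON on its stdin as untrusted input. main() starts and ends outside these hunks.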
