Switch to use get token API to check expiration

jfrog · Dec 9, 2024 · b040df5 · b040df5
1 parent cb09ca6
commit b040df5
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 9 deletions.
diff --git a/artifactory.go b/artifactory.go
@@ -347,8 +347,8 @@ func (b *backend) refreshExpiredAccessToken(ctx context.Context, req *logical.Re
 
 	// check if user access token is expired or not
 	// if so, refresh it with new tokens
-	logger.Debug("check if access token is expired by getting Viewer role")
-	err := b.getRole(*config)
+	logger.Debug("check if access token is expired by getting token itself")
+	err := b.getTokenByID(*config)
 	if err != nil {
 		logger.Debug("failed to get Viewer role", "err", err)
 
@@ -414,14 +414,16 @@ func (b *backend) getVersion(config baseConfiguration) (version string, err erro
 	return systemVersion.Version, nil
 }
 
-func (b *backend) getRole(config baseConfiguration) error {
-	logger := b.Logger().With("func", "getRole")
+func (b *backend) getTokenByID(config baseConfiguration) error {
+	logger := b.Logger().With("func", "getTokenByID")
 
 	logger.Debug("fetching Viewer role")
 
-	resp, err := b.performArtifactoryGet(config, "/access/api/v1/roles/Viewer")
+	// '/me' is special value to get info about token itself
+	// https://jfrog.com/help/r/jfrog-rest-apis/get-token-by-id
+	resp, err := b.performArtifactoryGet(config, "/access/api/v1/tokens/me")
 	if err != nil {
-		logger.Error("error making get role request", "response", resp, "err", err)
+		logger.Error("error making get token request", "response", resp, "err", err)
 		return err
 	}
 
@@ -434,14 +436,14 @@ func (b *backend) getRole(config baseConfiguration) error {
 		err := json.NewDecoder(resp.Body).Decode(&errResp)
 		if err != nil {
 			logger.Error("could not parse error response", "response", resp, "err", err)
-			return fmt.Errorf("could not get role. Err: %w", err)
+			return fmt.Errorf("could not get token. Err: %w", err)
 		}
 
 		if resp.StatusCode == http.StatusUnauthorized && invalidTokenRegex.MatchString(errResp.String()) {
 			return &TokenExpiredError{}
 		}
 
-		return fmt.Errorf("could not get the role: HTTP response %v", errResp.String())
+		return fmt.Errorf("could not get the token: HTTP response %v", errResp.String())
 	}
 
 	return nil

diff --git a/test/expired.sh b/test/expired.sh
@@ -2,7 +2,12 @@
 
 vault write artifactory/config/admin url=$JFROG_URL use_expiring_tokens=true max_ttl=14400 default_ttl=3600
 
-USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"admin","scope":"applied-permissions/user applied-permissions/admin","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
+# create non-admin token
+# ensure there's a non-admin user named `test` in Artifactory first
+USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"test","scope":"applied-permissions/user","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
+
+# create admin token
+# USER_TOKEN=$(curl -s -L "${JFROG_URL}/access/api/v1/tokens" -H 'Content-Type: application/json' -H "Authorization: Bearer ${JFROG_ACCESS_TOKEN}" --data-raw '{"grant_type":"client_credentials","username":"admin","scope":"applied-permissions/admin","refreshable":true,"audience":"*@*","expires_in":60,"force_revocable":false,"include_reference_token":false}')
 
 USER_ACCESS_TOKEN=$(echo ${USER_TOKEN} | jq -r ".access_token")
 echo "USER_ACCESS_TOKEN: ${USER_ACCESS_TOKEN}"