Switched to use Access API for checking expired token

[alexhung]

Remove mutex from RefreshAccessToken()

Switch to RW lock for pathConfigUserTokenRead() and pathUserTokenCreatePerform()

Add scripts for testing refreshable tokens creation and concurrent token generation

Fixes #225

[alexhung]

@elestedt Would you be able to test this out before I merge this into master and release it?

[elestedt]

I will test it today. But I did notice that the API used requires some form of admin permissions. If you run this as a normal user the endpoint returns

{
  "errors" : [ {
    "code" : "FORBIDDEN",
    "message" : "Forbidden"
  } ]

response back. It would be better to use an endpoint that does not generate and "error" in the artifactory logs. Such as the /access/api/v1/tokens endpoint.

[elestedt]

When I tried to build, I had to change go.mod to go 1.22.0 from go 1.22 or I got a "Toolchain not available" error. Not sure why.

[elestedt]

The new method works flawlessly - if the user is a platform Admin. For normal users it always fails with

{"errors":["failed to refresh access token"]}

[elestedt]

I built a local version that uses /access/api/v1/tokens instead of the role endpoint - and then it seems to work for non-admin users. This endpoint however I realized is not ideal as if the user has many tokens it will take a fairly long time to complete. Some other comparable, but faster, endpoint is needed.

[elestedt]

Just to be clear - this is the endpoint that seems to require some form of admin permissions.

[alexhung]

Thanks for building and testing in your environment. I don't think there's a faster Access API to use for checking.

I just had a Doh! moment as I realized the expiration value is part of the token. I just need to decode it and check if the exp value is passed/after the current time.

[elestedt]

Yeah - that would be a good inital check. But assumes that the system time pf vault server is matched with the artifactory server and tinezones are set correctly. Now adays it should be, but... So if you go that route, add it as a requirement for the plugin and maybe also still have a backup that if it fails to create a token it renews the refreshable.

[elestedt]

You also only have the expiry in the JWT, if someone uses a reference token, it's not there. Another requirement if you want to inspect the token.

[alexhung]

😠 Never mind. To parse the token I need the public key from the root certificate, which requires a admin token to fetch.

[alexhung]

@elestedt I found the API to use. The Get token by ID API will work for both admin and non-admin tokens.

[elestedt]

That will work, as long as save the token id of the refreshable token. Assume you will do a rotation immediately when it's set? (As the token id is not supplied by the user)

[alexhung]

The API accepts me as the token ID to get info about the token (in header). It's a reasonable 'hack'.

[alexhung]

[elestedt]

Yeah, that is a good way to do it. Non admin and time deterministic, maybe even constant.
Go for it.