Skip to content

Commit

Permalink
Merge pull request #1032 from projectsyn/fix/report-compile-meta
Browse files Browse the repository at this point in the history
Refresh expired API token before pushing compile metadata to Lieutenant
  • Loading branch information
simu authored Oct 10, 2024
2 parents fc4f62d + b4b6061 commit fa6774b
Show file tree
Hide file tree
Showing 3 changed files with 29 additions and 13 deletions.
6 changes: 6 additions & 0 deletions commodore/cluster.py
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
from .component import component_parameters_key, Component
from .config import Config
from .inventory import Inventory
from .login import login


class Cluster:
Expand Down Expand Up @@ -333,6 +334,11 @@ def report_compile_metadata(
)

if report:
if cfg.api_token is None:
# Re-login to ensure we have a valid API token. This assumes that the only case where we
# call `report_compile_metadata()` and the api_token is None is when a short-lived OIDC
# token expired while we were compiling the catalog.
login(cfg)
lieutenant_post(
cfg.api_url,
cfg.api_token,
Expand Down
34 changes: 22 additions & 12 deletions commodore/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -202,18 +202,28 @@ def api_token(self):
if self._api_token is None and self.api_url:
tokens = tokencache.get(self.api_url)
token = tokens.get("id_token")
if token is not None:
# We don't verify the signature, we just want to know if the token is expired
# lieutenant will decide if it's valid
try:
t = jwt.decode(
token, algorithms=["RS256"], options={"verify_signature": False}
)
if "exp" in t and t["exp"] < time.time() + 10:
return None
except jwt.exceptions.InvalidTokenError:
return None
self._api_token = token
self._api_token = token

if self._api_token:
# Clear cached token if it's expired.
#
# NOTE(sg): This assumes that users of this property call `login.login()` if they see
# that the property is None. Callers that don't do so must expect failed API operations
# when Commodore is invoked with a short-lived OIDC token.
try:
# We don't verify the signature, we just want to know if the token is expired.
t = jwt.decode(
self._api_token,
algorithms=["RS256"],
options={"verify_signature": False},
)
if "exp" in t and t["exp"] < time.time() + 10:
self._api_token = None
# Here: tokens without 'exp' don't expire
except jwt.exceptions.InvalidTokenError:
# Assume that unparseable tokens are long-lived.
pass

return self._api_token

@api_token.setter
Expand Down
2 changes: 1 addition & 1 deletion commodore/login.py
Original file line number Diff line number Diff line change
Expand Up @@ -276,7 +276,7 @@ def login(config: Config):
raise click.ClickException("Required OIDC discovery URL not set")

if config.api_token:
# Short-circuit if we already have a valid API token
# Short-circuit if we have a valid API token
return

client = WebApplicationClient(config.oidc_client)
Expand Down

0 comments on commit fa6774b

Please sign in to comment.