func main() {
flag.Parse()
lis, err := net.Listen("tcp", *serverAddr)
if err != nil {
grpclog.Fatalf("failed to listen: %v", err)
}
var opts []grpc.ServerOption
if *tls {
creds, err := credentials.NewServerTLSFromFile(*certFile, *keyFile)
if err != nil {
grpclog.Fatalf("Failed to generate credentials %v", err)
}
opts = append(opts, grpc.Creds(creds))
}
grpcServer := grpc.NewServer(opts...)
oidcClient, err := util.GetOIDCClient(*clientID, *clientSecret, *discovery, *redirectURL)
if err != nil {
grpclog.Fatalf("unable to get oidc client: %s", err)
}
s, err := server.NewRoloServer(oidcClient, *policyFile)
if err != nil {
grpclog.Fatalln("unable to create ca from parent:", err)
}
pb.RegisterRoloServer(grpcServer, s)
grpclog.Println("serving at", *serverAddr)
grpcServer.Serve(lis)
}
func main() {
flag.Parse()
if *idRefreshTokenFile == "" {
fmt.Println("Must set -refresh-token-file")
return
}
oidcClient, err := util.GetOIDCClient(*clientID, *clientSecret, *discovery, *redirectURL)
if err != nil {
fmt.Println(err)
return
}
var tok *oauth2.TokenResponse
f, err := os.Open(*idRefreshTokenFile)
defer f.Close()
if err != nil {
fmt.Println("error reading refresh token, fetching a new one and writing to", *idRefreshTokenFile)
oac, jwtChan, err := getJWT(oidcClient, "localhost:5555")
if err != nil {
fmt.Println(err)
return
}
if err != nil {
fmt.Println(err)
return
}
fmt.Println(oac.AuthCodeURL("", "", ""))
tok = <-jwtChan
f, err := os.Create(*idRefreshTokenFile)
defer f.Close()
if err != nil {
fmt.Println(err)
return
}
f.Write([]byte(tok.RefreshToken))
}
refToken, err := ioutil.ReadAll(f)
if err != nil {
fmt.Println(err)
return
}
jwt, err := oidcClient.RefreshToken(string(refToken))
if err != nil {
fmt.Println(err)
return
}
c, err := client.NewRoloClient(jwt, false, *rolodAddr, "", "")
if err != nil {
fmt.Println(err)
return
}
allowed, err := c.Authorize(*user, *group, *resource, *namespace, *readonly)
if err != nil {
fmt.Println(err)
}
if !allowed {
fmt.Println("not authorized")
os.Exit(1)
}
fmt.Println("authorized")
}