feat: added options to specify a scope prefix and extra scopes to token request (#107)
cd-rite authored Mar 28, 2024
1 parent b39e86e commit b5fe8b3
Showing 3 changed files with 21 additions and 5 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -1,6 +1,6 @@
# Contributing to STIGMAN-Watcher

**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIG Manager repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**
**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIGMAN-Watcher repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**

## Policy

7 changes: 5 additions & 2 deletions lib/args.js
Expand Up @@ -78,6 +78,8 @@ program
.requiredOption('--api <url>', 'Base URL of the STIG Manager API service (`WATCHER_API_BASE`).', pe.WATCHER_API_BASE)
.requiredOption('--authority <url>', 'Base URL of the OIDC authentication service that issues OAuth2 tokens for the API (`WATCHER_AUTHORITY`)', pe.WATCHER_AUTHORITY)
.requiredOption('--client-id <string>', 'OIDC clientId to authenticate (`WATCHER_CLIENT_ID`). You will be prompted for the client secret if `--client-key` is not present and `--prompt` is present, unless `WATCHER_CLIENT_SECRET` is set', pe.WATCHER_CLIENT_ID)
.option('--scope-prefix <string>', 'String used as a prefix for default stig-manager scopes (except `openid`) when authenticating to the OIDC Provider.', pe.WATCHER_SCOPE_PREFIX ?? '')
.option('--extra-scopes <string>', 'Space separated OAuth2 scopes to request in addition to the default scopes. Will not be automatically prefixed with WATCHER_SCOPE_PREFIX value.', pe.WATCHER_EXTRA_SCOPES)
.option('--client-key <path>', 'Path to a PEM encoded private key (`WATCHER_CLIENT_KEY`). If the key is encrypted, you will be prompted for the passphrase if `--prompt` is present, unless `WATCHER_CLIENT_KEY_PASSPHRASE` is set.', pe.WATCHER_CLIENT_KEY)
.option('--add-existing', 'For `--mode events`, existing files in the path will generate an `add` event (`WATCHER_ADD_EXISTING=1`). Ignored if `--mode scan`, negate with `--no-add-existing`.', getBoolean('WATCHER_ADD_EXISTING', false))
.option('--no-add-existing', 'Ignore existing files in the watched path (`WATCHER_ADD_EXISTING=0`).')
Expand All @@ -87,10 +89,10 @@ program
.option('--create-objects', 'Create Assets or STIG Assignments as needed (`WATCHER_CREATE_OBJECTS=1`). Negate with `--no-create-objects`.', getBoolean('WATCHER_CREATE_OBJECTS', true))
.option('--no-create-objects', 'Do not create Assets or STIG Assignments (`WATCHER_CREATE_OBJECTS=0`).')
.option('--ignore-dir [name...]', 'DEPRECATED, use --ignore-glob. Sub-directory name to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_DIRS=<csv>`)', pe.WATCHER_IGNORE_DIRS?.split(','))
.option('--ignore-glob [glob...]', 'File or diectory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=<csv>`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
.option('--ignore-glob [glob...]', 'File or directory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=<csv>`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
.option('--event-polling', 'Use polling with `--mode events`, necessary for watching network files (`WATCHER_EVENT_POLLING=1`). Ignored if `--mode scan`, negate with `--no-event-polling`.', getBoolean('WATCHER_EVENT_POLLING', true))
.option('--no-event-polling', 'Don\'t use polling with `--mode events`, reduces CPU usage (`WATCHER_EVENT_POLLING=0`).')
.option('--stability-threshold <ms>', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Igonred with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
.option('--stability-threshold <ms>', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Ignored with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
.option('--one-shot', 'Process existing files in the path and exit. Sets `--add-existing`.', false)
.option('--log-color', 'Colorize the console log output. Might confound downstream piped processes.', false)
.option('-d, --debug', 'Shortcut for `--log-level debug --log-file-level debug`', false)
Expand All @@ -101,6 +103,7 @@ program
.option('--no-strict-revision-check', 'For CKL, allow checklist of uninstalled STIG revision (`WATCHER_STRICT_REVISION_CHECK=0`). This is the default behavior.')

// Parse ARGV and get the parsed options object
// Options properties are created as camelCase versions of the long option name
program.parse(process.argv)
const options = program.opts()

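Review bot: The help strings of the two new options at the top of the first hunk, `--scope-prefix` and `--extra-scopes`, omit the backticked environment-variable tag that every neighbouring `.requiredOption`/`.option` call carries, so `--help` output will not tell the operator that `WATCHER_SCOPE_PREFIX` and `WATCHER_EXTRA_SCOPES` exist. Suggest ending the first description with the text "when authenticating to the OIDC Provider (`WATCHER_SCOPE_PREFIX`)." and the second with "Will not be automatically prefixed with the `WATCHER_SCOPE_PREFIX` value (`WATCHER_EXTRA_SCOPES`).", following the pattern of the `--client-key` line directly below. Note also that `--extra-scopes` has no `?? ''` fallback as `--scope-prefix` does, so `options.extraScopes` is `undefined` when neither the flag nor the variable is set and every consumer must guard for that. The `program` builder chain begins above the hunk.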
17 changes: 15 additions & 2 deletions lib/auth.js
Expand Up @@ -9,11 +9,24 @@ const self = {}

self.url = null
self.threshold = 10
self.scope = 'openid stig-manager:collection stig-manager:stig:read stig-manager:user:read'
self.key = options.clientKey
self.authenticateFn = options.clientKey ? authenticateSignedJwt : authenticateClientSecret
self.authentication = options.clientKey ? 'signed-jwt' : 'client-secret'

const scopePrefix = options.scopePrefix

const scopeArray= [
`openid`,
`${scopePrefix}stig-manager:stig:read`,
`${scopePrefix}stig-manager:collection`,
`${scopePrefix}stig-manager:user:read`,
]
if (options.extraScopes) {
scopeArray.push(...options.extraScopes.split(" "))
}

self.scope = scopeArray.join(" ")

let tokens, tokenDecoded
/**
* Fetches OpenID configuration from the specified authority URL.
Expand Down Expand Up @@ -93,7 +106,7 @@ async function authenticateClientSecret () {
const parameters = {
form: {
grant_type: 'client_credentials',
scope: self.scope,
scope: self.scope
},
username: options.clientId,
password: options.clientSecret,
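Review bot: `scopeArray.push(...options.extraScopes.split(" "))` in the first hunk splits on a single literal space, so a value containing doubled spaces, tabs or leading/trailing whitespace (easy to get from an environment variable) pushes empty strings onto the list and `self.scope` is then joined with runs of spaces; `scopeArray.push(...options.extraScopes.trim().split(/\s+/).filter(Boolean))` keeps the documented "space separated" contract and drops blanks. Because the extra scopes are appended unprefixed to the `scope` form parameter sent by `authenticateClientSecret` in the second hunk, they can widen what the issued token is permitted to do, so logging the final `self.scope` at startup would make the effective scope set reviewable by the operator. Minor style: `const scopeArray= [` lacks the space before `=` that the surrounding assignments use. The `self` object whose fields are set here is declared on the hunk-header line, above the visible lines.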
