From a5f14386a51c59bc90a2f4783d37693d5ccd2d59 Mon Sep 17 00:00:00 2001 From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> Date: Thu, 20 Nov 2025 17:12:02 -0600 Subject: [PATCH 1/2] fix httokensh to pay attention to HTGETTOKENOPTS --- htgettoken.spec | 3 +++ httokensh | 37 ++++++++++++++++++++++++++++++------- 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/htgettoken.spec b/htgettoken.spec index 5499237..937f245 100644 --- a/htgettoken.spec +++ b/htgettoken.spec @@ -80,6 +80,9 @@ rm -rf $RPM_BUILD_ROOT # and --nokerberos. # - Again fix --showbearerurl to work in combination with --nobearertoken. # That was fixed in 1.17 but broke in 1.21 and 2.0. +# - Fix httokensh to pay attention to htgettoken options in $HTGETTOKENOPTS. +# - Fix httokensh to correctly locate the log file if a -o or --outfile +# is given, instead of writing to ".log" in the current directory. * Fri Jun 20 2025 Dave Dykstra 2.4-1 - Add the new -s and -f options to the htdecodetoken usage summary. diff --git a/httokensh b/httokensh index 17320a7..68c5ddd 100755 --- a/httokensh +++ b/httokensh @@ -30,15 +30,31 @@ GOTSEP=false MINSECS=60 GOTVERBOSE=false GOTOUTFILE=false +OUTFILE="" GOTVTFILE=false GOTVTTTL=false +# look at HTGETTOKENOPTS in addition to those options on the command line +# but don't explicitly pass them again to htgettoken +HTGETSEP="--HTSEP--" +set -- $HTGETTOKENOPTS $HTGETSEP "$@" +DONEHTGETTOKENOPTS=false for ARG; do if $GOTSEP; then COMMANDARGS+=("$ARG") + elif $GOTOUTFILE; then + OUTFILE="$ARG" + GOTOUTFILE=false + if $DONEHTGETTOKENOPTS; then + HTGETTOKENARGS+=("$ARG") + fi + elif [ "$ARG" = "$HTGETSEP" ]; then + DONEHTGETTOKENOPTS=true elif [ "$ARG" = "--" ]; then GOTSEP=true else - HTGETTOKENARGS+=("$ARG") + if $DONEHTGETTOKENOPTS; then + HTGETTOKENARGS+=("$ARG") + fi case "$ARG" in --minsecs=*) MINSECS="${ARG/--minsecs=/}" 
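Review bot: `set -- $HTGETTOKENOPTS $HTGETSEP "$@"` expands the environment variable unquoted, so besides the intended word splitting every word also goes through pathname expansion against the current directory, and an option value containing `*` or `?` can turn into file names. Disabling globbing around the statement keeps the splitting and nothing else: `set -f; set -- $HTGETTOKENOPTS "$HTGETSEP" "$@"; set +f`. Separately, when `$HTGETTOKENOPTS` ends in a bare `-o`, the `elif $GOTOUTFILE` branch consumes the `--HTSEP--` sentinel as the output file, `DONEHTGETTOKENOPTS` never becomes true, and the command-line options are silently left out of `HTGETTOKENARGS`. Testing for the sentinel before the `GOTOUTFILE` branch avoids that. The `for ARG` loop and its `case` continue past the end of this hunk.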
@@ -46,9 +62,12 @@ for ARG; do -v|--verbose) GOTVERBOSE=true ;; - -o|--outfile=*) + -o) GOTOUTFILE=true ;; + --outfile=*) + OUTFILE="${ARG/--outfile=/}" + ;; --vaulttokenfile=*) GOTVTFILE=true ;; @@ -73,12 +92,16 @@ if [ ${#COMMANDARGS[@]} = 0 ]; then COMMANDARGS=("$SHELL") fi -if [ -z "$BEARER_TOKEN_FILE" ] && ! $GOTOUTFILE; then - BTFILE="bt_u$(id -u).sh-$$" - if [ -n "$XDG_RUNTIME_DIR" ]; then - BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE +if [ -z "$BEARER_TOKEN_FILE" ]; then + if [ -n "$OUTFILE" ]; then + BEARER_TOKEN_FILE="$OUTFILE" else - BEARER_TOKEN_FILE=/tmp/$BTFILE + BTFILE="bt_u$(id -u).sh-$$" + if [ -n "$XDG_RUNTIME_DIR" ]; then + BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE + else + BEARER_TOKEN_FILE=/tmp/$BTFILE + fi fi export BEARER_TOKEN_FILE fi From d2f7a29ddf040a445aa8192b3d2cbb7ea0c7d8f7 Mon Sep 17 00:00:00 2001 From: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com> Date: Tue, 25 Nov 2025 08:51:49 -0600 Subject: [PATCH 2/2] avoid sending --vaultmintokenttl to background htgettoken --- htgettoken.spec | 3 +++ httokensh | 13 +++++++++++++ httokensh.1 | 4 ++++ httokensh.html | 9 ++++++--- 4 files changed, 26 insertions(+), 3 deletions(-) diff --git a/htgettoken.spec b/htgettoken.spec index 937f245..f43a74a 100644 --- a/htgettoken.spec +++ b/htgettoken.spec @@ -83,6 +83,9 @@ rm -rf $RPM_BUILD_ROOT # - Fix httokensh to pay attention to htgettoken options in $HTGETTOKENOPTS. # - Fix httokensh to correctly locate the log file if a -o or --outfile # is given, instead of writing to ".log" in the current directory. +# - Fix httokensh to not pass on a --vaulttokenminttl option to the background +# htgettoken command, to make the vault token last as long as possible since +# it doesn't get renewed. * Fri Jun 20 2025 Dave Dykstra 2.4-1 - Add the new -s and -f options to the htdecodetoken usage summary. diff --git a/httokensh b/httokensh index 68c5ddd..1209b9a 100755 --- a/httokensh +++ b/httokensh 
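Review bot: Only the `-o FILE` and `--outfile=FILE` spellings are tracked in this `case`, so if htgettoken also accepts `-oFILE` or `--outfile FILE` (not visible here), `OUTFILE` stays empty and the wrapper exports a default `BEARER_TOKEN_FILE` that differs from where the token is actually written. The same gap applies to the `--vaulttokenminttl*` filter added in the second patch, which drops the option word but would leave a separately passed value behind as a stray argument. Either handle the extra spellings, for example `-o?*) OUTFILE="${ARG#-o}" ;;`, or add a comment stating that only the `=` and `-o FILE` forms are supported. The `case` statement starts before and ends after this hunk.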
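Review bot: `BEARER_TOKEN_FILE="$OUTFILE"` exports the path exactly as typed, so a relative `-o` value is resolved by the spawned command against its own working directory, which changes as soon as the user runs `cd` in that shell. Making the path absolute before exporting keeps the token file and its log in one place: `case "$OUTFILE" in /*) ;; *) OUTFILE="$PWD/$OUTFILE" ;; esac`. The retained fallback `/tmp/bt_u$(id -u).sh-$$` is a predictable name in a world-writable directory. Whether the token file is created exclusively and with owner-only permissions is decided inside htgettoken and is not visible in this diff, so it is worth confirming.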
@@ -146,6 +146,19 @@ gettoken() # beyond the minsecs, so reduce the minimum to just 1 second gettoken "not running command" 1 +# Remove any --vaulttokenminttl option so the background renewal +# gets to be as long as possible +if [[ "$HTGETTOKENOPTS" = *--vaulttokenminttl* ]]; then + HTGETTOKENOPTS="$(echo "$HTGETTOKENOPTS"|sed 's/--vaulttokenminttl=[^ ]*//')" +fi +NEWARGS=() +for ARG in "${HTGETTOKENARGS[@]}"; do + if [[ "$ARG" != --vaulttokenminttl* ]]; then + NEWARGS+=("$ARG") + fi +done +HTGETTOKENARGS=("${NEWARGS[@]}") + # make sure the logged info is verbose for easier diagnosis if ! $GOTVERBOSE; then HTGETTOKENARGS+=("-v") diff --git a/httokensh.1 b/httokensh.1 index 72cc88e..1987633 100644 --- a/httokensh.1 +++ b/httokensh.1 @@ -41,6 +41,10 @@ htgettoken options provided then .I \-\-vaulttokenminttl=6d will be automatically added to ensure there are at least 6 days remaining on the vault token. +The vault token will not be renewed when it expires, so +.B httokensh +is limited to being run for 6 days; it is intended only for interactive +use. The access token will be renewed just under .I \-\-minsecs diff --git a/httokensh.html b/httokensh.html index d93e42b..a883eb1 100644 --- a/httokensh.html +++ b/httokensh.html @@ -1,5 +1,5 @@ - - + + @@ -82,7 +82,10 @@
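Review bot: The `sed` expression has no `g` flag, so only the first `--vaulttokenminttl=...` in `$HTGETTOKENOPTS` is removed and a repeated option still reaches the background htgettoken. It also leaves the option in place when it is written without `=`, even though the `[[ ... = *--vaulttokenminttl* ]]` test matched. `sed 's/--vaulttokenminttl=[^ ]*//g'` covers the repeated case. The edited value only reaches the background process if `HTGETTOKENOPTS` is exported, which holds when it came from the environment; a short comment saying so would make that assumption explicit. The surrounding script continues outside this hunk.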

DESCRIPTION −−vaulttokenminttl htgettoken options provided then −−vaulttokenminttl=6d will be automatically added to ensure there are at least 6 days -remaining on the vault token.

+remaining on the vault token. The vault token will not be +renewed when it expires, so httokensh is limited to +being run for 6 days; it is intended only for interactive +use.

The access token will be renewed just under