mytoken client: st add support for capabilities

config/client/example-config.yaml

@@ -4,13 +4,19 @@ instance: "http://localhost:8000"
 token_name_prefix: "<hostname>"
 
 default_oidc_flow: "auth"
+# The default capabilities for super tokens
 default_token_capabilities:
-  - "AT"
-  - "create_super_token"
-  - "tokeninfo_history"
-  - "tokeninfo_tree"
-#  - "settings"
-#  - "list_super_tokens"
+  # The default capabilities for super tokens are stored by the client
+  stored:
+    - "AT"
+    - "create_super_token"
+    - "tokeninfo_history"
+    - "tokeninfo_tree"
+  #  - "settings"
+  #  - "list_super_tokens"
+  # The default capabilities for super tokens are returned for other usage
+  returned:
+    - "AT"
 default_gpg_key:
 default_provider:
 

internal/client/commands/st.go

@@ -16,6 +16,14 @@ func init() {
 	options.ST.Store.CommonSTOptions = options.ST.CommonSTOptions
 	st, _ := parser.AddCommand("ST", "Obtain super token", "Obtain a new mytoken super token", &options.ST)
 	st.SubcommandsOptional = true
+	for _, o := range st.Options() {
+		if o.LongName == "capability" {
+			o.Choices = capabilities.AllCapabilities.Strings()
+		}
+		if o.LongName == "subtoken-capability" {
+			o.Choices = capabilities.AllCapabilities.Strings()
+		}
+	}
 }
 
 type stCommand struct {
@@ -33,8 +41,8 @@ type CommonSTOptions struct {
 
 	Scopes               []string `long:"scope" description:"Request the passed scope. Can be used multiple times"`
 	Audiences            []string `long:"aud" description:"Request the passed audience. Can be used multiple times"`
-	Capabilities         []string `long:"capability" choice:"AT" choice:"create_supertoken" description:"Request the passed capabilities. Can be used multiple times"`                   //TODO
-	SubtokenCapabilities []string `long:"subtoken-capability" choice:"AT" choice:"create_supertoken" description:"Request the passed subtoken capabilities. Can be used multiple times"` //TODO
+	Capabilities         []string `long:"capability" default:"default" description:"Request the passed capabilities. Can be used multiple times"` //TODO
+	SubtokenCapabilities []string `long:"subtoken-capability" description:"Request the passed subtoken capabilities. Can be used multiple times"` //TODO
 	Restrictions         string
 }
 
@@ -49,6 +57,9 @@ type stStoreCommand struct {
 
 // Execute implements the flags.Commander interface
 func (stc *stCommand) Execute(args []string) error {
+	if len(stc.Capabilities) > 0 && stc.Capabilities[0] == "default" {
+		stc.Capabilities = config.Get().DefaultTokenCapabilities.Returned
+	}
 	st, err := obtainST(stc.CommonSTOptions, "", model.NewResponseType(stc.TokenType))
 	if err != nil {
 		return err
@@ -72,8 +83,8 @@ func obtainST(args *CommonSTOptions, name string, responseType model.ResponseTyp
 		tokenName = fmt.Sprintf("%s:%s", prefix, name)
 	}
 	var r restrictions.Restrictions = nil
-	var c capabilities.Capabilities = nil
-	var sc capabilities.Capabilities = nil
+	c := capabilities.NewCapabilities(args.Capabilities)
+	sc := capabilities.NewCapabilities(args.SubtokenCapabilities)
 	if len(args.OIDCFlow) > 0 {
 		if args.OIDCFlow == "default" {
 			args.OIDCFlow = config.Get().DefaultOIDCFlow
@@ -114,6 +125,9 @@ func obtainST(args *CommonSTOptions, name string, responseType model.ResponseTyp
 
 // Execute implements the flags.Commander interface
 func (sstc *stStoreCommand) Execute(args []string) error {
+	if len(sstc.Capabilities) > 0 && sstc.Capabilities[0] == "default" {
+		sstc.Capabilities = config.Get().DefaultTokenCapabilities.Stored
+	}
 	provider, err := sstc.CommonSTOptions.generalOptions.checkProvider()
 	if err != nil {
 		return err

internal/client/config/config.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/zachmann/mytoken/internal/client/model"
 	"github.com/zachmann/mytoken/internal/client/utils/cryptutils"
+	"github.com/zachmann/mytoken/internal/server/supertoken/capabilities"
 	"github.com/zachmann/mytoken/internal/utils/fileutil"
 	"github.com/zachmann/mytoken/pkg/mytokenlib"
 )
@@ -21,9 +22,13 @@ type config struct {
 	URL     string              `yaml:"instance"`
 	Mytoken *mytokenlib.Mytoken `yaml:"-"`
 
-	DefaultGPGKey   string `yaml:"default_gpg_key"`
-	DefaultProvider string `yaml:"default_provider"`
-	DefaultOIDCFlow string `yaml:"default_oidc_flow"`
+	DefaultGPGKey            string `yaml:"default_gpg_key"`
+	DefaultProvider          string `yaml:"default_provider"`
+	DefaultOIDCFlow          string `yaml:"default_oidc_flow"`
+	DefaultTokenCapabilities struct {
+		Stored   []string `yaml:"stored"`
+		Returned []string `yaml:"returned"`
+	} `yaml:"default_token_capabilities"`
 
 	TokenNamePrefix string `yaml:"token_name_prefix"`
 
@@ -68,9 +73,16 @@ func (c *config) GetToken(issuer, name string) (string, error) {
 }
 
 var defaultConfig = config{
-	TokensFile:      "tokens.json",
-	TokenNamePrefix: "<hostname>",
 	DefaultOIDCFlow: "auth",
+	DefaultTokenCapabilities: struct {
+		Stored   []string `yaml:"stored"`
+		Returned []string `yaml:"returned"`
+	}{
+		Stored:   capabilities.Capabilities{capabilities.CapabilityAT, capabilities.CapabilityCreateST, capabilities.CapabilityTokeninfoHistory, capabilities.CapabilityTokeninfoTree}.Strings(),
+		Returned: capabilities.Capabilities{capabilities.CapabilityAT}.Strings(),
+	},
+	TokenNamePrefix: "<hostname>",
+	TokensFile:      "tokens.json",
 }
 
 var conf *config

internal/server/supertoken/capabilities/capability.go

@@ -8,13 +8,39 @@ import (
 // Constants for capabilities
 const (
 	CapabilityAT               Capability = "AT"
-	CapabilityCreateST                    = "create_super_token"
-	CapabilitySettings                    = "settings"
-	CapabilityTokeninfoHistory            = "tokeninfo_history"
-	CapabilityTokeninfoTree               = "tokeninfo_tree"
-	CapabilityListST                      = "list_super_tokens"
+	CapabilityCreateST         Capability = "create_super_token"
+	CapabilitySettings         Capability = "settings"
+	CapabilityTokeninfoHistory Capability = "tokeninfo_history"
+	CapabilityTokeninfoTree    Capability = "tokeninfo_tree"
+	CapabilityListST           Capability = "list_super_tokens"
 )
 
+// AllCapabilities holds all defined capabilities
+var AllCapabilities = Capabilities{
+	CapabilityAT,
+	CapabilityCreateST,
+	CapabilitySettings,
+	CapabilityTokeninfoHistory,
+	CapabilityTokeninfoTree,
+	CapabilityListST,
+}
+
+// NewCapabilities casts a []string into Capabilities
+func NewCapabilities(caps []string) (c Capabilities) {
+	for _, cc := range caps {
+		c = append(c, Capability(cc))
+	}
+	return
+}
+
+// Strings returns a slice of strings for these capabilities
+func (c Capabilities) Strings() (s []string) {
+	for _, cc := range c {
+		s = append(s, string(cc))
+	}
+	return
+}
+
 // Capabilities is a slice of Capability
 type Capabilities []Capability