Merge pull request #527 from rbino/gen-edgehog-jwt-admin

tools: allow creating admin JWT with gen-edgehog-jwt
edgehog-device-manager · May 24, 2024 · 24e5160 · 24e5160
2 parents cfa5d2c + 40bddac
commit 24e5160
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [0.9.0-dev] - Unreleased
+### Added
+- Allow generating admin JWT using `gen-edgehog-jwt`.
 
 ## [0.8.0] - 2024-03-29
 ### Changed

diff --git a/doc/pages/admin/deploying_with_kubernetes.md b/doc/pages/admin/deploying_with_kubernetes.md
@@ -789,7 +789,7 @@ repo](https://github.com/edgehog-device-manager/edgehog/tree/main/tools).
 
 ```bash
 $ pip3 install pyjwt
-$ ./gen-edgehog-jwt -k <PATH-TO-TENANT-PRIVATE-KEY>
+$ ./gen-edgehog-jwt -t tenant -k <PATH-TO-TENANT-PRIVATE-KEY>
 ```
 
 Values to be replaced

diff --git a/doc/pages/tutorials/edgehog_in_5_minutes.md b/doc/pages/tutorials/edgehog_in_5_minutes.md
@@ -130,13 +130,13 @@ $ cd tools && pip install -r requirements.txt
 Now you can generate the login token with
 
 ```sh
-$ ./gen-edgehog-jwt -k ../acme_private.pem
+$ ./gen-edgehog-jwt -t tenant -k ../acme_private.pem
 ```
 
 > If in the previous section you had decided not to use a custom key, use this command instead
 >
 > ```sh
-> $ ./gen-edgehog-jwt -k ../backend/priv/repo/seeds/keys/tenant_private.pem
+> $ ./gen-edgehog-jwt -t tenant -k ../backend/priv/repo/seeds/keys/tenant_private.pem
 > ```
 
 You can finally navigate to `http://edgehog.localhost` in your browser and login to the

diff --git a/tools/gen-edgehog-jwt b/tools/gen-edgehog-jwt
@@ -2,7 +2,7 @@
 #
 # This file is part of Edgehog.
 #
-# Copyright 2021 SECO Mind Srl
+# Copyright 2021-2024 SECO Mind Srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,25 +23,30 @@ import argparse
 import datetime
 import jwt
 
-default_auth_paths = [".*::.*"]
+default_claim_payload = "*"
 
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description="Generate a valid JWT for Edgehog")
     parser.add_argument("-k", "--private-key", type=str, required=True, help="Path to the private key file for signing "\
         "the Authorization token.")
     parser.add_argument("-e", "--expiry", type=int, required=False, default=86400, help="Expiry of the token in seconds. "\
         "If 0, the token never expires. Defaults to 24 hours.")
-    parser.add_argument("-a", "--auth-paths", type=str, required=False, nargs='+', default=default_auth_paths,
-        help="Defines a series of regular expressions for path-based authorization.")
+    parser.add_argument("-t", "--token-type", required=True, choices=["tenant", "admin"], help="The type of token to "\
+        "generate. `tenant` generates a token for the Tenant GraphQL API, `admin` generates a token for the Admin REST API.")
     args = parser.parse_args()
     args_map = vars(args)
 
     with open(args_map["private_key"], "r") as pk:
         private_key_pem = pk.read()
 
-        auth_paths = args_map["auth_paths"]
         now = datetime.datetime.utcnow()
-        claims = {"e_tga": auth_paths, "iat": now}
+        claims = {"iat": now}
+        if args_map["token_type"] == "tenant":
+            # Currently claims can have any payload, we just pass "*"
+            claims["e_tga"] = default_claim_payload
+        else:
+            # Currently claims can have any payload, we just pass "*"
+            claims["e_ara"] = default_claim_payload
         expiry = args_map["expiry"]
         if expiry > 0:
             claims["exp"] = now + datetime.timedelta(seconds=expiry)