From 3404509e748d28241fc6d12e1cf7c183fb2a45e2 Mon Sep 17 00:00:00 2001 From: Shreyas Bhat Date: Wed, 18 Jun 2025 14:44:36 -0500 Subject: [PATCH 1/4] Added -s/-f flags to skip/force token validation As discussed in issue #130, if stdout is a TTY, we will keep the current default behavior of verifying the token. If stdout is not a TTY, we will skip verification of the token by default. The default behavior can be overridden using the -s/-f flags. --- htdecodetoken | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/htdecodetoken b/htdecodetoken index f8e9def..3755aad 100755 --- a/htdecodetoken +++ b/htdecodetoken @@ -11,6 +11,8 @@ usage() echo 'Decodes a JSON Web Token' echo ' -a: show algorithm portion of JWT' echo ' -H: show dates in human readable format instead of epoch' + echo ' -s: skip scitokens-verify validation (cannot be used with -f)' + echo ' -f: force scitokens-verify validation (cannot be used with -s)' echo 'File name may be "-" to read from stdin.' echo 'If file name not given, follows WLCG Bearer Token Discovery' echo ' which is to first try $BEARER_TOKEN, next $BEARER_TOKEN_FILE,' @@ -68,10 +70,18 @@ human_dates() { set -e +# If stdout is not a TTY, we should not validate the token with scitokens-verify by default +SKIPVERIFY=false +if [ ! -t 1 ]; then + SKIPVERIFY=true +fi + SHOWALG=false HUMANDATE=false +SKIPVERIFYFLAGSET=false +FORCEVERIFYFLAGSET=false NUMSHIFT=0 -while getopts ":aH" opt; do +while getopts ":aHsf" opt; do case "$opt" in a) SHOWALG=true @@ -81,6 +91,24 @@ while getopts ":aH" opt; do HUMANDATE=true (( NUMSHIFT+=1 )) ;; + s) + if "$FORCEVERIFYFLAGSET" ; then + echo "Cannot use both -s and -f options together" >&2 + usage + fi + SKIPVERIFY=true + SKIPVERIFYFLAGSET=true + (( NUMSHIFT+=1 )) + ;; + f) + if "$SKIPVERIFYFLAGSET" ; then + echo "Cannot use both -s and -f options together" >&2 + usage + fi + SKIPVERIFY=false + FORCEVERIFYFLAGSET=true + (( NUMSHIFT+=1 )) + ;; *) usage esac 
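Review bot: The new `[ ! -t 1 ]` default in the `@@ -68,10 +70,18 @@` hunk turns verification off in exactly the piped and scripted invocations, where the decoded claims are most likely to be consumed by another program, and nothing signals that the token was not checked. A caller that used to get scitokens-verify run whenever the tool was installed now gets only the decoded JSON and, as far as the later early-exit hunk shows, a zero exit status. Consider a one-line stderr notice when the skip comes from the TTY default and not from `-s`, placed just before the early exit, for example `"$SKIPVERIFYFLAGSET" || echo "htdecodetoken: token not verified; use -f to verify" >&2`. The comment above `SKIPVERIFY=false` could also state that decoded output is not evidence of a valid signature.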
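Review bot: The new `s)` and `f)` arms in the `@@ -81,6 +91,24 @@` hunk count one shift per option letter with `(( NUMSHIFT+=1 ))`, so a clustered invocation such as `-sH file` counts two for a single argument word. The code that consumes NUMSHIFT is outside this hunk, but if it is a plain `shift $NUMSHIFT`, the file name would be shifted away and the script would fall back to bearer token discovery, decoding a different token from the one named on the command line. The existing `a)` and `H)` arms follow the same pattern, so this is inherited and not introduced here. Replacing the counter with `shift $((OPTIND - 1))` after the loop would handle separate and clustered flags alike.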
@@ -126,6 +154,12 @@ if "$HUMANDATE" ; then else echo "$JWT" | jq . fi +RET=$? + +if "$SKIPVERIFY" ; then + # If we want to skip token verification, exit now + exit $RET +fi set +e VERIFY="$(command -v scitokens-verify)" From b0ea1f05cfc096abf1c2bd967d29b6552e4beb4f Mon Sep 17 00:00:00 2001 From: Shreyas Bhat Date: Wed, 18 Jun 2025 15:10:57 -0500 Subject: [PATCH 2/4] Added message to usage indicating that -s is default when stdout is not a TTY, or if scitokens-verify is not available in the PATH. --- htdecodetoken | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/htdecodetoken b/htdecodetoken index 3755aad..caf412e 100755 --- a/htdecodetoken +++ b/htdecodetoken @@ -11,13 +11,14 @@ usage() echo 'Decodes a JSON Web Token' echo ' -a: show algorithm portion of JWT' echo ' -H: show dates in human readable format instead of epoch' - echo ' -s: skip scitokens-verify validation (cannot be used with -f)' + echo ' -s: skip scitokens-verify validation (cannot be used with -f). This is' + echo ' the default if stdout is not a TTY, or if scitokens-verify is not available' + echo ' in the PATH.' echo ' -f: force scitokens-verify validation (cannot be used with -s)' echo 'File name may be "-" to read from stdin.' echo 'If file name not given, follows WLCG Bearer Token Discovery' echo ' which is to first try $BEARER_TOKEN, next $BEARER_TOKEN_FILE,' echo ' and next ${XDG_RUNTIME_DIR:-/tmp}/bt_u`id -u`.' - echo 'If scitokens-verify is available, will also validate the token.' exit 1 } >&2 From d75c0079069a85b5451e8cd29a627035681b02ec Mon Sep 17 00:00:00 2001 From: Shreyas Bhat Date: Wed, 18 Jun 2025 15:14:59 -0500 Subject: [PATCH 3/4] Redid the line breaks for added message from commit b0ea1f --- htdecodetoken | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/htdecodetoken b/htdecodetoken index caf412e..d4179c0 100755 --- a/htdecodetoken +++ b/htdecodetoken 
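Review bot: `-f` only sets SKIPVERIFY back to false, so when scitokens-verify is absent from PATH a forced run appears to end the same way as a skipped one; FORCEVERIFYFLAGSET is not read anywhere after option parsing in the lines shown. The lookup `VERIFY="$(command -v scitokens-verify)"` is the last visible line of the `@@ -126,6 +154,12 @@` hunk and the handling of an empty result lies outside it, so this is inferred. The usage text added in the next commit does say that skipping is the default when the tool is not available. A user who explicitly asks for validation should get a failure instead of unverified output, e.g. directly after the lookup: `if "$FORCEVERIFYFLAGSET" && [ -z "$VERIFY" ]; then echo "scitokens-verify not found in PATH" >&2; exit 1; fi`.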
@@ -11,9 +11,9 @@ usage() echo 'Decodes a JSON Web Token' echo ' -a: show algorithm portion of JWT' echo ' -H: show dates in human readable format instead of epoch' - echo ' -s: skip scitokens-verify validation (cannot be used with -f). This is' - echo ' the default if stdout is not a TTY, or if scitokens-verify is not available' - echo ' in the PATH.' + echo ' -s: skip scitokens-verify validation (cannot be used with -f).' + echo ' This is the default if stdout is not a TTY, or if scitokens-verify' + echo ' is not available in the PATH.' echo ' -f: force scitokens-verify validation (cannot be used with -s)' echo 'File name may be "-" to read from stdin.' echo 'If file name not given, follows WLCG Bearer Token Discovery' From 764c6c777e4597194817d6fd80f2ee79d97873d1 Mon Sep 17 00:00:00 2001 From: Shreyas Bhat Date: Wed, 18 Jun 2025 17:31:56 -0500 Subject: [PATCH 4/4] Removed trailing period at end -s description first line --- htdecodetoken | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/htdecodetoken b/htdecodetoken index d4179c0..e6f7b6e 100755 --- a/htdecodetoken +++ b/htdecodetoken @@ -11,7 +11,7 @@ usage() echo 'Decodes a JSON Web Token' echo ' -a: show algorithm portion of JWT' echo ' -H: show dates in human readable format instead of epoch' - echo ' -s: skip scitokens-verify validation (cannot be used with -f).' + echo ' -s: skip scitokens-verify validation (cannot be used with -f)' echo ' This is the default if stdout is not a TTY, or if scitokens-verify' echo ' is not available in the PATH.' echo ' -f: force scitokens-verify validation (cannot be used with -s)'