Fix httokensh to honor HTGETTOKENOPTS and not pass on --vaultmintokenttl

htgettoken.spec

@@ -80,6 +80,12 @@ rm -rf $RPM_BUILD_ROOT
 #   and --nokerberos.
 # - Again fix --showbearerurl to work in combination with --nobearertoken.
 #   That was fixed in 1.17 but broke in 1.21 and 2.0.
+# - Fix httokensh to pay attention to htgettoken options in $HTGETTOKENOPTS.
+# - Fix httokensh to correctly locate the log file if a -o or --outfile
+#   is given, instead of writing to ".log" in the current directory.
+# - Fix httokensh to not pass on a --vaulttokenminttl option to the background
+#   htgettoken command, to make the vault token last as long as possible since
+#   it doesn't get renewed.
 
 * Fri Jun 20 2025 Dave Dykstra <dwd@fnal.gov> 2.4-1
 - Add the new -s and -f options to the htdecodetoken usage summary.

httokensh

@@ -30,25 +30,44 @@ GOTSEP=false
 MINSECS=60
 GOTVERBOSE=false
 GOTOUTFILE=false
+OUTFILE=""
 GOTVTFILE=false
 GOTVTTTL=false
+# look at HTGETTOKENOPTS in addition to those options on the command line
+# but don't explicitly pass them again to htgettoken
+HTGETSEP="--HTSEP--"
+set -- $HTGETTOKENOPTS $HTGETSEP "$@"
+DONEHTGETTOKENOPTS=false
 for ARG; do
     if $GOTSEP; then
         COMMANDARGS+=("$ARG")
+    elif $GOTOUTFILE; then
+        OUTFILE="$ARG"
+        GOTOUTFILE=false
+        if $DONEHTGETTOKENOPTS; then
+            HTGETTOKENARGS+=("$ARG")
+        fi
+    elif [ "$ARG" = "$HTGETSEP" ]; then
+        DONEHTGETTOKENOPTS=true
     elif [ "$ARG" = "--" ]; then
         GOTSEP=true
     else
-        HTGETTOKENARGS+=("$ARG")
+        if $DONEHTGETTOKENOPTS; then
+            HTGETTOKENARGS+=("$ARG")
+        fi
         case "$ARG" in
             --minsecs=*)
                 MINSECS="${ARG/--minsecs=/}"
                 ;;
             -v|--verbose)
                 GOTVERBOSE=true
                 ;;
-            -o|--outfile=*)
+            -o)
                 GOTOUTFILE=true
                 ;;
+            --outfile=*)
+                OUTFILE="${ARG/--outfile=/}"
+                ;;
             --vaulttokenfile=*)
                 GOTVTFILE=true
                 ;;
@@ -73,12 +92,16 @@ if [ ${#COMMANDARGS[@]} = 0 ]; then
     COMMANDARGS=("$SHELL")
 fi
 
-if [ -z "$BEARER_TOKEN_FILE" ] && ! $GOTOUTFILE; then
-    BTFILE="bt_u$(id -u).sh-$$"
-    if [ -n "$XDG_RUNTIME_DIR" ]; then
-        BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE
+if [ -z "$BEARER_TOKEN_FILE" ]; then
+    if [ -n "$OUTFILE" ]; then
+        BEARER_TOKEN_FILE="$OUTFILE"
     else
-        BEARER_TOKEN_FILE=/tmp/$BTFILE
+        BTFILE="bt_u$(id -u).sh-$$"
+        if [ -n "$XDG_RUNTIME_DIR" ]; then
+            BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE
+        else
+            BEARER_TOKEN_FILE=/tmp/$BTFILE
+        fi
     fi
     export BEARER_TOKEN_FILE
 fi
@@ -123,6 +146,19 @@ gettoken()
 # beyond the minsecs, so reduce the minimum to just 1 second
 gettoken "not running command" 1
 
+# Remove any --vaulttokenminttl option so the background renewal
+#  gets to be as long as possible
+if [[ "$HTGETTOKENOPTS" = *--vaulttokenminttl* ]]; then
+    HTGETTOKENOPTS="$(echo "$HTGETTOKENOPTS"|sed 's/--vaulttokenminttl=[^ ]*//')"
+fi
+NEWARGS=()
+for ARG in "${HTGETTOKENARGS[@]}"; do
+    if [[ "$ARG" != --vaulttokenminttl* ]]; then
+        NEWARGS+=("$ARG")
+    fi
+done
+HTGETTOKENARGS=("${NEWARGS[@]}")
+
 # make sure the logged info is verbose for easier diagnosis
 if ! $GOTVERBOSE; then
     HTGETTOKENARGS+=("-v")

httokensh.1

@@ -41,6 +41,10 @@ htgettoken options provided then
 .I \-\-vaulttokenminttl=6d
 will be automatically added to ensure there are at least 6 days remaining
 on the vault token.
+The vault token will not be renewed when it expires, so
+.B httokensh
+is limited to being run for 6 days; it is intended only for interactive
+use.
 
 The access token will be renewed just under 
 .I \-\-minsecs