cli: add and remove scopes using --scope=+Scope or --scope=-Scope

2025-04-05 16:39:34 +00:00 · 2025-03-12 10:15:12 +01:00 · 2025-03-12 10:15:12 +01:00 · d2a064bb1b
commit d2a064bb1b
parent 88b4623bf1
2 changed files with 36 additions and 6 deletions
--- a/src/garage/cli/remote/admin_token.rs
+++ b/src/garage/cli/remote/admin_token.rs
@ -152,10 +152,28 @@ impl Cli {
 						.transpose()
 						.ok_or_message("Invalid duration passed for --expires-in parameter")?
 						.map(|dur| Utc::now() + dur),
-					scope: opt.scope.map(|s| {
-						s.split(",")
-							.map(|x| x.trim().to_string())
-							.collect::<Vec<_>>()
+					scope: opt.scope.map({
+						let mut new_scope = token.scope;
+						|scope_str| {
+							if let Some(add) = scope_str.strip_prefix("+") {
+								for a in add.split(",").map(|x| x.trim().to_string()) {
+									if !new_scope.contains(&a) {
+										new_scope.push(a);
+									}
+								}
+								new_scope
+							} else if let Some(sub) = scope_str.strip_prefix("-") {
+								for r in sub.split(",").map(|x| x.trim()) {
+									new_scope.retain(|x| x != r);
+								}
+								new_scope
+							} else {
+								scope_str
+									.split(",")
+									.map(|x| x.trim().to_string())
+									.collect::<Vec<_>>()
+							}
+						}
 					}),
 				},
 			})
--- a/src/garage/cli/structs.rs
+++ b/src/garage/cli/structs.rs
@ -528,7 +528,12 @@ pub struct AdminTokenCreateOp {
 	/// format)
 	#[structopt(long = "expires-in")]
 	pub expires_in: Option<String>,
-	/// Set a limited scope for the token (by default, `*`)
+	/// Set a limited scope for the token, as a comma-separated list of
+	/// admin API functions (e.g. GetClusterStatus, etc.). The default scope
+	/// is `*`, which allows access to all admin API functions.
+	/// Note that granting a scope that allows `CreateAdminToken` or
+	/// `UpdateAdminToken` allows for privilege escalation, and is therefore
+	/// equivalent to `*`.
 	#[structopt(long = "scope")]
 	pub scope: Option<String>,
 	/// Print only the newly generated API token to stdout
@ -544,7 +549,14 @@ pub struct AdminTokenSetOp {
 	/// format)
 	#[structopt(long = "expires-in")]
 	pub expires_in: Option<String>,
-	/// Set a limited scope for the token
+	/// Set a limited scope for the token, as a comma-separated list of
+	/// admin API functions (e.g. GetClusterStatus, etc.), or `*` to allow
+	/// all admin API functions.
+	/// Use `--scope=+Scope1,Scope2` to add scopes to the existing list,
+	/// and `--scope=-Scope1,Scope2` to remove scopes from the existing list.
+	/// Note that granting a scope that allows `CreateAdminToken` or
+	/// `UpdateAdminToken` allows for privilege escalation, and is therefore
+	/// equivalent to `*`.
 	#[structopt(long = "scope")]
 	pub scope: Option<String>,
 }