indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

oidc-token prints shell code to different outputs #503

Closed paulmillar closed 1 year ago

paulmillar commented 1 year ago

The oidc-token options -o, -e and -i return the access token itself, the expiry time and the issuer (respectively). If multiple of these options are present or if a single option has an argument then shell code is generated that assigns the value to a particular variable; for example,

paul@celebrimbor:~$ oidc-token -o EGI-CHECKIN
eyJh[...]vznQ
paul@celebrimbor:~$ oidc-token -oFOO EGI-CHECKIN
FOO=eyJh[...]vznQ; export FOO;
paul@celebrimbor:~$ 

The problem comes with how -e and -i handle shell printing.

In the case of -o, both the regular output and the shell code are emitted on stdout:

paul@celebrimbor:~$ oidc-token -o EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} eyJh[...]vznQ
paul@celebrimbor:~$ oidc-token -oFOO EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} FOO=eyJh[...]vznQ; export FOO;
paul@celebrimbor:~$ 

However, for -e and -i, the normal (non-shell) output is emitted on stdout while the shell code is printed on stderr.

Here is the -e output:

paul@celebrimbor:~$ oidc-token -e EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} 1681805554
paul@celebrimbor:~$ oidc-token -eFOO EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stderr} FOO=1681805554; export FOO;
paul@celebrimbor:~$ 

Here are the same commands for -i:

paul@celebrimbor:~$ oidc-token -i EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} https://aai.egi.eu/auth/realms/egi
paul@celebrimbor:~$ oidc-token -iFOO EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stderr} FOO=https://aai.egi.eu/auth/realms/egi; export FOO;
paul@celebrimbor:~$ 

There is consistent behaviour if multiple of -o, -e and -i are specified. This forces oidc-token to emit shell code, with the -o output going to stdout and -e and -i going to stderr:

paul@celebrimbor:~$ oidc-token -o -e -i EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} OIDC_AT=eyJh[...]vznQ; export OIDC_AT;
{stderr} OIDC_ISS=https://aai.egi.eu/auth/realms/egi; export OIDC_ISS;
{stderr} OIDC_EXP=1681805554; export OIDC_EXP;
paul@celebrimbor:~$ 

The command option -c (or --env) is documented as equivalent to specifying -o, -e, -i. This seems to be the case, as it shows the same behaviour:

paul@celebrimbor:~$ oidc-token -c EGI-CHECKIN 2> >(awk '{print "{stderr} "$0}' 1>&2) | awk '{print "{stdout} "$0}'
{stdout} OIDC_AT=eyJh[...]vznQ; export OIDC_AT;
{stderr} OIDC_ISS=https://aai.egi.eu/auth/realms/egi; export OIDC_ISS;
{stderr} OIDC_EXP=1681805554; export OIDC_EXP;
paul@celebrimbor:~$ 

This use of stderr is not documented in the man pages.

Moreover, I can't imagine what benefit it brings. It looks (to me) like a bug.

zachmann commented 1 year ago

That's indeed a bug. All of the output should be printed to stdout. The bug was introduced in version 4.5.0.

We will correct it.
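
Added example, not part of the original thread or the project's code: a POSIX shell check for what the behaviour reported above does to a caller that evals the shell code captured from stdout. `oidc_token_stub`, `load_token_env`, `STDERR_ASSIGNMENTS` and all values are hypothetical and constructed; the stub reproduces the stdout/stderr split shown in the `-c` transcript.

```shell
#!/bin/sh
# Stub standing in for `oidc-token -c <account>` (hypothetical, constructed values).
# "buggy" reproduces the split reported in the issue; "fixed" prints all on stdout.
oidc_token_stub() {
    echo "OIDC_AT=constructed-token; export OIDC_AT;"
    if [ "$1" = buggy ]; then
        echo "OIDC_ISS=https://issuer.example/realm; export OIDC_ISS;" >&2
        echo "OIDC_EXP=1681805554; export OIDC_EXP;" >&2
    else
        echo "OIDC_ISS=https://issuer.example/realm; export OIDC_ISS;"
        echo "OIDC_EXP=1681805554; export OIDC_EXP;"
    fi
}

# Run "$@", eval only its stdout (what `eval "$(cmd)"` sees), then verify.
# Returns 0 if all three variables are set, 1 if any is missing,
# 2 if the command itself failed. STDERR_ASSIGNMENTS holds the number of
# assignment lines that arrived on stderr instead of stdout.
load_token_env() {
    unset OIDC_AT OIDC_ISS OIDC_EXP
    errfile=$(mktemp) || return 2
    out=$("$@" 2>"$errfile") || { rm -f "$errfile"; return 2; }
    eval "$out"
    missing=""
    for v in OIDC_AT OIDC_ISS OIDC_EXP; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    # grep -c exits non-zero on a count of 0, hence the "|| true".
    STDERR_ASSIGNMENTS=$(grep -c '^[A-Za-z_][A-Za-z0-9_]*=.*; export ' "$errfile" || true)
    rm -f "$errfile"
    if [ -n "$missing" ]; then
        echo "missing after eval:$missing ($STDERR_ASSIGNMENTS assignment line(s) on stderr)" >&2
        return 1
    fi
    return 0
}

# Demo: with the split output, only OIDC_AT survives the eval.
load_token_env oidc_token_stub buggy || echo "stdout/stderr split detected"
```

With the split output, a script that goes on to read `OIDC_EXP` or `OIDC_ISS` after the eval would find them unset, which is why the check fails closed instead of continuing with only the access token.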