Change script to take multiple audiences and other claims from comman…

…d line flag. (istio#4577) Automatic merge from submit-queue. Change script to take multiple audiences and other claims from command line flag.
mbhavya · Mar 28, 2018 · 464530f · 464530f
1 parent e30a1a9
commit 464530f
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 12 deletions.
diff --git a/security/tools/jwt/README.md b/security/tools/jwt/README.md
@@ -27,7 +27,7 @@ Type the following command to see the help message.
 
 It outputs the following:
 ```
-usage: sa-jwt.py [-h] [-iss ISS] [-aud AUD] [-sub SUB] service_account_file
+usage: sa-jwt.py [-h] [-iss ISS] [-aud AUD] [-sub SUB] [-claims CLAIMS] service_account_file
 
 Python script generates a JWT signed by a Google service account
 
@@ -38,18 +38,21 @@ positional arguments:
 optional arguments:
   -h, --help            show this help message and exit
   -iss ISS, --iss ISS   iss claim. This should be your service account email.
-  -aud AUD, --aud AUD   aud claim
+  -aud AUD, --aud AUD   aud claim. This is comma-separated-list of audiences.
   -sub SUB, --sub SUB   sub claim. If not provided, it is set to the same as
                         iss claim.
+  -claims CLAIMS, --claims CLAIMS
+                        Other claims in format name1:value1,name2:value2 etc.
+                        Only string values are supported.                        
 ```
 
-If you want to add custom claims to the JWT, you can edit sa-jwt.py, and add any claims to JWT payload
-(look for "Add any custom claims here" comment in the script).
-
 ## Example
 
 Here is an example of using sa-jwt.py to generate a JWT token.
 ```
-  python sa-jwt.py /path/to/service_account.json -iss <YOUR_SERVICE_ACCOUNT_EMAIL> -aud <YOUR_AUDIENCE>
+  sa-jwt.py /path/to/service_account.json -iss frod@gserviceaccount.com -aud foo,bar
 ```
 
+```
+  sa-jwt.py /path/to/service_account.json -iss frod@gserviceaccount.com -aud foo,bar -claims key1:value1,key2:value2
+```  
diff --git a/security/tools/jwt/sa-jwt.py b/security/tools/jwt/sa-jwt.py
@@ -1,3 +1,5 @@
+#!/usr/bin/python
+
 # Copyright 2018 Istio Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,7 +14,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""Python script generates a JWT signed by a Google service account"""
+"""Python script generates a JWT signed by a Google service account
+
+Example:
+./sa-jwt.py  --iss example-issuer --aud foo,bar --claims=email:foo@google.com,dead:beef key.json 
+"""
 import argparse
 import time
 
@@ -29,9 +35,6 @@ def main(args):
         # expire in one hour.
         "exp": now + 3600,
         "iat": now,
-        # Add any custom claims here.
-        # e.g.,
-        # "email": alice@yahoo.com
     }
     if args.iss:
         payload["iss"] = args.iss
@@ -42,7 +45,15 @@ def main(args):
         payload["sub"] = args.iss
 
     if args.aud:
-        payload["aud"] = args.aud
+        if "," in args.aud:
+            payload["aud"] = args.aud.split(",")
+        else:
+            payload["aud"] = args.aud
+
+    if args.claims:
+        for item in args.claims.split(","):
+            k, v = item.split(':')
+            payload[k] = v
 
     signed_jwt = google.auth.jwt.encode(signer, payload)
     return signed_jwt
@@ -60,7 +71,9 @@ def main(args):
     parser.add_argument("-iss", "--iss",
                         help="iss claim. This should be your service account email.")
     parser.add_argument("-aud", "--aud",
-                        help="aud claim")
+                        help="aud claim. This is comma-separated-list of audiences")
     parser.add_argument("-sub", "--sub",
                         help="sub claim. If not provided, it is set to the same as iss claim.")
+    parser.add_argument("-claims", "--claims",
+                         help="Other claims in format name1:value1,name2:value2 etc. Only string values are supported.")
     print main(parser.parse_args())