re-use IAP cookie when present and still valid

stang · stang · commit b2f6ea09a2d0 · 2020-03-23T00:37:20.000Z
diff --git a/cmd/git-remote-https+iap/main.go b/cmd/git-remote-https+iap/main.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	_url "net/url"
 	"os"
+	"time"
 
 	"github.com/adohkan/git-remote-https-iap/internal/git"
 	"github.com/adohkan/git-remote-https-iap/internal/iap"
@@ -65,9 +66,21 @@ func handleIAPAuthCookieFor(url string) {
 		log.Error().Msgf("Could not convert %s in https://: %s", url, err)
 	}
 
-	log.Debug().Msgf("Manage IAP auth for %s", os.Args[0], url)
+	log.Debug().Msgf("Manage IAP auth for %s", url)
 
-	if _, err = iap.NewCookie(url); err != nil {
+	cookie, err := iap.ReadCookie(url)
+	switch {
+	case err != nil:
+		log.Debug().Msgf("could not read IAP cookie for %s: %s", url, err.Error())
+		cookie, err = iap.NewCookie(url)
+	case cookie.Expired():
+		log.Debug().Msgf("IAP cookie for %s has expired", url)
+		cookie, err = iap.NewCookie(url)
+	case !cookie.Expired():
+		log.Debug().Msgf("IAP Cookie still valid until %s", time.Unix(cookie.Claims.ExpiresAt, 0))
+	}
+
+	if err != nil {
 		log.Fatal().Msg(err.Error())
 	}
 }
diff --git a/internal/iap/cookie.go b/internal/iap/cookie.go
@@ -1,10 +1,13 @@
 package iap
 
 import (
+	"bufio"
 	"fmt"
 	"net/url"
 	"os"
 	"path/filepath"
+	"strings"
+	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
 
@@ -25,6 +28,68 @@ type Cookie struct {
 	Claims  jwt.StandardClaims
 }
 
+// ReadCookie lookup the http.cookieFile for a given domain and try to load it from the filesystem
+func ReadCookie(domain string) (*Cookie, error) {
+	cookieFile := git.ConfigGetURLMatch("http.cookieFile", domain)
+
+	url, err := url.Parse(domain)
+	if err != nil {
+		return nil, err
+	}
+
+	c := Cookie{
+		JarPath: cookieFile,
+		Domain:  url.Host,
+	}
+
+	rawToken, err := c.readRawTokenFromJar()
+	if err != nil {
+		return nil, err
+	}
+
+	token, claims, err := parseJWToken(rawToken)
+	if err != nil {
+		return nil, err
+	}
+
+	c.Token = token
+	c.Claims = claims
+
+	return &c, nil
+}
+
+func (c *Cookie) readRawTokenFromJar() (string, error) {
+	path := expandHome(c.JarPath)
+
+	file, err := os.Open(path)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "#") || line == "" {
+			continue
+		}
+		fields := strings.Split(line, "\t")
+		if len(fields) != 7 {
+			log.Warn().Msgf("readRawTokenFromJar - unexpected format while parsing IAP cookie: %v", line)
+			continue
+		}
+		// see: https://curl.haxx.se/docs/http-cookies.html
+		cookieName, cookieValue := fields[5], strings.TrimSpace(fields[6])
+		if cookieName != IAPCookieName {
+			log.Debug().Msgf("readRawTokenFromJar - skip '%s' while parsing IAP cookie", cookieName)
+			continue
+		}
+
+		return cookieValue, nil
+	}
+	return "", fmt.Errorf("readRawTokenFromJar - %s not found", IAPCookieName)
+}
+
 // NewCookie takes care of the authentication workflow and creates the relevant IAP Cookie on the filesystem
 func NewCookie(domain string) (*Cookie, error) {
 
@@ -81,6 +146,11 @@ func (c *Cookie) write(token string, exp int64) error {
 	return nil
 }
 
+// Expired returns a boolean that indicate if the expires-at claim is in the future
+func (c *Cookie) Expired() bool {
+	return c.Claims.ExpiresAt < time.Now().Unix()
+}
+
 func parseJWToken(rawToken string) (jwt.Token, jwt.StandardClaims, error) {
 	var p jwt.Parser
 	var claims jwt.StandardClaims
