openshift-online · tylercreller · Oct 17, 2024
diff --git a/cmd/ocm/delete/cmd.go b/cmd/ocm/delete/cmd.go
@@ -28,7 +28,6 @@ import (
 	"github.com/openshift-online/ocm-cli/cmd/ocm/delete/upgradepolicy"
 	"github.com/openshift-online/ocm-cli/cmd/ocm/delete/user"
 	"github.com/openshift-online/ocm-cli/pkg/arguments"
-	"github.com/openshift-online/ocm-cli/pkg/config"
 	"github.com/openshift-online/ocm-cli/pkg/dump"
 	"github.com/openshift-online/ocm-cli/pkg/ocm"
 	"github.com/openshift-online/ocm-cli/pkg/urls"
@@ -132,25 +131,6 @@ func run(cmd *cobra.Command, argv []string) error {
 		return fmt.Errorf("can't print body: %w", err)
 	}
 
-	// Load the configuration file:
-	cfg, err := config.Load()
-	if err != nil {
-		return fmt.Errorf("can't load config file: %w", err)
-	}
-	if cfg == nil {
-		return fmt.Errorf("not logged in, run the 'login' command")
-	}
-
-	// Save the configuration:
-	cfg.AccessToken, cfg.RefreshToken, err = connection.Tokens()
-	if err != nil {
-		return fmt.Errorf("can't get tokens: %w", err)
-	}
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("can't save config file: %w", err)
-	}
-
 	// Bye:
 	if status >= 400 {
 		os.Exit(1)

diff --git a/cmd/ocm/get/cmd.go b/cmd/ocm/get/cmd.go
@@ -23,7 +23,6 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/openshift-online/ocm-cli/pkg/arguments"
-	"github.com/openshift-online/ocm-cli/pkg/config"
 	"github.com/openshift-online/ocm-cli/pkg/dump"
 	"github.com/openshift-online/ocm-cli/pkg/ocm"
 	"github.com/openshift-online/ocm-cli/pkg/urls"
@@ -61,15 +60,6 @@ func run(cmd *cobra.Command, argv []string) error {
 		return fmt.Errorf("Could not create URI: %v", err)
 	}
 
-	// Load the configuration file:
-	cfg, err := config.Load()
-	if err != nil {
-		return fmt.Errorf("Can't load config file: %v", err)
-	}
-	if cfg == nil {
-		return fmt.Errorf("Not logged in, run the 'login' command")
-	}
-
 	// Create the client for the OCM API:
 	connection, err := ocm.NewConnection().Build()
 	if err != nil {
@@ -111,16 +101,6 @@ func run(cmd *cobra.Command, argv []string) error {
 		return fmt.Errorf("Can't print body: %v", err)
 	}
 
-	// Save the configuration:
-	cfg.AccessToken, cfg.RefreshToken, err = connection.Tokens()
-	if err != nil {
-		return fmt.Errorf("Can't get tokens: %v", err)
-	}
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("Can't save config file: %v", err)
-	}
-
 	// Bye:
 	if status >= 400 {
 		os.Exit(1)

diff --git a/cmd/ocm/login/cmd.go b/cmd/ocm/login/cmd.go
@@ -329,20 +329,14 @@ func run(cmd *cobra.Command, argv []string) error {
 	cfg.Password = args.password
 	cfg.Insecure = args.insecure
 
-	// Create a connection and get the token to verify that the crendentials are correct:
-	connection, err := ocm.NewConnection().Config(cfg).Build()
+	// Create a connection to verify that the credentials are correct:
+	_, err = ocm.NewConnection().Config(cfg).Build()
 	if err != nil {
 		return fmt.Errorf("Can't create connection: %v", err)
 	}
-	accessToken, refreshToken, err := connection.Tokens()
-	if err != nil {
-		return fmt.Errorf("Can't get token: %v", err)
-	}
 
-	// Save the configuration, but clear the user name and password before unless we have
+	// clear the user name and password before unless we have
 	// explicitly been asked to store them persistently:
-	cfg.AccessToken = accessToken
-	cfg.RefreshToken = refreshToken
 	if !args.persistent {
 		cfg.User = ""
 		cfg.Password = ""

diff --git a/cmd/ocm/patch/cmd.go b/cmd/ocm/patch/cmd.go
@@ -23,7 +23,6 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/openshift-online/ocm-cli/pkg/arguments"
-	"github.com/openshift-online/ocm-cli/pkg/config"
 	"github.com/openshift-online/ocm-cli/pkg/dump"
 	"github.com/openshift-online/ocm-cli/pkg/ocm"
 	"github.com/openshift-online/ocm-cli/pkg/urls"
@@ -92,20 +91,6 @@ func run(cmd *cobra.Command, argv []string) error {
 	if err != nil {
 		return fmt.Errorf("Can't print body: %v", err)
 	}
-	// Load the configuration file:
-	cfg, err := config.Load()
-	if err != nil {
-		return fmt.Errorf("Can't load config file: %v", err)
-	}
-	// Save the configuration:
-	cfg.AccessToken, cfg.RefreshToken, err = connection.Tokens()
-	if err != nil {
-		return fmt.Errorf("Can't get tokens: %v", err)
-	}
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("Can't save config file: %v", err)
-	}
 
 	// Bye:
 	if status >= 400 {

diff --git a/cmd/ocm/post/cmd.go b/cmd/ocm/post/cmd.go
@@ -23,7 +23,6 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/openshift-online/ocm-cli/pkg/arguments"
-	"github.com/openshift-online/ocm-cli/pkg/config"
 	"github.com/openshift-online/ocm-cli/pkg/dump"
 	"github.com/openshift-online/ocm-cli/pkg/ocm"
 	"github.com/openshift-online/ocm-cli/pkg/urls"
@@ -93,21 +92,6 @@ func run(cmd *cobra.Command, argv []string) error {
 		return fmt.Errorf("Can't print body: %v", err)
 	}
 
-	// Load the configuration file:
-	cfg, err := config.Load()
-	if err != nil {
-		return fmt.Errorf("Can't load config file: %v", err)
-	}
-	// Save the configuration:
-	cfg.AccessToken, cfg.RefreshToken, err = connection.Tokens()
-	if err != nil {
-		return fmt.Errorf("Can't get tokens: %v", err)
-	}
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("Can't save config file: %v", err)
-	}
-
 	// Bye:
 	if status >= 400 {
 		os.Exit(1)

diff --git a/cmd/ocm/token/cmd.go b/cmd/ocm/token/cmd.go
@@ -107,21 +107,21 @@ func run(cmd *cobra.Command, argv []string) error {
 	}
 	defer connection.Close()
 
-	var accessToken string
-	var refreshToken string
+	// Load the configuration file:
+	cfg, err := config.Load()
+	if err != nil {
+		return fmt.Errorf("Can't load config file: %v", err)
+	}
+
+	var accessToken = cfg.AccessToken
+	var refreshToken = cfg.RefreshToken
 
 	if args.generate {
 		// Get new tokens:
 		accessToken, refreshToken, err = connection.Tokens(15 * time.Minute)
 		if err != nil {
 			return fmt.Errorf("Can't get new tokens: %v", err)
 		}
-	} else {
-		// Get the tokens:
-		accessToken, refreshToken, err = connection.Tokens()
-		if err != nil {
-			return fmt.Errorf("Can't get token: %v", err)
-		}
 	}
 
 	// Select the token according to the options:
@@ -170,20 +170,15 @@ func run(cmd *cobra.Command, argv []string) error {
 		fmt.Fprintf(os.Stdout, "%s\n", selectedToken)
 	}
 
-	// Load the configuration file:
-	cfg, err := config.Load()
-	if err != nil {
-		return fmt.Errorf("Can't load config file: %v", err)
-	}
-
-	// Save the configuration:
-	cfg.AccessToken = accessToken
-	cfg.RefreshToken = refreshToken
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("Can't save config file: %v", err)
+	if args.generate {
+		// Save the configuration:
+		cfg.AccessToken = accessToken
+		cfg.RefreshToken = refreshToken
+		err = config.Save(cfg)
+		if err != nil {
+			return fmt.Errorf("Can't save config file: %v", err)
+		}
 	}
 
-	// Bye:
 	return nil
 }
diff --git a/pkg/ocm/connection-builder/connection.go b/pkg/ocm/connection-builder/connection.go
@@ -15,7 +15,9 @@ package connection
 
 import (
 	"fmt"
+	"strings"
 
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/golang/glog"
 	sdk "github.com/openshift-online/ocm-sdk-go"
 	"github.com/openshift-online/ocm-sdk-go/logging"
@@ -114,7 +116,32 @@ func (b *ConnectionBuilder) Build() (result *sdk.Connection, err error) {
 	}
 
 	// Create the connection:
-	return builder.Build()
+	conn, err := builder.Build()
+	if err != nil {
+		return conn, err
+	}
+
+	// Token management:
+	accessToken, refreshToken, err := conn.Tokens()
+	if err != nil {
+		return nil, fmt.Errorf("Can't get tokens: %v", err)
+	}
+
+	// Only execute if the refresh token has changed. This helps limit warnings for users
+	// to only on login and when their refresh token is cycled by SSO instead of on every command.
+	if b.cfg.RefreshToken != refreshToken {
+		offlineTokenDeprecationWarning(refreshToken)
+	}
+
+	b.cfg.AccessToken = accessToken
+	b.cfg.RefreshToken = refreshToken
+
+	err = config.Save(b.cfg)
+	if err != nil {
+		return nil, fmt.Errorf("Can't save config file: %v", err)
+	}
+
+	return conn, nil
 }
 
 func (b *ConnectionBuilder) initConnectionBuilderFromConfig() *sdk.ConnectionBuilder {
@@ -178,3 +205,38 @@ func (b *ConnectionBuilder) getAgent() string {
 	}
 	return "OCM-CLI/" + info.Version
 }
+
+// Prints a deprecation warning if tokens have changed and the new refresh token contains the 'offline_access' scope
+// Swallow and log errors as this is a non-essential warning that should not block the user
+func offlineTokenDeprecationWarning(refreshToken string) {
+	const offlineTokenDeprecationMessage = "Logging in with offline tokens is being deprecated and will no longer " +
+		"be maintained or enhanced. Instead, log in with --use-auth-code or --use-device-code. See 'ocm login --help' " +
+		"for usage. Learn more about deprecating offline tokens via https://console.redhat.com/openshift/token"
+
+	parser := new(jwt.Parser)
+	token, _, err := parser.ParseUnverified(refreshToken, jwt.MapClaims{})
+	if err != nil {
+		if debug.Enabled() {
+			fmt.Printf("Failed to parse refresh token for deprecation warning: %v\n", err)
+		}
+		return
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		if debug.Enabled() {
+			fmt.Printf("Failed to get claims from refresh token for deprecation warning: %v\n", err)
+		}
+		return
+	}
+	scopes, ok := claims["scope"].(string)
+	if !ok {
+		if debug.Enabled() {
+			fmt.Printf("Failed to get scopes from refresh token for deprecation warning: %v\n", err)
+		}
+		return
+	}
+	if strings.Contains(scopes, "offline_access") {
+		fmt.Println(offlineTokenDeprecationMessage)
+		return
+	}
+}