
feat: Add webauthn diagnostic commands to tctl #41558

Merged: 6 commits merged into master from codingllama/wan-diag-commands, May 16, 2024

Conversation

codingllama (Contributor):

Adds the following hidden/utility commands to tctl:

  • fido2 diag
  • fido2 attobj
  • webauthnwin diag
  • touchid diag
  • touchid ls
  • touchid rm

Since admin actions, the fido2 and webauthnwin families are applicable. Touch ID isn't yet applicable, but it might be in the near future, so I'm already porting those. It's useful to have the diag commands in the tctl binary as they can easily detect whether build tags, signing or entitlements are missing.

Closes #39629

Changelog: Add webauthn diagnostics commands to tctl

github-actions bot added labels size/md, tctl (tctl - Teleport admin tool) and tsh (tsh - Teleport's command line tool for logging into nodes running Teleport) on May 14, 2024

return root
}

type fido2DiagCommand struct {
// TryRun attempts to execute a "fido2" command. Used by tctl.
func (c *Command) TryRun(ctx context.Context, selectedCommand string) (match bool, err error) {
codingllama (author):

I've kept the "Try" methods in here, even though they don't exactly match CLICommand, as it's easier to spot them in this file if/when we add new subcommands.

*kingpin.CmdClause
}

func (*fido2DiagCommand) run(cf *CLIConf) error {
codingllama (author):

Removed CLIConf, as that's a tsh construction.

// MatchesCommand returns true if LsCommand matches the given fullCommand, as
// per [kingpin.CmdClause.FullCommand].
// Safe even if LsCommand is nil.
func (c *LsCommand) MatchesCommand(fullCommand string) bool {
codingllama (author):

The Ls and Rm commands are not bound if touchid is not available, so I've removed the embed and changed the public interfaces to make them harder to panic. This is more important now as the commands are public and reused in two distinct binaries.

codingllama (author):

(I could revisit the conditionally-present decision, but I decided against that for now.)
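The two points made in the comments above, keeping TryRun as the dispatch entry point and making MatchesCommand safe even when the Ls and Rm commands were never bound, as an added Go example. This is not code from the PR or from Teleport: `cmdClause` is a hypothetical stand-in for `*kingpin.CmdClause` (only FullCommand is modelled, so the block runs without kingpin), and `Command`, `LsCommand` and `EmbeddedLsCommand` are illustrative shapes rather than the project's types. The embedded variant is included only to show why a nil receiver panics when the clause is embedded instead of held in a named field.

```go
package main

import (
	"context"
	"fmt"
)

// cmdClause is a hypothetical stand-in for *kingpin.CmdClause so this example
// runs without importing kingpin; only FullCommand is modelled.
type cmdClause struct{ full string }

func (c *cmdClause) FullCommand() string { return c.full }

// LsCommand holds its clause in a named field rather than embedding it.
// The field stays nil when the command was never bound (e.g. touchid unavailable).
type LsCommand struct {
	cmd *cmdClause
}

// MatchesCommand returns false on a nil *LsCommand and on an unbound command,
// instead of dereferencing either.
func (c *LsCommand) MatchesCommand(fullCommand string) bool {
	if c == nil || c.cmd == nil {
		return false
	}
	return c.cmd.FullCommand() == fullCommand
}

// Run stands in for the real subcommand body (listing credentials).
func (c *LsCommand) Run(ctx context.Context) error {
	return nil
}

// EmbeddedLsCommand shows the shape being moved away from: with the clause
// embedded, the promoted FullCommand reads c.cmdClause, which dereferences the
// receiver, so calling it on a nil *EmbeddedLsCommand panics.
type EmbeddedLsCommand struct {
	*cmdClause
}

func (c *EmbeddedLsCommand) MatchesCommand(fullCommand string) bool {
	return c.FullCommand() == fullCommand
}

// Command groups the subcommands of one family; Ls is nil when not bound.
type Command struct {
	Diag *cmdClause
	Ls   *LsCommand
}

// TryRun dispatches selectedCommand to the matching subcommand. It returns
// match=false and no error when nothing matches, so the caller keeps looking
// through the other command families.
func (c *Command) TryRun(ctx context.Context, selectedCommand string) (match bool, err error) {
	switch {
	case c.Diag != nil && c.Diag.FullCommand() == selectedCommand:
		return true, nil
	case c.Ls.MatchesCommand(selectedCommand): // nil-safe even when Ls was never bound
		return true, c.Ls.Run(ctx)
	default:
		return false, nil
	}
}

// callReportingPanic runs fn and reports whether it panicked, so the
// embedded-vs-named-field difference can be observed without crashing.
func callReportingPanic(fn func() bool) (result bool, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return fn(), false
}

func main() {
	ctx := context.Background()

	// Only "touchid diag" is bound, as on a platform without Touch ID support.
	cmd := &Command{Diag: &cmdClause{full: "touchid diag"}}
	fmt.Println(cmd.TryRun(ctx, "touchid diag")) // true <nil>
	fmt.Println(cmd.TryRun(ctx, "touchid ls"))   // false <nil>: Ls is nil, no panic

	var embedded *EmbeddedLsCommand
	_, panicked := callReportingPanic(func() bool { return embedded.MatchesCommand("touchid ls") })
	fmt.Println("embedded nil receiver panicked:", panicked) // true
}
```

The guard in MatchesCommand is what lets TryRun be written without knowing which subcommands a given build bound; the same pattern applies to the Rm command.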

impl *fido2.Command
}

func (c *fido2Command) Initialize(app *kingpin.Application, _ *servicecfg.Config) {
codingllama (author):

I've added the wrappers here so we avoid importing both servicecfg and lib/auth in the "common" packages. The former is not imported by tsh, so that should keep binary sizes as-is.

Same for the other wrappers.

codingllama (author):

FYI @Joerger and @russjones.

RJ: this should help you evaluate touch ID on tctl when you get there.

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from espadolini May 15, 2024 17:10
@codingllama codingllama added this pull request to the merge queue May 16, 2024
Merged via the queue into master with commit ced3482 May 16, 2024
37 checks passed
@codingllama codingllama deleted the codingllama/wan-diag-commands branch May 16, 2024 13:00
@public-teleport-github-review-bot

@codingllama See the table below for backport results.

Branch Result
branch/v15 Create PR

Labels
backport/branch/v15 size/md tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Development

Successfully merging this pull request may close these issues.

Add WebAuthn diagnostic commands to tctl
3 participants