feat: Add webauthn diagnostic commands to tctl #41558
|
||
return root | ||
} | ||
|
||
type fido2DiagCommand struct { | ||
// TryRun attempts to execute a "fido2" command. Used by tctl. | ||
func (c *Command) TryRun(ctx context.Context, selectedCommand string) (match bool, err error) { |
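Review bot: The doc comment on TryRun does not say how a caller should read the (match bool, err error) pair. Since the comment states the method is used by tctl, spell out that match reports whether selectedCommand was a "fido2" command, and whether err can be non-nil when match is false, so a caller knows when to fall through to its other commands.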
I've kept the "Try" methods in here, even though they don't exactly match CLICommand, as it's easier to spot them in this file if/when we add new subcommands.
*kingpin.CmdClause | ||
} | ||
|
||
func (*fido2DiagCommand) run(cf *CLIConf) error { |
Removed CLIConf, as that's a tsh construction.
// MatchesCommand returns true if LsCommand matches the given fullCommand, as | ||
// per [kingpin.CmdClause.FullCommand]. | ||
// Safe even if LsCommand is nil. | ||
func (c *LsCommand) MatchesCommand(fullCommand string) bool { |
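Review bot: The doc comment on MatchesCommand promises it is "Safe even if LsCommand is nil", which is a contract callers will rely on, but nothing in the comment says what is returned in that case. State the nil result explicitly (presumably false) and add a unit test that calls MatchesCommand on a nil *LsCommand so the guarantee cannot regress silently.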
The Ls and Rm commands are not bound if touchid is not available, so I've removed the embed and changed the public interfaces to make them harder to panic. This is more important now as the commands are public and reused in two distinct binaries.
(I could revisit the conditionally-present decision, but I decided against that for now.)
impl *fido2.Command | ||
} | ||
|
||
func (c *fido2Command) Initialize(app *kingpin.Application, _ *servicecfg.Config) { |
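Review bot: Initialize on fido2Command discards its *servicecfg.Config argument (the `_` parameter), and the wrapper struct holds only `impl *fido2.Command`, but neither carries a doc comment. A one-line comment on the type saying it adapts fido2.Command to this Initialize signature, and that the config is intentionally unused, would keep a later reader from treating the ignored parameter as an oversight.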
I've added the wrappers here so we avoid importing both `servicecfg` and `lib/auth` in the "common" packages. The former is not imported by tsh, so that should keep binary sizes as-is.
Same for the other wrappers.
FYI @Joerger and @russjones. RJ: this should help you evaluate touch ID on tctl when you get there.
@codingllama See the table below for backport results.
Adds the following hidden/utility commands to tctl:
Since admin actions, the fido2 and webauthnwin families are applicable. Touch ID isn't yet applicable, but it might be in the near future, so I'm already porting those. It's useful to have the diag commands in the `tctl` binary as they can easily detect whether build tags, signing or entitlements are missing.
Closes #39629
Changelog: Add webauthn diagnostics commands to tctl