Fix cross-platform build issues and security vulnerabilities
- Add build tags to keychain implementation files (Darwin-only) - Create stub implementations for non-Darwin platforms that panic - Conditionally show keychain support in help text based on platform - Platform check in UnlockersAdd prevents keychain usage on non-Darwin - Verified GPG operations already protected against command injection via validateGPGKeyID() and proper exec.Command argument passing - Keychain operations use go-keychain library, no shell commands The application now builds and runs on Linux/non-Darwin platforms with keychain functionality properly isolated to macOS only.
This commit is contained in:
@@ -6,6 +6,7 @@ import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@@ -90,10 +91,16 @@ func newUnlockersListCmd() *cobra.Command {
|
||||
}
|
||||
|
||||
func newUnlockersAddCmd() *cobra.Command {
|
||||
// Build the supported types list based on platform
|
||||
supportedTypes := "passphrase, pgp"
|
||||
if runtime.GOOS == "darwin" {
|
||||
supportedTypes = "passphrase, keychain, pgp"
|
||||
}
|
||||
|
||||
cmd := &cobra.Command{
|
||||
Use: "add <type> [keyid]",
|
||||
Short: "Add a new unlocker",
|
||||
Long: `Add a new unlocker of the specified type (passphrase, keychain, pgp).`,
|
||||
Long: fmt.Sprintf(`Add a new unlocker of the specified type (%s).`, supportedTypes),
|
||||
Args: cobra.RangeArgs(1, 2), //nolint:mnd // Command accepts 1 or 2 arguments
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
cli := NewCLIInstance()
|
||||
@@ -295,6 +302,12 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
|
||||
|
||||
// UnlockersAdd adds a new unlocker
|
||||
func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error {
|
||||
// Build the supported types list based on platform
|
||||
supportedTypes := "passphrase, pgp"
|
||||
if runtime.GOOS == "darwin" {
|
||||
supportedTypes = "passphrase, keychain, pgp"
|
||||
}
|
||||
|
||||
switch unlockerType {
|
||||
case "passphrase":
|
||||
// Get current vault
|
||||
@@ -329,6 +342,10 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
|
||||
return nil
|
||||
|
||||
case "keychain":
|
||||
if runtime.GOOS != "darwin" {
|
||||
return fmt.Errorf("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
keychainUnlocker, err := secret.CreateKeychainUnlocker(cli.fs, cli.stateDir)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to create macOS Keychain unlocker: %w", err)
|
||||
@@ -387,7 +404,7 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
|
||||
return nil
|
||||
|
||||
default:
|
||||
return fmt.Errorf("unsupported unlocker type: %s (supported: passphrase, keychain, pgp)", unlockerType)
|
||||
return fmt.Errorf("unsupported unlocker type: %s (supported: %s)", unlockerType, supportedTypes)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,6 @@
|
||||
//go:build darwin
|
||||
// +build darwin
|
||||
|
||||
package secret
|
||||
|
||||
import (
|
||||
|
||||
69
internal/secret/keychainunlocker_stub.go
Normal file
69
internal/secret/keychainunlocker_stub.go
Normal file
@@ -0,0 +1,69 @@
|
||||
//go:build !darwin
|
||||
// +build !darwin
|
||||
|
||||
package secret
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"filippo.io/age"
|
||||
"github.com/spf13/afero"
|
||||
)
|
||||
|
||||
// KeychainUnlockerMetadata is a stub for non-Darwin platforms
|
||||
type KeychainUnlockerMetadata struct {
|
||||
UnlockerMetadata
|
||||
KeychainItemName string `json:"keychainItemName"`
|
||||
}
|
||||
|
||||
// KeychainUnlocker is a stub for non-Darwin platforms
|
||||
type KeychainUnlocker struct {
|
||||
Directory string
|
||||
Metadata UnlockerMetadata
|
||||
fs afero.Fs
|
||||
}
|
||||
|
||||
// GetIdentity panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// GetType panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) GetType() string {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// GetMetadata panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// GetDirectory panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) GetDirectory() string {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// GetID returns the unlocker ID
|
||||
func (k *KeychainUnlocker) GetID() string {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// GetKeychainItemName panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// Remove panics on non-Darwin platforms
|
||||
func (k *KeychainUnlocker) Remove() error {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// NewKeychainUnlocker panics on non-Darwin platforms
|
||||
func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
|
||||
// CreateKeychainUnlocker panics on non-Darwin platforms
|
||||
func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
|
||||
panic("keychain unlockers are only supported on macOS")
|
||||
}
|
||||
Reference in New Issue
Block a user