Merge branch 'main' into secure-enclave-unlocker

2026-03-11 02:34:45 +01:00
parent e10b4cec82 4dc26c9394
commit b9aaf8ddac
35 changed files with 687 additions and 233 deletions
--- a/internal/cli/unlockers.go
+++ b/internal/cli/unlockers.go
@@ -1,6 +1,7 @@
 package cli

 import (
+	"log"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -96,7 +97,10 @@ func newUnlockerListCmd() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")

-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
+			if err != nil {
+				return fmt.Errorf("failed to initialize CLI: %w", err)
+			}
 			cli.cmd = cmd

 			return cli.UnlockersList(jsonOutput)
@@ -158,7 +162,10 @@ to access the same vault. This provides flexibility and backup access options.`,
 		Args:      cobra.ExactArgs(1),
 		ValidArgs: strings.Split(supportedTypes, ", "),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
+			if err != nil {
+				return fmt.Errorf("failed to initialize CLI: %w", err)
+			}
 			unlockerType := args[0]

 			// Validate unlocker type
@@ -191,7 +198,10 @@ to access the same vault. This provides flexibility and backup access options.`,
 }

 func newUnlockerRemoveCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
+	if err != nil {
+		log.Fatalf("failed to initialize CLI: %v", err)
+	}
 	cmd := &cobra.Command{
 		Use:     "remove <unlocker-id>",
 		Aliases: []string{"rm"},
@@ -203,7 +213,10 @@ func newUnlockerRemoveCmd() *cobra.Command {
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			force, _ := cmd.Flags().GetBool("force")
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
+			if err != nil {
+				return fmt.Errorf("failed to initialize CLI: %w", err)
+			}

 			return cli.UnlockersRemove(args[0], force, cmd)
 		},
@@ -215,7 +228,10 @@ func newUnlockerRemoveCmd() *cobra.Command {
 }

 func newUnlockerSelectCmd() *cobra.Command {
-	cli := NewCLIInstance()
+	cli, err := NewCLIInstance()
+	if err != nil {
+		log.Fatalf("failed to initialize CLI: %v", err)
+	}

 	return &cobra.Command{
 		Use:               "select <unlocker-id>",
@@ -223,7 +239,10 @@ func newUnlockerSelectCmd() *cobra.Command {
 		Args:              cobra.ExactArgs(1),
 		ValidArgsFunction: getUnlockerIDsCompletionFunc(cli.fs, cli.stateDir),
 		RunE: func(_ *cobra.Command, args []string) error {
-			cli := NewCLIInstance()
+			cli, err := NewCLIInstance()
+			if err != nil {
+				return fmt.Errorf("failed to initialize CLI: %w", err)
+			}

 			return cli.UnlockerSelect(args[0])
 		},
@@ -257,6 +276,8 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		// Create unlocker instance to get the proper ID
 		vaultDir, err := vlt.GetDirectory()
 		if err != nil {
+			secret.Warn("Could not get vault directory while listing unlockers", "error", err)
+
 			continue
 		}

@@ -264,6 +285,8 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
+			secret.Warn("Could not read unlockers directory", "error", err)
+
 			continue
 		}

@@ -279,12 +302,16 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 			// Check if this is the right unlocker by comparing metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
-				continue // FIXME this error needs to be handled
+				secret.Warn("Could not read unlocker metadata file", "path", metadataPath, "error", err)
+
+				continue
 			}

 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
-				continue // FIXME this error needs to be handled
+				secret.Warn("Could not parse unlocker metadata file", "path", metadataPath, "error", err)
+
+				continue
 			}

 			// Match by type and creation time
@@ -312,6 +339,7 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
 		} else {
 			// Generate ID as fallback
 			properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
+			secret.Warn("Could not create unlocker instance, using fallback ID", "fallback_id", properID, "type", metadata.Type)
 		}

 		unlockerInfo := UnlockerInfo{
@@ -603,12 +631,16 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 	// Get the list of unlockers and check if any match the ID
 	unlockers, err := vlt.ListUnlockers()
 	if err != nil {
+		secret.Warn("Could not list unlockers during duplicate check", "error", err)
+
 		return nil // If we can't list unlockers, assume it doesn't exist
 	}

 	// Get vault directory to construct unlocker instances
 	vaultDir, err := vlt.GetDirectory()
 	if err != nil {
+		secret.Warn("Could not get vault directory during duplicate check", "error", err)
+
 		return nil
 	}

@@ -618,6 +650,8 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 		unlockersDir := filepath.Join(vaultDir, "unlockers.d")
 		files, err := afero.ReadDir(cli.fs, unlockersDir)
 		if err != nil {
+			secret.Warn("Could not read unlockers directory during duplicate check", "error", err)
+
 			continue
 		}

@@ -632,11 +666,15 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
 			// Check if this matches our metadata
 			metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
 			if err != nil {
+				secret.Warn("Could not read unlocker metadata during duplicate check", "path", metadataPath, "error", err)
+
 				continue
 			}

 			var diskMetadata secret.UnlockerMetadata
 			if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
+				secret.Warn("Could not parse unlocker metadata during duplicate check", "path", metadataPath, "error", err)
+
 				continue
 			}