From 2174b9b251d88f9c2e0fc17478098a85576db1d2 Mon Sep 17 00:00:00 2001
From: Be
Date: Thu, 19 Dec 2024 21:02:02 -0600
Subject: [PATCH] client: read attestation CA list JSON from file (#3232)

instead of passing a giant blob of JSON as a command argument. Before, it was not possible to allow all valid authenticators certified by the FIDO Alliance because fido-mds-list query -o "status gte valid" outputs a JSON string longer than Linux allows for command arguments.

Co-authored-by: Firstyear
---
 tools/cli/src/cli/group/account_policy.rs | 9 +++++++--
 tools/cli/src/opt/kanidm.rs | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/tools/cli/src/cli/group/account_policy.rs b/tools/cli/src/cli/group/account_policy.rs
index d90aecc1e..3f6d0f49a 100644
--- a/tools/cli/src/cli/group/account_policy.rs
+++ b/tools/cli/src/cli/group/account_policy.rs
@@ -113,12 +113,17 @@ impl GroupAccountPolicyOpt {
 }
 GroupAccountPolicyOpt::WebauthnAttestationCaList {
 name,
- attestation_ca_list_json,
+ attestation_ca_list_json_file,
 copt,
 } => {
 let client = copt.to_client(OpType::Write).await;
+ let json = std::fs::read_to_string(attestation_ca_list_json_file).unwrap_or_else(|e| {
+ error!("Could not read attestation CA list JSON file {attestation_ca_list_json_file:?}: {e:?}");
+ std::process::exit(1);
+ });
+
 if let Err(e) = client
- .group_account_policy_webauthn_attestation_set(name, attestation_ca_list_json)
+ .group_account_policy_webauthn_attestation_set(name, &json)
 .await
 {
 handle_client_error(e, copt.output_mode);
diff --git a/tools/cli/src/opt/kanidm.rs b/tools/cli/src/opt/kanidm.rs
index 83a61fe4c..1fb39d0ba 100644
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@@ -216,7 +216,7 @@ pub enum GroupAccountPolicyOpt {
 #[clap(name = "webauthn-attestation-ca-list")]
 WebauthnAttestationCaList {
 name: String,
- attestation_ca_list_json: String,
+ attestation_ca_list_json_file: PathBuf,
 #[clap(flatten)]
 copt: CommonOpt,
 },
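Review bot: The file is read only after `copt.to_client(OpType::Write).await` in the `WebauthnAttestationCaList` arm, so a mistyped or unreadable path is reported after the write-capable client has already been set up (and presumably after whatever authentication that involves). Moving the `let json = std::fs::read_to_string(attestation_ca_list_json_file)…` statement above `let client = …` makes the command fail before it touches the server. The contents are also forwarded unparsed; because this list decides which authenticator attestation CAs the group's policy will trust, a local check that the file is non-empty and parses as JSON would catch a wrong-file mistake on the client, since whether the server rejects malformed input is not visible here. The match arm begins and ends outside the hunk.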
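Review bot: The retyped field `attestation_ca_list_json_file` in `WebauthnAttestationCaList` has no doc comment, so the generated help text gives no hint that this positional argument is now a path rather than inline JSON. Existing scripts that still pass the JSON blob will only find out through the "Could not read attestation CA list JSON file" error. I would add `/// Path to a file containing the attestation CA list JSON (e.g. saved fido-mds-list output)` above the field. The enum continues outside the hunk, and the `PathBuf` import is not visible here, so it is presumably already in scope.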