client: read attestation CA list JSON from file (#3232)

instead of passing a giant blob of JSON as a command argument. Before, it was not possible to allow all valid authenticators certified by the FIDO Alliance because fido-mds-list query -o "status gte valid" outputs a JSON string longer than Linux allows for command arguments. Co-authored-by: Firstyear <william@blackhats.net.au>
2025-02-23 12:37:00 +01:00 · 2024-12-19 21:02:02 -06:00 · 2024-12-19 21:02:02 -06:00 · 2174b9b251
parent 4f2eb8b5f8
commit 2174b9b251
2 changed files with 8 additions and 3 deletions
--- a/tools/cli/src/cli/group/account_policy.rs
+++ b/tools/cli/src/cli/group/account_policy.rs
@ -113,12 +113,17 @@ impl GroupAccountPolicyOpt {
            }
            GroupAccountPolicyOpt::WebauthnAttestationCaList {
                name,
-                attestation_ca_list_json,
+                attestation_ca_list_json_file,
                copt,
            } => {
                let client = copt.to_client(OpType::Write).await;
+                let json = std::fs::read_to_string(attestation_ca_list_json_file).unwrap_or_else(|e| {
+                    error!("Could not read attestation CA list JSON file {attestation_ca_list_json_file:?}: {e:?}");
+                    std::process::exit(1);
+                });
+
                if let Err(e) = client
-                    .group_account_policy_webauthn_attestation_set(name, attestation_ca_list_json)
+                    .group_account_policy_webauthn_attestation_set(name, &json)
                    .await
                {
                    handle_client_error(e, copt.output_mode);
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@ -216,7 +216,7 @@ pub enum GroupAccountPolicyOpt {
    #[clap(name = "webauthn-attestation-ca-list")]
    WebauthnAttestationCaList {
        name: String,
-        attestation_ca_list_json: String,
+        attestation_ca_list_json_file: PathBuf,
        #[clap(flatten)]
        copt: CommonOpt,
    },