sc/sgard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
cefa9b7970caa74c8af28668efd8e4341f6b1bb6
sgard/cmd/sgard/main.go
Kyle Isom 490db0599c Step 25: Real FIDO2 hardware key support. 
HardwareFIDO2 implements FIDO2Device via go-libfido2 (CGo bindings to
Yubico's libfido2). Gated behind //go:build fido2 tag to keep default
builds CGo-free. Nix flake adds sgard-fido2 package variant.

CLI changes: --fido2-pin flag, unlockDEK helper tries FIDO2 first,
add-fido2/encrypt init --fido2 use real hardware, auto-unlock added
to restore/checkpoint/diff for encrypted entries.

Tested manually: add-fido2, add --encrypt, restore, checkpoint, diff
all work with hardware FIDO2 key (touch-to-unlock, no passphrase).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 12:40:46 -07:00

126 lines
3.3 KiB
Go
Raw Blame History

package main
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"path/filepath"
"strings"
"github.com/kisom/sgard/client"
"github.com/spf13/cobra"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
)
var (
repoFlag string
remoteFlag string
sshKeyFlag string
tlsFlag bool
tlsCAFlag string
)
var rootCmd = &cobra.Command{
Use: "sgard",
Short: "Shimmering Clarity Gardener: dotfile management",
}
func defaultRepo() string {
home, err := os.UserHomeDir()
if err != nil {
return ".sgard"
}
return filepath.Join(home, ".sgard")
}
// resolveRemote returns the remote address from flag, env, or repo config file.
func resolveRemote() (string, error) {
if remoteFlag != "" {
return remoteFlag, nil
}
if env := os.Getenv("SGARD_REMOTE"); env != "" {
return env, nil
}
// Try <repo>/remote file.
data, err := os.ReadFile(filepath.Join(repoFlag, "remote"))
if err == nil {
addr := strings.TrimSpace(string(data))
if addr != "" {
return addr, nil
}
}
return "", fmt.Errorf("no remote configured; use --remote, SGARD_REMOTE, or create %s/remote", repoFlag)
}
// dialRemote creates a gRPC client with token-based auth and auto-renewal.
func dialRemote(ctx context.Context) (*client.Client, func(), error) {
addr, err := resolveRemote()
if err != nil {
return nil, nil, err
}
signer, err := client.LoadSigner(sshKeyFlag)
if err != nil {
return nil, nil, err
}
cachedToken := client.LoadCachedToken()
creds := client.NewTokenCredentials(cachedToken)
var transportCreds grpc.DialOption
if tlsFlag {
tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
if tlsCAFlag != "" {
caPEM, err := os.ReadFile(tlsCAFlag)
if err != nil {
return nil, nil, fmt.Errorf("reading CA cert: %w", err)
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(caPEM) {
return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
}
tlsCfg.RootCAs = pool
}
transportCreds = grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))
} else {
transportCreds = grpc.WithTransportCredentials(insecure.NewCredentials())
}
conn, err := grpc.NewClient(addr,
transportCreds,
grpc.WithPerRPCCredentials(creds),
)
if err != nil {
return nil, nil, fmt.Errorf("connecting to %s: %w", addr, err)
}
c := client.NewWithAuth(conn, creds, signer)
// Ensure we have a valid token before proceeding.
if err := c.EnsureAuth(ctx); err != nil {
_ = conn.Close()
return nil, nil, fmt.Errorf("authentication: %w", err)
}
cleanup := func() { _ = conn.Close() }
return c, cleanup, nil
}
func main() {
rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection")
rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification")
rootCmd.PersistentFlags().StringVar(&fido2PinFlag, "fido2-pin", "", "PIN for FIDO2 device (if PIN-protected)")
if err := rootCmd.Execute(); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
Reference in New Issue View Git Blame Copy Permalink