keyfetch: add --guard-path and --secure-mode flags

author
Anirudh Oppiliappan
date (Jun 12, 2026, 12:02 PM +0300) commit 4c0f6886 parent dd86070f change-id nxwykrzq
+24 -8
+24 -8
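--- a/keyfetch/keyfetch.go
+++ b/keyfetch/keyfetch.go
@@ -41,6 +41,14 @@
 Usage: "path to log file",
 Value: "/home/git/log",
 },
+&cli.StringFlag{
+Name: "guard-path",
+Usage: "path to the knot binary for the authorized_keys forced command (defaults to os.Executable)",
+},
+&cli.BoolFlag{
+Name: "secure-mode",
+Usage: "emit -secure-mode in the authorized_keys forced command",
+},
 },
 }
 }
@@ -53,10 +61,14 @@
 logPath := cmd.String("log-path")
 output := cmd.String("output")
 
-executablePath, err := os.Executable()
-if err != nil {
-l.Error("error getting path of executable", "error", err)
-return err
+executablePath := cmd.String("guard-path")
+if executablePath == "" {
+var err error
+executablePath, err = os.Executable()
+if err != nil {
+l.Error("error getting path of executable", "error", err)
+return err
+}
 }
 
 resp, err := http.Get(internalApi + "/keys")
@@ -92,7 +104,7 @@
 return err
 }
 case "authorized-keys":
-formatted := formatKeyData(executablePath, gitDir, logPath, internalApi, data)
+formatted := formatKeyData(executablePath, gitDir, logPath, internalApi, cmd.Bool("secure-mode"), data)
 _, err := os.Stdout.Write([]byte(formatted))
 if err != nil {
 l.Error("error writing to stdout", "error", err)
@@ -111,7 +123,11 @@
 return nil
 }
 
-func formatKeyData(executablePath, gitDir, logPath, endpoint string, data []map[string]any) string {
+func formatKeyData(executablePath, gitDir, logPath, endpoint string, secureMode bool, data []map[string]any) string {
+secureFlag := ""
+if secureMode {
+secureFlag = " -secure-mode"
+}
 var result string
 for _, entry := range data {
 raw, _ := entry["key"].(string)
@@ -120,8 +136,8 @@
 continue
 }
 result += fmt.Sprintf(
-`command="%s guard -git-dir %s -user %s -log-path %s -internal-api %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s`+"\n",
-executablePath, gitDir, entry["did"], logPath, endpoint, ssh.MarshalAuthorizedKey(key))
+`command="%s guard -git-dir %s -user %s -log-path %s -internal-api %s%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s`+"\n",
+executablePath, gitDir, entry["did"], logPath, endpoint, secureFlag, ssh.MarshalAuthorizedKey(key))
 }
 return result
 }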
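Review bot: The value of `--guard-path` is interpolated with a bare `%s` into the `command="…"` option that `formatKeyData` emits (new lines 139–140), and nothing between `cmd.String("guard-path")` and that call checks it. A path that is relative, or that contains whitespace or a double quote, would produce an authorized_keys entry whose forced command is not the binary the operator meant, or whose quoted option ends early so the restrictions after it may no longer be parsed as intended. I would reject such values right after the flag is read, e.g. `if !filepath.IsAbs(executablePath) || strings.ContainsAny(executablePath, " \t\n\"\\$") { return fmt.Errorf("invalid guard-path %q", executablePath) }`, assuming `path/filepath` and `strings` are available (the import block is not shown). The same unescaped `%s` carries `entry["did"]`, which appears to come from the `/keys` response, so it likely deserves an equivalent check before it is written out. Both enclosing functions start or continue outside the visible hunks.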