operator generate-root -decode: allow token from stdin (#12881)

* operator generate-root -decode: allow token from stdin Allow passing "-" as the value for -decode, causing the encoded token to be read from stdin. This is intended to prevent leaking the encoded token + otp into process logs in enterprise environments. * add changelog entry for PR12881 * add check/test for empty decode value passed via stdin
2025-11-02 03:27:54 +00:00 · 2021-10-20 17:29:17 +01:00
parent 180a24a579
commit ea05477e48
4 changed files with 118 additions and 1 deletions
--- a/command/operator_generate_root.go
+++ b/command/operator_generate_root.go
@@ -130,7 +130,8 @@ func (c *OperatorGenerateRootCommand) Flags() *FlagSets {
 		Default:    "",
 		EnvVar:     "",
 		Completion: complete.PredictAnything,
-		Usage:      "The value to decode; setting this triggers a decode operation.",
+		Usage: "The value to decode; setting this triggers a decode operation. " +
+			" If the value is \"-\" then read the encoded token from stdin.",
 	})

 	f.BoolVar(&BoolVar{
@@ -328,6 +329,27 @@ func (c *OperatorGenerateRootCommand) decode(client *api.Client, encoded, otp st
 		return 1
 	}

+	if encoded == "-" {
+		// Pull our fake stdin if needed
+		stdin := (io.Reader)(os.Stdin)
+		if c.testStdin != nil {
+			stdin = c.testStdin
+		}
+
+		var buf bytes.Buffer
+		if _, err := io.Copy(&buf, stdin); err != nil {
+			c.UI.Error(fmt.Sprintf("Failed to read from stdin: %s", err))
+			return 1
+		}
+
+		encoded = buf.String()
+
+		if encoded == "" {
+			c.UI.Error("Missing encoded value. When using -decode=\"-\" value must be passed via stdin.")
+			return 1
+		}
+	}
+
 	f := client.Sys().GenerateRootStatus
 	switch kind {
 	case generateRootDR: