operator generate-root -decode: allow token from stdin (#12881)

* operator generate-root -decode: allow token from stdin Allow passing "-" as the value for -decode, causing the encoded token to be read from stdin. This is intended to prevent leaking the encoded token + otp into process logs in enterprise environments. * add changelog entry for PR12881 * add check/test for empty decode value passed via stdin
2025-10-31 18:48:08 +00:00 · 2021-10-20 17:29:17 +01:00
parent 180a24a579
commit ea05477e48
4 changed files with 118 additions and 1 deletions
--- a/command/operator_generate_root_test.go
+++ b/command/operator_generate_root_test.go
@@ -1,3 +1,4 @@
+//go:build !race
 // +build !race

 package command
@@ -158,6 +159,96 @@ func TestOperatorGenerateRootCommand_Run(t *testing.T) {
 		}
 	})

+	t.Run("decode_from_stdin", func(t *testing.T) {
+		t.Parallel()
+
+		encoded := "Bxg9JQQqOCNKBRICNwMIRzo2J3cWCBRi"
+		otp := "3JhHkONiyiaNYj14nnD9xZQS"
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(encoded))
+			stdinW.Close()
+		}()
+
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		// Simulate piped output to print raw output
+		old := os.Stdout
+		_, w, err := os.Pipe()
+		if err != nil {
+			t.Fatal(err)
+		}
+		os.Stdout = w
+
+		code := cmd.Run([]string{
+			"-decode", "-", // read from stdin
+			"-otp", otp,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		w.Close()
+		os.Stdout = old
+
+		expected := "4RUmoevJ3lsLni9sTXcNnRE1"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if combined != expected {
+			t.Errorf("expected %q to be %q", combined, expected)
+		}
+	})
+
+	t.Run("decode_from_stdin_empty", func(t *testing.T) {
+		t.Parallel()
+
+		encoded := ""
+		otp := "3JhHkONiyiaNYj14nnD9xZQS"
+
+		client, closer := testVaultServer(t)
+		defer closer()
+
+		stdinR, stdinW := io.Pipe()
+		go func() {
+			stdinW.Write([]byte(encoded))
+			stdinW.Close()
+		}()
+
+		ui, cmd := testOperatorGenerateRootCommand(t)
+		cmd.client = client
+		cmd.testStdin = stdinR
+
+		// Simulate piped output to print raw output
+		old := os.Stdout
+		_, w, err := os.Pipe()
+		if err != nil {
+			t.Fatal(err)
+		}
+		os.Stdout = w
+
+		code := cmd.Run([]string{
+			"-decode", "-", // read from stdin
+			"-otp", otp,
+		})
+		if exp := 1; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		w.Close()
+		os.Stdout = old
+
+		expected := "Missing encoded value"
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+	})
+
 	t.Run("cancel", func(t *testing.T) {
 		t.Parallel()